Internal control, as defined by AU-C 265 Communicating Internal Control Related Matters Identified in an Audit, consists of the following five components:
- Control Environment – The internal atmosphere comes from the top down. Specific policies and procedures must have the support of all members of the organization.
- Risk Assessment – Internal control efforts should be directed in accordance with assessed risks.
- Information and Communication – Documentation and communication to all involved members of the organization.
- Control Activities – Policies and procedures to ensure management directives are carried out.
- Monitoring – Periodic assessment of internal control functions and results.
AU-C 265.07 Deficiency in internal control. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
Consult AU-C 265 for further information regarding internal control.