5 Components of internal controls

The 5 components of ICS

1. Control Environment (Tone at the top)

• Clear ethics and integrity expectations (code of conduct)
• Competent staff and defined organisational structure
• Board/management oversight and accountability

2. Risk Assessment

• Identifying key risks (fraud, error, compliance, IT, operational risks)
• Assessing likelihood/impact and prioritising risks
• Updating risk assessment when changes happen (new system, new branch, new product)

3. Control Activities

• Segregation of duties (authorise–record–custody separated)
• Approvals and authorisation limits
• Reconciliations (bank, inventory, debtor/creditor)
• Physical controls (locks, access control, stock counts)
• IT controls (access rights, change controls, backups)

4. Information & Communication

• Reliable systems for capturing and processing transactions
• Proper documentation, audit trails, and timely reporting
• Clear internal communication of policies and procedures

5. Monitoring Activities

• Ongoing supervisory reviews and exception reporting
• Periodic internal audits or control self-assessments
• Follow-up and corrective actions when weaknesses are found

Practical implication for audit

• Auditors evaluate whether these components exist and operate effectively.
• Weakness in any component increases control risk, so auditors rely less on controls and do more substantive testing.