What Are Information Systems Communication Controls?

by Eduyush Team

FACULTY INSIGHT

What Really Is an Information Systems & Communication Control? (Stop Getting This Wrong)

The ACCA AA examiner has flagged this as the single most misunderstood control component — here's exactly what it means and how to stop losing marks on it.

Every session, without fail, I watch students lose marks on this exact topic. I've been teaching ACCA AA and CIA candidates across India and Asia for years, and the Information System & Communication component of internal controls is — hands down — the one that trips up the most people, even strong students who have revised everything else.

The ACCA AA examiner said it plainly in the September/December 2024 report: "The component most candidates struggled with was information system and communication." And the reason? Candidates assume it's about IT systems, software, or technology infrastructure. It isn't. At all.

In this post, I'm going to fix that misunderstanding permanently. By the time you finish reading, you'll know exactly what this component means, how to describe it for full marks, and how the CIA framework gives you a deeper foundation than most AA candidates ever build. Let's get into it.

Why Candidates Keep Getting This Wrong

I want to start with the mistake itself — because understanding why you're going wrong is half the battle. When candidates see the phrase "information system," the brain immediately goes to IT. Computers. Software. Maybe cybersecurity. This is completely understandable — in everyday language, "information system" often means a digital system. But in the context of ISA 315, the standard that governs how auditors identify and assess risks of material misstatement, this component means something very specific and very different.

The Information System & Communication component under ISA 315 refers to the procedures — whether manual or automated — used to record transactions, process data, maintain accountability over assets and liabilities, and communicate relevant information throughout the organisation. It is about the accounting records and business processes, NOT about IT infrastructure or software systems.

The ACCA AA SD24 examiner's report was explicit: "Many candidates incorrectly assumed that this related to an information technology or IT system rather than relating to records to process transactions, assets and liabilities to maintain accountability." When I see this come up in class, I always say the same thing: think "accounting system" not "IT system." Think "how transactions flow through the business from start to finish." That mental reframe alone is worth a mark in the exam.

The Real ISA 315 Definition (Decoded)

Let me give you the full picture. Under ISA 315 (Revised 2019), the Information System and Communication component of internal control encompasses the following — and this is what you need to be able to articulate for marks:

The information system includes the procedures and records that: (1) identify and record all valid transactions; (2) describe transactions in enough detail to permit proper classification; (3) measure the value of transactions; (4) determine the time period in which they occurred; and (5) present transactions and disclosures in the financial statements. Communication means management communicates roles, responsibilities, and significant control matters to staff — and externally to stakeholders when required.

Let me put that in plain language. This component answers the question: "How does the organisation capture, record, and communicate what has happened financially?" It covers things like: how a sale is recorded from the point of the transaction through to the general ledger; how a supplier invoice is matched to a purchase order and processed for payment; how the payroll system captures hours worked and generates payslips and journal entries. It covers the flow of financial information — not the technology that enables it. For deeper study on how this feeds into the broader internal audit and control framework, our CIA blog hub has a strong collection of related posts.

Communication — the second part of this component — means that everyone in the entity understands their role in the control system. Management must communicate what controls exist, who is responsible for them, and what constitutes a control failure. This also extends externally: for example, informing regulators or customers of breaches where required.

All 5 COSO Control Components — So You Can Distinguish Them

One reason students confuse Information System & Communication with other components is that they haven't clearly mapped all five. Here's how I teach this in class. Think of it as a system with five interlocking parts:

Component 1 — Control Environment: The "tone at the top." Management's attitude toward internal control, ethical values, governance structure, and commitment to competence. This sets the foundation everything else sits on. Think: board oversight, segregation of duties policy, HR policies.

Component 2 — Entity's Risk Assessment Process: How management identifies, analyses, and responds to risks that could prevent them from achieving objectives. Think: management's process for spotting financial reporting risks, including fraud consideration and change management.

Component 3 — Information System & Communication (THIS ONE): The procedures and records used to record and process transactions, maintain accountability over assets and liabilities, and communicate roles and responsibilities. Think: purchase cycle records, sales invoice processing, payroll journals, management reports to the board.

Component 4 — Control Activities: The specific actions and policies implemented to address risks. Think: authorisation controls, segregation of duties, reconciliations, access restrictions, physical controls over assets. These are what most students think of when they hear "internal controls."

Component 5 — Entity's Process to Monitor the System of Internal Control: How management assesses whether controls are operating effectively over time. Think: internal audit function, management self-assessments, review of control deficiency reports.

Notice how Information System & Communication sits in the middle — it's the plumbing of the whole system. Without accurate transaction recording and clear communication of responsibilities, even the best controls in the world won't function properly. Students who understand this nuance always write better answers. For a broader view of how to answer internal control questions in AA, including the deficiency framework, check out our dedicated post on that topic.

Real-World Examples Across Business Cycles

This is where it clicks for students. I always bring this back to practical scenarios. Here are four business cycle examples of the Information System & Communication component in action — not IT controls, but records, processing procedures, and communication:

Sales Cycle: When a customer places an order, the information system controls are the procedures that ensure: the order is recorded with the correct customer, price, and date; the delivery triggers an invoice; the invoice is posted to the correct debtor account; and the receipt of cash is matched to the correct invoice. The communication element means sales staff know what they can authorise and what needs manager approval.

Purchase Cycle: The procedures that ensure a purchase order is raised and authorised before a supplier invoice is accepted; that the goods received note matches the PO and invoice (three-way match); and that the liability is recorded in the correct period. The communication element includes supplier terms communicated to the finance team and escalation procedures when there are disputes.

Payroll Cycle: The system of controls that captures hours worked or salaries contracted, applies the correct tax codes and deductions, generates the payroll journal, and posts to the correct nominal codes. Communication here means employees understand how to report hours, and managers know the authorisation procedures for pay changes.

Inventory Cycle: Procedures for recording goods received, adjusting stock levels, recording write-downs or write-offs, and reconciling the inventory ledger to physical counts. Communication includes how inventory variances are escalated and investigated.

In every one of these examples, notice that there is no mention of what software the business uses. The Information System & Communication component is about the procedure and flow, whether that's done in SAP, Excel, or a paper ledger. This is a critical distinction that the examiner is testing. For deeper grounding on how tests of controls relate to information systems in the audit, our comparison post is well worth reading alongside this one.

The CIA Part 1 Connection — Why It Matters for Deeper Understanding

Here's something I always tell students who are considering both qualifications: the CIA curriculum, particularly the Surgent CIA Part 1 materials, goes much deeper on internal controls than the AA syllabus. And that depth gives you a real advantage — not just conceptually, but practically in how you write exam answers.

Under the COSO framework as taught in CIA Part 1: The Information & Communication component covers both the information systems that support control activities and the communication channels that ensure personnel understand their control responsibilities. This includes quality information (accurate, timely, accessible), internal communication (roles and responsibilities), and external communication (disclosure obligations to third parties).

What the CIA Part 1 materials help you understand is that this component isn't passive — it's the active connective tissue of the whole control system. The COSO framework's 17 principles include three that map directly to Information & Communication: quality information, internal communication, and external communication. When you understand these principles at the CIA level, writing a full-mark AA description becomes almost automatic.

There's also a strong connection to CIA Part 2, which covers how internal auditors evaluate and test information systems as part of engagement work. The Surgent materials cover IT controls in depth — distinguishing general IT controls (GITCs) from application controls, and both from the ISA 315 Information System component. Knowing that distinction is enormously helpful. It prevents the very mistake the examiner flags: conflating IT controls with the information system control component. If you're building toward the CIA or want to understand how the frameworks connect, our ITGC explainer post is a great companion read, and for the broader CIA journey, see our guide on which CIA part to take first.

The CIA is now recognised in 170+ countries, with strong and growing uptake across India and Southeast Asia. Many AA candidates in India are pursuing it as a complementary qualification — and the control framework overlap makes the dual pathway more efficient than most students realise.

What We See on Exams

From years of reviewing examiner feedback, this component has been tested in almost every AA session in recent memory — SD24, MJ24, D23, and before. The typical question asks candidates to "describe the five components of an entity's system of internal control" for 5 marks, one mark per component. The information system & communication description that earns full marks specifically includes: (1) procedures to record and process transactions, (2) maintenance of accountability over assets and liabilities, and (3) communication of control roles and responsibilities. Candidates who write only "recording transactions" get half a mark at best — they need the accountability element and the communication element to score fully.

— Based on ACCA AA Examiner Reports (SD24, MJ24, D23) & eduyush Student Performance Data

One thing I've noticed with students who sit the exam in India and across Asia: there's sometimes a tendency to over-rely on abbreviated bullet points in knowledge questions. The examiner is explicit that "a few words such as 'identification of risk' is not enough for a description." For this component specifically, you need to write at least two to three sentences that cover the recording function, the accountability function, and the communication function. Practice that with past questions like Francisco Co (MJ24), Silver Co (SD23), and the Granstan Co question from SD24. Those three alone will sharpen your answer dramatically. You can find more AA technical articles and exam technique guidance on our blog.

Common Mistakes We See

❌ Mistake 1: Describing IT Systems Instead of the Control Component

What happens: The student writes something like "the information system component relates to the entity's IT infrastructure, including software, hardware, and cybersecurity controls." This earns zero marks because it is simply wrong as a description of the ISA 315 component. It confuses IT controls (which are part of Control Activities) with this distinct component.

How to fix it: Memorise this core phrase: "procedures to record and process transactions, maintain accountability over assets and liabilities, and communicate roles and responsibilities." Practise writing it out in your own words from memory until it's automatic. The examiner wants to see that you understand it's about accounting records and process flow, not technology infrastructure.

❌ Mistake 2: Circular Descriptions That Just Repeat the Component Name

What happens: The student writes: "Information system and communication relates to the communication of information within the entity." The SD24 examiner specifically called this out — circular answers that merely restate the component name earn no credit. It tells the examiner you don't actually understand it.

How to fix it: Always ask yourself: "Have I explained what this component actually does?" A good test — cover the component name and ask if your description still makes sense as a standalone explanation. If it reads like "risk assessment is when management assesses risk," that's circular. Instead: "Risk assessment is the process by which management identifies, analyses, and determines how to respond to business risks that could prevent achievement of objectives." That's a real description.

❌ Mistake 3: Forgetting the Communication Half of the Component

What happens: Many students correctly identify the information system side — recording transactions, maintaining records — but completely drop the communication element. Because marks are awarded for the complete description, this incomplete answer will rarely score full marks. Communication is not a minor detail; it is half of this component's name.

How to fix it: Build a two-part answer template: (1) "The information system involves procedures for recording and processing transactions and maintaining accountability over assets and liabilities." (2) "Communication ensures that relevant information is communicated throughout the entity so that staff understand their control responsibilities, including communication to those outside the entity where required." Use both parts every time, and you'll never leave marks on the table here again.

Frequently Asked Questions

Q1: What is the Information System and Communication component of internal control under ISA 315?

Under ISA 315 (Revised 2019), this component refers to the procedures — whether manual or computer-based — that an entity uses to initiate, record, process, and report transactions and events, and to maintain accountability for related assets and liabilities. It also includes the communication of roles and responsibilities throughout the entity so that personnel understand how their work contributes to the control system, and external communication to regulators or others where required. Crucially, this is about the flow and recording of accounting data — not about IT infrastructure, software systems, or cybersecurity controls, which fall under the Control Activities component. You can read more about how this fits into the broader internal audit and assurance framework on our blog.

Q2: Why do ACCA AA candidates confuse this component with IT controls?

It's a natural language trap. In everyday usage, "information system" almost always means technology — computers, databases, software. But auditing standards use the term in its original accounting sense: the system by which financial information flows through the organisation. IT controls — things like access restrictions, change management, data backups — are separate and generally treated under Control Activities or as general IT controls (GITCs) in CIA frameworks. The ACCA AA examiner has highlighted this confusion in multiple sessions (SD24 being the most explicit), which tells you it's a persistent, widespread issue. The fix is to firmly associate "information system and communication" with "accounting records, transaction processing, and role communication" — not with technology. Practising past questions like Granstan Co (SD24) will cement this. Our guide on ACCA AA exam technique has more on common knowledge-question traps.

Q3: How does the CIA curriculum help with this component?

The CIA Part 1 Surgent materials cover the COSO framework in considerably more depth than the AA syllabus requires. Specifically, Section 1372 maps all five control components and the 17 principles beneath them, including the three principles directly under Information & Communication: quality information, internal communication, and external communication. Understanding these principles gives you a much richer mental model than memorising a one-line definition. CIA Part 2 then teaches you how to evaluate these controls during an engagement, including how information systems support control activities and where they can break down. For candidates in India and across Asia who are considering the CIA alongside or after the ACCA, the overlap in control framework knowledge makes the dual path genuinely efficient. Our post on how to study for CIA Part 2 covers the engagement-level controls content in detail.

Q4: What is a full-mark answer for describing this component in an AA exam?

A full-mark description needs to cover both halves of the component. Here's a model answer: "The information system component involves the procedures and records used to initiate, record, process, and report transactions and events in a manner that maintains accountability for the related assets and liabilities. The communication element refers to how management communicates the entity's financial reporting objectives and individual control responsibilities to staff, and to external parties where required." That covers the recording and processing function, the accountability function, and the communication function — which is what the examiner is looking for. Half-mark answers tend to only cover one of these, most commonly just "procedures to record transactions" without mentioning accountability or communication. For more on how to structure full-mark knowledge answers, see our deficiency answer framework post.
