Your organization may face a situation that calls for an internal review to support external auditors, an operational audit to ensure the effectiveness of operations, a compliance audit to make sure your organization is in compliance with policies or regulations, or a fraud investigation that needs to be confidential.
After the corruption scandals at Enron and WorldCom, internal controls became more and more important. An effective internal control system is a requirement of the Sarbanes-Oxley Act of 2002, which regulates reporting and testing of internal controls over financial reporting for public companies.
In a previous blog, we discussed Internal Control Testing. Evidence is a critical component of internal control testing. Management and auditors are expecting to obtain persuasive evidence to support the determination that internal controls are present and functioning.
Monitoring activities are those actions that an organization develops and performs to ascertain whether the components of internal control are present and functioning. These activities are performed on an ongoing basis or as separate evaluations.
Segregation of duties (SOD) is a type of control activity and a fundamental element of internal controls. The principle of SOD is to share responsibilities in a key process, so that no one individual performs two or more of the following functions.
In a previous blog, we discussed internal risk control assessment and introduced a comprehensive risk assessment tool, the Risk Control Matrices (RCM). This blog will address the risk assessment scales and options to respond to risks.
Internal control is a multi-dimensional process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
We have discussed the Control Environment in a previous blog. This blog will address Risk Assessment.
Businesses face a wide range of risks, including industry risk, strategic risk, operational risk, compliance risk and financial risk. Some risks are relatively significant and may cause loss of profits or even bankruptcy. A classic example of industry risk is when film giant Kodak filed for bankruptcy after consumers embraced the newer technology of digital cameras and the film era ended.
Before discussing the internal control environment, let's briefly review the definition of internal control.
COSO (The Committee of Sponsoring Organizations of the Treadway Commission) defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
Internal control risks in business include the lack of a sound internal control environment, poorly designed business processes, IT security risk, integrity and ethics risk, human error and fraud risk.
The ACFE (Association of Certified Fraud Examiners) uses the fraud triangle as a model for explaining the factors that cause someone to commit occupational fraud.