Based on the COSO framework, internal control consists of five integrated components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
We have discussed the Control Environment in a previous blog. This blog will address Risk Assessment.
Businesses face a wide range of risks, including industry risk, strategic risk, operational risk, compliance risk and financial risk. Some risks are significant enough to cause loss of profits or even bankruptcy. A classic example of industry risk is film giant Kodak filing for bankruptcy after consumers embraced the newer technology of digital cameras and the film era ended.
Internal Control Risks
Internal control risks are risks that affect the effectiveness and efficiency of internal controls and thus affect the achievement of objectives. They are a part of operational risk and compliance risk. Operational risk refers to unexpected failure in an organization's daily operations, which could be caused by personnel and/or processes. Compliance risk is the risk of not maintaining compliance with laws or regulations, such as the Sarbanes-Oxley Act (SOX) or the Foreign Corrupt Practices Act (FCPA). For example, if the Accounts Payable process in an organization is broken, the risk of fraudulent vendors and unauthorized payments is higher. If a public organization fails to have effective internal controls over financial reporting, it faces a serious compliance risk.
An effective internal control system can minimize the risks that may affect achievement of the objectives. Common internal control risks in business include lack of a sound internal control environment, poorly designed business processes, IT security risk, integrity and ethics risk, human error and fraud risk, among others.
What Is Risk Assessment?
Proper risk assessment can assist an organization in managing risks and making decisions. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Please remember that risk management and internal controls are not objectives in themselves. They should always be considered when setting and achieving organizational objectives.
How do you conduct a risk assessment? You could certainly perform the risk assessment internally with a meeting of management, and no doubt this approach will identify some risks and is better than no risk assessment at all. However, to be more comprehensive, we will introduce you to the Risk Control Matrix (RCM) for internal control risk assessment. The following are procedures for conducting a risk assessment using the RCM.
- Inquiries of management and others within an organization.
- Observation and inspection.
- Review of previous years’ audit report, management letters and board minutes.
- Business process mapping and identification.
The RCM is a risk assessment tool that helps an organization directly identify the risks between objectives and controls. For example, if an organization has an objective that new vendors must be authorized before a purchase is made, but no internal control is in place to ensure that objective is achieved, you know immediately that the company incurs the risk of using fraudulent vendors. The next step is to remediate that risk accordingly.
Key Components in the RCM
To obtain a better understanding of the RCM, there are some key components in the RCM you need to know.
The RCM helps to directly identify risks between objectives and controls. At the same time, the RCM also assists in identifying gaps in controls. A gap exists when a stated objective is not matched with an effective control activity. For example, after conducting a risk assessment using the RCM, you may find that management does not have predefined relevant objectives, or that some objectives are incompatible with broader or top-level objectives.
To better understand and apply the RCM, we provide a sample RCM for download. Please click the button below to download an RCM, and let us know if you have any comments or questions.

Emma Zhang is an experienced audit professional with more than six years of internal audit and Sarbanes-Oxley (SOX) compliance experience focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes-Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a BlackLine Certified Implementation Professional and helps clients implement the BlackLine system.