Internal control audits are usually conducted as part of an overall risk assessment. First, risks are identified, and then internal controls are identified to mitigate those risks. Internal control assessments usually evaluate these 5 interrelated elements of effectiveness:
- Control environment. Senior management sets the tone for vision, mission, quality, ethics, goals, and controls. Daily operational control defers to the people who know the process or product – the process owners.
- Risk assessment. Risk management is the fundamental objective of all managers in the next few years. The precondition to effective risk management is identified core processes, stabilized processes, capable processes, and control of process variation.
- Control activities. Control activities are the people, policies, suppliers and other factors that ensure risks are identified, monitored, and mitigated throughout the project, product, or contract lifecycle. Controls may include approvals, authorizations, validation, verification, reconciliation, and segregation of authorities.
- Information and communication. No information and no communication result in no control. It’s that simple.
- Internal control systems and processes must be monitored. It’s not enough to have a process out of control or, worse, one that is noncompliant with a specification or standard. Ongoing monitoring should ensure corrective and preventive actions.[i]
The nature and purpose of internal control auditing can be understood by examining what is done and produced. The main products of internal auditing are reports detailing the efficiency, economy, and effectiveness of management and financial controls, policies, plans, and procedures. Typical products and outputs of these audits may include:
- Risk management and assurance analysis.
- Corporate governance assessment.
- Management control effectiveness.
- Internal financial control analysis.
- Budget reports and analysis.
- Fiscal policy compliance.
- Statutory compliance.
- Contract analysis.
[i] COSO Web site, www.coso.org, “Internal Control – Integrated Framework,” 2000.
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books available on all platforms are shown below: