© Matti Mattila, CPFA, CISA, CIA |
|
Control is the attempt to keep performance or a state of affairs
within what is expected, allowed or accepted.
|
Figure 1: Relations between concepts.
Upper-level management directs and controls how lower-level processes are managed.
Managers of lower-level processes account to their superiors for the management of the processes
they have been entrusted with;
they monitor the coverage and effectiveness of the process's internal control structure,
whereby risks inside the process are mitigated (green arrows). In addition, managers identify risks
outside the process that the entity is exposed to, and treat them (green arrow).
|
Internal Control is control that, in an administrative sense, is built into a process
and ensures disciplined accomplishment of the plan that any goal-oriented process has.
The plan tells how the process shall proceed and how it shall be controlled
so that the purpose of the process will be fulfilled.
Internal control is an inherent system against the inherent risks of any human-made process.
|
Process is a series of pre-defined steps repeated according to a plan
for producing a specific end result, e.g. a service or a product.
|
Risk is the chance of something happening that will have an impact on objectives [1].
|
Risk Management is a process for controlling risks
with significant negative consequences.
Risks are mitigated by means of both risk management and internal control.
|
In CIA Review [2], Irvin N. Gleim has defined control as a process whereby you
(1) develop expectations, standards, budgets, and plans;
(2) undertake activity, production, study, and learning;
(3) measure the activity, production, output, and knowledge;
(4) compare actual activity with what was expected or budgeted;
(5) modify the activity, behavior, or production to better achieve the expected or desired outcome;
(6) revise expectations and standards in light of actual experience;
(7) continue the process.
This definition is problematic in the sense that control encompasses almost everything.
On the other hand, the most distinguishing characteristics of control are included in the definition,
namely phases (1), (3) and (4) of the process.
When the accomplishment [outcome] or the performance [process] itself is not what you expected,
and this fact is understood,
you attempt to influence the performance so that the expectations will be realized.
|
[1]
Australian/New Zealand Standard: Risk Management (AS/NZS 4360:2004), page 4
[2]
Gleim, Irvin N.: CIA Review, 6th Edition, volume I, page 49