Internal control is a living system, because it is built into a process that usually changes over time.
In the normal course of their work, managers and other staff (accountable persons) make observations about it.
When they see that it does not work as planned, they identify a weakness.
And when they realize how the weakness can be exploited, they identify a risk.
They analyse the identified risks and, based on the outcomes of the risk analysis and in accordance with their risk appetite, determine whether to react to the risk and, if so, how.
The reaction can be an ad hoc control and/or a change to the internal control structure [1].

Auditors are specialists in internal controls.
They can give valuable information about the weaknesses and risks of the processes, and about alternatives for mitigating the risks.
Accountable persons are more or less blind when assessing the process they work in.
A person outside the process can see problems that persons inside the process fail to see.

In reality, audits do not address everything in the organization, and they seldom address thoroughly the things they do cover.
However, in professionally conducted audits, auditors should sooner or later identify most of the key risks of internal control that are relevant to the type of audit in question [2].
Analysing audit findings widely can help the board and top management of the organization obtain a better view of the state and quality of internal control in their organization.
The ECAR model is a useful framework for the analysis of audit findings.

[1] The ECAR Model document, "324 Determination of risks", page 13
[2] E.g. a financial auditor (an independent auditor) usually audits only those things that are relevant to his/her audit assignment.