I think the relationship between risk (what might happen to affect the achievement of objectives) and internal control (what you do to ensure things are done the way you want) is not very well understood.
Here’s my attempt to explain it.
- You have controls to ensure that risks (the effect on objectives of potential events, situations, actions, or decisions) are at desired levels. (Note that I said ‘desired’ instead of ‘acceptable’. There’s an important difference.) So you can’t know whether you have the right controls or that the system of internal control is effective if you don’t have a reliable understanding of the more significant risks to objectives today and for the manageable future. You may have a lot of controls that are working just the way you want. But are they the controls you need when the future is shifting and the risks have changed?
Conclusion: any assessment of the system of internal control is predicated on an assessment of the systems around the identification and management of risk (again, what might happen).
- You cannot have effective management of risk if you don’t have effective controls around the identification, treatment, and so on of those risks. The processes around identifying, assessing, and acting on risks (what might happen) include a number of critical controls. For…