Internal control systems are useful because they identify and correct accounting-related fraud or
errors. However, internal controls are useless if risks associated with an organization’s routine decisions
are not monitored. Enterprise risk management (ERM) focuses on risks to an organization’s operations
and ensures controls are in place to eliminate, mitigate, or compensate for such risks. Additionally, ERM
identifies and assesses risks related to management’s objectives by evaluating internal control components:
control environment, risk assessment, control procedures, monitoring, and information and
An effective control environment primarily defines organizational structure, commitment to competence,
assignment of authority and responsibility, and internal audit functions. Control environments are
important to any type of risk approach because they establish organizational tone, the foundation of
organizational internal control, and the organization’s response to risk.
Risk assessment is the process used to estimate the likelihood and impact of risks on management’s
objectives. Risk assessment generally includes risk response. After potential risks are identified, they
become part of an organization’s risk portfolio. Risk response is then used to evaluate correlations and
total impact and make changes to optimize the risk portfolio.
Control procedures are actions taken by management to eliminate, mitigate, and compensate for risks. The
most frequently used control procedures are performance reviews, segregation of duties, physical controls,
and information-processing controls. Performance reviews give management the opportunity to perform
periodic evaluations of the organization’s objectives and ensure they are being met. Segregation of duties
separates tasks such as authorization to execute transactions, recording transactions, and periodic
reconciliation of existing assets to current amounts to reduce the risk of an individual creating and
concealing errors, frauds, and misstatements within the organization. Organizations have physical controls
in place to prevent access to documents, inventory, and specific areas by unauthorized
individuals. Information-processing controls create audit trails and are in place to ensure financial
statement transactions are processed correctly.
Monitoring is an ongoing assessment of the quality of an organization’s internal controls. Examples of
monitoring controls may include analyzing customer or vendor billing complaints, supervising the accuracy
of transaction processing, and comparing recorded amounts to assets and liabilities. Monitoring activities
are similar to control activities. Unlike control activities, monitoring activities are more in-depth because
they include identifying weaknesses in other controls. Although monitoring includes management-related
tasks, audit committees are generally assigned these tasks.
Information and Communication
Information and communication are necessary for management to complete an organization’s
objectives. Information systems are effective when they consistently provide timely, current, accurate, and
accessible information related to an organization’s external sources. Communication is the means of
relaying information to internal and external sources through report production and distribution.