What is a Control Assessment?

A control assessment is the review of operational risks and the effectiveness of the associated controls. This assessment needs to be conducted on an annual basis, because the risk profile of a business changes over time, as the nature of its operations and the general business environment change. Consequently, just copying the audit program from the year before is not always good management.

A high-quality control assessment should require a considerable amount of time to create and update, but its impact is substantial enough to justify the cost. This is because an assessment can spot issues that have arisen recently, allowing management to adapt the system of controls to ensure that the overall risk level remains at a tolerable level. The report is also useful for increasing the general knowledge of the control environment of a business, and the risks that certain controls are designed to detect and/or mitigate.

Control Assessment Updates

A better approach to dealing with the risk profile of a business is to create a control assessment of the business, and to then update the assessment at regular intervals. The assessment should highlight changes in the business since the last assessment, and how these changes could impact the system of controls currently in place. If the company has disparate divisions, it may make more sense to create this assessment at the business unit level.

Whenever the control assessment is updated, the internal audit manager should review it with senior management and/or members of the audit committee, so that these people are aware of recent or upcoming control issues, as well as how these issues may be resolved. The document can also be used within the internal audit department as the basis for changes to audit programs.