What is a Control Assessment?

A control assessment is the review of operational risks and the effectiveness of the associated controls. This assessment needs to be conducted on an annual basis, because the risk profile of a business changes over time, as the nature of its operations and the general business environment change. Consequently, just copying the audit program from the year before is not always good management.

A high-quality control assessment should require a considerable amount of time to create and update, but its impact is substantial enough to justify the cost. This is because an assessment can spot issues that have arisen recently, allowing management to adapt the system of controls to ensure that the overall risk level remains at a tolerable level. The report is also useful for increasing the general knowledge of the control environment of a business, and the risks that certain controls are designed to detect and/or mitigate.

Control Assessment Best Practices

There are a number of best practices that you can apply to control assessments. Here are some of the more useful ones:

Update at set intervals. You should conduct control assessments at set intervals. This involves highlighting changes in the business since the last assessment, and how these changes could impact the system of controls currently in place.
Conduct for individual business units. If the company has disparate divisions, it may make more sense to create a control assessment at the business unit level. This is especially important when there are substantial differences in processes at the local level.
Inform management. Whenever a control assessment is updated, the internal audit manager should review it with senior management and/or members of the audit committee, so that these people are aware of recent or upcoming control issues, as well as how these issues may be resolved.
Track remediation items. Once an assessment has been completed, you should assign responsibility for corrective actions, and set deadlines for when you expect these actions to be completed. In addition, monitor the progress of each responsible party, to ensure that the actions are actually completed.
Adjust audit procedures. The control assessment findings can be used within the internal audit department as the basis for changes to audit programs. This may include alterations to audit programs, the amount of resources to be used, and/or the areas requiring more or less attention.