Internal Control Assessment is the heart of fraud deterrence. This assessment focuses on the identification of specific control objectives, and understanding the control procedures implemented to accomplish those objectives. Additionally, an assessment is made of the degree to which the controls are actually performed within the organization.

Controls design and execution are equally important to for fraud deterrence. Often, an organization is unable to keep their internal controls current with their processing systems. In these cases, systems are changed, replaced, or automated, without corresponding control definitions. Many times, management assumes the operation has been provided clear instruction for operation of the control environment, when in fact, they have not. Employees will informally understand or sometimes informally document the processing instructions, but these instructions are not designed or evaluated in a coordinated way. This can create risk to the organization.

In other cases, an organization will have a well defined set of control procedures, however, those procedures are not universally enforced. In these cases, control objectives and procedures are clear and documented, however, the organization has developed informal “workarounds” to accomplish conflicting or competing objectives. Often, these objectives include noble causes such as customer service, financial reporting deadlines, and ad-hoc management requests. These same workarounds, if not properly controlled could lead to financial misstatement and fraud.

The 2002 Report to the Nation on Occupational Fraud and Abuse reported:

> 46.2% of frauds included in the study occurred because the victim lacked sufficient controls to prevent the fraud

> An additional 39.9% of frauds included in the study occurred because the victim had sufficient controls, but they were ignored by employees and management

The objective of the Internal Control Assessment is to provide management with a view of the design of the internal control structure, as well as the implementation of that structure. This assessment is the starting point for the creation of a control improvement plan, to identify specific actionable steps necessary to deter fraud in the organization.