Scandals in corporate finance in the early 2000s and subsequent policy changes led corporate executives to adopt a more risk-based approach to corporate governance. As a result, the identification and assessment of risks became extremely important. Risk assessment poses a particular challenge for auditors because of the highly complex structure and processes of internal control systems. Extant research in this area has mostly focused on probabilistic models and expert systems that capture and model heuristic knowledge. However, evidence suggests that knowledge of the structure of the internal control system is also essential. Relatively little research focuses on modeling the structural aspects of financial processes and their internal control systems as a means of helping corporate executives and auditors perform their respective tasks of risk management and assessment. This article proposes an approach to risk management and assessment in internal control systems that models the structure and financial processes of an internal control system. The model uses a directed graph to represent the various elements in an internal control system, such as financial statement assertions, control activities, financial processes, and the causal relationships that exist among these elements. The article demonstrates the usefulness of the model by presenting and discussing algorithms based on this model to help corporate executives manage risk and to help internal and external auditors assess risk, for designing substantive testing and for tracing sources of errors.





