The system of internal control in the organization, as a rule, includes such elements as a controlled environment, risk assessment process, information and communication system, control actions, and monitoring of actions. The control environment includes the official position, awareness, and actions of the owner and management representatives regarding the internal control system.
It also incorporates the understanding of the meaning of such a system. The control environment influences the control consciousness of employees. It is the basis for an effective system of internal control that maintains discipline and order. The fact that Michael Koss, the head of the company, had little or no education or experience in accounting or finance suggests that the firm lacked such an internal management element as a controlled environment.
The process of risk assessment is the identification and, if possible, elimination of risks in the conduct of business activities and their possible consequences. It should be taken into account that risks can be associated with both external and internal events and circumstances. Usually, the company should have an internal audit for such purposes, but it was absent. As follows from the case study, control actions were also poorly applied because unauthorized persons had access to confidential information.
The small size of the company was the reason why a section of the Sarbanes-Oxley Act, which required external auditors to evaluate the firm’s financial statements, did not apply to it. This indicates gaps in the information system related to the use of technology for internal administration systems. Overall, it can be said that all elements of the company’s internal controls functioned poorly. However, the most serious gaps were observed in the control environment, risk assessment, and information system.