Risk analysis and internal control evaluation: A combined view of asset safeguarding

Cited by: 0
Authors
Cho, S [1]
Ciechanowicz, Z [1]
Affiliation
[1] Univ London Royal Holloway & Bedford New Coll, Informat Secur Grp, Egham TW20 0EX, Surrey, England
Source
6TH WORLD MULTICONFERENCE ON SYSTEMICS, CYBERNETICS AND INFORMATICS, VOL VIII, PROCEEDINGS: CONCEPTS AND APPLICATIONS OF SYSTEMICS, CYBERNETICS AND INFORMATICS II | 2002
Keywords
risk analysis; risk management; internal control; security management;
DOI
Not available
Chinese Library Classification number
TP18 [Artificial intelligence theory];
Discipline classification code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Risk analysis and internal control evaluation are key security management activities for securing organisational assets. Risk analysis is used to identify areas that need safeguarding while internal control evaluation is used to check whether the current control system is effective with a reasonable degree of assurance. This paper compares the difference between these two approaches and suggests a way of combining the internal control evaluation approach within a risk analysis and management framework. Risk analysis usually focuses on unauthorised activities of unauthorised people and has not paid much attention to threats that could be committed by authorised users. As attention to financial fraud increases, these threats should be appropriately treated within the risk analysis and management process. By using the internal control evaluation approach, we can provide sounder assessment for these threats.
Pages: 46-51
Number of pages: 6