Internal Controls

The Internal Control module is one of the “Solutions” in eramba and therefore its main associations are with "problems" modules shown in green in the diagram below.

• Risk Management: typically mitigating Risks is done by the use of Internal Controls.
• Compliance Analysis: when a compliance requirement requires an activity, one or more Controls will be used.
• Data Flows: as data flows through your organisation, multiple controls will be put in place to assure its confidentiality, integrity, and availability (CIA).

There is no point in creating internal controls unless they are linked at least to one of the items above. The analogy is simple, there is no point in creating solutions for problems that do not exist.

Internal Controls have two additional associations, these are optional:

• Policies: internal controls are activities and they need governance in the form of a Process, Standard, Policy, Etc
• Projects: often times Internal Controls don't work well, Projects can be linked to the Internal Controls or their Audits in order to demonstrate that something is being done in order to fix them.

Internal Controls have three sub-modules:

• Audits: every control can optionally have one or more audit records, these records are used to test the control and store the evidence of the audit process.
• Maintenances: every control can optionally have one or more maintenance records, they are used to keep the control operating (as opposed to audits that check if the control works or not)
• Issues: are used when we know for a fact the control is not working and there is no point in testing it.