Skip to main content

Identifying and Analyzing Significant Changes: Principle 9

The organization identifies and evaluates changes that may significantly affect its internal control system. As economic, sectoral, and legal environments change, an organization’s leadership structure, scope, priorities, business model organization, business processes, and activities must adapt and evolve.

The following focal points highlight essential features of this principle:

Focus Points

Evaluate changes in the External Environment

The risk identification process evaluates the legal, economic, and physical changes in which the organization operates.

Change in the External Environment: A regulatory or economic environment change can lead to increased competitive pressures, changes in operating requirements, and significantly different risks. For example, dumping harmful substances in residential or environmentally sensitive areas may result in the imposition of new industry-wide transport restrictions, affecting the organization’s shipping logistics. Mistreating elderly patients in one nursing home may impose additional requirements on all nursing homes.

Change of the Physical Environment: Natural disasters that directly affect the organization itself, its supply chain, and other business partners can cause high risks that that organization must take into account in order to continue its business. For example, Such an organization may need to find alternative sources of raw materials or move its production elsewhere.

Evaluate changes in the Business Model

The organization evaluates the potential effects of new business lines, significant changes in the structure of existing business lines, newly acquired or divested businesses on the internal control system, rapid growth, dependence on foreign geographies, and new technologies.

Business Model Change: When an organization enters into new lines of business, changes how it provides services by engaging new external service providers, or significantly changes the structure of existing lines of business, previous internal controls may no longer be appropriate. For example, Some financial services organizations may be turning to new products and horizontal mergers to focus on responding to the risks associated with their products.

Significant Acquisitions and Divestitures: When an organization acquires a new business, it may need to review and standardize internal controls. Similarly, when an activity is disposed of, the acceptable level of deviation may change within the activities, and the materiality level of the business may decrease. In addition, specific entity-level controls over divested business operations may no longer exist.

Activities in Foreign Countries: Expanding operations in foreign countries or acquiring businesses in foreign countries creates new and often unique risks. For example, local culture and traditions will likely influence The control environment in a new environment. Business risks may arise from the local economic and regulatory environment and factors specific to communication channels.

Rapid Growth: When operations grow significantly and rapidly, existing structures, business processes, information systems, or resources can bring internal controls to the point of collapse. For example, Adding new production shifts or increasing the number of back office staff to meet demands may cause those responsible for supervising these jobs to be unable to adapt to the increase in activity level and maintain the necessary control.

New Technologies: When a new technology is introduced into production, service delivery processes, or information support systems, internal controls will likely need to be changed. For example, Providing sales opportunities via mobile devices may require changes in controls over shipping processes and access controls specific to this technology.

Evaluate Changes in Leadership

Organization: It evaluates changes in management and, accordingly, changes in behavior and philosophy regarding the internal control system.

A member of senior management who is new to an organization may not understand the organization’s culture and create a different philosophy or may focus solely on performance to exclude control-related actions.

For example, A newly hired chief executive who is focused on increasing revenue may send the message that having adequate internal controls in the first place is no longer as important. High staff turnover can also lead to failures without adequate training and supervision. For example, if a company attempts to reduce costs by reducing its headcount by 25%, it could shake up its entire internal control structure.


  • Dr. Davut Pehlivanlı, Current Internal Audit Practices, Beta 2010
  • Prof. Dr. Nejat Bozkurt, Accounting Audit, Alfa 1998
  • Prof.Dr.Nejat Bozkurt, TÜRMOB Independent Audit Training Lecture Notes, 2012
  • Dr.Özgür Çatıkkaş, KGK, Marmara University. Corporate Governance Lecture Notes, 2013
  • İSMMMO-Practical Information for Internal Audit in SMEs, 2013
  • Turkish Internal Audit Institute,
  • Alp Buluch, Article, Internal Control, Hurses, 19 March 2013
  • Turkish Commercial Code No. 6102
  • International Internal Auditing Standards,
  • Treadway Commission Supporting Institutions Committee, Internal Control-Integrated Framework, 2013
  • Public Financial Management and Control Law
  • Public Internal Control Standards
  • Public Internal Control Guide

Bu gönderi şu adreste de mevcuttur: Türkçe