Internal Control and Audit

A robust internal control structure strengthens the accuracy of financial data, the effectiveness of operational processes and your ability to manage enterprise risk. MerSar analyses your control environment and builds an audit and control structure sized to what your business actually needs.

What We Deliver

5.1

COSO Framework Integration

We assess the control environment, risk assessment, control activities, information and communication, and monitoring components against COSO principles. A control matrix and implementation roadmap are then built around your existing structure.

5.2

Risk-Based Internal Control System Design

Financial, operational, compliance and reporting risks are prioritised. For every critical process we design control points, clear ownership, approval workflows and follow-up reporting.

5.3

Process Audits and Compliance Reporting

Selected processes are audited across documentation, data, authorization and day-to-day practice. Each finding reaches management with its risk level, root cause, impact and a recommended action plan.

5.4

Internal Audit Unit Setup

We establish the internal audit mandate, the annual audit plan, reporting formats, a finding tracking system and the communication model with management. The result is an internal audit function that contributes to corporate development rather than merely policing it.

Scope: What We Deliver

Our internal control system engagements are built on the internationally recognised COSO framework. We begin by mapping the organisation's risk universe and evaluating the existing control structure; the control gaps we identify are then prioritised against the company's operational, financial and compliance risks. This assessment rests on how processes actually run on the ground. We never limit ourselves to reviewing procedure documents alone; we sit down with process owners one-to-one and observe the real workflow.

  • Risk-based internal control system design and documentation
  • Process-level audits and control testing
  • Compliance reporting and management briefings
  • Internal audit unit setup and annual audit planning
  • Concrete remediation plans for the weaknesses identified

Our goal is not to hand over a checklist. It is to build an internal control architecture that matches your real risk profile, works in practice and holds up over time.

Who It Is For

This service is designed above all for holding structures managing multiple affiliates or subsidiaries, and for companies with international shareholders. Businesses whose growth has outpaced their process discipline, whose decision-making still depends on individuals, and for whom the reliability of financial reporting has become a boardroom issue, benefit directly from a properly built internal control system.

  • Family businesses moving toward a corporate structure
  • Companies with reporting obligations to investors or lenders
  • Holding structures with multiple affiliates
  • Organisations whose audit committee or board is asking for assurance

The internal control system we build is tailored to your scale, sector and organisational structure. It is never applied as an off-the-shelf template; it is designed around the risk profile of each individual organisation.

How We Work

We run internal control and audit engagements through the same four-step method MerSar applies across every service. It keeps the work both comprehensive and easy to track.

  • Analysis: On-site review of current processes and control points, mapping of the risk universe and identification of control gaps
  • Strategy: Defining the risk-based control matrix, priorities and allocation of responsibilities on the COSO framework
  • Implementation: Embedding control procedures, approval workflows and documentation into the organisation, with the relevant teams brought into the process
  • Follow-up: Periodic testing, reporting and, where needed, revision of control effectiveness against measurable KPIs

An internal control system is not an isolated project. It is established as a permanent part of the company's wider governance structure and, over time, becomes part of the corporate culture.

Frequently Asked Questions

How long does it take to set up an internal control system?

The timeline depends on your scale, the number of affiliates and the maturity of your existing processes. The analysis phase typically runs a few weeks, while rolling out the control matrix, completing the documentation and getting the relevant teams up to speed extends over a longer schedule. The exact duration and work plan become clear after the first analysis meeting.

What is the COSO framework, and why do you use this model?

COSO is the globally accepted reference framework for building internal control systems, made up of five components: control environment, risk assessment, control activities, information and communication, and monitoring. We use it because it offers a structure that is aligned with international companies, auditors and investors, and that has been tested over many years.

Do you also set up the internal audit unit?

Yes. We work with you to define the internal audit mandate, the annual audit plan, reporting formats, the finding tracking system and the communication model with management. This turns internal audit into a function that contributes to corporate development, rather than one that simply checks for compliance.

We already have an internal control system. Can we commission the audit only?

Yes. We can assess your existing control structure against the COSO framework and report on weaknesses, control gaps and areas for improvement. This amounts to an independent compliance audit that lets you measure how effective your current system is, without needing to build one from scratch.