 are highest and put in policies and principles in order to mitigate them. Principle number four, business entities and assesses changes that could significantly impact the system of internal controls. So we're gonna identify and assess any changes. Anytime we have a significant change we should have in our mind, what is the internal control? What are gonna be the risks related to any significant changes? And we should basically map out what are gonna be the risks related to the significant change, make adjustments as necessary based on those changes and those adjusted risks. Next, we'll take a look at the principles related to control activities. Principle number one, principle selects and develops control activities that contribute to the mitigation of risks to achievement of objectives to acceptable levels. So now we're on basically the ground floor. We're talking about the control activities, the actual implementation and development and implementation of those control activities that are gonna be put in place in order to contribute to the mitigation, the lessening of the risks to the achievement of objectives to acceptable levels. We're gonna be thinking about things then, including performance reviews as our control activities, physical controls as our control activities, the segregation of duties. This probably being the one that you wanna think about first. When you think about internal controls in general, one of the first thing that probably comes into mind should be the segregation of duties. You probably think of things like performance review or people when they first think about internal controls are probably thinking about some type of performance reviews. When considering audit and setting up the audit procedures and someone asks you about internal controls, the first thing that should come in your mind is really the separation of duties as one of the major functions and factions or areas of internal controls. Then we have the information processing controls. Principle number two, business selects and develops general control activities over technology to support the achievement of objectives. So once we have these set up, once we have the control activities, we will set them up and we're probably going to need technology in order to do this. We're gonna have some type of database program as part of our internal controls oftentimes. That's gonna allow us to do things like the separation of duties, like having the performance reviews through the interaction and the setting up of that database. And of course we need IT professionals to help us with that part of it. So we set up the internal controls, work with IT then to help us to implement those by restricting or manipulating the database to get certain restrictions and assignments to different individuals. Principle number three, business sets up control activities through policies that establish what is expected and procedures that put policies into play. So obviously once we implement this information, we're gonna actually put into play the policies and the procedures as we set this thing up. So we're imagining of course, we set up the controls, now we're in the part of the control system where we have to actually implement and put those controls into place which involves setting up the policies and procedures and implementing those policies and procedures. Next we have information and communication principle. Principle number one, business obtains, makes and uses relevant quality information to support the functioning of internal controls. This could include identify and record valid transactions, classify transactions correctly, measure the value of transactions correctly, record transactions in the correct period, correctly present transaction and disclosures. Principle number two, business communicates information internally. Communication includes objectives and responsibilities for internal controls needed to support the functioning of the internal controls. Obviously when we set up the internal controls we then need to have the good communication in order for people to understand those internal controls in terms of what is expected of them as well as what the reason is to some degree because that'll give them some incentive to follow through and make sure that they are implementing the internal controls and possibly the feeling of well-being and self-worth as they go through the internal controls, some processes which can seem like they're gonna be something that's not contributing to the performance but actually is when you think about it out on the bigger picture level. So principle number three, business communications with external parties regarding issues affecting the functioning of internal controls. Next we're gonna take a look at monitoring activities, principles related to it. Principle number one, business selects, develops and performs ongoing and or separate evaluations to determine whether the components of internal controls are installed and functioning. So you'll of course, we're thinking about the internal controls here in terms of what are the risks? We come up with a plan for internal controls. We then implement that plan with the control activities. We communicate that information and then of course we monitor that information to see if the internal control processes are set up well, if they're implemented well, if they're doing what we would expect them to do. Principle number two, business evaluates and communicates internal control problems in a timely manner to parties responsible for taking corrective action. There's problems in the internal controls in terms of either the way the internal control is set up, not well designed or in the way it's being implemented, not being implemented or followed through with. Then we go to the appropriate level of management and discuss the implementation and or design at that point. Parties include senior management and the board of directors as appropriate. Obviously if it's to the point where we can discuss this with senior management and take care of it, then that would be it. If it's something that's gonna be a serious flaw in the internal controls and have substantial risk, then of course we would want to include the board of directors as well. Audit risk model. You'll recall that the audit risk model represents in a formula type format. Audit risk equals the inherent risk, the inherent risk within basically inherent in the organization or the type of business that we're in line with. The control risk, control risk, what we are talking about now and then we have the detection risk. This is the auditors basically whether the audit will pick up any problems within the auditing process. These two recall are kind of on the business side of things. What industry they're in, what's inherently risky about the business ventures that they are in, that's their decision to be in that business and take on those inherent risks. The control risk is what they are designing in their bureaucratic system as they set up their business model. That of course is the component that we're focusing on here when we consider the overall audit risk model.