COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
The following points of focus highlight important characteristics relating to this principle:
- Assesses Changes in the External Environment—The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
- Assesses Changes in the Business Model—The organization considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.
- Assesses Changes in Leadership—The organization considers changes in management and respective attitudes and philosophies on the system of internal control.
As economic, industry, and regulatory environments change, the scope and nature of an entity's leadership, priorities, business model, organization, business processes, and activities need to adapt and evolve. Internal control effective within one set of conditions may not necessarily be effective when those conditions change significantly. As part of risk assessment, management identifies changes that could significantly impact the entity's system of internal control and takes action as necessary. Thus, every entity will require a process to identify and assess those internal and external factors that can significantly affect its ability to achieve its objectives.
This process will parallel, or be a part of, the entity's regular risk assessment process. It involves identifying the changes to any significant assumption or condition. It requires having controls in place to identify and communicate changes that can affect the entity's objectives—and assess the associated risks. Such analysis includes identifying potential causes of achieving or failing to achieve an objective, assessing the likelihood that such causes will occur, evaluating the probable effect on achievement of the objectives, and considering the degree to which the risk can be managed.
Although the process by which an entity manages change is similar to, if not a part of, its regular risk assessment process, it is discussed separately. This is because it is important to effective internal control and because it can too easily be overlooked or given insufficient attention in the course of dealing with everyday issues.
Management develops approaches to identify significant changes in any material assumption or condition that have taken place or will shortly occur. To the extent practicable, these mechanisms are forward looking, so an entity can anticipate and plan for significant changes. Early warning systems should be in place to identify information signaling new risks that can have a significant impact on the entity. Management also develops and implements controls relating to the conduct of such approaches.
This focus on change is founded on the premise that, because of their potential impact, certain conditions should be the subject of special consideration. The extent to which such conditions require management's attention, of course, depends on the effect they may have in particular circumstances.
- Changing External Environment—A changing regulatory or economic environment can result in increased competitive pressures, changes in operating requirements, and significantly different risks. Large-scale operations, reporting, and compliance failures by one entity may result in the rapid introduction of broad new regulations. For instance, the release of harmful materials near populated or environmentally sensitive areas may result in new industry-wide transportation restrictions that impact an entity's shipping logistics; the external information that is viewed as having poor transparency may result in enhanced regulatory reporting requirements for all publicly traded companies; and the poor treatment of elderly patients in a care facility may prompt additional care requirements for all care facilities. Each of these changes may require an organization to closely examine the design of its internal control system.
- Changing Physical Environment—Natural disasters directly impacting the entity, supply chain, and other business partners may result in elevated risks that an entity needs to consider to sustain its business. An organization, for example, may need to find alternative sources of raw material or move production.
- Changing Business Model—When an entity enters new business lines, alters the delivery of its services through new outsourced relationships, or dramatically alters the composition of existing business lines, previously effective internal controls may no longer be relevant. The composition of the risks initially assessed as the basis for establishing internal controls may have changed, or the potential impact of those risks may have increased so that prior internal controls are no longer sufficient. Some financial services organizations, for example, may have expanded into new products and concentrations without focusing on how to respond to changes in the associated risks of their products.
- Significant Acquisitions and Divestitures—When an entity decides to acquire business operations, it may need to review and standardize internal controls across the expanded entity. Controls in place in the pre-acquisition operations may not be well developed, suitable for the newly combined entity, or scalable to operation in the new business. Similarly, when an operation is disposed of, the level of acceptable variation may change in operations, and materiality may decrease. In addition, certain entity-level controls at the disposed business operation may no longer be present. Both the acquisition and divestiture of a business may require the organization to review and possibly revise its internal controls to support the achievement of objectives as appropriate to the restructured entity.
- Foreign Operations—The expansion or acquisition of foreign operations carries new and often unique risks. Developing business in new geographies or outsourcing operations to foreign locations may help the business to grow and/or reduce costs, but it may also present new challenges and alter the type and extent of the risks. Operating in unfamiliar markets poses risk because there are different customs and practices. For instance, the control environment in a new environment is likely to be influenced by the local culture and customs. Business risks may result from factors unique to the local economy and regulatory environment and channels of communication.
- Rapid Growth—When operations expand significantly and quickly, existing structures, business processes, information systems, or resources may be strained to the point where internal controls break down. For instance, adding manufacturing shifts to meet demand or increasing back-office personnel may result in those responsible for supervision being unable to adapt to the higher activity levels and maintain adequate control.
- New Technology—When new technology is incorporated into production, service delivery processes, or supporting information systems, internal controls will likely need to be modified. For instance, introducing sales capabilities through mobile devices may require access controls specific to that technology as well as changes in controls over shipping processes.
- Significant Personnel Changes—A member of senior management new to an entity may not understand the entity's culture and reflect a different philosophy or may focus solely on performance to the exclusion of control-related activities. For instance, a newly hired chief executive officer focusing on revenue growth may send a message that a prior focus on effective internal control is now less important. Further, high turnover of personnel, in the absence of effective training and supervision, can result in breakdowns. For instance, a company that reduces its staffing levels by 25% in an attempt to reduce costs may erode the overall internal control structure.
Generated November 9, 2014 22:46:48