If the most serious internal control violation is a failure to implement internal controls in the first place, the failure to monitor existing internal controls is a close contender. Identify where in the organization effective monitoring occurs and leverage those successes.
This last week, COSO published an Exposure Draft of its ERM Framework Update, freshly entitled Enterprise Risk Management – Aligning Risk with Strategy and Objectives. The COSO update is a significant moment for all risk practitioners. So I strongly recommend that everybody take the time to review and give careful consideration to the draft.