As stated earlier in the section about Controls and the testing of controls, the system allows the Internal Auditors to maintain a record of their own views about how well controls are deployed; clearly, if this view differs from the view under Self-Assessment, then individual risks will have different "Actual" control environments. This report is designed to show the control environment for each risk as viewed by Self-Assessment and Internal Audit:
Where a risk appears to have a better control environment according to the Internal Auditors it may well be that they have not yet tested the controls mitigating that risk.