Wednesday, February 11, 2026

Corporate Context and Governance: The Importance of Systemic Alignment in Generating Real Value

 


At the start of this year, I immersed myself in a deep review of the fundamental concepts of management and auditing. Reflecting on what separates resilient companies from those that merely "appear" organized, I find that many still confuse compliance manuals with effective management.

Many organizations boast robust Governance, Risk, and Compliance structures, yet when crises strike or the market faces disruption, these pillars collapse because they prove irrelevant in practice.

The reason behind this phenomenon is a deep-seated corporate myopia: the inability to view the context in a comprehensive and logically integrated way. The corporate context is not a static scenario; it is a living dynamic composed of culture, market shifts, and interconnected objectives. When management fails to visualize the organization in an aligned manner—connecting Mission-Strategy-Processes-Risks-Controls—it operates in a distracted and disaggregated fashion. Governance is treated as an aesthetic accessory, a "picture on the wall," rather than the central nervous system that should process every environmental stimulus to generate precise responses.

This disconnect begins at the foundation: the Mission. It is not a marketing exercise, but the organization's reason for existence and the compass that guides management. When strategy detaches from the mission, the company loses its authenticity and its social license to operate. For strategic objectives to become more than just wishes, an intelligent organizational architecture is required, where limited resources—people, finance, and technology—are not wasted on activities that do not feed the core purpose. This demands clear business cycles and operational processes where every task has logic, and every delivery generates real added value.

This is where many fail: by attempting to identify risk in isolation and without knowledge of the objectives of the object being evaluated. The reality is simple: risk is any event that impacts the company’s ability to achieve its objectives. If you have an objective, you inherently have risks. Therefore, risk management is not a support function, but a proactive tool that maps what might prevent the fulfillment of the mission. We do not treat risk in the abstract; instead, we address its factors and causes, measuring probability and impact to define whether the response should be to mitigate, transfer, or accept.

When the response involves mitigation, internal control takes the stage. It is only effective when it targets the risk factor with precision, ensuring that the residual risk remains aligned with the organization's appetite. Spending fortunes on complex systems that do not communicate with real risks only generates expensive and fragile bureaucracy.

For the modern internal audit professional and the control specialist, understanding this logical alignment—Mission-Strategy-Process-Risk-Control—is what allows for the delivery of real value. Without this systemic vision, any assessment will be superficial. With it, the professional moves beyond merely validating checklists and begins to evaluate the effectiveness and efficiency of the organization, diagnosing whether the gears are generating value or if the company is simply suffering from analysis paralysis.

Organizational success stems from the understanding that the corporation is a living gear. When the mission guides the strategy, the strategy shapes the processes, and the processes are protected by risk-aligned controls, a dynamic resilience is created that transforms compliance into a competitive advantage.

To conclude, reflect on this:

"Management that ignores corporate dynamics and alignment is the same management that remains ignorant of its risks and negligent of its controls. For such leadership, success is not a strategy; it is merely a matter of luck."

Be happy!

 

Friday, January 9, 2026

Back to Basics: Why AI Won't Save an Audit Without a Solid Foundation



Happy 2026 Everyone!

As we kick off 2026, the buzz in the hallways of every organization is the same: Artificial Intelligence. We are talking about predictive analytics, automated reporting, and real-time monitoring. But as auditors, we need to have a moment of intellectual honesty.

There is no point in talking about Artificial Intelligence if we are still failing at the basics.

Disruptive innovation has indeed changed the way we work, but the pillars of a high-impact internal audit remain unchanged. Whether you are in the public or private sector, the value we provide isn’t just in the tools we use, but in the rigor of our methodology.

The "Shiny Object" Trap

It is easy to get distracted by the latest software, but a sophisticated algorithm applied to a flawed audit plan will only produce "high-tech" errors. High-impact auditing is born long before the first line of code is written; it is born from:

  • Respect for Standards: Adhering to professional norms is what gives our work legal and institutional weight.

  • Rigorous Planning: Understanding the object of evaluation, defining clear scopes, and setting realistic timelines.

  • Quality of Evidence: Collecting evidence that is not just abundant, but sufficient, reliable, relevant, and useful.

Returning to the Foundations

For a truly effective audit, it is essential to "work the basics." This means mastering the core cycle of our profession:

  1. Planning with Purpose: Truly knowing the entity and its risks before defining objectives.

  2. Execution with Precision: Applying the right techniques—be it physical inspection, circularization, or analytical review—and documenting them in flawless working papers.

  3. Communication with Impact: Reporting not just "what happened," but providing a professional opinion that helps management improve through actionable recommendations and consistent follow-up.

Looking Ahead to 2026

My invitation to you this year is to review your foundations. Masterfully executing the basics is, ironically, the greatest competitive advantage an auditor can have in a world obsessed with automation.

AI can process data, but it cannot replace the professional judgment of an auditor who knows how to apply a materiality lens or evaluate the "design and discipline" of an internal control system.

Let’s embrace the future, but let’s keep our feet firmly planted on the bedrock of our profession.


Be happy! 

Thursday, June 5, 2025

How to Turn Process Mapping into an Effective Evaluation Tool

 


One of the fundamental activities carried out by internal control specialists and internal auditors is the mapping of operational processes that will be evaluated.

First of all, it is important to understand that an operational process is a set of tasks logically organized with the aim of delivering products or services that add value. It allows management to better allocate resources, actions, and decisions to achieve strategic goals and objectives. Thus, it becomes clear that a process only makes sense if it is connected to the company's strategy.

Another important point is that each process must have a responsible manager who handles the management functions: planning, organizing, directing, executing, and monitoring. This manager is also responsible for risk management and the internal control system of the process.

Process mapping is an essential practice both when modeling new processes and when assessing existing ones, to verify if they are efficient, effective, and economical. Additionally, mapping is indispensable for analyzing whether the internal control system is sufficient to keep risks at acceptable levels, aligned with the organization's risk appetite.

In a performance or operational audit, mapping is part of the planning phase.

Nowadays, it is very common to use the BPM methodology to design processes, but it does not clearly distinguish between a task and an internal control. As a result, the outcome often looks more like a block diagram than a flowchart that is useful for a more precise evaluation.

This article aims to propose a reflection: how can we improve this mapping, making it simpler and, at the same time, more effective for evaluating both the process and the internal control system?

The first point concerns the way the process is mapped. It works better when conducted through planned interviews with those who perform the tasks on a daily basis. In these interviews, the specialist or auditor needs to have the skills to clearly identify what is a task and what is a control.

Put simply:

  • An internal control is an action aimed at reducing the probability of a risk materializing. For example: reviewing, checking, recalculating, approving, authorizing, among others.
  • A control is a decision point: if everything is correct, the process continues; if not, it returns for correction. In the flowchart, the control should be represented by a diamond shape (also known as a gateway).

On the other hand:

  • A task is an execution action, such as recording, demonstrating, archiving, or relating information. In the flowchart, it is represented by a rectangle.

With this, notice how we can simplify: it is enough to use three symbols to create the flowchart:

  • A circle to mark the beginning and end of the process,
  • A rectangle for the tasks,
  • And a diamond for the controls.

This model makes the flowchart clearer, more objective, and easier to use in the evaluation.

I personally like to use the "swimlane" format in the flowchart, where horizontal bands indicate the roles or functions involved in the process. This helps to better visualize whether there is a good segregation of responsibilities, which is essential to avoid failures.

Keep in mind: the flowchart must always represent the process as it is currently carried out, not as we would like it to be. Therefore, after mapping, it is essential to validate it through a "walkthrough", that is, walking through the process together with the person responsible, to confirm that what is described is accurate.

In the end, we will have a clear view of:

  • All the tasks of the process,
  • All the existing internal controls.

These elements are the basis for assessing:

  • Whether the process is efficient and effective,
  • Whether the internal control system is sufficient and effective.

All internal controls identified must be recorded in the internal control matrix, where they will be organized to facilitate analysis.

I am often asked: “Is it necessary to identify risks in the flowchart?” My answer: it is not mandatory, but there is also no problem in doing so. If you wish, you can include this information, linking it to the process risk matrix.

I hope this article has helped you reflect on the topic and, perhaps, improve your process of mapping operational processes.

I wish you great success, and Be Happy!

Wednesday, May 28, 2025

Managing the Internal Audit Function: What You Need to Know About Domain IV of the New Global Internal Audit Standards

 


Since January 9, 2025, the Global Internal Audit Standards (GIAS) have officially replaced the 2017 IPPF. 

This transition marks an important evolution in the way internal audit is practiced worldwide: not a revolution, but an elevation of the profession.

These standards provide an essential technical and ethical framework for internal auditors, ensuring consistency, quality, and credibility in their work. Among the most critical updates is Domain IV: Managing the Internal Audit Function.

While some elements of Domain IV were present in previous frameworks, it now brings a sharper focus on strategic management, resource optimization, effective communication, and continuous quality improvement.

Domain IV clarifies the role of the Chief Audit Executive (CAE) in ensuring that the internal audit function is:

  • Aligned with the organization's strategy
  • Efficient in resource management
  • Transparent and effective in communicating with stakeholders
  • Committed to continuous improvement

Perhaps the most significant new element is Principle 9, emphasizing that internal audit must have a strategic plan as its primary driver.

Internal audit is no longer just about executing an annual or multi-year audit plan. The CAE must approach audit planning strategically, ensuring that internal audits support the organization's long-term success.

This requires:

  • A deep understanding of the audit mandate
  • Full awareness of the organization's operational and financial dynamics
  • Knowledge of governance, risk management, and internal controls

In other words, the CAE must understand how the organization operates, makes decisions, and sets its long- and medium-term strategic goals.

How can audit leaders implement this effectively? Here's a simple roadmap:

  1. Start with the Organization’s Strategy
    Your internal audit strategy must support the organization’s strategic objectives.
  2. Engage Key Stakeholders
    Align your strategy with the expectations of the Board, senior management, and other key stakeholders.
  3. Define the Vision
    While your mission is set by Domain I of the GIAS, your vision articulates the desired future state of internal audit. For example:

“To be a catalyst for change and innovation, driving operational and financial efficiency.”

  4. Set Strategic Objectives
    Define specific goals linked to your vision.
    For instance:
    • Ensure auditors have the necessary competencies to address emerging risks
    • Secure resources for predictive analytics and innovation-related audits
  5. Conduct a SWOT Analysis
    Identify your function’s strengths, weaknesses, opportunities, and threats to develop a practical roadmap for achieving your objectives.
  6. Monitor and Adjust
    Continuously monitor action plans and progress toward strategic objectives, adjusting as needed to remain relevant and effective.

Why does this matter more than ever?

Strategic planning is no longer optional; it’s essential for internal audit to:

  • Allocate resources efficiently
  • Ensure audit work adds tangible value
  • Anticipate and respond to organizational changes
  • Strengthen governance and risk management processes

It transforms internal audit from a compliance-focused activity into a strategic partner within the organization.

Final thoughts for audit leaders:

From my point of view, Domain IV is a cornerstone of the new standards, reinforcing the need for internal audit to operate strategically and systematically.

As internal auditors and leaders, embracing this approach will elevate your function’s relevance, impact, and value within the organization.

Let’s make internal audit a true driver of strategic success!

What steps are you taking to align your internal audit function with these new standards? Share your thoughts and experiences in the comments!

I’d like to close with this reflection:

“Always strive for simplicity — it is a competitive advantage. But remember: being simple does not mean being superficial.”

Be Happy!

This article was written with the help of human intelligence