Tuesday, March 10, 2026

The Illusion of Security: Why Your Internal Control Might Be a House of Cards


Once, during a consulting project, a manager told me something that sounded reassuring: "We have control for outgoing goods; it's done every single day." However, as I dove into the process, I discovered the harsh reality behind those words. That "control" was merely an employee jotting down what left the warehouse in a notebook: no verification, no signature, and no oversight. In the manager's mind, the risk was covered; in practice, he had a hollow procedure, not an effective control.

Many people confuse control with bureaucracy, and I often hear that "bureaucracy kills business." But that isn't true. 

Bureaucracy, in its essence, is not a bad thing. If we look at Max Weber’s theory, we understand that it was conceived as a form of human organization based on rationality, ensuring impersonality, a clear hierarchy, and meritocracy. It ensures that the process depends on the rule, rather than the mood of whoever is executing it. 

I always say that bureaucracy is simply the formalization of what is already working.

The real problem isn't bureaucracy itself, but "bureaucratic excess": the point at which the ritual becomes more important than the result.

An internal control system based on best practices, right-sized to keep risk factors within acceptable levels, is essential for operational efficiency. It creates order and prevents the "rigidity" that often blinds an operation.

We know that internal control is an action designed to mitigate the cause of a risk before it materializes. It manifests in the "doing": in the review, the verification, the recalculation, and the careful approval. If there is no confrontation between "what should be" and "what is," the risk continues to walk freely through your company’s hallways.

For a control action to be more than just figurative, it requires four non-negotiable attributes:

  • First, the Objective, which is the very reason for its existence and must target the risk factor. For example, if the risk is the use of incorrect labor hours, the objective is to ensure that the hours in the payroll system are consistent with the time-tracking system.

  • Second, Practical Action, such as a data verification. It is vital to formalize how this action is performed so that a "prudent person" could re-perform it.

  • Third, the Evidence, because a control without a trail is invisible. It could be a sign-off, a system log, or an email. To an auditor or an internal controls specialist, a lack of evidence implies the control does not exist.

  • Finally, the Frequency, which must match the speed of the risk, whether it be daily, monthly, or per event.


When we talk about Control Modeling, the starting point is knowing the risk factor and the magnitude of what we are mitigating, allowing us to define the necessary attributes to keep the operation within the organization's risk appetite. 

These same attributes allow us to evaluate Design Efficiency, concluding whether the control has the theoretical capacity to mitigate the risk.

Once we move to Effectiveness Evaluation—the actual control testing—the focus shifts to two crucial points: discipline, observing if the evidence exists within the defined frequency; and quality, re-performing the action to ensure it wasn't just a formality.

This is why these attributes must be formalized, at the very least, in an Internal Control Matrix.
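The following is an added example, not the author's own matrix or tooling: it models the four attributes as rows of a small Internal Control Matrix and then runs the three checks the text describes (design efficiency on the attributes, discipline on evidence per period, quality on re-performance). The controls, evidence records and review period are constructed for illustration; the three controls mirror the payroll example, the warehouse notebook and the "signed without reading" case from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example: a minimal Internal Control Matrix plus the evidence
# records an auditor would collect when testing the controls in it.
# This is added illustration, not the author's own matrix or tooling.

ATTRIBUTES = ("objective", "action", "evidence", "frequency")


@dataclass
class Control:
    control_id: str
    objective: str   # the risk factor the control must target
    action: str      # the practical action, formalized so a prudent person can re-perform it
    evidence: str    # the trail: sign-off, system log, e-mail, ...
    frequency: str   # "daily", "monthly" or "per_event"


@dataclass
class EvidenceRecord:
    control_id: str
    performed_on: date
    performer: str
    reperformance_matches: bool  # did the tester's re-performance agree with the evidence?


def design_gaps(control: Control) -> list[str]:
    """Design efficiency: every attribute must be present, or the control
    has no theoretical capacity to mitigate the risk."""
    return [name for name in ATTRIBUTES if not getattr(control, name).strip()]


def period_key(frequency: str, day: date) -> str:
    return day.isoformat() if frequency == "daily" else day.strftime("%Y-%m")


def expected_periods(frequency: str, start: date, end: date) -> list[str]:
    """Calendar periods in which evidence must exist. Per-event controls are
    judged against the event log, not the calendar, so they yield no periods."""
    if frequency == "daily":
        days = (end - start).days + 1
        return [(start + timedelta(days=i)).isoformat() for i in range(days)]
    if frequency == "monthly":
        periods, year, month = [], start.year, start.month
        while (year, month) <= (end.year, end.month):
            periods.append(f"{year:04d}-{month:02d}")
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        return periods
    return []


def discipline_gaps(control, records, start, end):
    """Discipline: does evidence exist in every period of the defined frequency?"""
    covered = {period_key(control.frequency, r.performed_on)
               for r in records if r.control_id == control.control_id}
    return [p for p in expected_periods(control.frequency, start, end) if p not in covered]


def quality_failures(control, records):
    """Quality: evidence whose re-performance did not agree is a sign-off without an action."""
    return [r for r in records
            if r.control_id == control.control_id and not r.reperformance_matches]


def evaluate(control, records, start, end) -> dict:
    missing = design_gaps(control)
    if missing:
        return {"verdict": "not designed", "missing_attributes": missing,
                "discipline_gaps": [], "quality_failures": 0}
    gaps = discipline_gaps(control, records, start, end)
    bad = quality_failures(control, records)
    if gaps:
        verdict = "ineffective: discipline"
    elif bad:
        verdict = "ineffective: window dressing"
    else:
        verdict = "effective"
    return {"verdict": verdict, "missing_attributes": [],
            "discipline_gaps": gaps, "quality_failures": len(bad)}


def evaluate_all(controls, records, start, end):
    return {c.control_id: evaluate(c, records, start, end) for c in controls}


# Constructed matrix rows and evidence for a Q1 2026 review period.
CONTROLS = [
    Control("C-01", "Payroll hours agree with the time-tracking system",
            "Reconcile payroll hours to the time-tracking export", "Signed reconciliation worksheet", "monthly"),
    Control("C-02", "Goods leaving the warehouse are authorized and recorded",
            "", "", "daily"),  # the notebook: no formalized action, no evidence trail
    Control("C-03", "Credit approvals are reviewed before signature",
            "Review the credit file before signing the approval memo", "Director signature on memo", "monthly"),
]
RECORDS = [
    EvidenceRecord("C-01", date(2026, 1, 31), "payroll.analyst", True),
    EvidenceRecord("C-01", date(2026, 3, 31), "payroll.analyst", True),   # February is missing
    EvidenceRecord("C-03", date(2026, 1, 30), "director", False),         # signed, never read
    EvidenceRecord("C-03", date(2026, 2, 27), "director", False),
    EvidenceRecord("C-03", date(2026, 3, 31), "director", False),
]
REVIEW_START, REVIEW_END = date(2026, 1, 1), date(2026, 3, 31)


def run_example():
    return evaluate_all(CONTROLS, RECORDS, REVIEW_START, REVIEW_END)


if __name__ == "__main__":
    for control_id, result in run_example().items():
        print(control_id, result)
```

Design gaps are checked first because a control that lacks an attribute cannot be tested for effectiveness at all; discipline is checked before quality because a missing period is already a finding even when the evidence that does exist re-performs correctly. The `per_event` frequency deliberately yields no calendar periods, since its discipline can only be judged against the event log.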

It is also fundamental to understand that control is neither absolute nor infallible, as it is designed and executed by people. And where there are humans, there is vulnerability—whether through errors in judgment or, in grave cases, omission, fraud, and collusion. Therefore, the effectiveness of a control does not reside solely on paper, but in the discipline and ethical stance of its execution.

Recently, the market witnessed a testimony that serves as a stark warning. A former bank director admitted to signing documents without reading them. More than a momentary lapse, his confession revealed a void: despite heading the department, he did not perform monitoring or prevention duties.
Here we have the perfect "Window Dressing Control"—the evidence and frequency exist, but the execution of the action is null.

Unfortunately, this is not an isolated case; it is present in many corporations where management still mistakenly views control as mere bureaucracy.

To conclude, I leave you with a thought for reflection:

"The effectiveness of a control depends on action, evidence, and frequency, but it only stops being a house of cards when the integrity of the person executing it is greater than the convenience of simply signing."

Be happy!

Wednesday, February 11, 2026

Corporate Context and Governance: The Importance of Systemic Alignment in Generating Real Value



At the start of this year, I immersed myself in a deep review of the fundamental concepts of management and auditing. Reflecting on what separates resilient companies from those that merely "appear" organized, I noticed that many still confuse compliance manuals with effective management.

Many organizations boast robust Governance, Risk, and Compliance structures, yet when crises strike or the market faces disruption, these pillars collapse because they prove irrelevant in practice.

The reason behind this phenomenon is a deep-seated corporate myopia: the inability to view the context in a comprehensive and logically integrated way. The corporate context is not a static scenario; it is a living dynamic composed of culture, market shifts, and interconnected objectives. When management fails to visualize the organization in an aligned manner—connecting Mission-Strategy-Processes-Risks-Controls—it operates in a distracted and disaggregated fashion. Governance is treated as an aesthetic accessory, a "picture on the wall," rather than the central nervous system that should process every environmental stimulus to generate precise responses.

This disconnect begins at the foundation: the Mission. It is not a marketing exercise, but the company's reason for existence and the compass that guides management. When strategy detaches from the mission, the company loses its authenticity and its social license to operate. For strategic objectives to become more than just wishes, an intelligent organizational architecture is required, where limited resources—people, finance, and technology—are not wasted on activities that do not feed the core purpose. This demands clear business cycles and operational processes where every task has logic, and every delivery generates real added value.

This is where many fail: by attempting to identify risk in isolation and without knowledge of the objectives of the object being evaluated. The reality is simple: risk is any event that impacts the company’s ability to achieve its objectives. If you have an objective, you inherently have risks. Therefore, risk management is not a support function, but a proactive tool that maps what might prevent the fulfillment of the mission. We do not treat risk in the abstract; instead, we address its factors and causes, measuring probability and impact to define whether the response should be to mitigate, transfer, or accept.

When the response involves mitigation, internal control takes the stage. It is only effective when it targets the risk factor with precision, ensuring that the residual risk remains aligned with the organization's appetite. Spending fortunes on complex systems that do not communicate with real risks only generates expensive and fragile bureaucracy.

For the modern internal audit professional and the control specialist, understanding this logical alignment—Mission-Strategy-Process-Risk-Control—is what allows for the delivery of real value. Without this systemic vision, any assessment will be superficial. With it, the professional moves beyond merely validating checklists and begins to evaluate the effectiveness and efficiency of the organization, diagnosing whether the gears are generating value or if the company is simply suffering from analysis paralysis.

Organizational success stems from the understanding that the corporation is a living gear. When the mission guides the strategy, the strategy shapes the processes, and the processes are protected by risk-aligned controls, a dynamic resilience is created that transforms compliance into a competitive advantage.

To conclude, reflect on this:

"Management that ignores corporate dynamics and alignment is the same management that remains ignorant of its risks and negligent of its controls. For such leadership, success is not a strategy; it is merely a matter of luck."

Be happy!


Friday, January 9, 2026

Back to Basics: Why AI Won't Save an Audit Without a Solid Foundation



Happy 2026 Everyone!

As we kick off 2026, the buzz in the hallways of every organization is the same: Artificial Intelligence. We are talking about predictive analytics, automated reporting, and real-time monitoring. But as auditors, we need to have a moment of intellectual honesty.

There is no point in talking about Artificial Intelligence if we are still failing at the basics.

Disruptive innovation has indeed changed the way we work, but the pillars of a high-impact internal audit remain unchanged. Whether you are in the public or private sector, the value we provide isn’t just in the tools we use, but in the rigor of our methodology.

The "Shiny Object" Trap

It is easy to get distracted by the latest software, but a sophisticated algorithm applied to a flawed audit plan will only produce "high-tech" errors. High-impact auditing is born long before the first line of code is written; it is born from:

  • Respect for Standards: Adhering to professional norms is what gives our work legal and institutional weight.

  • Rigorous Planning: Understanding the object of evaluation, defining clear scopes, and setting realistic timelines.

  • Quality of Evidence: Collecting evidence that is not just abundant, but sufficient, reliable, relevant, and useful.

Returning to the Foundations

For a truly effective audit, it is essential to "work the basics." This means mastering the core cycle of our profession:

  1. Planning with Purpose: Truly knowing the entity and its risks before defining objectives.

  2. Execution with Precision: Applying the right techniques—be it physical inspection, circularization, or analytical review—and documenting them in flawless working papers.

  3. Communication with Impact: Reporting not just "what happened," but providing a professional opinion that helps management improve through actionable recommendations and consistent follow-up.

Looking Ahead to 2026

My invitation to you this year is to review your foundations. Masterfully executing the basics is, ironically, the greatest competitive advantage an auditor can have in a world obsessed with automation.

AI can process data, but it cannot replace the professional judgment of an auditor who knows how to apply a materiality lens or evaluate the "design and discipline" of an internal control system.

Let’s embrace the future, but let’s keep our feet firmly planted on the bedrock of our profession.


Be happy! 

Thursday, June 5, 2025

How to Turn Process Mapping into an Effective Evaluation Tool



One of the fundamental activities carried out by internal control specialists and internal auditors is the mapping of operational processes that will be evaluated.

First of all, it is important to understand that an operational process is a set of tasks logically organized with the aim of delivering products or services that add value. It allows management to better allocate resources, actions, and decisions to achieve strategic goals and objectives. Thus, it becomes clear that a process only makes sense if it is connected to the company's strategy.

Another important point is that each process must have a responsible manager who handles the management functions: planning, organizing, directing, executing, and monitoring. This manager is also responsible for risk management and the internal control system of the process.

Process mapping is an essential practice both when modeling new processes and when assessing existing ones, to verify if they are efficient, effective, and economical. Additionally, mapping is indispensable for analyzing whether the internal control system is sufficient to keep risks at acceptable levels, aligned with the organization's risk appetite.

In a performance or operational audit, mapping is part of the planning phase.

Nowadays, it is very common to use the BPM methodology to design processes, but it does not clearly distinguish between a task and an internal control. As a result, the outcome often looks more like a block diagram than a flowchart that is useful for a more precise evaluation.

This article aims to propose a reflection: how can we improve this mapping, making it simpler and, at the same time, more effective for evaluating both the process and the internal control system?

The first point concerns the way the process is mapped. It works better when conducted through planned interviews with those who perform the tasks on a daily basis. In these interviews, the specialist or auditor needs to have the skills to clearly identify what a task is and what is a control.

Put simply:

  • An internal control is an action aimed at reducing the probability of a risk materializing. For example: reviewing, checking, recalculating, approving, authorizing, among others.
  • A control is a decision point: if everything is correct, the process continues; if not, it returns for correction. In the flowchart, the control should be represented by a diamond shape (also known as a gateway).

On the other hand:

  • A task is an execution action, such as recording, demonstrating, archiving, or relating information. In the flowchart, it is represented by a rectangle.

With this, notice how we can simplify: it is enough to use three symbols to create the flowchart:

  • A circle to mark the beginning and end of the process,
  • A rectangle for the tasks,
  • And a diamond for the controls.

This model makes the flowchart clearer, more objective, and easier to use in the evaluation.

I personally like to use the "swimlane" format in the flowchart, where horizontal bands indicate the roles or functions involved in the process. This helps to better visualize whether there is a good segregation of responsibilities, which is essential to avoid failures.

Keep in mind: the flowchart must always represent the process as it is currently carried out, not as we would like it to be. Therefore, after mapping, it is essential to validate it through a "walkthrough", that is, walking through the process together with the person responsible, to confirm that what is described is accurate.

In the end, we will have a clear view of:

  • All the tasks of the process,
  • All the existing internal controls.

These elements are the basis for assessing:

  • Whether the process is efficient and effective,
  • Whether the internal control system is sufficient and effective.

All internal controls identified must be recorded in the internal control matrix, where they will be organized to facilitate analysis.
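As an added example (not the author's own method or tooling), the following models a mapped process with the three symbols and the swimlane idea from the sections above, validates that the map is structurally complete before the walkthrough, extracts the diamond steps as rows for the internal control matrix, and renders the map as Graphviz DOT. The process itself is constructed for illustration. One modeling assumption is that a control's correction branch (`on_fail`) points back at the task it checks; the segregation check goes slightly beyond the text by using that link to flag automatically what the swimlanes let you see by eye: a control performed in the same lane as the task it verifies.

```python
from dataclasses import dataclass
from typing import Optional

# The three-symbol flowchart: circle (start/end), rectangle (task), diamond (control).
# Shape names are Graphviz DOT shape identifiers.
SHAPES = {"start": "circle", "end": "circle", "task": "box", "control": "diamond"}


@dataclass
class Step:
    step_id: str
    label: str
    role: str                         # swimlane: the role or function that performs the step
    kind: str                         # "start", "end", "task" or "control"
    next_step: Optional[str] = None   # normal flow; for a control, the "everything correct" branch
    on_fail: Optional[str] = None     # control only: the task the flow returns to for correction


# Constructed example: a simplified outgoing-goods process as it might be mapped in interviews.
PROCESS = [
    Step("S", "Start", "Warehouse", "start", next_step="T1"),
    Step("T1", "Record outgoing goods in the dispatch system", "Warehouse", "task", next_step="C1"),
    Step("C1", "Check dispatch record against customer order", "Warehouse", "control",
         next_step="T2", on_fail="T1"),
    Step("T2", "Issue delivery note", "Warehouse", "task", next_step="C2"),
    Step("C2", "Approve delivery note", "Logistics supervisor", "control",
         next_step="T3", on_fail="T2"),
    Step("T3", "Archive the signed delivery note", "Administration", "task", next_step="E"),
    Step("E", "End", "Administration", "end"),
]


def validate(process):
    """Structural checks to settle before the walkthrough: known symbols,
    a connected flow, and a return path for every control."""
    ids = {s.step_id for s in process}
    problems = []
    for s in process:
        if s.kind not in SHAPES:
            problems.append(f"{s.step_id}: unknown symbol {s.kind!r}")
        if s.kind != "end" and s.next_step not in ids:
            problems.append(f"{s.step_id}: flow leads nowhere")
        if s.kind == "control" and s.on_fail not in ids:
            problems.append(f"{s.step_id}: control has no return path for correction")
    return problems


def segregation_findings(process):
    """Flag controls performed in the same swimlane as the task they check."""
    by_id = {s.step_id: s for s in process}
    findings = []
    for s in process:
        if s.kind == "control" and s.on_fail in by_id:
            checked = by_id[s.on_fail]
            if checked.role == s.role:
                findings.append(f"{s.step_id} ({s.role}) checks {checked.step_id} performed by the same role")
    return findings


def control_matrix_rows(process):
    """Rows for the internal control matrix: one per diamond in the flowchart."""
    return [{"control_id": s.step_id, "action": s.label, "role": s.role, "checks": s.on_fail}
            for s in process if s.kind == "control"]


def to_dot(process):
    """Render the swimlane flowchart as Graphviz DOT, one cluster per role."""
    lanes = {}
    for s in process:
        lanes.setdefault(s.role, []).append(s)
    lines = ["digraph process {", "  rankdir=LR;"]
    for i, (role, steps) in enumerate(lanes.items()):
        lines.append(f'  subgraph cluster_{i} {{ label="{role}";')
        for s in steps:
            lines.append(f'    {s.step_id} [shape={SHAPES[s.kind]}, label="{s.label}"];')
        lines.append("  }")
    for s in process:
        if s.next_step:
            edge_label = "yes" if s.kind == "control" else ""
            lines.append(f'  {s.step_id} -> {s.next_step} [label="{edge_label}"];')
        if s.kind == "control" and s.on_fail:
            lines.append(f'  {s.step_id} -> {s.on_fail} [label="no", style=dashed];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("problems:", validate(PROCESS))
    print("segregation:", segregation_findings(PROCESS))
    print("matrix rows:", control_matrix_rows(PROCESS))
    print(to_dot(PROCESS))
```

Running it on the constructed process reports no structural problems, one segregation finding (C1 is checked by the same warehouse role that records the dispatch) and two matrix rows (C1 and C2); the DOT output can be rendered with the Graphviz `dot` command to obtain the swimlane diagram, with the "no" branches drawn dashed to show where the flow returns for correction.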

I am often asked: “Is it necessary to identify risks in the flowchart?” My answer: it is not mandatory, but there is also no problem in doing so. If you wish, you can include this information, linking it to the process risk matrix.

I hope this article has helped you reflect on the topic and, perhaps, improve your process of mapping operational processes.

I wish you great success and, Be Happy!