Friday, November 16, 2018

The three lines of defense, a practical vision for corporations


It is very common in professional meetings on governance, audit, risk or internal control to have presentations about the three lines of defense model. As you may know, this model emerged with the publication on September 21, 2010, by FERMA and ECIIA, in the Guidance on the 8th EU Company Law, as a recommendation for implementing the law's requirements for monitoring the effectiveness of the internal control system, internal audit and risk management.

As the IIA statement of position on the subject points out:

"The Three lines of Defense model is a simple and effective way to improve risk management and control communication by clarifying key roles and responsibilities." 

The main point of this model is transparency about the responsibilities of each stakeholder in the conduct of the business, in order to organize the process and mitigate the gaps that exist because people do not understand each party's real responsibilities in this governance process.

Of course, it is important that governance and control professionals understand and discuss this model, since they are the agents of change. In fact, they are the professionals who will motivate managers to adopt this model as the basis for their activities.




In summary:

• The first line of defense is the responsible management (senior and middle management, and other decision makers), as executors of the risk management process and the organization's internal control systems.

• The second line is the areas and staff that aim to support management in fulfilling its first-line responsibilities, providing the knowledge and appropriate tools for this process. In this line are specialists in internal controls, risk management, processes and compliance, and other support professionals.

• The third line is the internal audit, which aims to provide an independent assessment of whether management is fulfilling its first-line governance responsibilities, based on best management practices.

The objective of this article is to discuss some observations that I have made during governance projects. Those observations demonstrate that, despite everything, this model is not yet adequately understood by organizations, whether they are private or governmental.

Let's look at some points that lead me to this conclusion:

• Lack of knowledge and understanding of the dynamics of the model by senior management (the board, the president and his direct reports). Some even mention that they have heard about the model, but that they do not know its essence.

• Areas of control, risk, compliance and sometimes even internal audit taking on first-line responsibility, along with confusion in each of these areas about its own responsibility. It is common to see overlapping activities, duplicated evaluations and execution of controls among these areas.

• Lack of a structured and coordinated corporate risk management process. Having a risk matrix or risk inventory is not managing risks. Risk management is the basis for any governance process.

• Weak internal environment, outdated policies and procedures, lack of attention to the skills management process, lack of vision of the value chain or business cycles, etc.

It is necessary to understand that, in the world in which organizations now operate, the challenges are immense and complex. The way we do business has changed dramatically; innovations are disruptive; convergence to the virtual world is a reality with no way back, and if the organization is not prepared, structured, and equipped with the appropriate competence to manage these challenges, it is doomed to fail and disappear.

We are still trying to run companies in the same way as we managed them in the post-industrial-revolution era.

Thus, adopting the three lines of defense model in a comprehensive manner, aligned with existing information technology, will allow the organization to take proactive positions and actions within a lean and optimized structure with economical operational processes, thereby minimizing the capital tied up in the structure and, consequently, the loss of its competitive advantage.

Put simply, to achieve that, management must diagnose its structure and organization against the four points indicated above and, based on the result, define actions to eliminate or mitigate them.

Also, a process of raising awareness across the structure through lectures, workshops, e-learning, or other forms of knowledge transfer is essential for the strengthening and maturation of the organization, so that the different levels of management are prepared to understand and execute their responsibilities in a clear and coordinated manner, as suggested in the three lines of defense model.

Be happy!

Thursday, November 15, 2018

A disruptive world and its impact on society, companies and professionals

It is plain to see that we are going through profound transformations in every sense. Whether in our personal lives or in the corporate world, the convergence toward the virtual world is a reality with no way back.

More and more we concentrate our activities in this new world; we relate to one another through social media, and we trade, study, work and travel, all through the virtual world, without the need for physical travel.

I remember that Alvin Toffler, writer and futurist, mentioned in his book The Third Wave that at a certain moment the "electronic cottage" would exist; well, we have arrived at that time.

The most important point is that until now innovations followed a logical pattern, allowing people to add them to their day-to-day lives systematically; what we see now, however, is disruptive innovation, which simply changes everything, from one hour to the next, at astonishing speed.

This phenomenon, if I may call it that, complex as it may seem to live through, has its transformative basis in doing something different from what is being done, yet in a simpler, cheaper and more accessible way.

Notice how many activities you do today via the web for which in the past you had to travel, spending time and money.

It must be understood that organizations are embedded in this world, which brings immense and complex challenges in adjusting the way we operate and do business to the new market requirements.

Imagine that today your competitor may exist only in the virtual world, with a small physical structure, somewhere in the world that is more viable economically speaking.

If your organization is still operating along post-industrial-revolution lines, it will certainly have a large and deadly competitive disadvantage. I have no doubt in stating that whoever has not yet woken up to this has their days numbered.

I also include in this list the professionals who insist on managing their processes and businesses in an outdated way, with attitudes and skills no longer suited to this new corporate world.

To help in this adaptation process, I describe below some attributes that may be considered:

  1. Organizations tend to be much less hierarchical and more matrix-based, so that at some moments you will be the leader and at others you will be led;
  2. They will have a more virtual structure, with more remote access, operating in a decentralized way;
  3. They will be global companies operating collaboratively and through partnerships;
  4. Manufacturing companies will have their production base in countries that offer a good cost-benefit ratio; however, it may be spread across several locations with small, efficient production units, this for products that can be delivered via the web through a remote printer;
  5. The appropriate use of technology, including virtual intelligence, will be the basis for every operation.

Naturally the impact of all this on society is significant; for the professional, however, it is also very significant, and it will certainly require a reinvention of the way of working, behavior, attitude and management.

Companies will need professionals with a generalist outlook, at home in the digital world, flexible and self-motivated, with a sense of value creation, highly ethical, with good communication and interaction in virtual media, unattached to a place of work, good at project management, leaders and motivators.

I have no doubt that part of the unemployment that exists in the world is structural, a consequence of these changes. To those professionals who have not yet realized this: do not leave it for later, it may be too late!

Be happy


Thursday, March 29, 2018

The attributes of the internal auditor that adds value to the business

As we know, the primary purpose of the internal audit activity is to add value to organizations and it does this through its recommendations for improvement of the risk management process and the internal control system, which are basic activities for good corporate governance. 

To make this possible, auditors should conduct their activities based on the IIA's international framework of professional practice, also known as the IPPF, which outlines the key principles that must be observed in managing the audit organization as well as in conducting audit work.

As part of these practices, the auditor's code of ethics is one of the most important instruments for positioning the auditor adequately in the organization in which he operates. Attitudes and behavior based on these ethical principles are fundamental to the auditor's professional recognition by the corporate organization. We must not forget that internal auditors play a key role in promoting an ethical business and internal environment guided by best management and control practices.

Internal auditors should be aware of the importance of their attitudes as an agent for disseminating ethics and good practice. In addition, it is very important that the auditor be viewed by the organization as a high-level, trustworthy professional and that their recommendations for improvement add real value to the corporation.

For this to be possible, in addition to the independence of the internal audit activity in the organization, the auditor should be proficient in the application of audit procedures and techniques, and should have the objectivity necessary to always express an unbiased opinion, free of conflict of interest.

The auditor's efforts and attitudes should always be directed at building a structure of trust between auditor and management, and this is simple to explain: no one follows a professional who does not inspire confidence, or takes into account information or opinions that do not come from a recognized source.

If the auditor does not inspire confidence, how will his recommendations be observed and met?

At this point you may ask: how does one achieve that level of trust within the organization?

And the answer is simple: Through professional attitudes!

The auditor should be clear, transparent, and knowledgeable about the organization's corporate and business context. The auditor must act responsibly, observe laws and regulations, without exception, and disclose any information that is important and necessary for a clear understanding of the subject by management. Also, the auditor needs a good deal of humility to recognize that his recommendations are not always the best or even feasible.

In this connection, auditors also need to be prudent with the use of information obtained during the course of the audit work, protecting it and never using it for personal gain. Confidentiality is extremely important so that the manager can be assured that all information will be handled by the auditor with the utmost discretion and that the report will only be finalized after discussion and involvement with the manager responsible for the audited activity.

It is also necessary that the auditor has knowledge of the subject matter of the evaluation, as well as the ability and experience to conduct the work. Under no circumstances should the auditor commit to evaluating an activity he is not knowledgeable enough to evaluate; doing so would be very foolish and would certainly jeopardize his judgment and reputation.

In this regard, the auditor should be efficient and effective in complying with audit standards and continually improving their proficiency in audit and management issues.

Note that it is only after all these criteria are met that the auditor can truly solidify his or her position as a professional recognized by the organization, capable of adding value to the organization's business environment and committed to promoting best management practices in line with ethical values and attitudes.

The auditor should note that their behavior outside the professional environment should follow the same pattern, especially now that social networks are present in the professional environment.

Building a good professional reputation takes time and a lot of work, but destroying it is very fast.

Be happy!

Wednesday, March 14, 2018

Simplifying the application of the risk-based audit methodology.



It is very common today that audit professionals have doubts about the application of the risk-based audit methodology. 

The other day at CONBRAI 2018, I heard a prominent speaker cast doubt on the real need to have an audit plan and/or audit planning.

That is why I was motivated to write this article where I present my vision about the methodology that should be applied in an audit work, in line with the IIA audit definition.

The definition given by the IIA for Internal Audit indicates that:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

This systematic and disciplined approach is what we call the audit methodology. In order to facilitate understanding, I will divide this methodology into two phases: the first is the preparation of the Annual Audit Plan and the second is the Execution of the audit. Both should always be applied with a risk-based view.

It is important to mention that risk-based auditing is not a new approach; it has always existed. I remember that when I was an audit trainee in a big 10 audit company, in 1980, in Brazil, this approach was already used, so it is neither a new nor a different audit approach.

Anyway, the first phase is when we build an audit plan for a predetermined period, normally, but not necessarily, 12 months, based on a corporate risk view, considering the business cycles, operational processes, programs, projects or transactions which will be assessed for compliance or performance. The concept here is simple: since audit activity is limited by the available hours and budget, audit resources should, in order to demonstrate that they are managed effectively, be applied to the objects that bring the highest risk to the company, that is, the risk of not achieving its strategic objectives.

Once the plan is defined, we move to the second phase. This phase may be divided into three distinct stages:

  • Work planning,
  • Execution and collection of evidence,
  • Communication of results.

Those stages apply to all kinds of audit work: compliance, accounting or performance (also known as operational).

Planning the audit can be subdivided into three moments:

  1. Moment 1 - Preparation of the planning memorandum, where we define the objectives and scope of the audit, determine the team and, where applicable, the need for specialists, budget the costs of the work, and prepare an audit time schedule. At this moment we search for and collect all the information about the audit object that is available in the corporate environment, such as policies and procedures, the risk matrix, the organization chart, IT system applications, etc.
  2. Moment 2 - Obtaining a more detailed understanding of the object under evaluation. This may be done through interviews with those who execute the transactions. The idea is to have a complete picture of the process under review, transaction by transaction. The understanding may be formalized as a narrative or graphically, using a flowchart. In this step, the risk matrix (inherent, IT, fraud) and the control matrix (identifying all existing controls) are prepared.
  3. Moment 3 - Preparation of the audit program, where, based on the risk and control matrices, we define the audit procedures and techniques that will be applied to obtain evidence of the effectiveness of the control or the conformity of the audited process.

At this point in the work, we will have the following working papers: audit memorandum, flowchart or narrative of the evaluated object, risk matrix, control matrix and audit program.

The next stage is the audit execution, also known as fieldwork. In this stage we apply the audit procedures and techniques defined in the audit program to collect and formalize the evidence needed to achieve the pre-defined audit objectives. At this point, all audit findings should be listed in the findings matrix. This matrix is the support for the preparation of audit recommendations.

Once the execution is completed, we proceed to the stage of reporting the results. This is the moment where the audit report will be prepared. The suggestion is to divide the report into three documents: Audit opinion, executive summary and audit recommendations (with action plan aligned with the manager).

After submission of the final report, the implementation of the action plan should be monitored to verify that it has been implemented as agreed with the audit.

All audit documentation produced in those various stages is considered a workpaper; all of it must be appropriately reviewed by an experienced auditor, and referenced and organized in folders, whether in electronic or physical format.

Of course, the planning stage of the audit work is the most important, since the better the work is planned, the more efficient the execution will be, and better will be the quality of the auditor's opinion and consequently the results of the audit, thus fulfilling its mission of adding value to the company.

Finally, remember that an audit engagement will only be finalized when all actions regarding the recommendations are properly implemented.

Be happy!


Thursday, March 8, 2018

The importance of the whistleblower Channel for an effective integrity program.

Nowadays, implementing an integrity program should be listed on the C-Level agenda of any business that wants to survive and thrive in the new business world, regardless of size, industry, or activity.

We have seen a number of laws, regulations and standards being enacted with the objective of strengthening corporate governance, especially with regard to the process of combating corruption and fraud.

Among all the requirements for an effective integrity program, the whistleblower channel has a special place. This channel allows greater transparency and makes it possible for any employee, service provider, supplier or other stakeholder to report any fact they know of that is at odds with the ethics, values and behavior set out in corporate policy.

Unfortunately, I believe that, for lack of knowledge, corporations in Brazil still do not use this tool in the way they should. Some organizations mistakenly fold the whistleblower channel into the ombudsman, or even into the consumer service channel.

This view is supported by Kroll's Global Fraud and Risk Report 2016/17, which shows that globally 44% of frauds are identified through the whistleblower channel; however, this same report indicates that in Brazil the whistleblower channel is responsible for only 17% of the findings.

In this report, the whistleblower channel in Brazil ranked in last position as a fraud detection tool. The most interesting point is that the external audit appears in first place, as responsible for 43% of the discoveries of fraudulent activities, which does not make any sense.

Well, with corporate governance processes maturing, aimed at strengthening ethics and values in Brazilian corporations, in the medium term the perception of the importance of having a robust whistleblower channel in place for the prevention of fraud and acts of corruption should change.

Now, let's look at some attributes of excellence that a whistleblower channel must have in order to really fulfill its mission:

  1. The channel must be available 24 hours a day, 7 days a week, and whistleblowers must be able to access it in different ways.
  2. It is best operated through an independent company with the technical and professional requirements for proper receipt of the complaint.
  3. The protection of the whistleblower's anonymity is of utmost importance for the success of the channel.
  4. There must be a way of exchanging messages with the whistleblower without breaking the anonymity.
  5. The company contracted to operate the whistleblower channel must have the technical capacity and knowledge to carry out the first review of the complaint received.
  6. The complaint received must be sent to at least three different bodies, such as: Legal, Human Resources, fraud prevention or internal audit. This improves the assurance that all complaints received will be properly dealt with.
  7. A strong and constant communication and training process should be part of this process so that all employees, service providers, suppliers and others know how to use the channel correctly, without worrying about possible retaliation.

To conclude, the effectiveness of this tool requires an internal environment that is culturally prepared and mature enough to understand the ethical values of the organization. Consequently, top management has a great responsibility in this regard, since they must be the spokespeople for, and the example of, the integrity program.

Thursday, March 1, 2018

Audit and internal controls challenges on the use of "Data Analytics"


Corporations that are increasingly embedded in a digital convergence environment must build business processes based on reliable data processing frameworks. Today the competitive advantage of some organizations is based on their capacity for innovation and use of electronic processes.

In this digital environment, both internal audit and the internal controls area must have Data Analytics tools, and be proficient in their use, in order to support data collection and also their evaluations.

I have observed, by participating in some events on the subject and also in some of our projects, that audits are investing in the ability to collect data, but not so much in their ability to analyze the data collected. I also see that most of the time of auditors and internal control specialists is being spent behind a computer screen, which I think is a mistake.

There are excellent tools for collecting data in the format the auditor wants, parametrizable in various forms and models; however, this process will be effective only if the auditor also has the capacity for analysis. The investment must be in the tool and also in the human being, so that he is proficient in the analysis of the data, including the peripheral data.

Now, all of this will pay off if the organization's database is truly reliable. ERP platforms are great vectors for loss of integrity if not well structured, including their access process. In a survey conducted by KPMG in 2017, only 35% of respondents said they had a high degree of confidence in the use of various types of analysis in their organization, which came as a surprise to me; I expected a higher percentage, even though large companies have experienced information integrity issues in their business processes.

Another interesting point in this research is that executives and managers are being asked to make decisions based on information generated by algorithms that they did not create and do not fully understand either.

With this in mind, let's go back to internal audit and internal control and understand the challenges they must face in conducting their assessment work in this new digital environment.

First of all, it is very important that internal audit and internal controls have professionals with information technology knowledge on their teams, in order to be able to evaluate governance and IT management as well as to support the operational professionals of internal audit and control.

The next point is to form an opinion about the degree of confidence that will be placed in the processing of information through digital systems, in data management and its security, and in the analysis models used by the managers. For this, my suggestion is to observe the three points below:

1. Assess whether database management has the appropriate governance and control system to quickly identify any possible breach of integrity, confidentiality, and completeness.
2. Evaluate whether the analysis models and the algorithms used are doing the right things in the right way, achieving the desired results.
3. Evaluate whether electronic accesses and interfaces between processes are consistent and appropriate for the context. Both analysis models and data sources must be able to be replicated in a sustainable manner.

I have no doubt that the use of more complex systems by corporations, including the use of Artificial Intelligence for business decisions, is an integral part of the new corporate environment, bringing new risks and new challenges to management as a whole.

Auditors and internal control specialists should be aware of all of those changes and innovations, preparing themselves and acquiring the appropriate proficiency to create value for the corporation through the execution of their work.

Saturday, February 24, 2018

The five ethical reasons for a transformative company.

During my professional life I have had the luck and the privilege of working in excellent organizations, alongside first-rate professionals. At one of these companies I had the honor of meeting and working with one of the most brilliant people in the corporate world, Mr. Roger Milliken, Chairman of Milliken Co, one of the largest textile manufacturers, headquartered in the city of Spartanburg, South Carolina.

His business vision, allied with ethics and moral values and complemented by his humility and warmth toward everyone, built the foundation for a solid company grounded in good management and safety practices. By an irony of fate, Milliken was my last corporate position, as CFO, before founding Crossover, and I can say it was one of the most interesting and challenging.

This February Milliken was again listed as one of the world's most ethical companies of 2018, according to the Ethisphere Institute, a global leader in defining and promoting standards of ethical business practices.

Milliken has always championed the alignment of transparency with the fundamental values of governance, and as a consequence integrity has always been fundamental to its business practices.

As a reflection on the attributes of an ethical company, I want to share with you an article written by Liz Morris on Milliken's innovation blog, which explores the five reasons why infusing integrity into every facet of a company is believed to be transformative, personally and professionally.

Let us see, then:

Integrity champions transparency
An organization that celebrates integrity in business will also emphasize transparent business practices.

Integrity aligns with associates' personal values
An integral part of being passionate about your day-to-day work is feeling confident that your company's values align with your own. This creates a lasting career in which your growth is fundamental to the overall development of the company.

Integrity exudes reliability and teamwork
When associates adopt an ethical culture, the whole organization benefits from the ability to "do what is right". Associates can therefore count on one another, on their leaders and on the company as a whole, which in turn fosters a stable and safe environment.

Integrity is success within success
The way a company achieves success is as important as the success achieved. In every respect, a company's success must take into account all the elements of those it serves, from the associates employed by the organization to the community in which it resides.

Integrity cares about making a difference
An organization that believes in ethical behavior also believes in investing in our world through meaningful commitments to volunteering and charity, as well as committing to sustainable innovations and practices.

I am a witness that these five points make a very big difference to the success of the company, of its associates and also of the community in which it is located.

Moreover, I can say that it is very comfortable to be a financial executive and statutory officer in a company with this vision.

Be happy!

Tuesday, January 30, 2018

What are the activities and responsibilities of the internal control area in a corporation?

There is a lot of confusion about the activities and responsibilities of the Internal Control area in a corporate environment. At least this is true in Brazil, which is natural, since the subject of internal control is still recent for Brazilian corporations.

In this article I would like to address the main attributes that may serve as a guide for the activities of a modern internal control department. Those attributes are based on best practices, on my experience and also on the studies of the ICI Internal Control Institute.

I would like to start by mentioning what I always say in class: internal control, as a department, is not a control and is not part of the organization's internal control system. The IC activity is an agent of governance and is embedded in the organization's corporate governance structure.

Although it works with a methodology similar to that of audit, the area of internal controls must not be confused with internal audit. First, because there is no need for independence, which is the main requirement for internal auditing, and secondly because the IC activity directs its assessment to the efficiency of processes and of the system of internal controls, while internal auditing mainly evaluates the effectiveness of the internal control system.

The internal control activity, as a function, represents specialized and professional support to corporate managers at all levels, including top management, allowing them to perform their daily responsibilities within the best governance practices. Recall that risk management and internal control system management are the pillars of effective governance.

We cannot forget that, in principle, risk management and the internal control system are the responsibility of the operational managers, and this responsibility cannot even be delegated.

In summary, the main activity and responsibility of the internal control department is to assist the corporation and its managers with:

  • The modeling of new operational processes, as well as the reengineering of existing processes and activities,
  • Evaluation of the efficiency of internal controls, based on risks, integrating the three levels of control (control environment, process control and transaction controls),
  • Support in the structuring and management of corporate risks,
  • Assistance in the process of rationalization and economy of the various business cycles, owing to the portfolio vision that exists in the department,
  • Strengthening integrity policy and the corporate fraud prevention process,
  • Support in maintaining operational processes aligned with the company's strategy and mission.


To carry out the items above, the internal control department must have a team of professional specialists with the necessary expertise, always acting with the vision and concept:


Strategy - Process - Risk - Internal control.

The chart below shows the skills, knowledge, and personal and technical abilities that an internal control specialist should have:




In order to strengthen the governance process, it is important to have a proactive internal control department, which in turn needs specialized internal control professionals, if possible with CICS certification.

Finally, the internal control area should be linked hierarchically to the CEO or the board, not because its evaluations need independence, but to keep it out of the line of political discussion that runs across the corporation, allowing internal control to access any cycle or business process.

Moreover, the primary governance responsibility of the CEO of any corporation is to create a robust control environment, in order to maintain structured risk management and an effective system of internal control, so there is nothing better than having the internal control department connected to him.

Tuesday, January 16, 2018

Understanding the importance of the corporate internal control system

I have observed that companies or entities, private or governmental, large, medium or small, have not given due attention to their system of internal control.

Most of the time this is the result of the managers' lack of knowledge about how important the internal control system is for an effective and successful management of their corporate governance. Even at the C-level I face this lack of knowledge.

In my lectures on governance, it is common to face discussion about how internal control increases bureaucracy, making the operational processes slow and bringing a problem for the business. In fact this may be true, not because of internal control itself, but because of a mistaken way of managing corporate risks.

Normally, when managers understand the "objective - risk - control" relationship and realize the importance of having a management attitude based on this relationship, they totally change their view of internal control. They realize that having an adequate system of internal controls increases the possibility that the organization achieves its operational and strategic goals. In addition, they recognize the possibility of savings in allocated capital due to the alignment of internal control with risks.

First of all, internal control may be conceptualized as:

"An integrated process of action, conducted at all levels of the organization, that helps it achieve its operational and strategic objectives with reasonable security."

Internal control is inherent to the human being. Even in companies with no maturity in the management of the fundamentals of governance, we may find several internal controls, but not necessarily with the quality required to respond to the risks. It is very common to find a system with more control than really needed.

The great challenge of management is to develop, implement and maintain an effective internal control system, balanced with its risk appetite, which must meet the needs of the organization in achieving its objectives while being flexible and economical.

Just to remember, a good internal control system must achieve three distinct objectives:

  • Maintain the efficiency and effectiveness of operational processes, including safeguarding assets,
  • Promote the integrity, consistency and reliability of information whether financial or non-financial, and
  • Enable the company to comply with laws, regulations, and industry standards.

Also, we need to keep in mind that the system of internal controls is considered as the second line of defense. The first is the management and the third is the internal audit.

Thus, in order to model or assess the internal control system properly, it is important to consider the following:

  • The existence of the internal control only makes sense if there is one or more risks associated with it;
  • The internal control system has a hierarchy (control environment, process control and transaction controls) which needs to be considered. The levels are related, and each has its role and importance in the proper functioning of the internal control system;
  • For evaluation or modeling of the control system, the specialist must have a portfolio view, that is, know all the existing controls at the three levels of the hierarchy;
  • The internal control system aims to bring the gross risk associated with the process or transaction to the level of the organization's risk appetite, no more and no less;
  • Every internal control, in order to be effective, requires discipline and supervision, so that it achieves the goal proposed in its conception;
  • The internal control system should be periodically evaluated in order to identify the changes necessary to keep pace with changes in the business environment.

The internal control system is the responsibility of everyone within the company: high management is responsible for the control environment, the middle managers for the process control level, and the executors for the transaction controls.

Both in the evaluation and in the modeling of the system of internal control, its cost and benefit should be noted. A control cannot cost more than the risk it is mitigating.

Organizations have failed to manage their system of internal controls by applying resources beyond what is necessary. Thus, in order to manage the internal control system effectively, it is recommended that the company have in its organization professionals specializing in internal controls, who will support the operational managers with the fundamentals of governance.

Having an effective and optimized internal control system is fundamental to the quality of management based on the best practices of governance, which is the basis for the success and longevity of the organization.

To conclude, I always say that there is no governance if the company does not have a robust process of risk management, which, in turn, requires an aligned and effective internal control system.