Tuesday, January 30, 2018

What are the activities and responsibilities of the internal control area in a corporation?

There is a lot of confusion about the activities and responsibilities of the internal control area in a corporate environment. At least this is true in Brazil, which is natural, since the subject of internal control is still recent for Brazilian corporations.

In this article I would like to address the main attributes that may serve as a guide for the activities of a modern internal control department. Those attributes are based on best practices, my experience and also on the studies of the ICI Internal Control Institute.

I would like to start by mentioning what I always say in class: internal control, as a department, is not a control and is not part of the organization's internal control system. The IC activity is an agent of governance and is embedded in the organization's corporate governance structure.

Although it works with a methodology similar to that of audit, the area of internal controls should not be confused with internal audit. First, because there is no need for independence, which is the main requirement for internal auditing, and secondly because IC activities direct their assessment to the efficiency of processes and the system of internal controls, while internal auditing mainly evaluates the effectiveness of the internal control system.

The internal control activity, as a function, represents specialized and professional support to corporate managers at all levels, including top management, allowing them to perform their daily responsibilities within the best governance practices. Recall that risk management and internal control system management are the pillars of effective governance.

We cannot forget that, in principle, risk management and the internal control system are the responsibility of the operational managers, and this responsibility cannot even be delegated.

In summary, the main activity and responsibility of the internal control department is to assist the corporation and its managers with:

  • The modeling of new operational processes, as well as the reengineering of existing processes and activities,
  • Evaluation of the efficiency of internal controls, based on risks, integrating the three levels of control (control environment, process control and transaction controls),
  • Support in the structuring and management of corporate risks,
  • Assistance in rationalizing the various business cycles and making them more cost-effective, drawing on the portfolio view that exists in the department,
  • Strengthening integrity policy and the corporate fraud prevention process,
  • Support in maintaining operational processes aligned with the company's strategy and mission.


In order to carry out the above items, the internal control department must have a team of professional specialists with the necessary expertise to carry out these activities, always acting with the vision and concept:


Strategy - Process - Risk - Internal control.

In the chart below you can visualize the skills, knowledge, personal and technical ability that an internal control specialist should have:




In order to strengthen the governance process, it is important to have a proactive internal control department, which in turn needs specialized internal control professionals, if possible with CICS certification.

Finally, the area of internal controls should be linked hierarchically to the CEO or the board, not because of a need for independence in its evaluation, but to stay out of the political discussions that exist across the corporation, allowing internal control to access any cycle or business process.

Moreover, the CEO of any corporation has as his primary governance responsibility the creation of a robust control environment, in order to maintain structured risk management and an effective system of internal control, so there is nothing better than having the internal control department connected to him.

Tuesday, January 16, 2018

Understanding the importance of the corporate internal control system

I have observed that companies or entities, private or governmental, large, medium or small, have not given due attention to their system of internal control.

Most of the time this is the result of managers' lack of knowledge about how important the internal control system is for effective and successful management of corporate governance. Even at the C-level I face this lack of knowledge.

In my lectures on governance, it is common to face discussion about how internal control increases bureaucracy, making operational processes slow and creating a problem for the business. In fact this may be true, not because of internal control itself, but because of a mistaken way of managing corporate risks.

Normally, when managers understand the "objective - risk - control" relationship and realize the importance of having a management attitude based on this relationship, they completely change their view of internal control. They realize that having an adequate system of internal controls increases the possibility of the organization achieving its operational and strategic goals. In addition, they recognize the possibility of savings in allocated capital due to the alignment of internal control with risks.

First of all, internal control may be conceptualized as:

"An integrated process of action, conducted at all levels of the organization, that helps it achieve its operational and strategic objectives with reasonable security."

Internal control is inherent to the human being. Even in companies with no maturity in the management of the fundamentals of governance, we may find several internal controls, but not necessarily with the quality required to respond to the risks. It is very common to find a system with more control than really needed.

The great challenge of management is to develop, implement and maintain an effective internal control system, balanced with its risk appetite, which must meet the needs of the organization in achieving its objectives while being flexible and economical.

Just to remember, a good internal control system must achieve three distinct objectives:

  • Maintain the efficiency and effectiveness of operational processes, including safeguarding assets,
  • Promote the integrity, consistency and reliability of information whether financial or non-financial, and
  • Enable the company to comply with laws, regulations, and industry standards.

Also, we need to keep in mind that the system of internal controls is considered as the second line of defense. The first is the management and the third is the internal audit.

Thus, in order to model or assess the internal control system properly, it is important to consider the following:

  • The existence of the internal control only makes sense if there is one or more risks associated with it;
  • The internal control system has a hierarchy (control environment, process control and transaction controls) which needs to be considered. The levels are related, and each has its role and importance in the proper functioning of the internal control system;
  • For evaluation or modeling of the control system, the specialist must have a portfolio view, that is, know all the existing controls in the three levels of hierarchy;
  • The internal control system aims to bring the gross risk associated with the process or transaction to the level of the organization's risk appetite, no more and no less;
  • All internal control, in order to be effective, requires discipline and supervision, so that it achieves the proposed goal in its conception;
  • The internal control system should be periodically evaluated in order to identify the changes necessary to keep pace with changes in the business environment.

The internal control system is the responsibility of everyone within the company: top management is responsible for the control environment, the middle managers for the level of process control and the executors for the control of the transaction.

Both in the evaluation and in the modeling of the system of internal control, its cost and benefit should be considered. A control cannot cost more than the risk it is mitigating.

Organizations have failed to manage their system of internal controls by applying resources beyond what is necessary. Thus, in order to manage the internal control system effectively, it is recommended that the company have in its organization professionals specializing in internal controls, who will support the operational managers with the fundamentals of governance.

Having an effective and optimized internal control system is fundamental to the quality of management based on the best practices of governance, which is the basis for the success and the continuity of the organization.

To conclude, I always say that there is no governance if the company does not have a robust process of risk management, which, in turn, requires an aligned and effective internal control system.