What are the activities and responsibilities of the internal control area in a corporation?
There is a lot of confusion about the Internal Control area activities and responsibilities in a corporate environment. At least it is truth in Brazil, which is natural, since the internal control subject still recent for Brazilian corporations.
In this article I would like to address the main attributes that may be a guide for the activities of a modern internal control department. Those attributes are based on best practices, my experience and also in the studies of the ICI Internal Control Institute.
I would like to start by mentioning what I always say in class that internal control, as a department, are not control and are not part of the organization's internal control system. The IC activities is an agent of governance and is embedded in the organization's corporate governance structure.
Although working with a similar audit methodology, the area of internal controls may not to be confused with internal audit. First, because there is no need for independence, which is the main requirement for internal auditing, and secondly because IC activities direct its assessment to the efficiency of processes and the system of internal controls, while internal auditing mainly evaluates the effectiveness of the internal control system.
The internal control activity, as a function, represents specialized and professional support to corporate managers at all levels, including top management, allowing them to perform their daily responsibilities within the best governance practices. Recalling that risk management and internal control system management are the pillars for effective governance.
We can not forget that, in principle, risk management and the internal control system is the responsibility of the operational managers, and this responsibility, can not even be delegated.
In summary, the internal control department has as main activity and responsibility to assist the corporation and its managers with:
In order to carry out the above items, the internal control department must have a team of professional specialists with the necessary expertise to carry out these activities, always acting with the vision and concept:
In the chart below you can visualize the skills, knowledge, personal and technical ability that an internal control specialist should have:
In order to strengthen the governance process, it is important to have a proactive internal control department, which in it turn needs specialized internal control professionals, if possible with CICS certification.
Finally, the area of internal controls should be linked hierarchically with the CEO or the board, not because of the need for independence in their evaluation, but to leave the existing political discussion line across the corporation, allowing internal control to access any cycle or business process.
Moreover, the CEO of any corporation has as its primary governance responsibility the creation of a robust control environment, in order to maintain a structured risk management and an effective system of internal control, so nothing better than the internal control department is connected to him.
In this article I would like to address the main attributes that may be a guide for the activities of a modern internal control department. Those attributes are based on best practices, my experience and also in the studies of the ICI Internal Control Institute.
I would like to start by mentioning what I always say in class that internal control, as a department, are not control and are not part of the organization's internal control system. The IC activities is an agent of governance and is embedded in the organization's corporate governance structure.
Although working with a similar audit methodology, the area of internal controls may not to be confused with internal audit. First, because there is no need for independence, which is the main requirement for internal auditing, and secondly because IC activities direct its assessment to the efficiency of processes and the system of internal controls, while internal auditing mainly evaluates the effectiveness of the internal control system.
The internal control activity, as a function, represents specialized and professional support to corporate managers at all levels, including top management, allowing them to perform their daily responsibilities within the best governance practices. Recalling that risk management and internal control system management are the pillars for effective governance.
We can not forget that, in principle, risk management and the internal control system is the responsibility of the operational managers, and this responsibility, can not even be delegated.
In summary, the internal control department has as main activity and responsibility to assist the corporation and its managers with:
- The modeling of new operational processes, as well as the reengineering of existing processes and activities,
- Evaluation of the efficiency of internal controls, based on risks, integrating the three levels of control (control environment, process control and transaction controls),
- Support in the structuring and management of corporate risks,
- Assistance in the process of rationalization and economicity of the various business cycles due to the existing portfolio vision in the department,
- Strengthening integrity policy and the corporate fraud prevention process,
- Support in maintaining operational processes aligned with the company's strategy and mission.
In order to carry out the above items, the internal control department must have a team of professional specialists with the necessary expertise to carry out these activities, always acting with the vision and concept:
Strategy - Process - Risk - Internal control.
In the chart below you can visualize the skills, knowledge, personal and technical ability that an internal control specialist should have:
In order to strengthen the governance process, it is important to have a proactive internal control department, which in it turn needs specialized internal control professionals, if possible with CICS certification.
Finally, the area of internal controls should be linked hierarchically with the CEO or the board, not because of the need for independence in their evaluation, but to leave the existing political discussion line across the corporation, allowing internal control to access any cycle or business process.
Moreover, the CEO of any corporation has as its primary governance responsibility the creation of a robust control environment, in order to maintain a structured risk management and an effective system of internal control, so nothing better than the internal control department is connected to him.