Internal controls, the responsibility of everyone!
Questioning who is responsible for internal controls is a common and recurring situation in the corporate world. When the company has an internal controls area, people often wrongly attribute this responsibility to it.
Why does this happen?
In my opinion, this behavior is a consequence of the lack of maturity in the management process in relation to good practices, in line with the fragility of a university that does not properly teach managers.
This weakness is evident when managers and other professionals relate internal controls to bureaucracy and/or “plastering” the business process. They fail to see that an internal control is a response that mitigates a risk factor, which increases the company's ability to achieve its strategic objectives.
The maturity of governance involves the improvement of the internal environment through the strengthening of the culture in the use of good management practices and the consolidation of awareness of risks and controls.
An essential point for this to happen is correctly assigning the responsibility of each person within the organization in relation to the internal control system.
The model of the three management lines helps us to demonstrate these responsibilities, and was the basis for the construction of the diagram that I prepared to facilitate this understanding.
Let's see:
1. Governance Structure - I include here the Board and statutory committees, which are responsible for promoting the appropriate environment for the development of the culture and awareness of risks and controls. In addition, they must be committed to good management practices, supervising and monitoring the application of these concepts by the executive and operational management, and following up on the implementation and improvement of internal controls.
2. Executive and Operational Management - In this case, executive management is the president and his direct reports, while operational management is the managers below the executive management line. Their responsibility lies in exemplifying the commitment to internal controls, and in defining, implementing, executing and supervising the internal control system in order to keep operational risks within acceptable limits, as defined by the corporate risk appetite. This first line of management is the “owner” of risks and controls, without exception.
3. Specialists - Responsible for supporting the executive and operational management (the first line) in applying the best management practices for the modeling, implementation, maintenance and improvement of the process and its internal control system, integrated with the corporate risk management structure. This group includes specialists in internal controls, risk management, compliance and governance. They are the second line of management.
4. Internal audit - It is an independent and objective activity, usually reporting to the governance structure, with the objective of adding value through an independent and objective evaluation of the internal control, risk management and corporate governance systems.
As you can see, every single person within an organization, without exception, has explicit responsibilities regarding internal controls, whether in their design, implementation, execution or quality.
However, the greatest responsibility is left to the executive management (the president and his direct reports), which must promote the proper environment, based on ethics and best practices, in order to create a culture where all managers and employees recognize their responsibility for the existence of a high-quality internal control system.
I would like to conclude this article with this quote:
“The great enemy of truth is often not the lie - deliberate, contrived and dishonest - but the myth - persistent, persuasive and unrealistic” J.F.Kennedy
Always, be happy!