Questioning who is responsible for internal controls is a common and recurring situation in the corporate world. When the company has an area of ​​internal controls, it is attempted to wrongly attribute this responsibility to it.

Why does this happen?

In my opinion, this behavior is a consequence of the lack of maturity in the management process in relation to good practices, in line with the fragility of a university that does not properly teach managers.

This weakness is evident when, managers and other professionals, relate internal controls to bureaucracy and / or “plastering” the business process. They fail to see and associate that internal control is a response to the action of mitigating a risk factor, which results in increasing the company's ability to achieve its strategic objectives.

The maturity of governance involves the improvement of the internal environment through the strengthening of the culture in the use of good management practices and the consolidation of awareness of risks and controls.

An essential point for this to happen is the correct addressing of the responsibility of each person within the organization in relation to the internal control system.

The model of the three management lines helps us to demonstrate these responsibilities, and was the basis for the construction of the diagram that I prepared to facilitate this understanding.

Let's see:

1. Governance Structure - I include here the Board and statutory committees, which are responsible for promoting the appropriate environment for the culture development and awareness of risks and controls. In addition, they must be committed to good management practices, supervising and monitoring the application of these concepts by the executive and operational management, following up on the implementation and improvement of internal controls.

2. Executive and Operational Management - In this case, executive management is the president and his directs, while operational management is the managers below the executive management line. The responsibility lies in exemplifying the commitment to internal controls, and in defining, implementing, executing and supervising the internal control system in order to keep operational risks within acceptable limits, as defined by the corporate risk appetite. This first line of management are the “owners” of risks and control, with no exception.

3. Specialists - Responsible for supporting the executive and operational management, first line, to apply the best management practices for the modeling, implementation, maintenance and improvement of the process and its internal control system integrated with the corporate risk management structure. This group includes specialists in internal controls, specialists in risk management, compliance and governance. They are the second line of management.

4. Internal audit - It is an independent and objective activity, usually reporting to the governance structure, with the objective of adding value, through the application and execution of an independent and objective evaluation on the internal control, risk management and corporate governance systems.

As you may see, every single person within an organization, without exception, has explicit responsibilities regarding internal controls, either in their design, implementation, execution or in their quality.

However, the greatest responsibility is left to the executive management (president and its directs) which must promote the properly environment, based in the ethics and best practices, in order to create the culture where all managers and employees recognize their responsibility for the existence of high quality internal control system.

I would like conclude this article with this quote:

“The great enemy of truth is often not the lie - deliberate, contrived and dishonest - but the myth - persistent, persuasive and unrealistic” J.F.Kennedy

 

Always, be happy!