In the literature on internal controls, there is no standardization for the attributes and classification of internal control. Each professional institution and/or each author ends up using their understanding of the categorization of control, which does not necessarily follow the same pattern.
This lack of standardization generates some misunderstandings, which
negatively impacts the understanding of the first line of management about this
important instrument for the mitigation of risk factors.
This article aims to bring to our reflection a more structured view of
the topic of internal controls, and who knows how to start a conceptual
standardization.
So, we can start this journey, reviewing the definition of internal control,
based on the COSO ICF.
It says that:
"Internal control is an event or action, formalized in policies and
procedures, which aims to mitigate the probability of the risk event
materializing and adversely impacting the process's ability to achieve its
objectives."
Looking at this definition, two points become clear:
- The existence of an internal control is closely related to its alignment in mitigating one or more risk factors, and
- That it is only effective when there is a
condition of probability management. It is neither adequate nor effective for
impact mitigation.
Now let's understand the difference between a control and a task. I
still find a lot of confusion in the understanding of these concepts in
organizations. It is very important, for the quality of risk and process
management, to know how to clearly identify the control, differentiating it
from a task, especially when we are modeling or mapping an operational process.
Let's look at the concept of tasks:
- Task – By concept, a task is an activity that
must be performed to help the operational process achieve its objectives and
deliverables. It can be a registration, calculation, listing, filing,
elaboration, filling and others,
Now, let's look at the control:
- Control – It is an action that aims to
mitigate the materialization of a risk event that will adversely impact the
performance of a task, data and/or information processing, or the quality of
the product object of the process. It can be a review, conference,
recalculation, approval, validation, authorization and others.
In theory, the control activity is the action that confirms that the
task or processing was performed in accordance with the pre-established
procedures.
Any nonconformity in the performed task is promptly identified by the
control, thus requesting that the task be reworked. Not allowing this
non-compliance to contaminate the process and impact the quality of the product
of the process.
This dynamic of “Doing” and “Reviewing”, during the processing of
activities, increases the ability of the process to achieve its objectives and
deliver products with the required quality.
Continuing on our journey, we now need to know the attributes of
internal control. These attributes are important for us to model or evaluate an
internal control, mainly in the evaluation of the design (efficiency) of the
control.
Objectively, the basic attributes of control are: objective, action,
evidence and periodicity.
Let's look at these attributes in a little more detail:
Attribute I - Objective: It relates to the risk factor that it
mitigates, it is possible to say that it is the positive view of the risk
factor, for example:
o Risk Factor: wrong registration of the invoice information in the
system.
o Control Objective: Ensure the consistency of the invoice registration
in the electronic system.
Attribute II - Action: it is the control execution activity, it can
be a review, a check, a recalculation, an approval and so on. Taking into
account the example in item I, we can exemplify the action:
o Control action: Checking the data recorded in the system against the
invoice.
Attribute III - Evidence: it is the “mark” that demonstrates that the
control has been executed, which can be a stamp, a check, a tick, a check box
in the system, a log, an e-mail and others. Considering the example above, we
can say that the evidence is:
o Evidence: Checked mark, in a check box on the system screen where the
invoice is registered.
Attribute IV - Periodicity: It refers to when the control needs to be
executed, which can be daily, weekly, monthly, by event and others.
o Frequency: The verification of the invoice registration in the system
must happen at each registration event.
Note that these attributes provide us with a more detailed view of the
control, which for professionals specializing in internal controls and/or
internal auditors, is essential so that they can model, evaluate the efficiency
and/or effectiveness of the control.
Now, to complement this understanding, it is also important to define
the types of control, based on and performance characteristics. We can classify
the control in: manual, electronic and automatic.
- Manual control is the one that only needs
the individual to be executed,
- While electronic control needs the individual interacting with the electronic system
- And automatic control, it ony needs the system to run.
Before electronic systems, controls were manually done. With the
application of electronic systems in corporate processes, controls migrated to
electronic controls. Now, with the convergence of automation and digitization
of operational processes, we are experiencing the second wave of controls, also
converging towards automated controls, based mainly on algorithms.
Now, to complement our study of internal controls, we need to work on
understanding the nature of control.
The view that we bring about the nature of control is based on a process
view, which has the beginning access, the processing and at the end the delivery
of its products.
Considering this, we define the nature according to the essence of
control, which can be: preventive, detective and corrective.
Let’s take a look at the concept and definition of each one:
- Preventive controls are those located before the start of the process. They aim to prevent access by people without a profile or authorization, incomplete or wrong documents, unauthorized data or information, etc,
- Detective controls are controls in place during the processing of process activities, after the beginning of the process until the end of the process. The purpose of these controls is to mitigate the probability of the task being performed outside the schedule and/or of information or data being processed without consistency and/or integrity. They detect, and request correction, before moving on to the next task.
- Corrective controls, on the other hand, are controls performed on the product originating from the process, which aim to request the correction of the product of the process, if any anomaly or problems of quality, integrity and/or consistency of the product are identified. of the process.
Remember that the effectiveness of internal control is related to its
ability to bring the risk factor to an acceptable level of risk, which must be
aligned with the risk appetite defined by the corporation.
Now we have a more structured view of the attributes and nature of
internal controls, however, it is important to point out that these controls
must be part of a systemic and integrated set applied to the operational
process, which we call system and internal control, but this will be topic for
another article
I hope this article will help you to delve deeper into the study of
internal control and thereby consolidate your understanding of the subject, but
at the end of the day, what matters is that you,
0 comentários:
Postar um comentário