A structured view of the attributes and nature of Internal Controls.


In the literature on internal controls, there is no standardization for the attributes and classification of internal control. Each professional institution and/or each author ends up using their understanding of the categorization of control, which does not necessarily follow the same pattern.

This lack of standardization generates some misunderstandings, which negatively impacts the understanding of the first line of management about this important instrument for the mitigation of risk factors.

This article aims to offer a more structured view of the topic of internal controls and, who knows, to start a conceptual standardization.

So, we can start this journey by reviewing the definition of internal control, based on the COSO ICF.

It says that:

"Internal control is an event or action, formalized in policies and procedures, which aims to mitigate the probability of the risk event materializing and adversely impacting the process's ability to achieve its objectives."

Looking at this definition, two points become clear:

  • The existence of an internal control is closely related to its alignment in mitigating one or more risk factors, and
  • That it is only effective when there is a condition of probability management. It is neither adequate nor effective for impact mitigation.

Now let's understand the difference between a control and a task. I still find a lot of confusion in the understanding of these concepts in organizations. It is very important, for the quality of risk and process management, to know how to clearly identify the control, differentiating it from a task, especially when we are modeling or mapping an operational process.

Let's look at the concept of tasks:

  • Task – By concept, a task is an activity that must be performed to help the operational process achieve its objectives and deliverables. It can be a registration, calculation, listing, filing, elaboration, filling and others.

Now, let's look at the control:

  • Control – It is an action that aims to mitigate the materialization of a risk event that will adversely impact the performance of a task, data and/or information processing, or the quality of the product object of the process. It can be a review, conference, recalculation, approval, validation, authorization and others.

In theory, the control activity is the action that confirms that the task or processing was performed in accordance with the pre-established procedures.

Any nonconformity in the performed task is promptly identified by the control, which requests that the task be reworked. This keeps the nonconformity from contaminating the process and impacting the quality of the product of the process.

This dynamic of “Doing” and “Reviewing”, during the processing of activities, increases the ability of the process to achieve its objectives and deliver products with the required quality.

Continuing on our journey, we now need to know the attributes of internal control. These attributes are important for us to model or evaluate an internal control, mainly in the evaluation of the design (efficiency) of the control.

Objectively, the basic attributes of control are: objective, action, evidence and periodicity.

Let's look at these attributes in a little more detail:

Attribute I - Objective: It relates to the risk factor that the control mitigates; it is possible to say that it is the positive view of the risk factor. For example:

o Risk Factor: wrong registration of the invoice information in the system.

o Control Objective: Ensure the consistency of the invoice registration in the electronic system.

Attribute II - Action: It is the control execution activity, which can be a review, a check, a recalculation, an approval and so on. Taking into account the example in item I, we can exemplify the action:

o Control action: Checking the data recorded in the system against the invoice.

Attribute III - Evidence: it is the “mark” that demonstrates that the control has been executed, which can be a stamp, a check, a tick, a check box in the system, a log, an e-mail and others. Considering the example above, we can say that the evidence is:

o Evidence: Checked mark, in a check box on the system screen where the invoice is registered.

Attribute IV - Periodicity: It refers to when the control needs to be executed, which can be daily, weekly, monthly, by event and others.

o Frequency: The verification of the invoice registration in the system must happen at each registration event.

Note that these attributes provide us with a more detailed view of the control, which is essential for professionals specializing in internal controls and/or internal auditors, so that they can model the control or evaluate its efficiency and/or effectiveness.

Now, to complement this understanding, it is also important to define the types of control, based on and performance characteristics. We can classify the control as: manual, electronic and automatic.

  • Manual control is the one that only needs the individual to be executed,
  • While electronic control needs the individual interacting with the electronic system,
  • And automatic control only needs the system to run.

Before electronic systems, controls were manually done. With the application of electronic systems in corporate processes, controls migrated to electronic controls. Now, with the convergence of automation and digitization of operational processes, we are experiencing the second wave of controls, also converging towards automated controls, based mainly on algorithms.

Now, to complement our study of internal controls, we need to work on understanding the nature of control.

The view that we bring about the nature of control is based on a process view, in which the process has access at the beginning, then the processing, and at the end the delivery of its products.

Considering this, we define the nature according to the essence of control, which can be: preventive, detective and corrective.

Let’s take a look at the concept and definition of each one:

  • Preventive controls are those located before the start of the process. They aim to prevent access by people without a profile or authorization, incomplete or wrong documents, unauthorized data or information, etc.
  • Detective controls are controls in place during the processing of process activities, after the beginning of the process until the end of the process. The purpose of these controls is to mitigate the probability of the task being performed outside the schedule and/or of information or data being processed without consistency and/or integrity. They detect, and request correction, before moving on to the next task.
  • Corrective controls, on the other hand, are controls performed on the product originating from the process, which aim to request the correction of the product of the process, if any anomaly or problems of quality, integrity and/or consistency of the product of the process are identified.

Remember that the effectiveness of internal control is related to its ability to bring the risk factor to an acceptable level of risk, which must be aligned with the risk appetite defined by the corporation.

Now we have a more structured view of the attributes and nature of internal controls. However, it is important to point out that these controls must be part of a systemic and integrated set applied to the operational process, which we call the system of internal control, but this will be a topic for another article.

I hope this article will help you to delve deeper into the study of internal control and thereby consolidate your understanding of the subject, but at the end of the day, what matters is that you,

Be happy!
