Showing posts with label #control. Show all posts

Tuesday, March 10, 2026

The Illusion of Security: Why Your Internal Control Might Be a House of Cards


Once, during a consulting project, a manager told me something that sounded reassuring: "We have control for outgoing goods; it’s done every single day." However, as I dove into the process, I discovered the harsh reality behind those words. That "control" was merely an employee jotting down what left the warehouse in a notebook: no verification, no signature, and no oversight. In the manager's mind, the risk was covered; in practice, he had a hollow procedure, not an effective control.

Many people confuse control with bureaucracy, and I often hear that "bureaucracy kills business." But that isn't true. 

Bureaucracy, in its essence, is not a bad thing. If we look at Max Weber’s theory, we understand that it was conceived as a form of human organization based on rationality, ensuring impersonality, a clear hierarchy, and meritocracy. It ensures that the process depends on the rule, rather than the mood of whoever is executing it. 

I always say that bureaucracy is simply the formalization of what is already working.

The real problem isn't bureaucracy itself, but "bureaucratic excess", when the ritual becomes more important than the result. 

An internal control system based on best practices, right sized to keep risk factors within acceptable levels, is essential for operational efficiency. It creates order and prevents the "rigidity" that often blinds an operation.

We know that internal control is an action designed to mitigate the cause of a risk before it materializes. It manifests in the "doing": in the review, the verification, the recalculation, and the careful approval. If there is no confrontation between "what should be" and "what is," the risk continues to walk freely through your company’s hallways.

For a control action to be more than just figurative, it requires four non-negotiable attributes:

  • First, the Objective, which is the very reason for its existence and must target the risk factor. For example, if the risk is the use of incorrect labor hours, the objective is to ensure that the hours in the payroll system are consistent with the time-tracking system.

  • Second, Practical Action, such as a data verification. It is vital to formalize how this action is performed so that a "prudent person" could re-perform it.

  • Third, the Evidence, because a control without a trail is invisible. It could be a sign-off, a system log, or an email. To an auditor or an internal controls specialist, a lack of evidence implies the control does not exist.

  • Finally, the Frequency, which must match the speed of the risk, whether it be daily, monthly, or per event.


When we talk about Control Modeling, the starting point is knowing the risk factor and the magnitude of what we are mitigating, allowing us to define the necessary attributes to keep the operation within the organization's risk appetite. 

These same attributes allow us to evaluate Design Efficiency, concluding whether the control has the theoretical capacity to mitigate the risk.

Once we move to Effectiveness Evaluation—the actual control testing—the focus shifts to two crucial points: discipline, observing if the evidence exists within the defined frequency; and quality, re-performing the action to ensure it wasn't just a formality.

This is why these attributes must be formalized, at the very least, in an Internal Control Matrix.
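To make the four attributes and the two effectiveness tests concrete, here is an added example (my own illustration, not code from the post or from its author) that models one row of an Internal Control Matrix for the payroll-hours control described above. The employee ids, hours, dates, sign-off records and the period under test are all constructed sample data; the discipline test looks for scheduled dates with no evidence, and the quality test re-performs the reconciliation and compares it with what each sign-off claims.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data (not from the post): daily hours by employee as
# recorded in the time-tracking system ("what should be") and in payroll
# ("what is"). Keys are (employee id, day).
TIME_TRACKING = {
    ("emp-001", date(2026, 3, 2)): 8.0,
    ("emp-001", date(2026, 3, 3)): 8.0,
    ("emp-002", date(2026, 3, 2)): 6.5,
    ("emp-002", date(2026, 3, 3)): 8.0,
}
PAYROLL = {
    ("emp-001", date(2026, 3, 2)): 8.0,
    ("emp-001", date(2026, 3, 3)): 10.0,  # two hours not backed by time tracking
    ("emp-002", date(2026, 3, 2)): 6.5,
    ("emp-002", date(2026, 3, 3)): 8.0,
}


def reconcile_hours(payroll, time_tracking, day=None):
    """The control's practical action, formalized so that a 'prudent person'
    can re-perform it: list every (employee, day) where the two systems differ.
    With `day` set, only that day's records are confronted."""
    keys = set(payroll) | set(time_tracking)
    if day is not None:
        keys = {k for k in keys if k[1] == day}
    return sorted(
        (emp, d.isoformat(), payroll.get((emp, d)), time_tracking.get((emp, d)))
        for emp, d in keys
        if payroll.get((emp, d)) != time_tracking.get((emp, d))
    )


@dataclass
class Evidence:
    """The trail left by one execution of the control (a sign-off record)."""
    performed_on: date
    performed_by: str
    discrepancies_reported: int


@dataclass
class ControlMatrixEntry:
    """One row of an Internal Control Matrix: the four attributes plus its trail."""
    objective: str
    action: str
    frequency_days: int
    evidence: list = field(default_factory=list)


def design_is_adequate(control):
    """Design efficiency: every attribute is defined and the frequency is set."""
    return bool(control.objective and control.action and control.frequency_days > 0)


def discipline_gaps(control, period_start, period_end):
    """Effectiveness, step 1 (discipline): scheduled dates with no evidence."""
    evidence_dates = {e.performed_on for e in control.evidence}
    missing, day = [], period_start
    while day <= period_end:
        if day not in evidence_dates:
            missing.append(day.isoformat())
        day += timedelta(days=control.frequency_days)
    return missing


def quality_failures(control, payroll, time_tracking):
    """Effectiveness, step 2 (quality): re-perform the action for each sign-off
    day. A sign-off reporting zero discrepancies where re-performance finds
    some is a 'window dressing' control: evidence exists, action did not."""
    return [
        e.performed_on.isoformat()
        for e in control.evidence
        if len(reconcile_hours(payroll, time_tracking, e.performed_on))
        != e.discrepancies_reported
    ]


# Constructed control matrix row for the post's payroll example.
PAYROLL_HOURS_CONTROL = ControlMatrixEntry(
    objective="Hours paid in payroll are consistent with the time-tracking system",
    action="Daily reconciliation of payroll hours against time-tracking hours; "
           "every difference is investigated before the payroll run",
    frequency_days=1,
    evidence=[
        Evidence(date(2026, 3, 2), "payroll analyst", discrepancies_reported=0),
        Evidence(date(2026, 3, 3), "payroll analyst", discrepancies_reported=0),  # signed, not done
    ],
)
PERIOD = (date(2026, 3, 2), date(2026, 3, 4))  # constructed test period


def evaluate_control(control=PAYROLL_HOURS_CONTROL, period=PERIOD):
    start, end = period
    return {
        "design_adequate": design_is_adequate(control),
        "discipline_gaps": discipline_gaps(control, start, end),
        "quality_failures": quality_failures(control, PAYROLL, TIME_TRACKING),
    }


if __name__ == "__main__":
    print(evaluate_control())
```

On the sample data the design passes, but the control fails both effectiveness tests: March 4 has no evidence at all (discipline), and the March 3 sign-off claims zero discrepancies while re-performance finds two hours of payroll not backed by time tracking (quality). Separating the two tests matters, because a perfectly disciplined trail of sign-offs says nothing about whether the action behind them was executed.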

It is also fundamental to understand that control is neither absolute nor infallible, as it is designed and executed by people. And where there are humans, there is vulnerability—whether through errors in judgment or, in grave cases, omission, fraud, and collusion. Therefore, the effectiveness of a control does not reside solely on paper, but in the discipline and ethical stance of its execution.

Recently, the market witnessed a testimony that serves as a stark warning. A former bank director admitted to signing documents without reading them. More than a momentary lapse, his confession revealed a void: despite heading the department, he did not perform monitoring or prevention duties. Here we have the perfect "Window Dressing Control"—the evidence and frequency exist, but the execution of the action is null.

Unfortunately, this is not an isolated case; it is present in many corporations where management still mistakenly views control as mere bureaucracy.

To conclude, I leave you with a thought for reflection:

"The effectiveness of a control depends on action, evidence, and frequency, but it only stops being a house of cards when the integrity of the person executing it is greater than the convenience of simply signing."

Be happy!

Wednesday, February 5, 2025

Courage: The Foundation of Objectivity in Auditing – Are You Prepared?


Auditing is an essential pillar of corporate governance, requiring professionals to commit fully to objectivity. Objectivity represents the auditor's independence in expressing their opinion without being influenced by external forces or personal conflicts. However, this objectivity cannot be sustained without a fundamental component: courage. When conducting their work, auditors must be prepared to face challenges, resist external pressures, and communicate their conclusions with unwavering ethics and transparency.

Courage and Independence: Inseparable in Auditing

An auditor’s independence goes beyond rules and regulations. It manifests in a resolute stance against attempts at influence and manipulation. In many instances, auditors encounter conflicting interests that seek to mitigate or even conceal critical information. In this scenario, courage becomes the anchor that ensures a rigorous and impartial assessment, protecting stakeholders and safeguarding the integrity of financial reports.

According to Domain II of the Global Auditing Standards, objectivity and courage are fundamental ethical principles for auditors. This domain establishes that auditors must maintain independent thinking and demonstrate resilience in the face of challenges that could compromise their professional integrity. Thus, courage becomes an essential element in ensuring that professional judgment is exercised freely and impartially.

Facing Pressures and Ethical Dilemmas

Internal and external pressures can arise from various directions, from managers attempting to downplay irregularities to clients seeking to influence opinions. Without the necessary courage to resist these pressures, audit objectivity is undermined. Therefore, auditors must align their ethical stance with emotional resilience, ensuring that their work remains uncompromised by adverse circumstances.

Transparent Communication: A Reflection of Courage

Courage is not limited to resisting pressures; it also manifests in the clarity and firmness with which auditors communicate their findings. Audit reports often contain sensitive information that may be uncomfortable for those involved. However, truth and transparency must always prevail, regardless of potential retaliation or dissatisfaction from the audited parties.

Building a Culture of Courage in Auditing

To strengthen objectivity in auditing, organizations must foster a culture of courage. Continuous training, institutional support, and guidelines that protect auditors from retaliation are fundamental elements of this process. Furthermore, audit leadership must set an example, demonstrating that ethics and truth are non-negotiable values.

Final Reflection

Complete objectivity in auditing can only exist when accompanied by courage. The auditor who stands firm in their ethical and professional principles significantly contributes to the reliability and transparency of governance processes, even if this stance may cost them adversaries or even their job.

Therefore, it is important for you to reflect: How is your objectivity? How do you escalate your findings or opinions? Are you prepared to face the challenges that auditing imposes and maintain your unwavering integrity?

Remember: ethics and truth are non-negotiable values.

Be happy!


Thursday, July 28, 2022

Let's make enterprise risk management simple!



Today I want to bring to our reflection a fundamental theme for the consolidation of corporate governance.

Let's talk about enterprise risk management.

I was preparing the course, and I came across a slide that I use to explain the structure applied to risk management, and I felt motivated to bring this topic to our discussion.

Anyone who follows me on social media knows that I always try to bring a simple view to important topics related to management and governance, facilitating understanding and their application in corporate activities.

Simplicity is currently a competitive advantage for the organization, but understand that being simple does not mean being superficial.

Well, let's get back to our topic, which is risk management.

In a simple way, I can say that:

“Managing risks is a proactive activity, looking to the future, understanding the events, external and/or internal, that may materialize and adversely impact the company's or process's ability to achieve its objectives; evaluating them for their magnitude, and treating them based on the acceptable levels of risk defined by the corporation.”

The primary objective of risk management is to allow the corporation, in the pursuit of fulfilling its mission, to conduct, direct and maintain its activities, actions and decisions, within its acceptable level of risk, defined by risk appetite.

The starting point for risk management is the correct understanding of objectives, whether strategic, corporate and/or operational. If we do not know the objectives clearly, it is difficult to know the risks in a comprehensive way.

Not using objectives as a basis for identifying risks is the most common mistake I find in corporations, causing time and resources to be spent in a wrong and ineffective way.

Remember that the risk event directly impacts the ability to achieve the objectives.

Regarding the operational objectives, those that relate to the various existing processes for the operationalization of the organization's activities, I recommend the definition of the objectives inherent to each of the processes, as well as the objectives related to legal compliance, objectives related to moral values of the organization, and objectives related to the consistency, integrity, confidentiality and recoverability of the processed data.

The better the definition of objectives, the more effective the identification of risks tends to be.

Well, since we have already determined the objectives, we now begin the process of identifying the events, external and/or internal, that may impact the corporation.

Then, in a simple way, we begin to identify the risks that, if materialized, will adversely impact the organization's ability to achieve its objectives. We can see risk as the negative view of the objective, for example: if one of the inherent objectives of a purchasing process is to buy only products and/or services necessary for the operation of the corporation, the risk may be the purchase of products and/or services not necessary for the operation.

Based on the understanding of the objectives, try to identify all risk events that relate to it. This is a brainstorming activity. There is no Cartesian way of doing this.

Once all the perceived risks are related, the next step is to know their causes, that is, the events that could materialize the risk.

It is the risk factors (causes) that we assess the magnitude of and that we treat, so it is important to be judicious in identifying them.

To illustrate, let's go back to the example of the purchasing process: why can the corporation buy products and/or services not necessary for the operation? The answers to this question will allow us to identify the risk factors. Example:

  a. A wrong purchase requisition;
  b. Lack of inventory planning;
  c. A fraud.

This procedure must be performed for all identified risks, without exception.

Very well, at this point, our risk matrix already has three basic columns: Column of objectives, column of risks related to each of the objectives and column of risk factors related to each of the identified risks.

The next step is the analysis and assessment of risk factors through the matrix reading of probability (frequency) and impact (in several dimensions, such as financial, image, market-share and others).

At this point, it is important that the corporation has metrics, approved by senior management, to assess the magnitude (probability and impact) of risk factors.

It is also important that the company already has a risk appetite defined by top management. As a suggestion, to facilitate the risk management process, guide senior management to define the risk appetite based on the heat map resulting from the metrics, indicating the quadrant that should be considered as the accepted level of risk.

I like to use metrics with five levels of probability and five levels of impact, so that the heat map has quadrants from 01 to 25. In this case, risk appetite can be defined as one of the existing quadrants; for example, senior management can set its risk appetite at quadrant six, so anything above that will need to be addressed.

One of the problems that I come across, in this evaluation stage, is in relation to the use of complex metrics, with the inclusion of weights, weighted average and other calculations that only bring complexity and delay to the process.

Note that, more important than the accuracy of the risk factor measurement, is the action that management takes to address it. It doesn't matter if the risk is 15,234 or 15, what really matters is the action that management takes to mitigate the risk factor.

The calculation is simple: probability x impact = gross risk

Another important point at this stage of the evaluation is the definition of impact, that is, if the event materializes, what impact will it bring to the organization. Some corporations seek to assess impact through a weighted average across the various dimensions. The suggestion is to work with the dimension that receives the primary impact, and not with a weighted average of the impact in the different dimensions, because, note that this is not how it happens in reality. Example: if the event materializes and impacts the image, it will not necessarily impact, simultaneously, the other dimensions measured, so it is best to focus on treating the effect on the image, ensuring that it does not affect secondarily the other dimensions.

Okay, now that we know the magnitude (gross risk) of all risk factors, whether inherent, compliance, fraud, or IT, the next step is to compare the magnitude obtained with the risk appetite and, based on this, determine the best treatment to align the gross risk with the risk appetite determined by the organization.

Keep in mind that the primary objective of risk management is to enable the corporation to act within its acceptable level of risk, formalized through the definition of risk appetite.

Risk factor treatment can be: Accept, Share, Avoid and Mitigate.

We can accept the risk when the gross risk is already aligned with or below the risk appetite. However, accepting the risk does not mean doing nothing, but monitoring the risk factors, because what is low today may change tomorrow, and with that change, so may our treatment.

Another important point is in relation to who can accept the risk, and my suggestion is that it needs to be accepted by the statutory managers, since legally they are the ones who take the risk for the company, including with their private assets.

Sharing risk is a process where another corporation, be it a financial institution or an insurance company, agrees to take part of the risk for the company. Example: insurance policies, or a foreign exchange hedge. Note that this is a response on impact, not on probability.

Another form of treatment for risk factors is risk avoidance. It is one of the most difficult answers to work with, because in order to avoid risks, the organization can no longer be exposed to risk, which means, in most cases, strategic decision-making, such as the company's exit from a market, or closing a unit, or not carrying out an operation, etc.

Finally, we have the possibility of mitigating the risk factor, which operationally speaking, requires the implementation of an internal control to mitigate the probability of the risk event materializing.

Just remembering that internal controls are:

“Actions, formalized in policies and procedures, aimed at mitigating the probability of materialization of the risk event. These are actions of review, checking, certification, validation, authorization, approval, etc.”

Depending on the materiality and nature of the risk, in addition to the probability response, it will be necessary to prepare a contingency plan, which aims to minimize the effect of the impact, when the risk event materializes.

Once the responses have been determined and implemented, the next step is to calculate the residual risk, which is the effect remaining after the treatment action, and make sure it aligns with the risk appetite defined by the corporation.
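The procedure above, from the three columns of the risk matrix through gross risk, comparison with the risk appetite, treatment and residual risk, as an added example in Python. This is my own illustration, not code from the post or its author: the 5x5 levels, the appetite at quadrant six and the purchasing-process factors follow the text, while the individual probability and impact scores, the treated values and the fourth factor are constructed sample values. The example also enforces two rules the post states in prose: impact is scored on the primary dimension only (no weighted average), and Share acts on impact, not probability.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed: a 5x5 heat map scores quadrants 1..25, and senior management
# has set its risk appetite at quadrant 6, so anything above 6 must be treated.
RISK_APPETITE = 6
TREATMENTS = ("Accept", "Share", "Avoid", "Mitigate")


@dataclass
class RiskFactor:
    objective: str                 # matrix column 1
    risk: str                      # column 2: the negative view of the objective
    factor: str                    # column 3: the cause that could materialize the risk
    probability: int               # 1..5
    impact: int                    # 1..5, primary impacted dimension only (no weighted average)
    treatment: str = "Accept"
    # What the treatment changes: an internal control lowers probability; sharing
    # or a contingency plan lowers impact. None means "unchanged by the treatment".
    treated_probability: Optional[int] = None
    treated_impact: Optional[int] = None


def check_level(value):
    """Metrics approved by senior management: five levels, nothing fancier."""
    if value not in range(1, 6):
        raise ValueError(f"level must be 1..5, got {value!r}")
    return value


def gross_risk(probability, impact):
    """probability x impact = gross risk (the heat-map quadrant, 1..25)."""
    return check_level(probability) * check_level(impact)


def residual_risk(rf):
    """Effect remaining after the treatment action."""
    if rf.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {rf.treatment!r}")
    if rf.treatment == "Avoid":
        return 0  # the organization is no longer exposed to this factor
    p = rf.treated_probability if rf.treated_probability is not None else rf.probability
    i = rf.treated_impact if rf.treated_impact is not None else rf.impact
    if rf.treatment == "Accept" and (p, i) != (rf.probability, rf.impact):
        raise ValueError("Accept changes nothing; it means monitoring the factor")
    if rf.treatment == "Share" and p != rf.probability:
        raise ValueError("Share is a response on impact, not on probability")
    return gross_risk(p, i)


def evaluate(register, appetite=RISK_APPETITE):
    """Compare gross risk with the appetite, then check the residual is aligned."""
    rows = []
    for rf in register:
        gross = gross_risk(rf.probability, rf.impact)
        residual = residual_risk(rf)
        rows.append({
            "factor": rf.factor,
            "gross": gross,
            "needs_treatment": gross > appetite,
            "treatment": rf.treatment,
            "residual": residual,
            "aligned": residual <= appetite,
        })
    return rows


# The post's purchasing-process example; scores and treated values are constructed.
OBJECTIVE = "Buy only products and/or services necessary for the operation"
RISK = "Purchase of products and/or services not necessary for the operation"


def sample_register():
    return [
        RiskFactor(OBJECTIVE, RISK, "Wrong purchase requisition", 4, 2,
                   "Mitigate", treated_probability=2),              # gross 8 -> residual 4
        RiskFactor(OBJECTIVE, RISK, "Lack of inventory planning", 3, 3,
                   "Mitigate", treated_probability=2),              # gross 9 -> residual 6
        RiskFactor(OBJECTIVE, RISK, "Fraud", 2, 5,                  # control + contingency plan
                   "Mitigate", treated_probability=1, treated_impact=3),  # gross 10 -> residual 3
        RiskFactor(OBJECTIVE, RISK, "Duplicate requisition from two departments", 2, 3),
        # gross 6: already within appetite, accepted and monitored
    ]


if __name__ == "__main__":
    for row in evaluate(sample_register()):
        print(row)
```

Note that the register deliberately stores only one impact score per factor and only the product of two levels, following the post's point that a score of 15 and a score of 15.234 lead to the same management action. The `aligned` column is the final check the post asks for: residual risk at or below the appetite quadrant.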

Remember that simplicity is currently a competitive advantage! Bring simplicity to operation, not superficiality!

Be happy!

Wednesday, September 22, 2021

Assessment Test - Control, Compliance & Substantive





Hi!

As you may know, one of my goals as a professional is to inspire people to innovate, thus helping to develop their knowledge, improving their skills.

For this, one of the ways I use is the creation of specialist figures, like the one above.

• When we are carrying out an evaluation of the process and the internal control system, whether by the internal controls area or by the internal audit, it is very important that the definition of the procedures and techniques used is aligned with the nature of the evaluation, whether it is an evaluation of performance, compliance, and/or accounting.

• The choice of which test to apply in gathering the evidence needed to issue an opinion must also take into account the scope and object of what is being evaluated.

• In this figure, the three types of existing tests and the attributes for their applicability are described, according to my understanding.

• You will usually find substantive and compliance tests in the existing bibliography, considering compliance to be the test that applies in the validation of control or else in the assessment of legal compliance.

• I segregate this test into two: control test, which is used to test the effectiveness of the control and compliance test, which is used to assess whether the activity and/or product of the process was performed in accordance with legal requirements.

I hope that this understanding and this figure are useful for your professional activities, and I am available for any doubts that may exist. Enjoy and follow us on Instagram, Linkedin, Facebook, and the TV Crossover Brazil channel on Youtube.

Be happy,

Eduardo Person Pardini