Part Two: Enterprise Risk Management, Internal Controls & Internal Audit: Are They All Needed?

The right accountability and compliance mix for a government depends on its complexity, criticality, and risk appetite. However, a minimalist approach could lead, at best, to inefficiencies, waste, or a disruption of services and, in the worst case, to fraud.

Understanding the ingredients of each philosophy and function, as well as their advantages and limitations, can inform senior leaders on how to best approach accountability and compliance in their organization. 

Part Two of this three-part series focuses on the Internal Controls function, its main components, and how the function may inform, or be impacted by, Enterprise Risk Management (ERM) and Internal Audit. ERM was addressed in detail in Part One; the Internal Audit installment will be the final post of the series.

Internal Control

An Internal Control function should be a stand-alone function that is not responsible for daily operations or transactions. It can assist senior management in ensuring that the key controls underpinning the organization’s goals and strategic objectives are in place, with some level of assurance that they are functioning.

Key Ingredients:

  • Management and staff responsible for day-to-day operations or transaction functions are supported in identifying and documenting department-level controls.

  • Control processes are clarified and communicated to control owners often via process narratives and flow charts.

  • Categorized control processes rank entity risk by department and function.

  • Periodic, structured reviews (tests) of control compliance are performed, prioritized by the significance of the risk.

  • Compliance and related control monitoring functions in an entity are referred to as the “second line of defense” in helping to ensure controls are in place and functioning.

Relative Advantages of an Internal Control Function:

  • Demonstrates features of objectivity, as the reviewer is not the control owner or processor.

  • Mandates the documentation and transparency of controls.

  • Grants management a “view” of the implementation of, and compliance with, select controls.

Relative Limitations of an Internal Control Function:

  • Demonstrates features of subjectivity, as Internal Control defers to both management and the department as to which controls are significant (Key Controls). Internal Control also often reports directly, and solely, to accounting and finance.

  • Offers little assurance that the design of the controls is effective or comprehensive.

  • Typically, Internal Control does not possess the inherent or delegated authority to mandate actions that would remediate non-compliance or identified gaps.

Dependencies on ERM and Internal Audit:

  • Implementation of an Internal Control function can provide senior management with some assurance that at least a minimum set of controls, intended to mitigate the threats to entity objectives identified by an ERM Risk Assessment, has been implemented.

  • Internal Control can inform the ERM system which significant controls operational management has identified as mitigating risks, and whether those controls are functioning.

  • Internal Control can provide Internal Audit with input for its Risk Assessment and serve as a baseline for what management asserts as main threats and the controls believed to mitigate them.

  • Internal Audit can independently and objectively review the effectiveness of, and gaps in, an ERM system.

  • ERM provides input to Internal Audit’s independent Risk Assessment, assisting Internal Audit in developing an audit plan that is aligned with the objectives, threats, and risk appetite of the organization.

Each of the three identified risk and control functions can uniquely enable an organization to better achieve its desired results. The appropriate depth and breadth of these functions at a given organization can only be ascertained by a thorough, qualified analysis and review of its risk and control environment, and of how best to amend that environment to reach organizational goals, objectives, and mission.
