Part Two: Enterprise Risk Management, Internal Control & Internal Audit: Are They All Needed?

The right accountability and compliance mix for a government depends on its complexity, criticality, and risk appetite. However, a minimal approach could lead to inefficiencies, waste, or a disruption of services at best or, in the worst-case scenario, fraud.

Understanding the ingredients of each philosophy and function, as well as their advantages and limitations, can inform senior leaders on how to best approach accountability and compliance in their organization.

Part Two of this three-part series focuses on the Internal Control function, its main components, and how the function may inform or be impacted by Enterprise Risk Management (ERM) and Internal Audit. The particulars of ERM were addressed in Part One; the Internal Audit installment will serve as the final blog of the series.

Internal Control

An Internal Control function should be a stand-alone function that is not responsible for daily operations, transactions, or related functions. An Internal Control function can assist senior management in ensuring that the key controls underpinning the organization's goals and strategic objectives are in place, with some level of assurance that they are functioning.

Key Ingredients:

  • Management and staff responsible for day-to-day operations or transactions functions are supported in identifying and documenting departmental level controls.
  • Control processes are clarified and communicated to control owners often via process narratives and flow charts.
  • Categorized control processes rank entity risk by department and function.
  • Periodic structured reviews of control compliance (tests) are performed driven by significance of risk.
  • Compliance and related control monitoring functions in an entity are referred to as the “second line of defense” in helping to ensure controls are in place and functioning.

Relative Advantages of an Internal Control Function:

  • Demonstrates features of objectivity, as the reviewer is not the control owner or processor.
  • Mandates the documentation and transparency of controls.
  • Grants management “view” to the implementation and compliance of select controls.

Relative Limitations of an Internal Control Function:

  • Demonstrates features of subjectivity as Internal Control defers to both management and the department as to which controls are significant (Key Controls); Internal Control often reports directly, and solely, to accounting and finance.
  • Offers little assurance that the design of the controls is effective or comprehensive.
  • Typically, Internal Control does not possess inherent or derived authority to mandate actions which would mitigate non-compliance or identified gaps.

Dependencies on ERM and Internal Audit:

  • Implementation of an Internal Control function can provide senior management with some assurance that at least a minimum of the controls intended to mitigate threats to entity objectives identified by an ERM Risk Assessment have been implemented.
  • Internal Control can inform the ERM system that operational management has identified significant controls asserted to mitigate risks and whether they are functioning.
  • Internal Control can provide Internal Audit with input for its Risk Assessment and serve as a baseline for what management asserts as main threats and the controls believed to mitigate them.
  • Internal Audit can independently and objectively review the effectiveness and/or gaps in an ERM system.
  • ERM provides Internal Audit input to its independent Risk Assessment, assisting Internal Audit in the development of the audit plan helping to ensure it is aligned with the objectives, threats, and risk appetite of the organization.

Each of the three identified risk and control functions can uniquely enable an organization to better achieve its desired results. The appropriate breadth and depth of these functions at an organization can only be ascertained by a thorough, qualified analysis and review of its risk and control environment, and of how best to adjust that environment to reach organizational goals, objectives, and mission.

- John Mahlstedt, BRONNER Internal Audit Executive

John Mahlstedt

Audit Executive - Consultant - Internal Audit and Internal Controls

21 hours ago

https://www.nytimes.com/2024/11/25/business/macys-earnings-delay-accounting-error.html Is this incident a symptom of over-reliance on SOX and reduced presence of Internal Audit? Did Macy's have the "proper" compliance mix with their SOX group and Internal Audit? I would argue the rise of Sarbanes-Oxley initiatives (synonymous in government with Internal Control) has occurred largely at the expense of adequately resourced Internal Audit groups, and weakened the overall control environment, not strengthened it. While the exact details of this scenario cannot be known, we may see more and more of these types of "errors" over time. Why? SOX departments are not independent and objective; they report through accounting/finance, not an independent board. They focus on key controls driven by dollars, not weak control environments identified through Risk Assessments. SOX functions clearly have a role, but is this incident a symptom of over-reliance on SOX and reduced presence of Internal Audit? I would argue maybe, but I welcome your comments.
