An online forum was discussing how to explain Internal Audit to a layman. An interesting idea, which defines Internal Audit and its relationship with the Internal Control and Risk Management functions, was put forward: “The Umbrella metaphor”. The umbrella represents Internal Control, which protects the Organization (who holds the umbrella) from the rain, which represents the risks to which the Organization is exposed.
Internal Audit is responsible for testing the umbrella’s structure and generating an opinion: whether it performs its function well or whether it has flaws.
Internal Audit should inform the Organization of its opinion on how well the Internal Control is able to protect it and, ultimately, of the likelihood of getting wet. Someone added: when whoever holds the umbrella realizes the potential impact of the threats (the rain), identifies the direction from which the biggest drops come and, consequently, defines the size and resistance of the umbrella and points it in a certain direction, the Organization is performing the Risk Management function.
It seemed a very good image to me. Of course, in real life companies are complex organizations, as are the economic, regulatory and social environments in which they operate. As a result, things are not black and white. In financial institutions, to comply with regulatory imperatives, these functions are autonomous and their missions tend to be well defined. In other organizations, the boundaries and responsibilities are more diffuse. Sometimes the Internal Control and/or Risk Management functions do not formally exist, and it is often Internal Audit that performs them. I believe there isn’t a one-size-fits-all model that suits each and every company. Depending on the size of the Organization, the nature and complexity of the business, and even where, historically, these functions have been performed, there may be different organization charts, with or without autonomous functions.
What seems irrefutable is that, these days, it is vital for companies to perform these functions. The unstable economic environment, the many corporate scandals and even the austerity measures to which most countries were recently subjected impose a greater responsibility towards the Market and the stakeholders.
Investors and shareholders need to be assured that top management has a correct perception of the risks to which the company is exposed. Anything less is not acceptable. And the only credible way of providing such assurance is by demonstrating that:
- top management is aware of the risks affecting the company;
- those risks are (well) evaluated;
- the business processes in which these risks occur are fully identified;
- risks are treated and, where appropriate, there are controls in place to mitigate them;
- the effectiveness of those controls is monitored so that corrective action can be taken in a timely manner.
In other words, we build our “umbrella”! If we are able to demonstrate that the umbrella exists and is regularly “inspected”, we do not have a guarantee that we are immune to risks, but we do have a guarantee that top management has full knowledge of the existing risks and of how they can impact the organization, and that there are controls in place to minimize their impact or likelihood of occurrence.
This is the type of information that identifies robust companies, whose management can anticipate potential problems and remedy them in a timely manner. It is the kind of information that gives credibility to business plans and to announcements of future prosperity. Consequently, it is the kind of information that reassures investors and provides reasonable assurance that unpleasant surprises will not show up behind every door.
Therefore, there is a greater propensity to invest in such companies, and customers, suppliers, employees and regulators can be more confident about their sustainability and solvency.