Based upon notes taken from Ch. 7 of the RIMS text Enterprise Risk Management, edited by Michael W. Elliott, published 2013 by The Institutes.

The Nature of Controls

According to the text, controls are used to assess whether the organization’s actions are the ones expected, that is, to check that the organization’s processes are functioning as intended. Originally connected with detecting errors and fraud, they are now related to the organization’s goals, financial reporting and compliance.

A review of the definitions of internal controls confirms this expansion in their function. In the definitions given by the Canadian Institute of Certified Public Accountants, COSO, and the Institute of Internal Auditors, the net is cast very wide, mentioning resources, processes, tasks, culture, etc. So, while the initial focus was on errors, the definitions now encompass just about anything having to do with the organization.

I believe this broad approach to the definition of controls can result in confounding the risk management and audit roles, where the auditor might end up in a conflict by having to assess the quality of the very risk identification work that he or she has done.

Distinction between Controls and Risk Management

Further discussion in the RIMS text of internal controls touches on safeguarding assets; ensuring compliance; and promoting operational efficiency and effectiveness.

But note that these schemas do not address uncertainty; that is, they are not risk management. So, one could imagine that, for example, BlackBerry might have had exemplary controls and protection of its assets against exposure, yet failed to identify the strategic risk that materialized and destroyed its markets. But did the audit function ever check the efficacy of the firm’s strategic risk management practice?

On pp. 7.6 and 7.7 we read of the refinement of the definition, and the evolution of the role, of internal control and audit. The Federation of European Risk Management Associations (FERMA) states that the board and audit committee “need to receive assurance that adequate and effective controls exist to monitor and manage the critical risks”. What about vetting the quality of the risk identification process?

Keeping the Audit Function Separate

On page 7.7 an excerpt from Corporate Compliance Insights states that the role of audit has shifted from mere compliance and cost reduction to adopt a stakeholder orientation. Auditors should “help stakeholders anticipate” risk. Now we are in the grey area where auditors “identify exposure to unforeseen events”, as the author recommends. Have not auditors then crossed the line from providing assurance of processes to executing a management function?

In summary, then, I believe that controls should function as quality checks on risk ID processes. A check on the quality, rigour and consistency in application of the risk identification process is good — but this control should not substitute for the risk ID process itself.

Some audit and risk professionals have expressed similar views. One risk manager from Hydro One at a conference I attended a few years back said: “we don’t want audit checking things that have their fingerprints all over them.”