The purposes of internal control & audit system are often misunderstood by management as they see it as another administrative layer. This is partly caused by their perception of risks mainly oriented towards operations. On their side, the internal control methods target general risks. The misunderstanding is also fueled by the confusion with ISO certifications : unlike ISO 9000 audits, internal audits are not conformity audits.
A major reason for management confusion is the difference in perception of what are risks.
Managers are naturally focusing on “business risk”. On their side, Internal control methods merely focus towards “general common cross-risks ” (risks shared by all kind of businesses). In fact, none of these 2 visions are correct: the ideal internal control system for an entity is not standard. It is necessarily a custom instance to the entity concerned. It combines “common cros-risks” and specific business risks.
The managers of an entity engaged in a given trade see mainly the “business risk”. This is for example machine breakdown risks on a production line, competitive risks in marketing activity, risks of bugs in software activities. They remotely perceive the “common cross-risks” (fraud, reliability of accounting, regulatory compliance …).
For their part, the internal control methods are standard. So they provide tools focusing on general risks shared by most business activities. It is the “common cross-risk”. Control methods intend to raise awareness about these risks. Unfortunately it often lead to complex system that should be simplified. General risks are potentially very numerous: in order not to miss anything, methods try to cover a broad spectrum. These good intentions are counter-productive.
A second confusion regards the very purpose of internal audits. They are not a compliance audit with internal procedures, like the ISO 9000 audit type.
This confusion is fueled by internal control methodologies that evoke too often the system of internal procedures as the main method of risk control. This is not the reality of the company, especially concerning the biggest risks of an entity which are the COSO main target.
Even if the internal procedures of entities contribute significantly to the good control of risks and activities, mere procedure compliance is not enough. The biggest risk are rarely controlled through procedures.
ISO9000 and internal audits are different. Internal audit goes beyond conformity. Therefore it will certainly be more difficult to get a good internal audit conclusion versus the validation of a ISO9000 system. Indeed an ISO9000 certified entity may have a negative internal audit result (orange or red). Such entity can define a quality system on a given perimeter, perfectly implement it, but without sufficiently mitigating some of its major risks.
In addition, I believe that internal auditors have a stronger independence with the auditees, allowing them to catch more findings. The commercial relationship between the manager of an entity and a ISO9000 auditing team is more fragile than using employees of a large Group to perform internal audits. Indeed, the internal auditors are employees of the company. Therefore the links with the management, or the hopes of future links, can hurt this independence. It is a potential risk, whereas for ISO certification audits the risk is proven because the commercial link is inevitable.
Of course this point is only valid in foreign countries, and especially in France. The translation of “internal control” is the word “controler” which has a different meaning in French. “Controler” in French relates to ”check” rather than “master”. Therefore internal control is commonly understood in France as a set of low level process conformity inspections rather than a senior management issue addressing the question of mastering activities and major risks.
After this post, focusing on the balance between business risks and general risks, let’s have a look to the next post for managers: Risk identification is often more complex than risk control.