New Trends in Internal Control Risk Management - With Special Reference To Europe
At present, the environment in which organizations operate is increasingly complex, ambiguous, uncertain and volatile, so the risks they face keep growing. For all these reasons, organizations must build continuous, up-to-date assurance that their controls work, so that risks can be mitigated and the organization can adapt to change.
This changing environment increases the need to implement a good internal control system, one that detects the risks the organization faces and keeps them within permissible levels. This article addresses some of the current trends in the risks that an organization's internal control may face.
In the management of internal control and auditing, new challenges and risks keep appearing, which creates the need to seek new concepts and contributions that allow the auditor to provide as complete a service as possible, with an integrated view of management and business organization.
This article aims to deepen the analysis of some of the newest risks that affect internal control and, consequently, the auditor's work. It is important that both organizations and auditors are aware of them, so that they can prepare and train in a way that minimizes their impact and reaches optimal levels of effectiveness and efficiency in the design of controls for the risks that affect internal control.
The new trends described in this article are:
• Fight against corruption and fraud prevention
First, the term compliance is highlighted, together with the growing interest of companies in incorporating this function as a preventive instrument to avoid possible criminal sanctions, including new non-normative elements such as the company's ethical principles.
According to Elena Moreno García in her article “What is compliance?” (2017), compliance or regulatory compliance is the need for a company to establish appropriate procedures to ensure that managers, employees and other related agents comply with current regulations. To do this, it is necessary to identify and classify the legal risks they face and establish mechanisms for prevention, management, control and reaction. When talking about the regulatory framework, we refer not only to laws but also to internal policies, commitments to customers, suppliers or third parties, and especially the ethical codes that the company has committed to respect, since there are many cases in which an action can be legal but unethical.
This movement is leading companies to have a greater culture of ethics and greater involvement with regulatory compliance. An example of this is the approval of Circular 1/2016 on the criminal liability of legal persons of the State Attorney General's Office. This document gives instructions to prosecutors to assess the effectiveness of regulatory compliance or compliance plans in companies, which after the reform are configured as an exemption from criminal liability, incorporating a complete regulation of regulatory compliance programs or compliance guides.
In addition, with the entry into force of Royal Decree 424/2017, of April 28, which regulates the legal regime of internal control in the entities of the Local Public Sector, the new internal control model has been launched at the local level, through the intervening function and financial control. This control model is part of the new compliance policies in the public sector and, consequently, constitutes a new risk prevention model.
The public sector is recognizing the importance of compliance and beginning to apply this kind of management, betting on the need for regulatory compliance mechanisms to control crime in the public sphere. On May 23, 2018, the 1st Compliance Congress in the Public Sector was held, organized by the WCA (World Compliance Association) and the University of Castilla-La Mancha. With major and renowned experts in the field, the main lines of reflection that currently focus the debate were addressed through the following blocks:
• Need for Compliance in the Public Sector. Regulatory compliance and crime control
• External Control of Public Funds and Regulatory Compliance
• Implementation of Compliance Strategies and Instruments in the Public Sector
• Compliance and Fraud Prevention in the Management of European Structural and Investment Funds
• Statute of the Compliance Officer
• Public Procurement and Compliance
As Sylvie Bleker and Dick Hortensius indicate in “ISO 19600: The development of a global standard on compliance management” (2014), “compliance management goes beyond the mere satisfaction of legal requirements. Compliance is also related to meeting the needs and expectations of most stakeholders. Therefore, making sound decisions and setting priorities is an important part of compliance management. ISO 19600 follows a risk-based approach to compliance management.”
Sylvie Bleker and Dick Hortensius also indicate that compliance management is much more than simply complying with the requirements of laws and regulations. Organizations have to deal with different types of requirements from a wide variety of stakeholders, such as certificates, key standards and benchmarks that have been chosen voluntarily, as well as their own company policies, standards and codes.
Therefore, ISO 19600 has been developed as a guide for compliance management and not as a specification that provides requirements.
With the birth of compliance, the figure of the Compliance Officer has emerged, who is responsible for ensuring compliance with the applicable regulations or any type of legislation related to the sector. The Compliance Officer has become more important because, since July 1, 2015, the reform of the Criminal Code obliges any company or professional to have a Director of Regulatory Compliance or to contract the services of an external company to carry out this work.
The main functions of this figure are set out in ISO 19600, and Ana Díaz Escudero in “Analysis of the theoretical and legal framework of the evolution of the liability of legal persons and the obligations of the compliance officer” (2017, 50) summarizes them as follows:
1. It is the administrative body to which the functions of supervising the program and its effectiveness are assigned (supervisory body).
2. It is the body with the power to control and monitor the programs and their application (responsible for regulatory compliance).
3. It holds the position from which it must point out the faults, defects or omissions of both the program and its application.
For all the above, the importance of compliance in the new trends in internal control risk management is becoming evident, and how companies will have to establish controls in this regard.
3. CYBERSECURITY
Another important trend in internal control is cybersecurity. The rapid appearance of new technologies and organizations' online presence undoubtedly adds value, but no existing hardware or software device is exempt from suffering a computer attack.
According to Javier Carvajal Azcona, in his article “Definition of cybersecurity and risk” (2017), ISACA (Information Systems Audit and Control Association) defines cybersecurity as the “Protection of information assets, through the treatment of threats that put at risk the information that is processed, stored and transported by the information systems that are interconnected”.
According to Samir M. El-Gazzar and Rudolph A. Jacob in their article “Integrating internal control frameworks for effective corporate information technology governance” (2017), information technology (hereinafter IT) has become one of the most important strategic assets and a critical tool for ensuring the sustainability and development of a business. It is argued that the responsibility for designing, implementing and maintaining many of the controls over the business processes of any organization depends on IT. The role of IT is to collect, convert, archive, protect, process, deliver and retrieve information securely as necessary (Abu-Musa, 2008). Many organizations have been using various frameworks, such as Control Objectives for Information and Related Technologies (COBIT), Enterprise Risk Management (ERM) and the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). For optimal IT governance, it is argued that organizations must integrate these frameworks. An integrated framework is one that links the key control objectives with the strategic objectives of the business and, in doing so, addresses the principles of IT governance both strategically and operationally, while aligning IT's and business management's understanding of the key risk areas that characterize the objectives of the organization (Goosen and Rudman, 2013). In addition, this fundamental alignment is expected to eliminate unnecessary controls and processes, which in turn helps improve IT governance and regulatory compliance.
For all this, as the Institute of Internal Auditors indicates in “Cybersecurity: A supervision guide” (2016), cybersecurity currently represents one of the main concerns of all companies and institutions, regardless of the sector or field to which they belong.
The Institute of Internal Auditors (IAI) goes on to say that the cyber threats that have caused some of the biggest and most recent infections and computer security incidents are the following:
• Zeus. Malware aimed at stealing users' personal information: email account credentials, social networks, financial services data, etc.
• Flame and Agent BTZ. Spyware with great propagation capability capable of obtaining screenshots, keystrokes, bluetooth control, webcam or call recording. It also has the ability to transmit the information collected by hiding it using encryption techniques.
• Carbanak. Advanced Persistent Threat (APT) designed and directed at the banking sector, capable of altering and manipulating the operation of ATM networks and control software.
• Ransomware. Also known as the "police virus", encrypts the information contained in the infected user's system, requesting financial compensation for unlocking.
• Stuxnet. Malicious software discovered in 2010, capable of controlling and manipulating industrial process control and supervision software (SCADA).
For all these reasons, cyberattacks increasingly represent one of the main internal control risks, through which a company's vital information can be captured.
Therefore, controls must be integrated into internal control in order to prevent these events or, should they occur, to detect and minimize their effects. The risk analysis of a company's internal control must take possible cybersecurity weaknesses into account.
The Institute of Internal Auditors notes in its cybersecurity guide that a good approach, in terms of the controls to be established, may consist of integrating cybersecurity into the system commonly implemented in most organizations (the three lines of defense model). The following is a diagram of the three lines of defense model presented by the European Confederation of Institutes of Internal Auditors.
[Figure: the three lines of defense model. Source: European Confederation of Institutes of Internal Auditors / Federation of European Risk Management Associations (2013)]
As indicated in the COSO in the Cyber Age report (2015), each organization is managed by different people with unique skills and experiences that drive the professional judgments applied to internal control. When evaluating whether the organization has designed and implemented appropriate controls to mitigate cyber risks, it is useful to compare control activities against standards and frameworks that are aligned with cyber risk management. The report provides a figure with references and background on cyber-centric frameworks and standards that can give organizations additional help in assessing the adequacy of controls for being secure, vigilant and resilient.
Therefore, from all the above, the steady increase in cyberattacks is clear, and as a consequence controls to prevent and detect them must be put in place with greater anticipation. This will increasingly be one of the current trends on which internal control should focus.
4. FIGHT AGAINST CORRUPTION AND PREVENTION OF FRAUD
Another of the new trends in the management of internal control risks is the fight against corruption and fraud prevention.
According to Transparency International, media reporting and the significant social echo and attention paid to the cases that have now emerged have strongly influenced citizen perception, generating a general state of outrage that makes Spain the EU country where the perception of corruption has grown the most in the last five years. It is also true that the economic crisis has increased the level of social demand, and although justice has been fulfilling its function with some rigor, despite its slowness, a very high level of social alarm has been generated, along with a feeling, since the end of 2009, that in the end there will be impunity in the relevant cases. The Comprehensive Bill against Corruption can be a very important advance in the fight against it, although it is currently still in the parliamentary process. This was noted by all the main auditing and accounting firms.
On September 11, 2018, the conference “Diagnosis and proposals on transparency and corruption in Spain (On the 25th Anniversary of Transparency International)” was held, organized by Transparency International Spain. On that day a comprehensive diagnosis of the situation in Spain was made in relation to transparency, integrity, and the prevention of and fight against corruption.
The main proposals that were issued regarding corruption are summarized in the following:
• The Transparency and Good Governance Council and the rest of the regional councils must have sanctioning and inspection powers.
• The approval of the Comprehensive Law to Combat Corruption and Protection of Whistleblowers, which is currently being processed by parliament, must be promoted.
• Transparency should be incorporated as a true guiding principle of business culture and compliance culture, based on a commitment from the management of companies.
• Transparency and compliance must be part of the DNA of the companies.
• Training and education should be aimed at preventing corruption within companies.
• Mechanisms must also be established to identify bad practices, such as reporting channels, audits, investigations and periodic controls, and to apply the consequences with harshness in case of irregularity.
• Commit to the digitalization of information, to ensure traceability, transparency and efficiency in processes.
• Promote the professionalization of those who work in the area of compliance, transparency and good governance within sports organizations.
• Improve communication in the Office of the Prosecutor and the administration of justice, to explain the procedures to the citizens. Thus, false expectations in corruption-related processes and the idea that justice is inefficient can be avoided.
• It is essential that the Anti-Corruption Prosecutor's Office has greater resources and access to modern research and analysis techniques.
• The procedural regulation must be modified so that crimes can be prosecuted properly today.
• It is necessary to provide the justice system with more resources, so that the judges can work in a better way.
• The necessary means, both personal and material, must be increased to ensure greater agility in the response of institutions to corruption.
• Political parties must stop trying to politicize justice or to judicialize politics.
• The number of graduates, pardons and political patronage must be reduced.
• The professionalization of public administration officials is essential.
• Education must work to promote respect for the public sphere.
• Lobbies must be regulated and connected to the system of internal control and conflicts of interest in public administrations.
• Work must be done to improve impartiality in public administration and promote professional management.
• Work on ethics, integrity and impartiality training in all administrations.
• The evaluation of public programs, the development of ethical codes and the analysis of corruption risks should be promoted.
• The participation and involvement of citizens must be improved so that governments increase the quality of public services.
• In the short term, the effective application of the legal framework related to the fight against corruption should be encouraged.
• In the medium term, countries must adopt the UN conventions and international agreements against corruption.
• In the long term, work must be done on citizens' education, social awareness and values training.
• We must work on ethics and convince citizens of its importance to ensure sustainability, profitability and happiness.
• The tools to fight corruption in today's world must be studied, considering the challenges imposed by artificial intelligence, cryptocurrencies and large networks of corruption throughout the world.
• Apply the formula of the four I's to fight corruption: more Information, more Integrity, less Impunity and less Indifference.
The conclusions to be drawn are the growing concern about the fight against fraud and corruption and the importance this should have, even more so in public administration. For all this, whenever an analysis of internal control is carried out, the risks arising from fraud and corruption must be taken into account when the necessary controls are established.
Finally, the term VUCA should be highlighted. It refers to the environment in which organizations currently operate, and the acronym, which comes from English, stands for Volatility (V), Uncertainty (U), Complexity (C) and Ambiguity (A).
Therefore, companies must prepare to act in these types of environments. Nathan Bennett and G. James Lemoine, in their article “What VUCA Really Means for You” (2014), provide a guide for companies acting in a VUCA environment. The original article summarizes this guide in a diagram; its content is detailed below.
Detailing the guideline they indicate, the following aspects are reflected for each of the four dimensions of the acronym:
Complexity
Characteristics: The situation has many interconnected parts and variables. Some information is available or can be predicted, but its volume or nature can be overwhelming to process.
Example: You are doing business in many countries, all with unique regulatory environments, tariffs and cultural values.
Approach: Restructure, attract or develop specialists, and accumulate adequate resources to address complexity.
Volatility
Characteristics: The challenge is unexpected or unstable and may have an unknown duration, but it is not necessarily hard to understand; knowledge about it is often available.
Example: Prices fluctuate after a natural disaster takes a supplier offline.
Approach: Increase flexibility and devote resources to preparedness, for example by stockpiling inventory or overbuying talent. These steps are typically expensive; your investment should match the risk.
Ambiguity
Characteristics: Causal relationships are completely unclear. There are no precedents; you face "unknown unknowns."
Example: You decide to move into immature or emerging markets, or to launch products outside your core competencies.
Approach: Experiment. Understanding cause and effect requires generating hypotheses and testing them. Design your experiments so that the lessons learned can be applied broadly.
Uncertainty
Characteristics: Despite a lack of other information, the basic cause and effect of the event are known. Change is possible but not a given.
Example: A competitor's pending product launch muddies the future of the business and the market.
Approach: Invest in information: collect it, interpret it and share it. This works best alongside structural changes, such as adding information analysis networks, which can reduce ongoing uncertainty.
As Kirk Lawrence points out in “Developing Leaders in a VUCA Environment”, a recent study by the Boston Consulting Group concluded that today's organizations must change their business models, and their leadership skills, to become “adaptive firms.” Adaptive firms can adjust and learn better, faster and more economically than their peers, giving them an “adaptive advantage.” The adaptive companies mentioned in the study include Apple, Google, 3M, Target and Amazon.
Kirk Lawrence goes on to explain that a report from the Center for Creative Leadership (Petrie, 2011) also points out that today's VUCA business environment requires leaders to possess more complex and adaptive thinking abilities. He also notes that the methods used to develop these new skills (such as job training, coaching and mentoring) have not changed much and, as a result, leaders are not developing fast enough, or in the right way, for what the “new normal” of business requires.
As already mentioned, this changing environment in which organizations move increases the need for the implementation of a good internal control system that takes into account all possible risks that may arise.
The approach discussed in this article, on new trends in risk management within the internal control methodology, on the one hand sets out trends in the new possible risks that will affect internal control and, on the other hand, should help keep the auditor's knowledge up to date, so that it provides added value in the exercise of the profession.