I think the relationship between risk (what might happen to affect the achievement of objectives) and internal control (what you do to ensure things are done the way you want) is not very well understood.
Here’s my attempt to explain it.
- You have controls to ensure that risks (the effect on objectives of potential events, situations, actions, or decisions) are at desired levels. (Note that I said ‘desired’ instead of ‘acceptable’. There’s an important difference.) So you can’t know whether you have the right controls or that the system of internal control is effective if you don’t have a reliable understanding of the more significant risks to objectives today and for the manageable future. You may have a lot of controls that are working just the way you want. But are they the controls you need when the future is shifting and the risks have changed?
Conclusion: any assessment of the system of internal control is predicated on an assessment of the systems around the identification and management of risk (again, what might happen).
- You cannot have effective management of risk if you don’t have effective controls around their identification, treatment, and so on. The processes around identifying, assessing, and acting on risks (what might happen) include a number of critical controls. For example, if you rely on analytics to identify emerging risks, you have controls over the development and use of the analytics. If you rely on workshops to debate and assess the potential effects of likely events, you have controls over workshop attendance, conduct, and actions taken. If you have a potential for bad debt, you rely on controls over credit approval.
You fool yourself if you believe risk is at desired levels if you have not assessed and obtained confidence in related internal controls.
Conclusion: any assessment of the effectiveness of risk management depends on the assessment of related controls.
Can you assess the overall system of internal controls without considering risk management? I don’t think so, and neither does COSO. That is why there is a risk component in their internal control framework.
What you can do is provide an overall assessment of the system of internal controls as it relates to the more significant risks that were addressed by completed audit engagements.
Can you assess risk management without considering related internal controls? I don’t think so.
What you can do is provide an overall assessment using a risk maturity model (such as I describe in World-Class Risk Management) or indicate that your assessment is subject to the system of internal control being effective.
In World-Class Risk Management, I describe a number of risks to the effective management of risk. For example, the wrong people might be assessing a risk, or individuals might be influenced by their cognitive bias when assessing and acting in response to a risk. If there aren’t effective internal controls to address those risks to the management of risk, how can you assert that risk management is effective?
I strongly encourage both management and risk and audit practitioners to assess both their systems of internal control and of risk management (including, especially, the quality of decision-making) formally, every year.
Boards should demand such assessments, both from executive management and the CAE and CRO.
But, such assessments should recognize their interplay and mutual inter-dependence.
I welcome your thoughts.