by Fabio ACCARDI
The well-functioning of internal control system is an essential element for facing in a resilient way the organizational challenges and achieve sustainable development goals. In order to do it is needed a specific approach focused on developing a positive and effective dialogue between stakeholders and the internal control function. How? We will try to illustrate it in this article. In the last article published on this platform (*1) I focused on what drives the risk perception of our interlocutors, of management and, in general, of all the stakeholders. I performed an “in-depth” analysis non limited to technical themes, but also including the other dimensions, using a multidisciplinary approach targeted to who face control and compliance in an integrated way. It’s, in fact, widespread belief that who take care of these fields should use that approach to increase in a positive way our dialogue ability and create value for the organizations we work for. The positive feedbacks I received for my contribute, both in the Italian and in the English version on the European platform, have pushed me to explore further insights.
I will deliver on topics I already faced in my book “Governo e Controllo dei Rischi”, with the objective of provide further clarity on the complex topic of internal control system and the relation that internal assurance functions can have with stakeholders. The context to which I refer is the one of companies that attire public savings (public companies) and so to the rules of governance that those society has to follow. But some topics that we face has a wider perspective and the related reflections are useful also to different fields than the economic one. In fact, the increasing debate on controls, in public scope and on themes of great relevance such the realization of the PNRR, let us understand how it constitute a crucial point to the pursue of general sustainability goals targeted too public and common good. The wide perspective that with which we will face the topic make useful to perform some preliminary reflection “ab ovo” on the theme of control and assurance, in particular, to frame the terms of the problem and offer some elements of reflections of general usefulness.
What does we mean when we talk about Assurance? Meaning and evolution of the concept between internal and external controls
As well represented by Global Risk Report, the international community has perceived, from the first decade of this millennia, as top risks the one of economical and financial nature because of the corporate crisis and instability that have led to the global financial crisis. These events have been characterized by episode of severe nonconformity to norms and regulation, that have caused a loss of trust in markets. Tracing back to the root cause of those events we can find, as noted by Emiliano Di Carlo(*2), two main typologies of causes, although in some cases interconnected.
The first refers to episode of fraud and corruption where some subjects have pursued in an illicit way personal benefits, in conflict of interests with their organizations of reference.
The second had to be “brought back to those organisms of governance and management that, pursuing inadequate (or unsustainable) strategy, have produced damage so relevant to the economy of the organizations concerned, to bring them to insolvency (cases Arthur Andersen and Lehman Brothers)”.
In both the evidenced circumstances, often, there is a board uncapable of noticing of the excessive risk taking by management, and, in the worst cases, even colluded or made inoffensive by the latter.
On the basis of such premises have been issued norms and regulations that had, within the frameworks of the different measures adopted, strengthened the control systems increasing the importance of controls both internal and external the perimeter of the firms. In particular, with reference to a listed issuer we can distinguish:
• Internal control: are those enforced by corporate bodies and internal control functions, with specific reference to Internal Audit and Compliance, also defined as internal assurance functions;
• External control: performed mainly by Authorities, Auditing Firms, and market regulators.
In the context of this evolution, it also includes the establishment of Models (Frameworks), Principles, and international Standards that could be used as a reference for the assessment that control functions should express. As inferable by the international auditing standards implemented in the national ones, “ the assurance is a task in which, based on the adopted procedures during its execution and the acquired elements, conclusions are expressed in order to increase the level of confidence of users, other than the responsible entity, that the result of the evaluation or measurement of the subject matter of the assignment complies with certain reference criteria”. It’s so a conformity evaluation (compliance) that for what attain external auditors has as object the financial reporting package (financial statements) with a relevant take of responsibility by them to third parties, where expected by law. It’s now the moment to deepen what type of assurance have to provide internal control functions and in particular Internal Audit. According to international standards of the field, the activity of internal audit configures itself as an activity of independent assurance and consulting targeted to increase value and improve organizational operations. In this sense help the organization to reach its objective providing a systematic and disciplined approach for improving the risk management, control and governance processes.
Evolution of control systems: challenge and opportunities for Internal Audit and Compliance
As illustrated in other contributes I provided on this platform(*3), the perception of global risks has radically changed in the last decade, shifting the focus from predominantly financial risks to those of a technological nature and generally related to sustainability issues. Between those is worth to mention that are not included only the ones related to climate change and extreme weather events. In fact, the acronym ESG (Environment- Social- Governance) include environmental, social, ethical and governance themes and within the latter let’s remind that corruption has a predominant role. Therefore, not only, crimes committed by “White Collars” but also to unhealthy practices and conflict of interests that hinder significantly the gap reduction with emerging economies and create barrier and diseconomies at all levels. Recent scandals which have interested institution and politicians at the European level let us perceive how the topic is actual and important.
Therefore, having to confront what is changed from the start of the 2000 to today from the point of view of control and at the light of what expressed, the first theme that I want to underly is how communication and reporting is evolved. The traditional notion of financial statement, individual and consolidated, for what is still of relevant attention for analysts and markets, and in general for stakeholders, does not exhaust the informational needs. The fact that data and non-financial indicators are became part of the continuous reporting flow that corporation must provide is in line with the sustainable development goals to pursue and that do not refer only to financial and economical sustainability.
The firms that do not limit themselves to an adaption to normative evolution in a formal way, but anticipate the future, have already experienced some forms of Integrated Report (IR). Therefore, assume specific relevance factors such as:
• Strategic focus and orientation to future: detailed information on the organization’s strategy and on how that strategy affect both on the ability to create value in the short, medium and long term, and on the use of capitals and on the effect produced on them.
• Information connectivity: holistic framework of the combinations, interrelations and dependencies between the factors that affect on the ability of the firm to create value through time.
• Relation with stakeholders: nature and quality of the relations of the organization with their key stakeholders and illustrate how and until where the organization understands, consider and answer to their needs and legitimate interests.
• Materiality: aspects that influence in a significant way on the ability of the organization to create value in short, medium and long term.
The shifted perspective has enlarged significantly the area in which have to be expressed opinions and judgement for the purpose of internal control. The change does not refer only to the functional area and to the process subject to evaluations (we can think to environment, health and safety) but can be traced back, in last analysis, to the introduction of the strategical dimension, between the object of evaluation of internal control and risk management systems (ICRMS). With this innovation, the topic of ICRMS evaluation does not exhaust to financial and compliance aspects but require an ”higher” vision of the organizational entities subject of the evaluation. This with the purpose to deepen the topic of risk inside the strategical context in which operate corporations, maintaining at the same time the tension on the problems related to Governance and Control of Risks.
The definition of mission and vision, of firm’s strategies and objective it’s the essential prerequisite, from which start the identification of top risks, that could threaten the achievement of strategical objectives, on the basis of which can be reasonably adopted instruments mitigation and control. Moreover: strategies and objectives are influenced by evaluation relative to the inclination and tolerance to risks, themselves conditioned by the expectation of a plethora of stakeholders.
After these premises, we can now tackle the central topic of this article that regards the perspective on which the assurance functions have to establish the dialogue with stakeholders. This in fact it’s a crucial point that affect the design of control systems.
Design of control systems and relation with stakeholder: a new perspective
In designing control systems, the consideration of reference stakeholders is crucial for defining strategic, operational, reporting, and compliance objectives. For compliance aspects, having as reference the creation of value only for their shareholders or instead turn to a broader universe of interest bearers determine also the approach, and the kind of dialogue that intend to establish. An integrated approach that consider also the expectations of all the stakeholders permit to grant an adequate degree of “ assurance” in the pursuing of sustainable development goals, overcoming a notion of compliance as formal conformity to norms and regulations. In such context, the ethical topic and the compliance topic assume a particular relevance, differently, as said, any system’s architecture became a purely abstract construction and does not increase the resilience capacity of organizations.
The expectations of stakeholder drive the virtuous paths toward relevant competitive advantage over time. In the next figure I tried to synthetize this concept, assuming evolutionary paths, specular to those inherent to different management and entrepreneurial formulas with reference to corporation operating on order. This scheme of analysis has been deepened in chapter 5 of the book I wrote on the topic of Risk and control governance(*4). I will resume only some hints on the topics of dialogue with stakeholders.
The matrix individuates some possible approach to compliance, schematically distinguishing between two extremes a “conservative” approach and a “proactive” approach. A proactive approach refers to targeting the identification, assessment, and mitigation of compliance risks according to best practices and frameworks. Differently a conservative approach is targeted to the preservation of the “status quo” waiting for the consequences of events instead of anticipating them.
The first step of an informal control system to a structured one it’s typical of small and medium dimension enterprises that compete on the local domestic market, giving themselves a most structured organizational design to comply to norms and regulations. By ensuring compliance with regulations in typical functional areas such as administration (accounting, taxation, and financial reporting), sales (tender regulations), and production (technical specifications). The adoption of a code of ethic and of management systems correspond on one hand, to the need for efficient work organization, and on the other hand, to the desire to obtain certification requested for participating in tenders above a certain threshold. A further motivation that could bring to invest in compliance could be the desire to acquire certifications that, in the future, will be useful in cause of negative events (work accident) or litigation. The prevalence of internal stakeholder let prevail the “safeguard”, or defence of the entrepreneur or shareholder, intent. There is generally a perceived need to meet also the expectations of external stakeholders but focusing primarily on addressing compliance requirements with mandatory external regulations.
More evolved business and organizational model imply a greater incidence of external stakeholders with respect to internal one and expand further the landscape of reference regulations. The topic of social and administrative responsibility became important because represent relevant topics for external bearers of interest, not only shareholders. The access to restricted list (vendor list) of major clients requires to highlight requirements that go beyond legal certifications. If firm does not have still reached an adequate level of compliance’s risk culture tend to not anticipate the adoption of internal control system, but instead to adapt to the normative evolution or when the business need demand it. This kind of attitude we defined as for “silos”, meaning that every compliance thematic is seen as a self-standing topic and not framed in an integrated plan. This can lead to inefficiencies in compliance management and so necessitating a revision of internal regulations every time a compliance path is undertaken.
In the last step we usually find firms that compete globally and have to develop a risk and compliance culture aimed at anticipating all the possible events that could delay or impede the realization of a project or that could impact the expectations of stakeholders. In the scope of those, compliance risks, and in particular the one related to administrative and social responsibility, of organizations has great prominence because constitute topic of materiality for all the categories of interests’ bearers.
Final considerations
In conclusion, resilient and successful firms are to grant coherence and the strategy’s founding topics and operate in accordance with models that permit to identify, mitigate and control businesses’ top risks. Resilience in a global and interconnected context it’s not easy neither to obtain nor to evaluate: an internal and external environment, characterized by an always increasing level of complexity, impose a progressive widening of perspective by all those that interact with the corporation as well as those that perform control and assurance activities. The awareness of any actor able to provide a contribute to the pursing of the common good is the essential premises of this concept.
From the stakeholders’ perspective, it is necessary for them to be aware of the contribution of those who have internal knowledge of the company, its dynamics, strengths, weaknesses, and areas for actual improvement. The internal assurance functions are the bearer of a knowledge heritage that should be exalted in favour of the primary interest and the long-term resilience capacity. On the other hand, underestimating the contribution of internal control functions can lead to situations of uncertainty in risk governance, particularly when abstract models are prioritized without implementing the necessary tools to ensure a continuous and sustainable level of oversight.
This awareness should be cultivated by those who have normative power and by policy makers, in order to induce beneficial effects on entire economical systems, in terms of spread of businesses governance rules and transparency and avoid that those provisions, despite taken with shareable purposes, are disattended becoming a incremental source of fraud and corruption.
Lastly, professionals engaged in Governance, Risk & Compliance in order to pursue this approach aimed at value creation, must move away from a vision focused solely on processes or administrative aspects. Rather, is needed a deep understanding of the internal dynamics of the company and its interrelations with the external environment, without compromising the requirements of independence and impartiality that must be maintained in relation to management decisions.
The aforementioned model is an ideal to strive for, which can only become effective with a more widespread risk governance culture that should be, in first place, heritage of all stakeholders. Increasing the significance of internal controls also from a legal perspective, can be an input toward change. However, in the author’s opinion, its effectiveness will be achieved only when all the stakeholders will be effectively also bearer of transparency and informative needs that to date are a requirement limited to a few players. Naturally, this poses a challenge not only for internal assurance functions, but also for all internal and external actors in governance who must be fully aware of the changing perspectives and mindset demanded by the current times.
About the author, Fabio ACCARDI, Professor of Risk Governance, Compliance & Internal Auditing -Financial Advisor-Statutory Auditor-Supervisory Bodies Member. He regularly publish on the Italian website of Risk & Compliance Platform Europe Please check this link
https://www.riskcompliance.it/news/author/fabio-accardi/
The author thanks Luca Mastrofrancesco for the support in translation of Italian version of this article, published in Risk & Compliance Platform Italy, in English.
Notes
1) F. Accardi (2023) – Risk Perception, Awareness and Risk & Control Governance: How to improve the dialogue between the actors of control and compliance systems with internal and external stakeholders – Risk & Compliance Platform Europe
LINK: https://www.riskcompliance.biz/news/risk-perception-awarness-and-risk-control-governance-how-to-improve-the-dialogue-between-the-actors-of-control-and-compliance-systems-with-internal-and-external-stakeholders/
2) E. Di Carlo (2017) Interesse Primario dell’azienda come Principio Guida e Bene Comune. Giappichelli Editore
3) F. Accardi, F. D. Attisano (2022) – Evolution of global risks: Lessons to learn for resilient and sustainable choices – Risk & Compliance Platform Europe
LINK: https://www.riskcompliance.biz/news/evolution-of-global-risks-lessons-to-learn-for-resilient-and-sustainable-choices/
4) F. Accardi (2021) Governo e Controllo dei Rischi. Manuale per scelte consapevoli e sostenibili. Ed Franco Angeli
LINK: https://www.riskcompliance.it/books/governo-e-controllo-dei-rischi/