How Can the Relationship Between Risk, Control and Maturity Create Value?

Author: Luigi Sbriz, CISM, CRISC, CDPSE, ISO/IEC 27001 LA, ITIL V4, NIST CSF, UNI 11697:2017 DPO
Date Published: 4 October 2021

Sometimes the world of internal control is associated with the color gray—an environment of repetitive, boring and ineffective activities. Creatively introducing and combining ideas from distant methodologies can cast it in a different light, one of greater trust and value. In particular, I have always been passionate about mixing Agile ideas, the process paradigm in which each process is seen as a service, the holistic approach of reviewing processes and their interactions, and iterative improvement, while always keeping the compass oriented toward simplicity of solutions.

In corporate governance, there are many processes that can add more value if more collaborative approaches are adopted. In our work we sometimes do activities in a mechanical, repetitive way, without knowing if they help or add value to other processes. Improving internal communication within the organization can help uncover these potential areas for collaboration.

With internal controls, the use of a structured approach helps bring out areas that suffer from excessive bureaucracy, such as those controls that we continue to do for a long time without remembering what benefits the organization derives from them. We often carry out controls dictated by legal impositions or standard requirements rather than having them introduced primarily to help business objectives.

One solution to this is having a single archive of all organization controls made available to all processes. Over time, this could make it possible to eliminate any redundancy and identify areas for improvement. Specifically, the Capability Maturity Model (CMM) can be modified to become a single repository for all business controls. Additional information has been added to the CMM, such as impact, likelihood and status of the remediation plan to help forge solid links with other processes.

The CMM is manageable with little stress because it assesses maturity (the opposite of weakness and vulnerability), a concept that is easy to understand for operational staff. Furthermore, the CMM, through vulnerability and information such as impact and probability, is closely linked to risk. The business risk is linked to business objectives and controls are linked to the objectives. The control and risk assessment are then used to generate the audit plan. Plus, the use of weights and numerical evaluations enables the organization to overcome limits in the aggregation and prioritization of results.

A control platform with a view of all business processes that enables the simultaneous management of risk scenarios, control performance and the audit plan has great potential. Thinking of each process as a service allows an organization to adopt service management techniques and consequently improve the collaboration between processes. The effectiveness of the control-risk-objective bond is the basis for the success of a sustainable business management system.

Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “A Holistic Approach to Controls, Risk and Maturity,” ISACA Journal, volume 3, 2021.
