The Internal Control Matrix is a tool arising from the imperative need to act proactively in order to suppress and / or significantly reduce the multitude of risks to which the different types of organizations have been affected, whether private or public, with or non profit.
The numerous norms and regulations, be these of a tax, labor, ecological, consumer, accounting, banking, corporate, stock exchange, among others, originating from national (federal), provincial (state) and municipal organizations, oblige the administrations of the organizations to be very alert to the risks that the lack of compliance with them pose to their assets.
To these must be added the need to verify compliance with both internal regulations, as well as various standards on security and internal control, as well as to verify the subjection of the various areas or sectors to company policies.
As can be seen from the foregoing and despite not having made detailed mention of all the regulations, the risks to which companies are exposed are many and they must imperatively be brought under control.
The constant progress made in the various countries by the state and para-state bureaucracy on private entities, has led them to search for tools or instruments that allow, as stated at the beginning, “to suppress and / or significantly reduce risks to which they are exposed ”.
A company is exposed on the one hand to internal errors of good faith, but also to actions that accidentally or not expose it to losses. If we take a bank as an example, it is exposed to the bad faith actions of its staff, as well as that of its clients and suppliers, the possibility of committing breaches of legal regulations, the actions of scammers or thieves, the lack of Provisions regarding internal security (such as fires, or the loss of files in the computer system). Any of these events cause economic losses for the entity. Losses that in many cases can put the very continuity of the company at risk. Let us think about what the subtraction of formulas or plans concerning manufacturing processes or products implies,or the illegal sale of customer databases to competitors.
No less important are the losses that due to defects in the production processes affect the quality of the products and services, and with it the costs (reprocessing, guarantees, waste) as well as the degradation in the reputation of the company.
Very few companies have policies, plans and methodologies that are systematically established to avoid the risks mentioned above. They generally act on experience, intuition, or plan in a partial way.
Today no serious company, whether or not it aspires to excellence, can continue to operate in such a way. One of the very serious shortcomings of external audits is precisely in not controlling and properly evaluating internal controls in their entirety, as well as not evaluating the audited companies from a systemic point of view. Let us think about the effects that the loss of ultra-confidential information has on the economic value of a company, such as the development of a pharmaceutical product not yet patented.
For these reasons, this control tool is also very useful for external audits.
What is the Internal Control Matrix?
It is a way of thinking, planning, delegating, making decisions and solving problems, and seeing the organization as a whole.
It is a way of thinking, because analyzing the interrelation of the various products, services and areas of the company with the external and internal regulatory provisions, as well as with the principles of internal control and security, leads both the officials and the internal (or external) auditors and the management of the various areas to ask themselves how, if at all, the various regulations affect their processes and activities, or inquire about the existence or not of standards that relate to the same.
One might wonder how many times organizations are liable to financial penalties for failure to comply with formal duties just for not having carried out the inquiries or for not having planned the controls and the respective actions.
It is a way of planning because the officials of the organization establish the number of controls to be executed per period of time, what elements or resources are going to be available, what questionnaires are to be used and who will prepare them. Through delegation, on the one hand, those who are responsible for carrying out the controls are assigned.
As the matrix system makes use of efficiency scores, the aspects or areas of greatest risk, which arise from the lowest scores, are those in which adjustments and corrections have to be prioritized, in addition through the analysis of the reasons. From the low scores, it is possible to know the reasons that originate them and thus adopt the best actions aimed at their resolution.
How is this Matrix and how does it work?
In said Matrix we have that in the columns the External and Internal Regulations are recorded, as well as the Principles and Policies whose application must be verified.
On the row side we have the Products, Services, Areas / Sectors - Activities / Processes that take place in the company.
Thus, once the column and row titles have been placed, they must be interrelated (Example: Sales / National Taxes "Point 1.1") based on the regulations and principles to which the areas, activities and products must comply. If there is no interrelation between the item in the row and the item in the column, this space is canceled (shaded) (Example: Research and Development does not have the Central Bank's application rule).
The points assigned to each box correspond to the applicable control questionnaires and the Audit Manual, thus they will also serve to allocate resources in the control budget, as well as to establish the number of controls by periods and delegate responsibility for the respective control.
Starting from this matrix, these points are disaggregated. In the case of Sales, they are subject to national tax provisions, having on the one hand those related to the regulations on billing and on the other hand those related to perceptions, value added tax and those related to documentation corresponding to customers. Then, based on this, the questionnaires will be formed to verify that the various points of the matrix are being duly completed.
The questionnaires have a first column corresponding to the number of the question in question, a second with the respective question, and the third and fourth correspond to YES or NO. (See Annex). The amount of SI for each questionnaire is divided by the total number of questions in the questionnaire and multiplied by 100, achieving a percentage of compliance or effectiveness, which will be applied on a basis of 10 in order to obtain the score per questionnaire.
Example: If a questionnaire has 8 questions of which 5 have YES, the percentage is 62.50%, while the score is 6.25 points. Similarly, if another questionnaire had 10 questions of which 5 were yes, the percentage would be 50% and the score would be 5. In this way, a fairly objective analysis is achieved. But not all questions are of equal importance, which is why the system can be improved by giving it a weight. In this way, minor aspects would be given a score of 1 point, medium level aspect 2 points and fundamental questions 3 points. Example: For a 10-question questionnaire, with 3 of value 1, four of value 2 and 3 of value three, the maximum score would be 20 points. If the positive answers were 2 of one point, 2 of two points and 1 of three points, the obtained amounts to 9 points,with which there is an effectiveness percentage of 45% and a score of 4.5.
The scores instead of one, two and three could be one, three and five, to make the final score more sensitive to the most important aspects.
The same reasoning is applied to obtain the score corresponding to each point of the matrix, thus if counting a certain point of the matrix with four questionnaires whose maximum score of answering all the questions positively would be 40 points and a total of 35 points, the percentage of effectiveness is 87.05% and the score is 8.71 points.
Finally, and since not all areas - activities or products are subject to the same number of control points, all control points are multiplied by 10 obtaining the maximum possible score, the points obtained according to the previous paragraph are added and It is divided by said maximum, obtaining the effectiveness score by area. Let's see: the area or activity "Sales" out of a total of 14 lockers, has 11 control points. If we multiply 11 by ten we have a maximum score of 110 points. Suppose that a maximum score of 80 points arises from the controls performed, the percentage of effectiveness is 72.72%, that is, a score of 7.27.
The same criterion is applicable to the columns, so we have that "Property Registry" has six scoring boxes out of a total of 12, so the maximum score is 60 points. If the score obtained is 60 points, we will have 100% effectiveness and a score of 10.
Based on the totals per row (areas, activities / processes, products / services), the totals per column, and the points per box, the level of priorities for the analysis and resolution of the problems is ordered.
Thus, a low score in the products and services boxes in relation to the ISO 9000 and ISO 14000 standards would be indicating problems in terms of quality controls, to which immediate attention should be paid.
It should be noted that the total number of columns in the Matrix is for example, depending on the quantity and content of the same to the regulations of each place or country, as well as the activities that the company under control develops. Thus, for example, the regulations regarding the provision of information to official Industrial Statistics entities could be added as appropriate.
Thus, from the total scores observed in this Matrix, problems are observed in the Purchasing area (product of a very ineffective compliance with the tax, quality and internal control provisions), on the regulatory side there is a low performance in compliance to the provisions of the ISO 9000 / ISO 14000 Regulations and those corresponding to the provisions of the Central Bank (creation of credit portfolios and special information required by the controlling body to access bank financing; which could result in a cut in the credit lines, or an increase in the interest rate).
Conclusions
In this way, we have that Senior Management can verify through the Control Matrix that all controls are being complied with, who are in charge of said verifications, when was the last time they performed the controls for each point and with what frequency. Depending on the relative importance of the different points and the problems they have, the priority of control and correction will be given.
Those in charge of Areas, and those responsible for control, whether they are internal or external auditors, can verify and reason on the basis of the matrix (matrix reasoning) compliance with the different provisions.
The matrix contemplates 100% of the risk factors, thus being a formidable vehicle to avoid or correct defects that damage the entity's assets and finances.
The Control Matrix places as much importance on compliance with tax regulations, as on control to avoid fraud, or safeguard the quality of products and services, as well as protecting human resources, among others. For this reason, a quick view of said matrix, printed or by monitor, by the Managers allows them to know the areas that compromise the company, and proceed to analyze the causes or reasons, and then apply the corresponding adjustment measures.
Ultimately, the Parent Company is a generator of profits inasmuch as it aims to eliminate or reduce losses caused by fraud, lack of insurance against risks, low quality levels, lack of compliance with legal provisions, lack of information. optimal among others.
As the North Americans say: "basketball games begin by winning with good defense." It is useless to score many points if the opponents convert us more. In the same way, it will be of little use to work hard and generate sales, if a good part of it is absorbed by losses caused by carelessness, waste and lack of controls.
Each sector or control point of the Matrix represents the link in a chain, and a chain is only as strong as its weakest link, hence the importance of preventively verifying compliance with various aspects concerning the company, correcting after the controls the aspects, areas, processes, activities, norms and principles with lower or unsatisfactory levels of effectiveness.
Download the original file
