Evolution of the doctrine of government control and audit in Brazil: the lines of defense of public management
Components and Practices of Governance

Opening words

Control. Monitoring. Evaluation. Audit. Inspection (fiscalização).

Internal and external control bodies

Level of government | Internal control | External control
Federal Union | CGU (Comptroller General of the Union) | TCU (Federal Court of Accounts)
26 states and the Federal District | State comptrollers-general | State courts of accounts
5,570 municipalities | Municipal comptrollers-general | Municipal courts of accounts

Control in the public management cycle (Law 10.180/2001)

Is the control function operated only within the Internal Control System? Law 10.180/2001 organizes four federal systems, and each of them exercises some control: the Planning and Budget System, the Financial Administration System, the Accounting System and the Internal Control System.

Planning and Budget System (allocation of spending)
- Purpose: to formulate and manage the federal planning and budget process and to harmonize the rules and tasks of the various spheres (federal, state, district and municipal).
- Comprises the preparation, monitoring and evaluation of plans, programs and budgets.
- Central body: Ministry of Planning, which provides normative guidance to the sectoral and specific bodies.
- Sectoral bodies: the planning and budget units of the ministries.
- Specific bodies: SOF, SEPLAN.

Financial Administration System (financial balance)
- Administers financial and securities assets.
- Prepares the financial schedule, manages the Single Treasury Account (Conta Única) and supports the formulation of the policy for financing public expenditure.
- Manages the federal public securities debt and the external debt.
- Administers credit operations.
- Issues rules on financial scheduling and on budgetary and financial execution.
- Promotes the monitoring, systematization and standardization of the execution of public expenditure.
- Central body: National Treasury Secretariat (STN).
- Sectoral bodies: the financial scheduling units of the ministries.

Accounting System (disclosure and recording of acts and facts)
- Records the acts and facts related to budgetary, financial and asset administration and prepares the general balance sheets of the Union.
- Maintains and improves the Single Chart of Accounts of the Union and sets rules and procedures for accounting entries.
- Based on findings about acts and facts deemed (qualified as) illegal or irregular, makes the pertinent entries and takes the measures needed to hold the agent accountable, reporting the fact to the authority to whom the person responsible is subordinate and to the body or unit of the Internal Control System.
- Carries out the taking of accounts (tomada de contas) of authorizing officers and of the others responsible for public assets and funds, and of anyone who causes loss, misplacement or another irregularity resulting in damage to the treasury.
- Central body: STN.

Internal Control System (evaluation of the other systems)
- Audits the management of federal public resources.
- Investigates acts or facts deemed (qualified as) illegal or irregular, practiced by public or private agents in the use of public resources.
- Audits the accounting, financial, budgetary, personnel and other administrative and operational systems.
- Evaluates the performance of the internal audit of the entities of the federal indirect administration.
- Prepares the Annual Accounts of the President of the Republic.
- Central body: CGU.

A bit of history

- 1921: CGR (accounting)
- 1967: IGF (institution of the system)
- 1979: SECIN (centralization)
- 1984: STN (focus on finances)
- 1994: SFC (focus on government action)
- 2000: SFC (recentralization)
- 2003: CGU (expansion of the areas of activity)

In the early period the internal control bodies were linked to the managers and focused on compliance questions; later the internal control body broadened its approach to performance evaluation.

Constitutional attributions of the Internal Control System

Article 70 of the Federal Constitution: "The accounting, financial, budgetary, operational and asset oversight of the Union and of the entities of the direct and indirect administration, as to legality, legitimacy, economy, application of subsidies and waiver of revenues, shall be exercised by the National Congress, through external control, and by the internal control system of each Power."

Article 74 of the Federal Constitution (evaluate, verify, exercise, support). The internal control system has the purpose of:
- evaluating the fulfillment of the goals set in the multi-year plan, the execution of government programs and the execution of the budgets of the Union;
- verifying legality and evaluating the results of budgetary, financial and asset management;
- supporting external control in the exercise of its institutional mission;
- exercising control over credit operations, sureties and guarantees, as well as over the rights and assets of the Union.

Structure of the federal Internal Control System
- CGU: central body, responsible for the general supervision and normative guidance of the System.
- SFC: covers the direct and indirect administration.
- CISET: the sectoral internal control units of the Presidency of the Republic, the Ministry of Foreign Affairs and the Ministry of Defense (PR, MRE, MD).
- AECI and the internal audit units of state-owned enterprises and foundations.
The System spans both management activities and audit activities. On the management side: risk management, design and implementation of internal controls, and self-control (the internal controls of management). On the audit side: risk mapping, evaluation of internal controls, advisory to management, focus on the achievement of results, and specialized support.

Risks and controls
- Risks: uncertainties that may compromise the achievement of objectives.
- Internal controls: practices, protocols, procedures, processes and systems to contain the uncertainties or their effects.
Both are anchored in the institutional mission and in the organization's objectives.

Internal controls (of management), per COSO's Internal Control – Integrated Framework (2013)
- A process conducted to achieve objectives.
- A means to an end, not an end in itself.
- Carried out by people.
- Reasonable, but not absolute, assurance.
- Adaptable to the structure of the entity.

Risk management
- Map uncertainties.
- Assess likelihood (causes of the events) and impact (effects of the events).
- Decide (which may include accepting the occurrence of the events and/or accepting their effects).
- Review/monitor.

Lines of defense (IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, 2013)
- First line: middle managers, who identify, assess and control risks; they are the risk owners.
- Second line: functions that monitor the first-line controls, provide a systematized view of the risks of the whole organization and monitor specific relevant risks.
- Third line: internal audit, which evaluates the first and second lines and assesses governance, risk management and internal controls; its independence and reporting line make it a moderating instance of management. The slide places the CGU in this scheme for federal management.

Governance and lines of defense (source: Febraban)
How can the evaluations made by government auditors feed back into management and into the first and second lines of defense? By leading projects, initiatives and controls to be expanded, modified or discontinued.

Definition of internal audit
"Internal audit is an activity exercised in legal entities of public law, internal or external, and of private law, comprising the examinations, analyses, evaluations, surveys and verifications aimed at assessing the integrity, adequacy, effectiveness, efficiency and economy of the processes, of the information systems and of the internal controls integrated with the environment, and of risk management, with a view to assisting the entity's administration in fulfilling its objectives." (NBC T 12, CFC)
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." (The Institute of Internal Auditors)

KPMG survey on Governance, Risk and Compliance (2012/2013)
1. Organizations need to improve how they measure the return on investment of risk management and how they communicate its process, value and effectiveness to stakeholders.
2. Assessing risk exposure across the whole organization is still a major challenge for executives.
3. Senior executives see risk management as a critical factor, but few organizations define their risk appetite.
4. Regulatory pressure and changes in the regulatory environment represent the biggest threat for respondents; global political and economic instability is seen as the main risk scenario.
5. Respondents believe that business units are better suited than a risk management, compliance or internal audit area to assess and manage risks.
6. A lack of professional talent and/or expertise has hindered the convergence of the risk and control functions.
7. Weak incentive structures hinder risk-based decision-making.
8. Investments to improve risk management will continue to grow over the next three years.
Two of the survey questions: "Which of the following options best reflects your opinion on the contribution of risk management to your organization?" and "Which of the factors below has the greatest influence on your organization's interest in promoting the convergence of risk management responsibilities across all lines of defense?"

The Internal Control System in an Organization: the COSO approach

Connections

We first need to think about what we are trying to control. For there to be a control, we must be trying to control something, that is, a risk to an identified objective. So we need to start with our objectives: what are we trying to achieve in our organization and in the departments we work in? Once we establish those objectives, we can identify what risks exist to achieving them, and from there we can determine what controls we might put in place to address those risks. For example, an objective at UNC Charlotte might be to increase the efficient use of resources. A risk to achieving that goal might be theft of University assets.
So an internal control to mitigate that risk is key-card access to buildings, where access is given only to authorized employees. Remember: without a risk, there is no need for an internal control.

Objectives, risks, controls
- Objectives: what does the organization intend to achieve?
- Risks: what can frustrate the organization's efforts?
- Controls: how can the organization deal with its risks?

Objectives of internal control
Management has the fundamental responsibility for developing and maintaining effective internal controls.

Now we move on to a formal definition of internal control. INTERNAL CONTROL is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:
- Operations, including the effectiveness and efficiency of those operations and the safeguarding of the assets necessary to carry them out;
- Reporting, including the reliability, timeliness and transparency of reporting, both internal and external, and both financial and non-financial (for example, the reporting that the Office of Institutional Research performs and publishes in the Fact Book); and
- Compliance with our regulatory environment. For UNC Charlotte that includes the State and its various administrative bodies (OSBM, OSC, OSA, DOA, etc.), as well as federal regulations on financial aid, regulations on grants and contracts, tax law, export controls, Payment Card Industry standards, etc.
Some people say the objectives in this definition should be even more far-reaching and less confined to operations, reporting and compliance, since an entity's objectives can reach beyond these three categories. For example, the University's commitment to sustainability might be considered a strategic objective rather than an operational or compliance-driven one.
- Operations: effectiveness; efficiency; integrity of assets.
- Reporting: reliability; timeliness; internal and external transparency.
- Compliance: with the regulatory framework.

Essential attributes of internal controls

Internal controls also have the following characteristics. They are:
- Continuous, since they are not a single event but are built directly into operations, and they are dynamic so as to accommodate an ever-changing environment.
- Effected by people; in other words, internal controls are not going to happen by themselves. It is like the US Forest Service's old campaign slogan, "Only you can prevent forest fires." If we introduce the risk into the process, then we also have to introduce and implement the control.
- Able to provide reasonable assurance, not absolute assurance. Even the best-designed controls are subject to other limitations that we will talk about later.
- Adaptable to the entire entity or to a particular division, business process or other level of the organization.
To recap, internal control is a process designed to help achieve objectives, and the controls themselves should be continuous, effected by us, able to provide reasonable assurance, and adaptable to different levels of the organization. As you can see, this definition is intentionally broad, since internal controls come in many flavors.

- Continuity: part of operations, not an isolated event; dynamic.
- Operated by people: strongly related to behavior; the human factor.
- Reasonable assurance: absolute assurance has a high cost.
- Adaptable: to the organization as a whole, or to specific divisions, processes or activities.

Weakness in controls can cause
- Errors in published information
- Losses
- Inconsistent or untimely flow of information to management
- Fraud
- Damage to reputation
- Lack of sustainability of initiatives
- Failure to achieve objectives

As I mentioned earlier, we should identify objectives first, then risks, then controls. But it can be easier for some people to think about the risks first. I would not say these people are pessimistic; they may just be risk-averse or cautious. In reality, I think many people find it easy to identify risks to broad objectives, and this can actually help us go back and identify specific objectives more accurately. For instance, a broad objective I might have is to survive. A risk to that survival is getting into a car wreck. So a more specific objective might be to drive safely. We can then identify controls for that risk: seatbelts, air bags, and so on. In any case, here are some examples of the risks of weak internal controls. I think you could easily think of the goals associated with these risks, and by the end of this presentation, hopefully you will be able to identify some of the controls we can put in place to mitigate them as well.

The COSO Cube (2013)

Here we can see what is called the COSO "cube." It has five integrated components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring, which are pervasive at all levels of the organization, from the most comprehensive, at the entity level, down through each operating unit to the most discrete level, the process function.
And, as we discussed earlier, these components all operate along the three main objectives identified by COSO: operations, reporting and compliance. We will now talk through each of these internal control components, starting with the control environment.

1. Control Environment
- The set of standards, processes and structures that provide the basis for implementing and operating internal controls.
- Comprises the integrity and ethical values of the organization.
- Tone at the top; tone from the top.
- Standards of conduct reinforce and feed back into the behavior of everyone in the organization.

The first component of the internal control framework is the Control Environment, a set of standards, processes and structures that provide the basis for carrying out internal control. The control environment comprises the integrity and ethical values of an organization, as well as:
- Management's philosophy and operating style
- Organizational structure
- How management assigns authority and responsibility (along both functional and administrative reporting lines)
- The competence of the entity's people
- Personnel development (including training and support)
As part of the control environment, the board of trustees and senior management must establish tone at the top. What exactly is tone at the top? One definition is: a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors, including financial results, and to expect everyone else in the organization to do the same. This tone helps establish expected standards of conduct and reinforce expectations of employees. This, in turn, establishes parameters that enable the Board to carry out its governance oversight responsibilities. For example, North Carolina General Statute 138A is the State Government Ethics Act. This, arguably, helps set a tone at the top for the State, setting expectations for state employees and others acting in service to the state, and also allowing the state to address violations of these standards. As another example, University Policy 804, Standards of Ethical Conduct, was approved in October 2013 and sets forth UNC Charlotte's commitment to ethical, legal and professional behavior for all members of the University community. In the same way, all leaders at the University are responsible for setting the tone at the top of their departments and units. This tone should match the one set by senior management but can be tailored to the specific needs of business units.

1. Control Environment: effects on the reporting objectives

This is one diagram depicting the control environment as it relates to financial reporting. As you can see, the control environment serves as an umbrella for the entity's internal control framework. Good internal controls will not be effective without a sound control environment. Put another way, a really good control environment is the foundation for really good internal controls. If you could truly inculcate a culture in which no theft occurred, would you even need locks on the doors?

1. Control Environment
It must ensure that controls are in place covering topics such as:
- Recruitment
- Training programs
- Policies for receiving and supporting whistleblowers
- Code of ethics
- Clarity about the limits of responsibility and authority

As we said, the board and senior management are in charge of setting the stage for the entity-wide control environment. However, departmental managers should establish departmental policies as necessary, in light of their unique objectives and risk factors, in the absence of any central policies. Listed above are some specific areas that the control environment should cover.
In addition, as part of your regular business processes, you should continually monitor and update your control environment for dynamic changes.

1. Control Environment
In a satisfactory control environment, the organization's values and vision are aligned with all employees, and trust is placed in all of the organization's managers, not only in the lawyers and compliance officers.

1. Control Environment
The control environment must be documented:
- Narratives and process descriptions
- Flowcharts
- Questionnaires
- Checklists

Finally, for the control environment to be effective, it must be documented. The first step in ensuring proper internal control is to ensure that business processes are properly identified and documented. Types of documentation that can be used include process narratives, organizational charts, flowcharts, questionnaires, memorandums and checklists.

1. Control Environment: Principles
1. The organization demonstrates a commitment to integrity and ethical values.
2. The governance structure demonstrates independence from management and oversees the development and performance of internal control.
3. Management establishes, with the oversight of the governance structure, the structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop and retain competent talent, in line with its objectives.
5. The organization holds people accountable for their internal control responsibilities in the pursuit of objectives.

2. Risk Assessment
The organization's leadership:
- Sets objectives at the different levels of the organization.
- Must consider the whole organization.
- Must take into account risks (uncertainties) that produce further uncertainties (domino effect).
- Sets its degree of risk tolerance.
Risk: an uncertainty that, if it occurs, may adversely affect the achievement of objectives.

The second component of the internal control framework is Risk Assessment, which involves a dynamic and iterative process for identifying and assessing risks. A risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risks can be introduced by changes, for instance new leaders and managers, new markets and products, growth, and emerging technologies.
One way to categorize risk is along four key risk areas:
- Strategic, including political risk, talent and succession planning risk, and risk from dependencies on other organizations
- Financial, including the risk of audit findings and other things that would undermine reporting integrity
- Compliance, including fraud and non-compliance with fair employment practices
- Operational, including the risk that programs fail to meet their objectives, natural disasters, and lack of technology availability
The board of trustees and senior management must establish objectives linked at different levels of the entity, as we have already discussed, and then determine the risks to those objectives. By taking a holistic view of the organization's objectives, management should then be able to apply internal control to achieve multiple objectives and prevent domino effects, for example a weakness in financial reporting that jeopardizes ongoing operations. Risk assessment is especially important when resources are constrained, since it allows for a more strategic use of resources.

2. Risk Assessment
Risk management is a cross-cutting, strategic process intended to identify and treat risks so that the organization stays within its desired level of risk tolerance as regards the achievement of goals and objectives.
Risk assessment provides the basis on which control activities will be designed and operated.

One thing to note is the difference between risk management and risk assessment. Risk management is a process applied in a strategic setting and across the entity, designed to identify and manage risks so as to stay within a risk appetite or tolerance level and to provide reasonable assurance about achieving the entity's goals and objectives. Risk assessment is an element of internal control within the risk management process that enables management to identify and assess the key risks to achieving its objectives; this assessment forms the basis on which control activities are determined.

2. Risk Assessment: Principles

2. Risk Assessment
Assessment at the process level (rated low, medium or high). Assessment factors:
1. Materiality: in terms of R$; in terms of transaction volume.
2. Complexity: limited internal capacity; use of multiple databases; high degree of technicality.
3. History of errors and failures.
4. Propensity to errors and failures.
Assessment may take place at the level of processes/activities or at the entity level.

As we have noted, risk assessment should occur at the business process level as well as at the entity level. Once you have identified your objectives, apply these four risk assessment factors: materiality of the amounts in question; complexity of the process; history of accounting adjustments; and propensity for change in the processes or controls. This should help us assess the risk for the process in question in terms of likelihood and impact.
Internal considerations when assessing risk:
- Use of qualitative/quantitative methods
- Change in management responsibilities
- Weak or unresponsive tone at the top
- Human capital: quality of the personnel hired and retained
- Employee sabotage
- System security weaknesses
- Rapid growth
- Changes in processes or in access to assets
External considerations:
- Technological advancements (more tools available, and the tools we are using becoming outdated)
- Changing or evolving client/constituent needs or expectations
- Changing legislative requirements and new laws and regulations
- Decentralized organizational operations
- Natural disasters
- Impact of program, political and economic changes

2. Risk Assessment: the risk map

Here we see a risk map where the x axis shows likelihood: A, almost impossible; B, remote; C, low; D, reasonably possible; E, probable; F, very high. The y axis shows impact: I, marginal; II, significant; III, severe; IV, catastrophic. Once we have assessed a risk, we can consider the organization's risk tolerance and risk appetite when choosing the risk response. If the likelihood is low and the impact marginal, the risk falls within the green area of the chart, and management may decide that resources should be directed elsewhere, to more pressing needs. However, if a risk has a likelihood of reasonably possible and an anticipated impact of severe, it falls within the red area, and management may decide to direct resources toward mitigating it. Keep in mind that a risk assessment is meaningless without specific criteria for each rating. For example, what is the difference between an impact of significant and one of severe? These definitions, along with the organization's risk tolerance (that is, which areas are considered green, yellow or red), need to be set before a meaningful assessment can take place. One overall question to keep in mind: what is the impact to stakeholders?

2. Risk Assessment: risk treatment

Once a risk assessment is completed and the impact and likelihood are determined, we can decide which strategy to use to deal with the risk. The first is avoidance, which means that the process in question would not be pursued. This would be a likely choice if the likelihood was found to be very high and the impact catastrophic, in other words for risks that fall within the red area of the risk tolerance map we just looked at. The second strategy is mitigation, where we improve controls to reduce the likelihood and impact of the risk; this is where many control activities come in. The third strategy is transfer, where responsibility is shifted to an external party. Another strategy is acceptance, where the organization simply accepts the risk; this makes sense if the likelihood was found to be remote and the impact marginal. In general, we should accept risks only if they fall in the green area of the risk tolerance map. The final strategy listed is creation, where risk activities are strategically sought to maximize opportunities; decisions of this kind should lie with senior management only. We must be cautious when choosing these strategies. For example, transferring too much responsibility to third parties is a risk in itself; it should be done only when it is known that the organization would introduce more risk by taking on the task itself.

- Avoid: do not act!
- Mitigate: improve controls to reduce likelihood and impact.
- Transfer: move the responsibility to an external agent.
- Accept: accept the risk!
- Pursue: risk activities (opportunities) to maximize results.

3. Control Activities
Policies and activities of control intended to mitigate risks, executed at all levels within the organization.
Types: preventive; detective and corrective; compensating; manual and automated.
Examples: approvals and authorizations; verifications; reconciliations; independent reviews; segregation of duties; safeguarding of assets.

The third component of the internal control framework is Control Activities, the actions established through policies and procedures that help ensure management's directives to mitigate risks are carried out. These activities are performed at all levels of the entity. There are several types of control activities, including preventive, detective and corrective; compensating; and manual and automated. We will go over the differences between these control types. Control activities are exactly what they sound like: the activity part of the internal control framework. While the control environment and risk assessment set the stage for good controls, the control activities are where the meat of the control work is done. Examples of control activities include approvals and authorizations, embedded verifications, reconciliations, independent reviews, asset security and segregation of duties.

3. Control Activities: Principles
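The risk map and the response rules above can be turned into something an assessor can actually run against a register. The following Python is an added example written for this page, not code from the slides or from any of the organizations they cite. The A to F and I to IV labels are the slide's; the frequency and loss bands behind each rating, the green/yellow/red thresholds, the risk names and the field names are assumptions, precisely the criteria the slide says an organization must fix before a rating means anything.

```python
"""Risk map (likelihood A-F x impact I-IV), tolerance zones and risk response.

Added example. Rating labels come from the slide; the frequency bands, loss
bands and zone thresholds are assumptions that an organization must set itself.
"""
from dataclasses import dataclass

# Likelihood scale from the slide. The frequency criterion per rating is assumed.
LIKELIHOOD = {
    "A": ("Almost impossible", "less than once in 20 years"),
    "B": ("Remote", "once in 10 to 20 years"),
    "C": ("Low", "once in 3 to 10 years"),
    "D": ("Reasonably possible", "once in 1 to 3 years"),
    "E": ("Probable", "about once a year"),
    "F": ("Very high", "several times a year"),
}
# Impact scale from the slide. The loss criterion per rating is assumed.
IMPACT = {
    "I": ("Marginal", "loss below R$ 10,000 and no external exposure"),
    "II": ("Significant", "loss up to R$ 100,000 or an internal report restated"),
    "III": ("Severe", "loss up to R$ 1 million or published information corrected"),
    "IV": ("Catastrophic", "loss above R$ 1 million or an objective not achieved"),
}
LIKELIHOOD_ORDER = list(LIKELIHOOD)  # A..F
IMPACT_ORDER = list(IMPACT)          # I..IV


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # one of A..F
    impact: str      # one of I..IV


def score(likelihood: str, impact: str) -> int:
    """Ordinal score 1..24: likelihood rank (1..6) times impact rank (1..4)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: likelihood={likelihood!r} impact={impact!r}")
    return (LIKELIHOOD_ORDER.index(likelihood) + 1) * (IMPACT_ORDER.index(impact) + 1)


def zone(likelihood: str, impact: str, green_max: int = 4, yellow_max: int = 11) -> str:
    """Tolerance zone on the map. The two thresholds express the organization's
    risk tolerance and are assumed here; with them D x III (4*3 = 12) is red and
    A x I is green, the two cases discussed on the slide."""
    s = score(likelihood, impact)
    if s <= green_max:
        return "green"
    if s <= yellow_max:
        return "yellow"
    return "red"


def response(likelihood: str, impact: str) -> str:
    """Risk response following the slide's rules: accept only in green; avoid when
    likelihood is very high and impact catastrophic; otherwise mitigate, with red
    risks taking priority. Transfer is left to a cost comparison with the third party."""
    z = zone(likelihood, impact)
    if z == "green":
        return "accept"
    if z == "yellow":
        return "mitigate"
    if likelihood == "F" and impact == "IV":
        return "avoid"
    return "mitigate (priority)"


def assess(register):
    """Rank a risk register, highest score first, with zone and response per risk."""
    rows = [(r.name, r.likelihood, r.impact, score(r.likelihood, r.impact),
             zone(r.likelihood, r.impact), response(r.likelihood, r.impact))
            for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed register for illustration (names and ratings are invented).
REGISTER = [
    Risk("Theft of assets from an unlocked storeroom", "D", "II"),
    Risk("Payment above the approval limit without a second signature", "D", "III"),
    Risk("Error in a published financial report", "C", "III"),
    Risk("Flood destroys the only copy of paper records", "B", "IV"),
    Risk("Late delivery of an internal status memo", "E", "I"),
]

if __name__ == "__main__":
    for name, lik, imp, s, z, resp in assess(REGISTER):
        print(f"{s:>2} {z:<6} {resp:<19} {lik}x{imp}  {name}")
```

Note that `score` rejects a rating outside the defined scales rather than guessing: an assessment with undefined criteria is exactly the meaningless one the slide warns about. Changing `green_max` and `yellow_max` is how the organization's tolerance is recorded, and that decision belongs to management, not to the person filling in the register.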
48 49 Controle Preventivo Previne ocorrência dos eventos negativos de forma proativa Exemplo: Regime de alçadas para compras Uso de senhas de acessoUso de salas-cofre Sistemas de vigilância eletrônica Uso de documentos eletronicamente numerados Controle Detectivo Constata a ocorrência de eventos negativos de forma reativa Exemplos: Aprovação do Supervisor Relatório de atividade de um usuário do Sistema corporativo Conciliação da antecipação de fundos Contagem física Revisão de cheques faltantes 3. Atividades de Controle The first way we can categorize control activities is between preventive and detective controls. Preventive Controls prevent the occurrence of a negative event in a proactive manner. [click] Examples here at UNC Charlotte include: Approval required for purchases greater than $5,000 Passwords required for access to Banner Petty cash that must be held in a lockbox Security and surveillance systems in high-risk areas, and Pre-numbered checks Detective Controls Detect the occurrence of a negative event after the fact in a reactive manner [click] Examples here at UNC Charlotte include: Supervisor review & approval Reports that are run showing user activity Reconciliation of petty cash Annual Physical inventory counts, and Review of missing and voided checks [click] Preventive controls are stronger that detective controls. It is more effective and less costly to prevent something from happening rather than to attack it on the back end; sometimes it is hard to stop something that is already in motion, similar to a snowball effect. This chart also shows corrective controls, but really I would deem these more as corrective ‘actions’, since the correction isn’t really a control itself. 
Compensating controls
Compensate for the absence of other preventive or detective controls.
Example: if a unit does not have enough staff for segregation of duties, it can provide for: automation of transactions so that staff cannot alter them; review by the manager of reports of transactions initiated by staff; selection of a sample of documents for verification.

There are also compensating controls, which may be relied upon to mitigate existing risks when a control activity that should otherwise be in place is not. Compensating controls can be either preventive or detective. One common scenario is a department or unit that does not have the staff to establish adequate segregation of duties. Potential compensating controls include: automation of certain transaction data so that it cannot be altered by the staff, that is, removing humans from the process altogether; manager review of detailed summary reports of the transactions initiated by the staff (so, if one staff member is a requester in 49er Mart and her supervisor is the approver, then the overall manager of that area should, on a periodic basis, say monthly, separately review summary reports of these transactions); or having peer staff and/or a manager, someone separate from the personnel involved in making the transaction, select a sample of transactions and vouch them back to supporting documentation. In all these ways we compensate for the fact that the advisable control activity, segregation of duties, is not possible with current resources.

Manual control: requires action by people. Supervisor approval; reconciliation of records and accounts.
Automated control: established in the business rules. Passwords; input data validation mechanisms; batch controls (sequence numbers/totals).

3. Control Activities
The final category of controls we will go over is manual versus automated controls. Manual controls require action to be taken by employees.
Examples include: obtaining a supervisor's approval for overtime; reconciling bank accounts; and matching receiving to purchase orders. Automated controls are built into the network infrastructure and software applications. Examples include: passwords; data entry validation checks; and batch controls. Automated controls are more reliable and cost effective than manual controls.

4. Information and Communication
Information is needed to establish responsibilities over controls and to support the achievement of objectives.
Communication: a continuous, iterative process of producing, sharing and obtaining the information that is needed.
Information must be timely and accessible to ensure readiness for control activities.
Key point: communicate the right information to the right person at the right time.

The fourth component of the internal control framework is Information and Communication. This component is pretty straightforward but is also very important in ensuring a cohesive, sustainable framework. Accurate, timely information is necessary to properly carry out internal control responsibilities in support of the achievement of an organization's objectives, and communication is the continual, iterative process of providing, sharing and obtaining that necessary information. Management and employees must be able to obtain information from both internal and external sources as necessary, and communication paths must be viable to both internal and external parties. Information should be timely, accessible, and allow for successful control actions. Obviously that is a very high-level statement that is harder to do than to say, but the key is to keep communicating the right information to the right people at the right time.

4. Information and Communication - Principles
What to communicate?
Initiatives; goals; changes; opportunities; feedback; questions; answers; policies; procedures; standards; expectations.

4. Information and Communication
Even with so many ways to communicate these days (email, text messaging, Twitter, Facebook, apps, the cloud, FedEx, mail, phone calls, or even face to face), it is sometimes difficult to find ways to communicate effectively and with impact. Keep in mind what you are trying to communicate and to whom. Remember that more communication is not always better, but well thought-out, directed communication is essential to all operations, including internal controls.

5. Monitoring
Evaluations to verify whether internal controls are present and operating adequately.
Ongoing evaluations: designed as part of the process itself; timely information.
Periodic evaluations: vary in scope and frequency.
Deficiencies must be communicated to Management.

The fifth and final component of the internal control framework is Monitoring. Monitoring activities are evaluations used to ascertain whether components of internal control are present and functioning.
These evaluations can be split into two categories. Ongoing evaluations are built into business processes and provide timely information on the underlying controls. Separate evaluations are conducted periodically and vary in scope and frequency based on prior assessments of risk, the effectiveness of ongoing evaluations, and other management considerations such as resource prioritization; they include Internal Audit activities. In other words, when we monitor an activity, we are assessing the performance of an internal control system over a period of time, helping to validate that the internal control system is operating as expected. Any findings that result from monitoring activities should be evaluated against relevant criteria, for example: how long has the control been compromised, and how high are the risks? Any deficiencies that are found, which are more pernicious to the control system than findings, should be communicated to the Board and Senior Management. Monitoring also confirms that the findings of audits and other reviews are promptly resolved so that internal controls are not compromised. Monitoring should be directed at both internal and external risks to the organization. It also consists of supervisory review and sign-off to help ensure proper checks and balances. Your organization should have a strategy for effective ongoing monitoring.

5. Monitoring - Principles
Design deficiency: even if a control operates as intended, the control objective is not achieved.
To evaluate the design of a control: consider how the control is executed, who operates it, what information is used and what evidence is produced; evaluate the narratives and flowcharts produced in the control documentation phase.

5. Monitoring
When monitoring activities have been completed, the results must be analyzed and reported. If deficiencies in controls are found, they should be categorized as either deficiencies in design or deficiencies in operation.
A deficiency in design occurs when a critical control is not properly designed; that is, even when the control operates as designed, the control objective is not always met. Remember that a critical control is one that is critical to the organization's ability to meet its control objectives. The picture on this slide shows a train that derailed because of a design deficiency. Per the news reports, the accident was caused by a "serious deficiency" in the design of the cantilever arm, and by concrete that did not have adequate strength, likely because it was not adequately cured. Thus, when validating control design (that is, determining the control's effectiveness), we should consider various factors. In this case: how is the train usually kept from derailing, who ensures that this control is in place, and what data, reports and physical evidence were or could be used in monitoring the control? This information can be evaluated using process narratives, flowcharts and any other documentation.

Operating deficiency: a well-designed control does not operate as expected, or the person responsible for the control lacks the necessary authority or qualification.
To evaluate the effectiveness of the control: review supporting documentation; review periodic reconciliations; review compliance with policies and procedures.

5. Monitoring
The other type of control deficiency is a deficiency in operation. These occur when a properly designed control does not operate as intended, or when the person performing the control does not possess the necessary authority or qualification to perform it effectively. The picture on this slide shows a clip from the movie Gravity, in which Sandra Bullock plays an astronaut stranded in space. Here she is in a foreign space station where, even though the controls have likely been properly designed, the astronaut does not possess the qualifications needed to operate them effectively.
Testing for operating effectiveness (down here on Earth) can include: reviews of supporting documentation for proper authorization; reviews of periodic reconciliations; and reviews of policies and procedures to determine whether they are being followed. All of these reviews can be performed on a sample basis.

Limitations of an organization's internal control system
Suitability of objectives; bias in human judgment; human failures; management can "override" internal controls; management's ability to "circumvent" controls.

Note that even an effective, well-designed system of internal control can fail. Limitations may result from: the lack of suitability of established objectives; the reality that human judgment in decision making can be faulty and subject to bias; breakdowns that occur because of human failures such as simple errors; the ability of management to override internal controls; the ability of management, other personnel and/or third parties to circumvent controls through collusion; and external events beyond the University's control. Again, internal control provides reasonable, not absolute, assurance of achieving objectives. The point of internal controls is to prevent what is preventable, not to prevent everything. Remember that one of the key components of internal control is risk assessment.

An analysis using the COSO components
Control environment: a family-run firm; the founder (who is the company president) has children and nephews as directors; hiring is based on referrals from relatives and friends; there are no people-development actions; employees without family ties keep their management positions by showing unequivocal loyalty to their director, working up to 12 hours a day.
Risk assessment: one of the directors is a partner in a company that is one of the firm's main customers; credit limits granted to customers are approved centrally by the firm's president; the company wrote its strategic plan four years ago and has not reviewed its strategic objectives since; delinquency has risen in recent months and the firm had to take a bank loan to meet payroll; despite the global recession, the sales area has been pushing hard for higher revenues.

Control activity: to secure better results, the firm hired a director from the market, who took over credit approval and sales management; the routines for the firm's purchasing are being written into manuals; because of the new Executive Director's hiring, the asset manager had to be let go, and control of fixed assets is now performed by the Accountant.

Information and communication: the president meets informally, every week, with directors he chooses; only managers use email; no system for evaluating employee performance has been implemented yet; information is centralized in the board of directors.

Monitoring: because of the competitive climate, managers manipulate the information on results achieved in each of their areas; directors do not supervise the control activities of the managers who report to them; corrective actions are applied only when fraud or intent is suspected, by summary dismissal.

Which controls are relevant?
For financial controls, for example, it matters to identify: Will the control activities help achieve the objectives? Will the control activities mitigate risks in line with the organization's tolerance? How will the controls prevent or detect errors in the financial statements?

We have been talking about internal controls in general, but one key area of internal control is financial reporting, both for internal departmental reports and for University-wide financial reports, which are key to management decision making. When designing and documenting controls over financial reporting, consider the following questions: Will the control techniques help achieve the control objectives? Will the controls mitigate risk to an acceptable level (and how do you define "acceptable level")? How do the related control objectives prevent or detect a potential misstatement? How do potential misstatements affect the related financial report line item?

Some universal principles
Which controls are relevant?
Even if nothing else from this session has stuck with you (and I am sure it has!), there are some common basic internal control principles that can be applied at a practical level to any process:
1. Establish responsibility. All key tasks should be assigned, and each should be assigned to only one person. If tasks are not assigned, you run the risk of no one taking responsibility, or of multiple people doing duplicative work or colluding.
2. Segregate duties. The following responsibilities should be segregated in each business process: maintaining proper custody of assets; properly recording the transactions; authorizing the transactions; and reconciling the transactions. Remember that compensating controls can be put in place where full segregation of duties is not possible. At the very least, do not make one employee responsible for all parts of a process.
A key to defeating the opportunity for fraud is to divide key functions so that no one person has control over all parts of a transaction.
3. Restrict access. Do not provide access to systems, information, assets and so on unless that access is needed to complete assigned responsibilities.
4. Document procedures and transactions. We have already talked about documentation. It is necessary to prepare evidence to show that activities have occurred and to verify findings.
5. Independently verify. Remember to check others' work. Do not let an employee have unbridled and unchecked authority.
Note that higher-risk transactions include: the purchase of goods and services; cash receipts; payroll operations; and inventory operations. These processes should be monitored more closely for proper controls, since they present higher opportunities for fraud and misappropriation than other processes.

Establish responsibility: assign each task to one person.
Segregation of duties: one person cannot be responsible for all steps of the process.
Restriction of access: access to systems and information must match each agent's responsibilities.
Document procedures and transactions: give reasons for, and record, the activities performed.
Independent verification: mutual vigilance.

[Figure: controls over financial reporting. Entity-level controls: control environment; fraud controls, including controls over management override; risk assessment and related policies; control activities, including fraud controls; information systems; monitoring controls. Process flow: transactions, financial statement close process, financial statements.]

[Figure: risk matrix. Vertical axis Impact (I): I Marginal; II Material; III Severe; IV Catastrophic. Horizontal axis Likelihood (L): A Almost impossible; B Remote; C Low; D Reasonably possible; E Probable; F Very high. Cells are rated LOW, MODERATE or HIGH.]