The purpose of a company's existence is survival, development, and profit. If the company wants to achieve that purpose, internal audit, internal control, and risk control can be described as its "firewall" and its "health doctor". The foothold of internal audit, internal control, and risk control should be the strategic objectives, vision, and planning of the organization; in the near term, they should serve the organization's development objectives (short-term objectives) at a given stage. From this perspective, the goal orientation of the three is consistent. Today, we are going to talk about the differences between legal affairs, compliance, internal control, risk control, and audit.

Legal affairs

Operating in the market, modern enterprises face risks from all directions, such as contract risk, capital operation risk, intellectual property risk, human resources risk, environmental protection risk, tax planning risk, public relations risk, and litigation and arbitration risk.

Preventing these risks, so as to ensure the safe operation of the enterprise, stop potential risks from turning into real disasters, and head them off before they happen, requires establishing an enterprise legal risk management function and improving the enterprise legal risk management system. Large enterprises often set up a law and regulation office or a legal affairs department to handle the enterprise's day-to-day legal affairs.

Since a company is usually established for profit, and the legal department within the enterprise is established to reduce risk, reduce losses, and safeguard the legitimate interests of the company, the enterprise's legal affairs function takes serving the company's business, production, and operations as its fundamental purpose, and takes expanding its service scope and improving its service level as its fundamental task. This is commonly referred to as serving the business departments.

Compliance

The International Organization for Standardization (ISO) released the international standard ISO 19600, Compliance management systems – Guidelines, on December 15, 2014. It defines "compliance" as follows: organizations should formulate "compliance obligations" documents in a manner suitable for their scale, complexity, structure, and operations. Compliance obligation information shall include compliance requirements and compliance commitments.

The former includes the mandatory laws, regulations, and regulatory rules formulated and released by regulatory authorities, while the latter includes the agreements, organizational requirements, policies, procedures, voluntary principles, and environmental commitments that the organization has entered into with communities, public authorities, and customers.

“Compliance” in a broad sense has three meanings:

The first level is that enterprises should abide by laws and regulations in the process of production and operation, that is, enterprises should abide by the laws and regulations and regulatory regulations of the country where the company’s headquarters and operation are located;

The second level is that the enterprise operation should follow the internal rules and regulations of the enterprise, including the rules of the enterprise’s code of business conduct;

The third level is that enterprise employees should abide by good professional ethics and moral standards. In a narrow sense, compliance means that the enterprise complies with the provisions against commercial bribery.

Taken together, the "rules" that compliance refers to should be understood on three levels:

The first level is mandatory laws and regulations, that is, the mandatory legal and regulatory provisions of the country where the enterprise's headquarters are located and of the countries where the enterprise operates;

The second level is the voluntary commitments the enterprise makes to relevant parties (customers, shareholders, regulators, internal employees, etc.) in its production and operation activities, as written into the enterprise's own regulations;

The third level is that enterprises should abide by good professional ethics and moral standards, public order, and good customs; these are not mandatory, but are generally recognized by the public in social activities.

Compliance risk refers to the uncertainty of whether the collective behavior of the enterprise organization, and the individual behavior of those acting on behalf of it, conforms to the "rules" that compliance refers to. Of the three levels of those rules, the first level of compliance risk and the third level of compliance risk fully include the content of enterprise internal control risk.

Risk management

Enterprise risk control refers to enterprise-wide, comprehensive risk control. In 2004 COSO went on to publish its integrated framework for enterprise risk management, which defines enterprise risk management as follows: "enterprise risk management is a process, influenced by the board of directors, management, and other employees of the enterprise, including internal control and its application in strategy and across the whole company. It aims to provide reasonable assurance of the efficiency and effectiveness of operations, the reliability of financial reporting, and compliance with current laws and regulations."

This definition of enterprise risk management still carries too many traces of internal control. In practice, enterprise risk includes market and macro-policy risk, customer preference risk, compliance risk, technology risk, quality risk, performance capability risk, and so on.

Internal audit

Internal audit is an independent and objective assurance and consulting activity. Its purpose is to add value to the organization and improve its operating efficiency. It evaluates and improves the effectiveness of risk management, control, and governance processes through systematic and standardized methods, helping the organization achieve its goals.

Conceptually, internal control also includes supervision and evaluation; internal audit, however, is there to evaluate internal control, risk management, and governance, to ensure the normal operation of the organization, and to ensure that it does not deviate from the company's objectives.

Relationship among internal control, risk control and internal audit

In terms of group internal management, the three are related and each has its own function. Internal control is the basis and root of risk control and internal audit, and sits at the front end of the whole control system. Risk management sits in the middle. It provides logic and direction for internal audit, and gives internal audit an accurate position from which to identify problems (i.e. risks, once evaluated) and to set its audit direction (objectives).

Internal audit assesses and evaluates enterprise operations, internal control, risk management, and corporate governance by means of assurance and consulting, so as to ensure that all business work of the enterprise achieves the company's objectives impartially, in accordance with the established objectives and standards.

From the perspective of control mode, internal control, risk control, and internal audit stand in a progressive, causal relationship of "foundation – analysis – evaluation". In terms of control method, internal control is pre-control: systems and processes are born for management and are formulated to prevent problems, mistakes, and omissions in enterprise management, so internal control falls within the scope of prior prevention and control.

Risk management mainly analyzes and evaluates during the process, although it can also be done in advance. The basis and content of risk evaluation are again internal control and institutional processes. Risk in the operating process belongs to in-process control, and even when a risk is analyzed afterwards, it is still for the sake of in-process control. Therefore, I personally believe that risk control belongs to the category of in-process control.

Internal audit, in terms of the relationship among the three, comes after the first two. It confirms the corresponding nodes (key control points) of internal control according to the risk prompts or results, and confirms whether the risk exists, whether there has been a loss, and whether it can be resolved or transferred. By this process, internal audit is post-hoc confirmation and evaluation, and belongs to the category of post-control.

Relationship among compliance, internal control, and risk control

1. Level of risk control: Compliance – internal control – risk control

(1) Compliance is “laying the foundation”

The core of compliance: "ensure that all production and operation activities of the company comply with internal and external laws, systems, regulations, norms, and guidelines". Compliance output: compliance plays the most basic role in restraining operational risk.

Weakness of compliance: it can only find problems, not solve them.

(2) Internal control is the “highest level” of compliance

The core of internal control: not only is compliance required, but also the status of that "compliance" (whether it is complete, whether there are supporting guidelines, and whether the implementation process is complete). The focus of internal control: compared with compliance, compliance pays attention to results while internal control pays attention to the process. On this basis, more complete tools and methods (the COSO framework) have been developed.

Advantages of internal control: internal control is the best means to curb operational risks.

Disadvantages of internal control: internal control is powerless against risks that need to be managed from a certain height (such as strategic risks). For example, internal control cannot measure how much risk capital market fluctuations will bring to the company.

(3) Risk management is the "highest form" of risk control

The risk management function must be raised to senior management; a risk management department independent of the business departments must be established. The various risks in the company are relatively scattered and independent, so a unified department is set up to examine them from the height of management, avoiding the piecemeal approach of "treating the head when the head aches and the foot when the foot aches".

2. Similarities and differences between risk control and internal control

(1) Same point

Risk control and internal control essentially promote the realization of enterprise business objectives by evaluating, preventing, and controlling enterprise risks.

(2) Different points

First, the two look at risk from different angles

Risk control mainly focuses on the enterprise’s strategic business objectives, identifies, evaluates, and analyzes risks “from top to bottom”, and puts forward strategies and measures for risk early warning, prevention, and emergency management.

Internal control, from the perspective of process compliance and anti-fraud, mainly diagnoses and rectifies internal control defects "from the bottom up" in specific operating processes such as bidding and procurement, sales, and funds.

Risk control is like the “health doctor” of an enterprise, whose main responsibility is to “prevent disease”. Internal control is like an enterprise’s “emergency doctor”, whose main responsibility is to “cure the disease”.

Second, the two have different tools to deal with risks

Risk control mainly uses risk maps, process data analysis, questionnaires, control analysis, expert scoring, and other tools. With the gradual improvement of enterprise informatization, quantitative risk analysis and risk assessment index systems (such as the REI index) built around data analysis have attracted more and more attention.

Internal control mainly takes the form of routine audits, special audits, compliance inspections, and the like, and mainly uses tools such as walk-through tests and control tests to diagnose defects in the design and operation of internal controls over key businesses and important processes.

Consistent goal orientation: strategic goal orientation

Internal audit, internal control, and risk control are "products" of governance, supervision, and other factors, and their causes can be traced further back.

From an internal perspective, the separation of powers (ownership and management) is one of the important factors. From an external perspective, the organization and its operations must meet the requirements of compliance with laws and regulations.

Internal audit, internal control, and risk control are quality checks and balances on the operation of the company: checks and balances on people, on matters, and on interests. Beyond checks and balances, they promote the healthy development of the organization.