Weak Internal Controls or Weak Governance Intelligence?

Last Updated on 17/07/2026 by 75385885

Why Governance Control Navigator (GCN) Would Have Asked Different Questions Than Traditional GRC


The new GRC – This article is based on publicly available reporting regarding the City of Rocky Mount, North Carolina. The governance analysis and the Governance Control Navigator (GCN) scenarios presented are fictionalised and intended solely to illustrate the difference between traditional Governance, Risk & Compliance (GRC) and Governance Control Navigator (GCN). They should not be interpreted as findings about the actual events beyond the published audit conclusions.

Read the original publication in this link: Auditor: Rocky Mount billing delays caused by weak internal controls in the Enterprise.


Part 1 – From Governance Control to Governance Intelligence

1. Governance Has Never Been Stronger

Over the past three decades, organisations have transformed the way they govern themselves.

Corporate governance has evolved from policy manuals stored in filing cabinets to highly integrated governance ecosystems supported by Enterprise Resource Planning (ERP) systems, Governance, Risk & Compliance (GRC) platforms, Internal Audit functions, sophisticated workflow engines and increasingly advanced analytics.

Today, large organisations operate within governance environments that would have been unimaginable only twenty years ago.

Segregation of Duties is embedded within ERP systems.

Approval workflows automatically enforce delegated authorities.

Identity and Access Management controls determine who may access critical systems.

Continuous logging captures millions of user activities.

Internal Audit periodically validates that controls continue to function as designed.

Boards receive governance dashboards.

Audit Committees monitor control effectiveness.

External auditors increasingly rely upon automated controls when determining audit approaches.

International frameworks such as COSO, ISO 27001, SOX, the Three Lines Model and numerous industry-specific regulations have significantly strengthened governance maturity across both public and private sectors.

This is an extraordinary achievement.

Modern GRC has professionalised governance.

It has reduced operational risk.

It has strengthened accountability.

It has increased transparency.

Most importantly, it has given boards and executive management significantly greater confidence that organisations are operating within an appropriate control environment.

Governance Control Navigator starts from exactly that premise.

GCN is not designed because traditional GRC has failed.

It is designed because traditional GRC has been so successful that organisations are now facing a different governance challenge.

The question is no longer simply:

“Have we designed effective controls?”

Increasingly, boards are asking something different.

“Does our organisation still behave the way those controls were originally designed to achieve?”

That subtle shift changes the governance conversation completely.

2. Traditional GRC Has Changed Corporate Governance Forever

Before discussing Governance Control Navigator, it is important to recognise the enormous contribution that traditional Governance, Risk & Compliance has made to modern organisations.

Without GRC, today’s governance landscape simply would not exist.

Most organisations now possess clearly documented governance structures.

Risks are identified systematically.

Control objectives are formally defined.

Responsibilities are allocated through governance frameworks.

Policies establish organisational expectations.

Internal controls translate those expectations into operational procedures.

Internal Audit independently evaluates whether those procedures continue to function effectively.

This governance architecture has fundamentally improved organisational resilience.

It has also transformed auditing.

Thirty years ago, many audits concentrated heavily on individual transactions.

Today, auditors increasingly evaluate systems of internal control.

When those systems prove reliable, auditors can often reduce detailed substantive testing because confidence shifts towards the control environment itself.

That represents a profound development in corporate governance.

It also explains why modern GRC deserves considerable credit.

It provides organisations with confidence that governance has been designed appropriately.

It provides assurance that controls appear to operate effectively.

It provides boards with structured information regarding governance risks.

In short, GRC answers one critically important governance question:

“Do our governance controls appear to be operating as designed?”

For decades, that has been precisely the right question.

Today, however, organisations are becoming increasingly dynamic.

Artificial Intelligence accelerates decision-making.

Digital platforms continuously evolve.

Hybrid working changes organisational behaviour.

Temporary workarounds emerge.

Staff shortages require practical operational adjustments.

Customer expectations change.

Business processes evolve almost continuously.

Increasingly, boards are discovering that governance design can remain remarkably stable while organisational behaviour gradually changes underneath it.

That is not a weakness of GRC.

It is simply a governance question that traditional GRC was never originally intended to answer.

Read more on Wikipedia: Governance, risk, and compliance.


3. Governance Design and Organisational Reality

Consider two organisations.

Both have implemented exactly the same governance framework.

Both use identical ERP systems.

Both operate similar Internal Audit functions.

Both perform annual Segregation of Duties reviews.

Both comply with applicable governance standards.

Both receive clean audit opinions.

From a traditional governance perspective, they appear equally well controlled.

Now imagine observing these organisations over the next five years.

The first organisation continues operating exactly as management originally intended.

The second organisation gradually develops practical operational adjustments.

Temporary billing exceptions become more common.

Managers introduce manual workarounds to maintain customer service.

Operational staff develop shortcuts to meet performance targets.

Supervisors approve temporary exceptions that eventually become permanent practice.

None of these individual decisions appears unreasonable.

Each one solves a genuine operational problem.

Each one helps the organisation continue functioning.

Yet collectively they gradually reshape organisational behaviour.

Interestingly, Governance Design remains almost unchanged.

Policies remain valid.

Controls continue operating.

Approval workflows still function.

Internal Audit continues reporting satisfactory control effectiveness.

Governance Design has remained remarkably stable.

Governance Reality has quietly evolved.

That distinction lies at the heart of Governance Control Navigator.

Traditional GRC evaluates Governance Design.

GCN evaluates whether Governance Reality continues to reflect that design.

These are complementary governance perspectives.

Together they provide boards with a far richer understanding of organisational performance than either perspective can provide independently.


4. The Rocky Mount Audit

An interesting illustration can be found in the publicly reported follow-up audit concerning the City of Rocky Mount, North Carolina.

According to the published audit conclusions, weaknesses in internal controls allowed unauthorised changes to utility billing schedules and meter-reading information. The audit concluded that these weaknesses contributed to delayed customer billing, customer confusion and unpaid utility charges.

From a traditional GRC perspective, these conclusions are entirely appropriate.

Internal controls are expected to prevent unauthorised changes.

Authorisations should function correctly.

Critical changes should be properly documented.

Review procedures should identify inappropriate adjustments.

When those mechanisms prove insufficient, Internal Audit correctly identifies weaknesses within the control environment.

That is precisely the role Internal Audit should perform.

The audit therefore provides valuable governance information.

But for governance professionals another question naturally follows.

Not:

“Was the audit correct?”

The answer is clearly yes.

The more interesting governance question is:

“Could management have recognised the developing organisational behaviour long before those weaknesses eventually appeared in the audit report?”

That question does not challenge the audit.

It complements it.

It asks whether governance information could become available while operational reality is still evolving rather than after control weaknesses have become sufficiently visible for formal audit reporting.

That is exactly the governance space where Governance Control Navigator operates.


5. A Different Governance Question

Imagine the same organisation several months before the audit.

Employees begin making occasional manual adjustments.

A billing cycle is delayed to solve a customer issue.

Another adjustment is made because operational resources are temporarily unavailable.

A supervisor approves an exception to avoid disrupting service delivery.

Individually, each decision appears entirely reasonable.

Customer service continues.

Operational disruption is minimised.

The designed governance framework remains in place.

No single adjustment necessarily violates policy.

Nothing appears dramatic.

Traditional GRC quite naturally continues focusing on questions such as:

  • Were changes properly authorised?
  • Were responsibilities appropriately segregated?
  • Were procedures followed?
  • Were control activities performed?
  • Were exceptions documented?

These remain excellent governance questions.

Governance Control Navigator simply asks one additional question:

“Is organisational behaviour gradually moving away from the governance design originally approved by management?”

That single additional question changes governance from periodic assurance into continuous organisational understanding.

It also explains why GCN should never be viewed as an alternative to Governance, Risk & Compliance.

Instead, it represents the next governance layer.

A layer that builds upon decades of successful GRC development by adding something boards increasingly need:

Governance Intelligence.

Not simply understanding whether governance controls appear to be operating as designed.

But understanding whether organisational reality is still aligned with that governance design.


 

Part 2 – From Control Weaknesses to Behavioural Patterns

6. Every Individual Decision Made Perfect Sense

One of the reasons governance failures are so difficult to recognise is that they rarely begin with someone deliberately deciding to ignore internal controls.

Most governance problems develop much more gradually.The new GRC

Operational pressures increase.

Customer expectations change.

Employees try to provide better service.

Managers make practical decisions to avoid unnecessary delays.

Temporary exceptions become accepted practice.

The organisation adapts.

Imagine the Rocky Mount utility process before the audit findings became visible.

A customer complains about an incorrect bill.

An employee delays a billing cycle while the issue is investigated.

Another customer disputes a meter reading.

A supervisor authorises a manual adjustment.

An operational backlog develops.

Employees begin making additional billing changes to keep customer service functioning.

Individually, every adjustment appears entirely reasonable.

Every employee believes they are helping customers.

Every supervisor believes they are solving operational problems.

Nothing suggests that governance is failing.

Quite the opposite.

The organisation appears responsive and customer-oriented.

This illustrates an important governance principle.

Governance rarely deteriorates because people intentionally undermine it.

More often, governance evolves because people continually adapt to changing operational realities.

The controls remain.

The behaviour gradually changes.

That distinction is fundamental.

Traditional GRC primarily evaluates whether the controls remain effective.

Governance Control Navigator asks whether organisational behaviour is gradually evolving away from the governance design that those controls were originally intended to support.

Read more on one of the best traditional GRC-software providers: What is Gorvernance, Risk, and Compliance (GRC)? as explained by ServiceNow.


7. Why Internal Audit Correctly Identified Weak Internal Controls

The published audit concluded that weaknesses in internal controls allowed unauthorised billing changes, delayed customer billing and contributed to unpaid utility charges. Those conclusions were entirely appropriate based on the audit evidence available.

This point deserves emphasis.

Governance Control Navigator does not argue that Internal Audit reached the wrong conclusion.

On the contrary.

Internal Audit fulfilled exactly the role it is expected to perform.

Auditors evaluate governance through recognised professional methodologies.

They assess whether control objectives have been achieved.

They determine whether controls have operated effectively.

They identify deficiencies.

They recommend improvements.

That process remains essential.

Without Internal Audit, organisations would lose one of their most important independent assurance functions.

GCN therefore does not compete with Internal Audit.

It complements it.

Think of the relationship this way.

Traditional GRC asks:

  • Were billing changes properly authorised?
  • Were approval procedures followed?
  • Were responsibilities appropriately segregated?
  • Were review controls operating effectively?

Governance Control Navigator asks additional questions:

  • Why are manual billing adjustments steadily increasing?
  • Why are certain users making significantly more overrides than comparable colleagues?
  • Why are billing delays gradually becoming more frequent?
  • Why is operational behaviour changing even though governance documentation remains unchanged?

The difference is subtle but profound.

The audit explains why the control environment no longer provided sufficient assurance.

GCN seeks to explain why organisational behaviour gradually moved in that direction long before the audit identified the resulting control weaknesses.

Read more on modern internal control environments in our blog: Internal Control in the Age of AI – When Governance Moves from Paper to Code.


8. From Transactions to Behaviour

Traditional governance largely evaluates transactions.

Governance Control Navigator evaluates behaviour.

This distinction is perhaps the most important conceptual difference between the two approaches.

A transaction answers questions such as:

  • Was this billing adjustment authorised?
  • Was this customer account updated correctly?
  • Was this workflow completed?
  • Was this exception documented?

Each transaction receives an individual answer.

Behaviour emerges only when thousands of transactions are analysed together.

Suppose an organisation processes several hundred thousand billing transactions annually.

Within those transactions GCN may observe gradual developments such as:

  • manual billing schedule changes increasing month after month;
  • the same operational teams performing most overrides;
  • certain supervisors approving significantly more exceptions than comparable managers;
  • customer complaints increasing in parallel with billing adjustments;
  • delayed invoices becoming concentrated within particular operational areas.

None of these observations demonstrates poor governance.

Each may have entirely legitimate explanations.

Perhaps staffing shortages occurred.

Perhaps a software implementation created temporary operational pressure.

Perhaps regulatory changes required manual interventions.

GCN therefore avoids drawing conclusions.

Instead, it generates governance questions.

That distinction is critical.

Good governance should never confuse pattern recognition with evidence of misconduct.

Pattern recognition simply helps management recognise that organisational behaviour deserves closer attention.

Read more in our blog: The Muscles and Nerves of AI Governance – Labour, Profession and Sensitivity.


9. What Governance Control Navigator Would Probably Have Seen

Now imagine the same utility organisation operating with Governance Control Navigator alongside its existing GRC environment.

Nothing changes within the ERP system.

Internal controls remain exactly the same.

Internal Audit continues performing periodic reviews.

Policies remain unchanged.

GCN simply introduces a continuous governance intelligence layer.

During the first months, almost nothing appears unusual.

Then several behavioural indicators begin moving slowly.

Manual billing adjustments increase by 12%.

Customer billing delays rise slightly.

A small group of employees performs an increasing proportion of billing overrides.

Exception approvals become more concentrated within particular supervisory teams.

Customer complaints relating to delayed invoices increase gradually.

None of these developments individually exceeds management thresholds.

No single indicator would justify a formal investigation.

However, Governance Control Navigator does not evaluate indicators individually.

It evaluates relationships.

When multiple behavioural indicators begin moving in the same direction simultaneously, GCN identifies an emerging governance pattern.

Importantly, GCN would not generate an alert stating:

“Weak internal controls detected.”

Nor would it conclude:

“Fraud suspected.”

Instead, management might receive a governance observation such as:

“Operational billing behaviour has gradually changed over the past six months. Manual interventions, billing delays and approval exceptions have all increased beyond historical norms. Management review is recommended to determine whether organisational reality remains aligned with the current governance design.”

Notice the language.

No accusations.

No conclusions.

Only Governance Intelligence.

That distinction makes continuous governance acceptable within professional organisations.


10. Governance Intelligence Connects What Organisations Already Know

One of the most fascinating aspects of cases like Rocky Mount is that the relevant information usually already exists.

The challenge is rarely a lack of data.

The challenge is fragmentation.

Customer Services sees complaints.

Billing Operations sees invoice delays.

Finance sees overdue receivables.

Internal Audit sees control testing.

HR understands staffing changes.

IT manages system activity.

Management receives operational reports.

Each department possesses accurate information.

Each department performs its responsibilities professionally.

Yet each department sees only part of organisational reality.

Governance Control Navigator introduces a different perspective.

Rather than asking each department to collect more information, GCN connects the information already available.

It links operational behaviour.

Financial performance.

Governance controls.

Process execution.

Human behaviour.

Management reporting.

Together these elements create something entirely new.

Not more dashboards.

Not more controls.

But Governance Intelligence.

Information that enables boards and executive management to recognise organisational evolution while it is still manageable rather than after it has become visible as an audit finding.

That is why Governance Control Navigator should not be viewed as another GRC application.

It should be viewed as the next governance layer.

A layer that helps organisations move from understanding whether controls operate effectively to understanding whether organisational reality continues to reflect the governance that management originally designed.


Part 3 – The Next Evolution of Governance

11. Continuous Monitoring Creates Continuous Improvement

One of the greatest misconceptions surrounding continuous monitoring is that it exists to monitor employees.

Nothing could be further from the truth.

Well-designed governance has never been about surveillance.

It has always been about helping organisations achieve their objectives in a controlled, transparent and sustainable manner.

The same principle applies to Governance Control Navigator.

GCN is not designed to detect wrongdoing.

It is designed to help management recognise when organisational reality begins to evolve differently from the governance framework it originally approved.

That distinction fundamentally changes the conversation.

Suppose Governance Control Navigator had identified a gradual increase in manual billing adjustments during the early stages of the Rocky Mount case.

The purpose would never have been to accuse employees of inappropriate behaviour.

Instead, management might simply have received a governance observation:

“Manual billing interventions have increased by 18% during the past six months compared with historical patterns. Would management like to understand the operational reasons behind this development?”

That single question immediately changes the role of governance.

Management might discover:

  • staffing shortages within the billing department;
  • delays caused by system upgrades;
  • changing customer expectations;
  • increasing operational complexity;
  • insufficient training;
  • unclear procedures.

Or perhaps management concludes that existing controls no longer reflect operational reality and should therefore be redesigned.

Every one of these outcomes represents governance improvement.

Not because someone has been blamed.

But because management receives earlier insight.

Traditional governance often improves organisations after problems become visible.

Governance Control Navigator helps organisations improve while governance is still evolving.

That is why continuous monitoring should perhaps be viewed differently.

It is not continuous inspection.

It is continuous organisational learning.


12. From Governance Control to Governance Intelligence

Corporate governance is entering a new phase.

For decades organisations focused primarily on designing better controls.

That investment has been enormously successful.

The next challenge is different.

Modern organisations generate extraordinary volumes of operational information.

ERP systems record transactions.

Workflow systems record approvals.

Identity Management records user activity.

Customer systems capture service performance.

Financial systems monitor operational results.

HR systems document organisational change.

The question is no longer whether sufficient information exists.

The question is whether organisations understand what that information collectively tells them.

This is where Governance Intelligence becomes increasingly important.

Governance Intelligence is not another reporting framework.

It is the ability to combine governance information, operational behaviour and business performance into one coherent management perspective.

Instead of analysing isolated control activities, organisations begin understanding organisational dynamics.

They recognise behavioural evolution.

They identify emerging operational pressures.

They understand why exceptions increase.

They recognise when temporary workarounds become permanent practice.

Most importantly, they understand whether governance continues supporting organisational objectives as circumstances evolve.

This represents a significant conceptual shift.

Traditional GRC primarily evaluates control effectiveness.

Governance Intelligence evaluates organisational alignment.

Together they provide boards with significantly richer governance information.

Also read our blog on audit trails (that are off course included in GCN): AI, Audit Trails and Accountability – Why Human Confirmation Remains the Core of Governance.


13. Governance Design, Governance Reality and Collective Governance Behaviour

One of the central concepts within Governance Control Navigator is that every organisation simultaneously operates within three governance realities.

The first is Governance Design.

This represents everything management intentionally creates.

Policies.

Procedures.

Control frameworks.

Segregation of Duties.

Approval matrices.

Identity Management.

Risk registers.

Internal controls.

These collectively describe how management intends the organisation to operate.

The second is Governance Execution.

This is where employees, managers and information systems execute those governance processes every day.

Purchase orders are approved.

Invoices are processed.

Bills are generated.

Customer requests are handled.

Controls are performed.

This is governance in action.

The third reality is perhaps the most interesting.

It is Collective Governance Behaviour.

This is not the behaviour of one individual.

Nor is it the outcome of one isolated transaction.

It is the behavioural pattern that emerges when thousands or millions of operational decisions are viewed together.

No individual employee creates Collective Governance Behaviour.

The organisation creates it.

That distinction is essential.

Traditional GRC provides valuable assurance regarding Governance Design.

Operational reporting explains Governance Execution.

Governance Control Navigator connects both realities to understand Collective Governance Behaviour.

This is precisely why GCN should not be viewed as another control framework.

It is a governance intelligence capability.

One that helps boards understand whether the organisation they designed is still the organisation that actually exists.


14. Governance Is No Longer About Better Controls Alone

The Rocky Mount case illustrates a broader governance lesson that extends far beyond municipal government.

The published audit identified weak internal controls.

That conclusion remains entirely valid.

Governance Control Navigator reaches exactly the same conclusion.

But it asks one additional question.

How did organisational behaviour gradually evolve until those weaknesses became visible?

That question changes governance fundamentally.

Instead of viewing governance as a periodic assessment of historical controls, governance becomes a continuous understanding of organisational development.

Traditional Governance, Risk & Compliance remains indispensable.

Every organisation requires strong governance frameworks.

Effective Internal Audit.

Reliable ERP controls.

Identity Management.

Segregation of Duties.

Policy frameworks.

Regulatory compliance.

These remain the foundations of professional governance.

Governance Control Navigator simply adds another layer.

Not another control.

Not another framework.

Not another audit.

A layer of Governance Intelligence.

Traditional GRC indicates whether governance controls appear to be operating as designed.

Governance Control Navigator helps management understand whether organisational reality is still aligned with that governance design.

Those are complementary questions.

Together they represent the next evolution of governance.

The future of governance will therefore not be characterised by more controls.

Nor by larger audit programmes.

Nor by additional compliance checklists.

Instead, the future belongs to organisations capable of recognising behavioural patterns while they are still developing.

Organisations that understand not only whether governance controls function, but also whether governance continues supporting the organisation’s strategic objectives in an increasingly dynamic world.

That is the ambition of Governance Control Navigator.

Not to replace Governance, Risk & Compliance.

But to build upon everything GRC has already achieved.

Because governance has always evolved.

From financial control.

To internal control.

To enterprise governance.

The next logical step is Governance Intelligence.

And Governance Intelligence begins with one simple but profoundly important question:

Is our organisation still behaving the way we intended when we designed our governance?

That is not an audit question.

It is a board question.

And increasingly, it may become one of the most important governance questions organisations can ask.

Also read our blog: Production as Governance – Five Archetypes That Shape How Car Companies Are Controlled.

The new GRC