Controls aren’t cheap and they require people, processes, and technology resources. For effective internal control design, you should first do a risk assessment. Using a combination of qualitative and quantitative methodologies, prioritize and implement controls that mitigate the most critical risks. This takes a risk-based focus, like how auditors approach their work.

It makes sense; if there’s no risk, there’s be no need for controls. Risk and controls are tightly coupled, so this means good risk assessment is crucial for implementing a solid controls system.

1. Prioritize & score your risks by likelihood, impact, & affect

Classify and categorize your assets according to their criticality. According to Risk in Focus 2019, some of the top risks (likely to have a major business impact) include:

(To learn more about risk assessments, review COSO’s Enterprise Risk Management – Integrated Framework and adapt it to your needs.)

2. Classify & categorize internal controls into preventive, detective, or reactive

In terms of effectiveness, one is the highest control category and seven is the lowest. The higher the category, the quicker the control counters the threat and reduces the impact.

3. Factor in cost

If the cost of using a preventive control is less than the cost to fix the issue (and any possible impact penalties that control is designed for), then use it. The costs of using a preventive control include developing, installing, configuring, operating, and maintaining it. You need to also factor in the costs to train people and audit its use. A similar cost analysis is needed when considering detective and reactive controls. You can make a decision to deploy the control after considering all of these costs.

4. Get rid of redundant controls

Redundant controls are costly and time-consuming. So it’s best to identify and eliminate controls for those risks that are addressed by some other control. Or controls that don’t actually address any specific risk or event. If a control is redundant, its removal should lead to improvements in cost effectiveness.

5. Focus on segregation of duties

When too much authority is given to any one employee, fraud is more likely. So it’s essential that duties and tasks are performed by different people. One employee shouldn’t have the authority to create a new vendor, as well as enter a transaction to pay it. With the authority to perform both tasks, they could create and pay a fake vendor.

Manual systems require people to review one another’s work. But automated systems separate duties by role. This means employees can only perform defined tasks, reducing the need for manual oversight.

6. Automate all the things

Risk management software is the best way to automate your internal controls. It prioritizes risks based on severity and likelihood, which means controls are also prioritized. It gathers your risks and controls together, removing duplicated data and effort.

Automated preventive controls include:

• Forced scheduled passwords updates.
• Regular security policy review and attestation.
• Assigning authorization amounts and preventing users from entering excessive amounts.

Examples of automated detective controls:

• Use intrusion detection or anti-virus software to find risky activity and create automatic reports. (These can double as corrective controls when they kill or quarantine the intruder or virus.)
• Use an automated audit system to scan data for deviations against policies and regulations, and highlight them in a dashboard. For example, the solution could scan your ERP data to highlight entries made outside office hours. The system takes action automatically when a risk event occurs. An alert could then be sent automatically for action.

7. Set up self-policing procedures

Audit is a useful mechanism for evaluating the effectiveness of internal controls. But self-policing procedures help create and maintain an effective internal control system. Self-policing procedures quickly detect control failures, allowing reactive controls to take over.

Let’s say you have a preventive control that limits the amounts you’re authorized to enter in the financial system. But something strange happens, and you can now enter an unauthorized amount. The reactive control would fire an email to your manager informing them of the entry so they could follow up immediately. In addition, all entries above a certain amount would need their authorization before being paid.

If a control is not protected by a self-policing procedure, a control failure may go undetected. (Note that self-policing and fail-safe properties are requirements of the higher-order categories of control systems.)

When selecting an internal control, you should document it for how and why that particular control was chosen. ISACA has produced an internal control selection worksheet that can be used for this.

Learn how ControlsBond can help you simplify internal control management, increase assurance, and automate compliance.