Risk has always been an inevitable part of doing business. How an organization identifies, manages and mitigates those risks ultimately determines whether it survives a disruption. To help your organization better prepare for and respond to risks when they occur, you’ll need a comprehensive risk management program.
At the core of your risk management program is the risk management process, which consists of an ongoing series of activities including risk identification, risk assessment, risk analysis, risk prioritization, risk mitigation, and risk monitoring. Although all these steps are important to an effective risk management program, there’s one in particular that’s especially critical.
Risk mitigation, the process of deciding how to address a particular risk once it has been identified, means choosing among risk acceptance, risk avoidance, risk transfer and risk reduction.
These are the four most common strategies for risk mitigation, but there are, of course, many more to choose from. To learn more, you can check out this article for eleven risk mitigation strategies.
A more proactive approach to risk mitigation involves implementing something called internal controls with the goal of avoiding or minimizing loss to your organization.
In this article, we’ll explore why internal controls are important, what makes them effective, as well as some of the common internal controls used today. Armed with these best practices, you will be able to develop the best internal controls for cyber risk mitigation for your organization.
What are Internal Controls and Why are They Important?
Internal controls are the policies, procedures and technical safeguards put in place to prevent problems and protect assets. The first widely shared definition of “internal control” was documented in the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 1992 framework for internal control, Internal Control–Integrated Framework.
In their framework, COSO defines “internal control” as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
In addition to this definition, COSO’s framework also provides a system that organizations can use to assess their own internal controls’ effectiveness.
While fraud deterrence is the main impetus behind the formation of the COSO framework and the main reason organizations use it today, there are a number of other reasons you might consider using it as the benchmark for implementing internal controls within your own organization:
- Safeguarding your assets. Internal controls protect your assets from accidental loss or loss from fraud.
- Ensuring the reliability and integrity of your financial information. Internal controls ensure that management has accurate, timely, and complete information to plan, monitor and report business operations.
- Achieving compliance. Internal controls help organizations stay compliant with federal, state and local laws and regulations affecting operations.
- Promoting efficient and effective operations. Internal controls provide an environment in which managers and staff can maximize the efficiency and effectiveness of operations.
- Accomplishing goals and objectives. Internal controls provide a mechanism for management to monitor the achievement of operational goals and objectives.
There are a number of different internal controls you can implement to help your organization achieve any one of these objectives, but typically, internal controls are categorized into three main types: detective, preventative and corrective.
Detective internal controls are controls used after an event has occurred to piece together what happened. Examples of detective internal controls include internal audits, reviews, reconciliations, financial reporting, financial statements, and physical inventories.
Preventative internal controls are controls put in place to avert a negative event before it occurs and to avoid asset loss. These include both physical and administrative preventative controls, such as segregation of duties, training programs, drug testing, firewalls, and computer and server backups.
Corrective internal controls are controls that are put in place after the detective internal controls discover a problem and uncover the reasons behind its occurrence. This includes disciplinary action, reports filed, software patches or modifications, and new policies prohibiting practices such as employee tailgating.
Which particular internal controls you choose to implement within your organization will ultimately depend on your particular needs and industry standards.
Fortunately, there are a number of existing frameworks and standards that are available to business owners who want to create their own internal control framework but aren’t sure where to start.
One such framework is the COSO framework mentioned above, which is designed to help organizations ensure that their financial statements are accurate, their assets and stakeholders are protected from fraud, and their operations are running efficiently and effectively.
When it comes to cyber risk, information security controls fall into four groups:
- Access controls, such as restrictions on physical access (security guards at building entrances, locks, and perimeter fences).
- Procedural controls, such as security awareness training, security framework compliance training, and incident response plans and procedures.
- Technical controls, such as multi-factor user authentication at login, logical access controls, antivirus software, and firewalls.
- Compliance controls, such as privacy laws and cybersecurity frameworks and standards.
Without internal controls in place, your organization is exposed to a greater number of risks, including cyber risks. Internal controls help prevent those risks from materializing in the first place. Should a risk materialize, internal controls help locate its origin and reduce risks that have already been identified. Overall, internal controls are something your business simply shouldn’t operate without.
There are, of course, some limitations to internal controls. First, processes and control activities are never perfect, and problems are likely to occur along the way. For this reason, it’s important to have ongoing review and analysis of your internal controls as part of your regular processes. When a problem does occur, it should be documented and reviewed by those who can take the corrective actions to improve the system.
Finally, systems involving humans will always have limitations. People make mistakes and often find weaknesses in control procedures — either by accident or intentionally.
So, what makes an internal control effective? Next, we’ll introduce some of the most important elements of effective internal controls and some examples of common internal controls used today.
What Makes an Internal Control Effective
To be most effective, internal controls rely on the responsibilities of both management and staff for proper execution. Generally, management is responsible for maintaining the system of internal control and communicating the expectations and duties to staff. Staff and operating personnel are responsible for carrying out those internal control activities set forth by management.
The framework of a good internal control system should include the five components of internal control as defined by COSO, which are:
- A sound control environment. This is created by management through communication, attitude and example and should include a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities.
- A thorough risk assessment. This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist — the greatest risks should receive the greatest amount of effort and level of control.
- Continuous monitoring and reviewing. This means management should periodically review your system of internal control to assure that internal control activities have not become obsolete or lost due to turnover or other factors, as well as enhancing internal controls to remain sufficient for the current state of risks.
- Open information and communication. This includes making information available and creating a clear and evident plan for communicating responsibilities and expectations.
- Detailed control activities. These are the activities that occur within an internal control system and include the policies and procedures as well as any daily activities.
Within COSO’s framework, each of these components includes principles with supporting “points of focus” to help with designing, implementing, conducting, monitoring, and assessing your internal control processes.
Although COSO is the United States’ most widely used framework for internal controls, compliance can be challenging and expensive. But it’s not nearly as costly or difficult as recovering from fraud, theft, reputational loss, or legal penalties. COSO compliance is voluntary, but it’s an investment that will eventually pay for itself in the long run.
Authorization
Authorization is the process of establishing the basis on which employees have the authority to execute certain types of transactions, and it serves as a proactive approach to preventing invalid transactions.
This includes approval authority requirements, which require specific managers to authorize certain types of transactions, adding a layer of accountability to your record systems by proving that the transactions have been seen, analyzed, and approved by the appropriate authorities.
For instance, requiring approval for any large payments and expenses can deter employees from making fraudulent transactions with company funds.
To implement authorization, you’ll first need to document the levels of authority and create an expectation of responsibility and accountability. Your policies and procedures should clearly identify which individuals have authority to initiate, submit, reconcile, view, or approve different types of transactions. The authority to perform a particular action can take the form of hard-copy documents or system-generated authority.
Individuals with authority should have first-hand knowledge of the transactions being approved, or they should be able to review supporting documents to verify the validity and appropriateness of transactions. To make sure authorized employees are well informed, you should provide the proper training and inform them of any departmental procedures related to internal controls.
It’s important that authorization is also timely, as workflow is an important aspect of good internal controls. Any time lags between approval and processing give fraudsters opportunities to alter documents, and many of these falsifications occur after the approval of a transaction. In short, once a document has been approved, it should not be returned to the preparer.
Segregation of Duties
Segregation of duties is the means by which no one person has sole control over the lifecycle of a transaction. According to the American Institute of Certified Public Accountants (AICPA), segregation of duties means “shared responsibilities of a key process that disperse the critical functions of that process to more than one person or department” to reduce the risk of fraud and errors.
Ideally, no one person should be able to initiate, record, authorize and reconcile a transaction. All organizations should separate functional responsibilities to assure that mistakes, intentional or otherwise, cannot be made without being discovered by another person.
How duties are segregated will ultimately depend on the size of your organization and its structure. Duties may be segregated by department or by individuals within a department, and the level of risk associated with a transaction should determine the method for segregating duties.
This is another process that should be demonstrable to an outside party via documentation, including explicitly stating who will initiate, submit, process, authorize, review and reconcile each activity. If it’s difficult to sufficiently segregate duties, you should increase management’s review and oversight functions to assess the potential for mistakes or fraudulent transactions.
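To make the rule concrete, the following added example (not from the article; the SoD policy, role names, user assignments and audit records are constructed) checks segregation of duties both preventively, by reviewing each user’s combined entitlements, and detectively, by scanning an audit trail for one actor performing conflicting functions on the same transaction.

```python
from collections import defaultdict

# Constructed SoD policy (an assumption, not from the article): pairs of
# transaction-lifecycle functions that one person must never hold together.
CONFLICTING_PAIRS = {
    frozenset({"initiate", "authorize"}),
    frozenset({"record", "reconcile"}),
    frozenset({"authorize", "reconcile"}),
}
# Constructed role definitions (role -> functions granted) and IAM assignments.
ROLE_FUNCTIONS = {
    "ap_clerk": {"initiate", "record"},
    "ap_manager": {"authorize"},
    "controller": {"reconcile"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},  # toxic combination of roles
    "dave": {"controller"},
}
# Constructed audit trail: (transaction_id, user, function performed).
AUDIT_LOG = [
    ("TX-1001", "alice", "initiate"),
    ("TX-1001", "alice", "record"),
    ("TX-1001", "bob", "authorize"),
    ("TX-1001", "dave", "reconcile"),
    ("TX-1002", "carol", "initiate"),
    ("TX-1002", "carol", "authorize"),  # initiated and approved by one person
    ("TX-1002", "dave", "reconcile"),
]


def violated_pairs(funcs):
    """Policy pairs fully contained in a set of functions, as sorted tuples."""
    return sorted(tuple(sorted(p)) for p in CONFLICTING_PAIRS if p <= funcs)


def user_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Effective lifecycle functions a user holds across all assigned roles."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def preventive_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Access-review (preventive) check: users whose combined entitlements
    would let them perform conflicting functions. Returns {user: [pairs]}."""
    findings = {}
    for user in user_roles:
        bad = violated_pairs(user_functions(user, user_roles, role_functions))
        if bad:
            findings[user] = bad
    return findings


def detective_conflicts(audit_log=AUDIT_LOG):
    """Audit-trail (detective) check: transactions in which one actor actually
    performed conflicting functions. Returns {transaction_id: {user: [pairs]}}."""
    by_tx = defaultdict(lambda: defaultdict(set))
    for tx, user, func in audit_log:
        by_tx[tx][user].add(func)
    findings = {}
    for tx, actors in by_tx.items():
        for user, funcs in actors.items():
            bad = violated_pairs(funcs)
            if bad:
                findings.setdefault(tx, {})[user] = bad
    return findings
```

Where a small team cannot avoid a toxic role combination, the preventive finding is the list to hand to management for the increased review the article recommends, and the detective check is what that review should run over the transaction log.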
Documentation
Documentation includes paper and electronic communication that supports the completion of the transaction lifecycle. It’s anything that provides evidence of a transaction, who has performed each activity pertaining to a transaction, and the authority to perform such activities.
Documents provide a financial record of events and activities, and therefore, they ensure the accuracy and completeness of transactions. This includes expenses, revenues, inventories, personnel, and other types of transactions. The proper documentation can provide evidence of what has transpired as well as providing information for researching any discrepancies.
Standardizing documentation used for financial transactions can help maintain consistency in record keeping over time, and it can also make it easier to review past records when searching for the source of a discrepancy in your system. Ultimately, a lack of documentation standardization can lead to overlooking or misinterpreting important information.
Establish a well-designed, uniform format to help ensure the proper recording of transactions. You should consider consistently using standard forms or templates for email approvals, departmentally created supporting documentation, time reporting, reimbursement logs, invoices, and any other financial documents.
Define clear ownership of entity-owned documentation so it’s never mistaken as personal property of your employees. Whenever possible, do not allow your employees to take business documents home unless business needs require them to do so. In these cases, you should communicate to employees that it is their responsibility to keep documentation secure, and particularly so for documentation containing personal or sensitive information.
Create a method that will help you avoid duplicate processing, especially with regard to transactions that result in payments to individuals such as payroll, petty cash, and travel reimbursements. Always check for duplicate payments and insist on an environment in which payments are processed in a timely manner — long delays in processing create opportunities for duplicate payments to go unnoticed.
Pay close attention to retention policies for all types of supporting documentation, and always keep documents for the appropriate retention period and no longer. Establish a process for purging documents that have reached the end of their retention period, and document who, when and how each record type should be purged.
Reconciliation
Reconciliation is the process of comparing transactions and activities with supporting documentation and resolving any discrepancies that are discovered. Periodic reconciliation ensures that the balances in your systems match the balances in the systems held by other entities, including banks, suppliers, and credit customers.
For example, a bank reconciliation involves comparing cash balances and records of deposits and receipts between your accounting system and your bank statements. Any differences between these complementary accounts can reveal errors or discrepancies either in your own accounts or in the accounts of other entities.
A good internal control system should provide a mechanism to verify that transactions and activities are for the correct purposes and amounts, and that they are allowable. For each type of activity, you should consider documenting the particular information from source documents that can be compared to the appropriate report.
You also need to ensure that transactions have been properly authorized, so you should review all documents for any changes between approval and processing, especially if the source documents are paper based.
Any errors or discrepancies, whether intentional or unintentional, should be detected, investigated and resolved as quickly as possible. This involves verifying the recording of transactions and reviewing the source documents to assure that they are processed and posted correctly and in a timely manner. If they aren’t, follow up with the appropriate central office or processing department to correct the issue.
Reconciliation processes are best when they’re consistent and thorough. Any employees who are involved in the process should be knowledgeable and clear on their responsibilities and expectations. It should also be clear to an external reviewer or auditor when a reconciliation has been completed.
Be consistent with your reconciliation process, as making changes often leads to undiscovered inaccuracies and potential for fraud. Your reconciliation process should be clearly documented, and should include the steps in the process; who performs each step; the expectations regarding timeliness; a mechanism for providing proof that all activity has been reviewed and reconciled; and a procedure for error correction.
Strict Security Measures
The security of assets and data includes three different types of safeguards: administrative, physical and technical. Administrative security focuses on the departmental processes put in place to protect assets and data. Physical security is the protection of physical data and assets from loss by theft or damage. Technical security is the protection of electronic data from loss by theft, damage, or loss in transit.
Ideally, assets and data should be kept secure at all times to prevent unauthorized access, loss, or damage. The security of your assets and data is essential for ongoing operations, accuracy of information, and privacy of personal and sensitive information, and in many cases it is required by state or federal law.
First, you’ll need to designate a point person for all areas, or one for each of the three types of security, to encourage responsibility and accountability for the proper security procedures.
For administrative security, you should keep an up-to-date chart that defines the reporting relationships as well as responsibilities (including back-up responsibilities) regarding internal controls. We recommend documenting processes such as opening and distributing the mail, administration of keys, access to documents, and other administrative controls.
For physical security, you should limit access to data and assets to only those who have a business-related need for them. Do not allow employees to download data to mobile workstations that are transported outside the office, and keep your most important physical documents in lockable, fireproof storage.
For technical security, you should likewise limit access to data and assets to only those who have a business-related need for them. This includes setting up password-protected access to electronic records as well as employing identity and access management (IAM) to limit access to sensitive areas of a system or network to only the people who need it.
System access controls govern access to different parts of your system via passwords, lockouts, and electronic access logins, keeping unauthorized users out while providing a way to audit the usage of your system and identify the source of any errors or discrepancies. This kind of robust access tracking can also deter attempts at fraudulent access in the first place.
If you’re experiencing employee turnover, you should develop and use a checklist for removing access to networks, systems, and data when an employee separates or transfers. Develop a process and assign a point person the responsibility of administering the removal of access to data.
Mitigate and Manage Risks More Efficiently with Reciprocity ZenRisk
Between risk assessments, procedures, reporting and communication — paperwork is the one thing that all internal control frameworks share in common. While small businesses may use spreadsheets to track their controls, it’s a process that will eventually become unmanageable without the right solution to help.
Reciprocity® ZenRisk is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of threats and clearly communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats and controls for you, so you can spend less time setting up the application and more time using it.
A single, real-time view of risk and business context allows you to clearly communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.
Reciprocity ZenRisk will even notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.
Plus, Reciprocity ZenRisk is seamlessly integrated with Reciprocity ZenComply so you can leverage your compliance activities to improve your risk posture with the use of AI. Built on the Reciprocity ROAR Platform, the Reciprocity product suite gives you the ability to see, understand and take action on your IT and cyber risks.
Now, through a more proactive approach, you can give time back to your team with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization mitigate cybersecurity risk and stay ahead of threats.