Risk Control

Uploaded by Kassa getawey
6 Key Questions to Define Risk Control

In last week's blog I discussed the basic but often confused issue of describing operational risks
in a logical and understandable way. This week I turn to controls, which are often equally
poorly defined and understood.

The ISO 31000 standard defines a control as a “measure that is modifying risk”. While not
incorrect, this definition is broad, and I am not sure it is especially meaningful or engaging for the
employee at the coal face.

Risk Control Definition


I think a risk management framework that wishes to engage the front line needs a more practical
definition and understanding of controls.

Let’s investigate further by asking these key questions:

1. What aspect(s) of risk is the “measure” modifying?
2. How does a control “modify” risk?
3. What is a “measure”?
4. What is a control and what is not?
5. What are the main types of control?
6. What “measures” should be ideally recorded in a risk and control register?

1. What aspect(s) of risk is the “measure” modifying?

Risk is generally measured through a combination of an assessment of the likelihood of it
occurring and the impact if it were to occur. These are considered the key characteristics of a
risk that a control may modify. A control will, therefore, modify the likelihood and/or impact of
a risk.

Another aspect of risk that a control can modify is the risk’s velocity (a risk aspect that is not
talked about much but which will be the subject of a later blog). This is the speed at which a risk
passes through the phases of its life from initial cause to final impact. A bilge pump on a sinking
ship reduces velocity to allow more chance for passengers to evacuate the ship.

2. How does a control “modify” risk?

The ISO 31000 definition specifically does not say “measure that is reducing risk” but rather
“measure that is modifying risk”. This recognises that the risk aspect may be either increased or
decreased by the control. The general assumption with most controls is that they will reduce risk
which is usually valid. However, some controls may reduce one aspect of the risk while
increasing another.
Taking out insurance against the loss of staff mobile phones will reduce the net financial impact
of a loss, but it will most likely increase the likelihood of a phone being lost, because an
employee takes less care when the net impact to them is zero or negligible.

We need to understand the way that controls modify all aspects of the risk in order to understand
whether overall the control reduces or increases the risk.

3. What is a “measure”?

There is a range of treatment methods we can apply to risk that will modify it. The main
treatment methods we have available are:

1. Accept the Risk
2. Eliminate / avoid the risk by stopping the activity causing the risk
3. Reduce the Risk by increasing controls
4. Reduce the Risk by transferring some of the risk impact (e.g. Insurance)
5. Reduce or increase the Risk by transforming the inherent risk environment. This would
usually involve process re-engineering.
6. Increase the risk by reducing controls

Not all of the above would be considered “controls”. Controls are only involved in points 3,4 and
6.

“Measures” that are controls are therefore usually considered to be either a procedure/action or a
device that is aimed at modifying a risk(s).

4. What is a control and what is not?

A definition of control in risk management: the ISO 31000 standard says “Controls include any
process, policy, device, practice, or other actions that modify risk.” In reviewing many risk
registers, “controls” are identified as many things, including:

 Policies e.g. HR Policy
 Documented procedures e.g. Documented procedures for paying suppliers
 Actions to fix a broken control e.g. Fixing of broken door locks
 Parts of the inherent risk environment e.g. Fixed window panes
 Committees e.g. Pricing Committee

The above are not controls. They may have controls embedded in them but this is what should
be called out. “HR policy” or “Pricing Committee” as a control is too vague. Parts of the
inherent risk environment are not controls.

I often find it useful to differentiate between controls and “Part of the Furniture”. An item that is
part of the furniture is expected to be there in a normal operating environment and will have
multiple purposes, not just the modification of a single risk.
An example is the fixed window pane in a building. The window reduces the risk of
unauthorised access, but a) we would expect it to be present in a typical building and b) it also
keeps out the weather, keeps us warm and lets in natural light.

In contrast a security guard would be identified as a control because not all buildings have them
and their primary role is security.

5. What are the main types of control?

Controls are usually categorised as Preventive, Detective or Reactive. The categorisation is based
primarily on where in a risk’s life they apply and, as a result, whether they modify the likelihood
and/or the impact of the risk.

Preventive controls apply at the beginning of a risk’s life, at or near the root cause(s). As a
device, they often act as a barrier to “nip it (the risk) in the bud”. They primarily reduce the
likelihood of the risk occurring. Examples are system passwords, locked doors, machinery
maintenance etc.

Detective controls usually apply somewhere in the middle of the risk’s life. Detective controls
rely on the analysis of information in order to detect that a risk is “in motion”. Detective
controls that are “early” in the risk’s life usually modify likelihood and those that are “late” in
the life, usually modify impact. Examples are data reconciliations, smoke detectors, exception
reports, etc.

Reactive controls (sometimes also called Responsive or Corrective), apply towards the end of a
risk’s life when the impact is imminent or being felt. They are focused on modifying impact.
Examples are DRP, Insurance, media management etc.

6. What controls should be recorded in a risk and control register?

Controls should be recorded in the risk register against the related risk. The issue is which
controls should be recorded. I usually consider that “measures” can be divided into 4 main
types:

1. Base line “controls” = Part of the furniture
2. Minor controls = Very little impact on the risk
3. Medium controls = Negotiable but important
4. Key Controls = Non-Negotiable

Only the key and medium controls should be recorded. This should limit the number of controls
for each risk to between 2 and 4.

The quality of risk data in your risk system, and the level of staff engagement with risk, are highly
dependent on how well staff understand the basic components of risk and controls. The issues
above should be addressed in your guidance and training of staff, as without clarity much
confusion will exist.
Internal controls are policies, procedures, and technical safeguards that protect an organization’s
assets by preventing fraud, errors, and other inappropriate actions. These controls fall into three
categories: detective, preventative, and corrective.

Several internal control frameworks exist to help organizations implement internal controls as
necessary, so those organizations can fulfill any regulatory compliance obligations they have or
meet risk management guidelines handed down by their board of directors.

Perhaps the best-known framework is the Committee of Sponsoring Organizations (COSO)
internal control framework.

A system of internal controls weaves together various processes and rules to assure an effective
internal control process. Some examples of internal controls are internal audits, firewall
deployment, training, and employee disciplinary procedures.

All organizations are subject to threats that might harm the organization and could result in asset
loss. From inadvertent mistakes to fraud to cyber-attacks, risks are present in every business.

The importance of internal controls lies in their ability to protect your organization from risks
and their consequences. For example, IT security controls reduce the risk of data breaches or
malware infection. They help you find weak spots in your information systems and then shore up
those weak spots. Internal controls are limited in what they can accomplish, however, so ongoing
review and monitoring of your control system is essential.

Defining Your Organization’s Internal Controls


With the right internal controls, organizations can protect their assets, maintain accurate financial
reporting, improve operational efficiency, and meet legal obligations. Defining the controls that
your organization needs, however, requires careful planning and consideration. Internal controls
are grouped into five larger “components.”

Control Environment. These are the controls that set the overall tone and culture within the
organization. They include the organization’s commitment to integrity, ethical values, and the
establishment of appropriate oversight responsibilities.

Risk Assessment. These controls identify and evaluate risks that could potentially hinder
organizational objectives. By conducting comprehensive risk assessment, you can determine
where internal controls are needed and how to implement them.
Control Activities. These are the specific policies and procedures implemented to address
identified risks. Control activities can include:

 Separating duties among multiple people
 Implementing physical safeguards
 Establishing authorization procedures
 Maintaining proper documentation
 Conducting independent checks and reconciliations

Information and Communication. These controls establish reporting mechanisms to assure the
effective flow of relevant information, both vertically and horizontally.

Monitoring. Continuous monitoring and periodic evaluations of internal controls are vital to
identify deficiencies, assess their effect, and take corrective actions. This can be achieved
through management reviews, internal audits, self-assessments, and feedback mechanisms.

With the growing reliance on technology, internal controls must also address risks associated
with information systems. IT controls include measures to secure data, manage access, establish
backup and recovery procedures, and implement IT governance frameworks.

Compliance controls are specifically tailored to regulatory requirements, maintaining proper
documentation, and conducting regular compliance reviews to assure adherence to relevant
regulatory laws, regulations, and internal policies.

Now let’s review the three types of internal control, regardless of their component: preventive,
detective, and corrective.

What Are Preventive Internal Controls?


As the name implies, preventive internal controls are put in place to prevent an adverse event
from occurring. For example, many software applications have built-in checks to avoid entering
incorrect information.

Preventive controls are the most valuable kind because they lessen the need to detect and clean
up mistakes after the fact. Automated preventive controls are stronger still: they do not depend on
a person remembering to apply them, and they produce evidence that simplifies auditing.

Examples of Preventive Internal Controls

Training programs, drug testing and firewalls are all preventive internal controls that block
undesirable events from occurring. (Computer and server backups are often listed alongside
them, but a backup does not stop data from being lost; it lets you recover afterwards, which makes
it a corrective control.) So are the following.

Segregation of Duties

Separation of duties is designed to reduce the incidence of mistakes or fraud by assuring that no
single employee has the potential to both perpetrate and hide errors or fraud in the course of their
activities. Assigning one person to write checks and another employee to authorize the payments
is one example of segregation of duties.

In general, the primary incompatible responsibilities that must be separated are:

 Performing transactions
 Authorization or acceptance
 Reconciliations
 Custody of assets

Access Controls

Access controls govern who or what has access to corporate assets, including IT systems. These
controls are a crucial security concept that reduces risk to the company or organization.

Physical access control limits access to campuses, buildings, rooms, and physical IT assets.
Security guards verifying ID credentials or access key cards may be employed to enforce
physical access control.

Logical access controls restrict connections to computer networks, system files, and data. The
principle of least privilege (PoLP) says that users should be granted only the access to system
functions and data that they need to do their job, and nothing more; access that is not explicitly
granted is denied.
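The following is an added example, not code from the original article, showing how the two preventive controls just described (segregation of duties and least-privilege access control) look when enforced in software rather than in a policy document. The role names, permission strings and the payment workflow are assumptions for illustration. Access is denied by default, the person who creates a payment can never approve it (maker-checker), and the role model itself is checked so that no single role combines the four incompatible responsibilities listed above.

```python
"""Added example, not code from the original article: a small authorization
layer that enforces least privilege (deny by default) and segregation of
duties (maker-checker on payments, plus a check that no role combines
incompatible duties). Roles, permissions and the payment workflow are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumed role definitions. Each role holds only the permissions its job
# needs; anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "ap_clerk":   frozenset({"payment:create", "payment:read"}),
    "ap_manager": frozenset({"payment:approve", "payment:read"}),
    "accountant": frozenset({"ledger:reconcile", "payment:read"}),
    "treasury":   frozenset({"bank:transfer"}),   # custody of assets
    "auditor":    frozenset({"payment:read"}),
}

# The four incompatible responsibilities from the text, mapped onto the
# permissions that exercise them. Read-only access belongs to none of them.
DUTY_CATEGORY: Dict[str, str] = {
    "payment:create":   "perform",
    "payment:approve":  "authorize",
    "ledger:reconcile": "reconcile",
    "bank:transfer":    "custody",
}


class AccessDenied(Exception):
    """Raised when a request fails the least-privilege or SoD check."""


def role_conflicts(roles: Dict[str, FrozenSet[str]] = ROLE_PERMISSIONS) -> Dict[str, list]:
    """Return roles that combine two or more incompatible duty categories.

    Run this whenever roles are defined or changed; an empty result means
    the role model itself respects segregation of duties.
    """
    conflicts = {}
    for role, perms in roles.items():
        categories = {DUTY_CATEGORY[p] for p in perms if p in DUTY_CATEGORY}
        if len(categories) > 1:
            conflicts[role] = sorted(categories)
    return conflicts


def is_allowed(role: str, permission: str,
               roles: Dict[str, FrozenSet[str]] = ROLE_PERMISSIONS) -> bool:
    """Least privilege: unknown roles and unlisted permissions are denied."""
    return permission in roles.get(role, frozenset())


@dataclass
class User:
    name: str
    role: str


@dataclass
class Payment:
    amount: float
    payee: str
    created_by: str
    approved_by: Optional[str] = None


def create_payment(user: User, amount: float, payee: str) -> Payment:
    if not is_allowed(user.role, "payment:create"):
        raise AccessDenied(f"{user.name} ({user.role}) may not create payments")
    return Payment(amount=amount, payee=payee, created_by=user.name)


def approve_payment(user: User, payment: Payment) -> Payment:
    if not is_allowed(user.role, "payment:approve"):
        raise AccessDenied(f"{user.name} ({user.role}) may not approve payments")
    # Maker-checker: the person who created the payment can never approve
    # it, even if a misconfigured role were to grant both permissions.
    if payment.created_by == user.name:
        raise AccessDenied(f"{user.name} cannot approve a payment they created")
    payment.approved_by = user.name
    return payment
```

The point of keeping `role_conflicts` separate from the per-request checks is that segregation of duties is most often broken not by a single request but by a quiet change to the role model; checking the roles themselves each time they change catches that before any payment is touched.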

Pre-Employment Screening

Pre-employment screening is a procedure where employers check candidates’ backgrounds,
screen them for drugs, check references, and assess their conduct. It is used in recruiting to
screen out many undesirable candidates before investing in the onboarding process.


What Are Detective Internal Controls?


Detective internal controls detect an error or problem after it has occurred. Ideally, detective
internal controls will discover an issue before it becomes a significant problem.

Examples of Detective Internal Controls

Some examples of detective controls are internal audits, reconciliations, financial reporting,
financial statements, and physical inventories.
Internal Audits

An internal audit evaluates compliance with company procedures, applicable laws, and
international standards. Data and reports are reviewed to assure consistency and compliance.

Internal audits provide a value-added service to management and the board of directors by
detecting and correcting weaknesses in a process before external audits discover them. This can
protect the organization from loss of certification and regulatory fines (not to mention painfully
high external audit fees).

Reconciliations and Financial Reporting

Reconciliations are performed to verify financial reporting among various sources. For example,
comparing (or reconciling) a bank statement to a company’s internal records is one form of
reconciliation.

Financial reporting documents the company’s revenues, spending, cash flow, and financial
health. It allows executives and investors to make more informed judgments on performance and
opportunities for improvement. Unusual or unexpected figures in financial reporting and
financial statements help detect inadvertent errors and inappropriate actions.
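As an added example (not code from the original article), here is the bank reconciliation described above written as a detective control. Each bank statement line is matched to the internal ledger by reference number; anything present on only one side, or matched with a different amount, becomes an exception for investigation, and the exceptions are checked against the gap between the two totals so that the reconciliation proves it has explained the whole difference. Both data sets are constructed sample records, not real figures.

```python
"""Added example, not code from the original article: a bank-to-ledger
reconciliation as a detective control. Sample data is constructed.
"""
import csv
import io
from typing import Dict, List

# Constructed sample bank statement. Negative amounts are outflows.
BANK_STATEMENT_CSV = """ref,date,amount,description
CHK1001,2024-03-01,-1250.00,ACME SUPPLIES
CHK1002,2024-03-02,-430.50,OFFICE DEPOT
DEP2001,2024-03-03,9800.00,CUSTOMER PAYMENT
CHK1004,2024-03-05,-2999.99,UNKNOWN PAYEE
"""

# Constructed sample internal ledger for the same period.
LEDGER_CSV = """ref,date,amount,account
CHK1001,2024-03-01,-1250.00,Accounts Payable
CHK1002,2024-03-02,-340.50,Accounts Payable
DEP2001,2024-03-03,9800.00,Accounts Receivable
CHK1003,2024-03-04,-75.00,Accounts Payable
"""


def load_entries(csv_text: str) -> Dict[str, dict]:
    """Parse CSV text into a dict keyed by reference number."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["amount"] = round(float(row["amount"]), 2)
        entries[row["ref"]] = row
    return entries


def reconcile(bank_csv: str, ledger_csv: str) -> dict:
    """Match bank lines to ledger entries and report every exception.

    Each exception carries 'effect', its contribution to (bank total minus
    ledger total), so the report can show the exceptions explain the gap.
    """
    bank = load_entries(bank_csv)
    ledger = load_entries(ledger_csv)
    exceptions: List[dict] = []
    matched = 0
    for ref in sorted(set(bank) | set(ledger)):
        b, led = bank.get(ref), ledger.get(ref)
        if b is None:
            # Recorded internally but not cleared by the bank: an outstanding
            # item, or a ledger entry for a payment that was never made.
            exceptions.append({"ref": ref, "type": "in_ledger_not_bank",
                               "amount": led["amount"],
                               "effect": round(-led["amount"], 2)})
        elif led is None:
            # Money moved at the bank with no internal record: the classic
            # sign of an unauthorised or concealed payment.
            exceptions.append({"ref": ref, "type": "in_bank_not_ledger",
                               "amount": b["amount"], "effect": b["amount"]})
        elif b["amount"] != led["amount"]:
            # Same reference, different amount: a keying error or an altered figure.
            exceptions.append({"ref": ref, "type": "amount_mismatch",
                               "bank": b["amount"], "ledger": led["amount"],
                               "effect": round(b["amount"] - led["amount"], 2)})
        else:
            matched += 1
    bank_total = round(sum(e["amount"] for e in bank.values()), 2)
    ledger_total = round(sum(e["amount"] for e in ledger.values()), 2)
    difference = round(bank_total - ledger_total, 2)
    explained = round(sum(e["effect"] for e in exceptions), 2)
    return {
        "matched": matched,
        "exceptions": exceptions,
        "bank_total": bank_total,
        "ledger_total": ledger_total,
        "difference": difference,
        # True when the exceptions account for the entire gap. Anything left
        # over points to an error in the reconciliation itself.
        "fully_explained": explained == difference,
    }
```

Of the three exception types, "in bank, not in ledger" is the one that deserves the fastest follow-up: it is exactly the pattern left behind when someone with access to the bank account makes a payment and does not record it, as in the embezzlement anecdotes later in this document.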

Physical Inventory Counts

Physical inventory counts are performed periodically to assure actual inventories match what is
recorded in business systems and financial statements. Physical inventory values directly affect
the balance sheet, so it’s imperative they are reflected accurately. Inventory discrepancy
investigations can reveal system issues, inadvertent errors, and theft.

What Are Corrective Internal Controls?


Corrective internal controls are implemented after detective controls discover a problem. These
controls could include disciplinary action, report filing, software patches or modifications, and
new policies. They are usually put into place after a root cause investigation.

Examples of Corrective Internal Controls

Corrective internal controls, by nature, are specific to the typical flaws and risks of your
company, previously evaluated through comprehensive risk assessments or detective controls
such as audits.

Patch Management

Patch management is the delivery and installation of software updates. These patches are
frequently required to remedy flaws (also known as “vulnerabilities” or “bugs”) in software.
Patches are commonly required for operating systems, applications, and embedded devices (such
as network equipment). When a vulnerability is discovered after a piece of software has been
released, a patch can remedy it. Proper patch management protects information security by
closing known vulnerabilities before they can be exploited, reducing the risk of data breaches
and leaks.

New or Updated Policies and Procedures

Policies and procedures may be updated when an audit or other detective control identifies a
process gap. For example, root cause analysis on a physical inventory discrepancy may reveal
that employees are inadequately trained on how to decommission parts that fail quality checks.
Corrective controls would include updated work instructions and training.

Disciplinary Actions

Disciplinary actions are corrective actions taken in response to employee misbehavior, rule
violations, or poor performance. Discipline can take several forms depending on the seriousness
of the situation, including a verbal warning, formal warning, an unfavorable performance
evaluation, or even termination.


Benefits and Limitations of Internal Controls


All processes and control activities are imperfect; mistakes and problems will inevitably be
found. That’s why an ongoing review and analysis of internal controls should be a part of any
organization’s regular processes.

Benefits of Internal Controls

Management is ultimately responsible for the control environment and the success of internal
controls. The benefits of internal controls depend upon correct implementation and ongoing
monitoring.

Early-Warning System

Internal controls serve as an early-warning system to identify issues before they become big
problems. Quality checks prevent faulty products from being shipped to customers. The
investigation into a decline in on-time delivery metrics may reveal a more significant problem on
the horizon. Problems are easier to fix when you catch them early.

Prevent Fraud
Robust internal controls deter employees from engaging in misconduct. When employees can see
process gaps, they may be tempted to perform minor inappropriate actions that eventually lead to
major ones. With multiple checks and balances, however, fraud is much more difficult. Solid
policies assure that employees understand the consequences of committing misconduct.

Avoid External Audit Findings and Regulatory Fines

Performing investigations and corrective actions on external audit findings can be arduous. If an
external audit identifies a significant gap in processes or material misstatements, you could be
exposed to losing industry certifications or substantial fines. Finding and fixing a problem before
an external entity discovers it is always best.

If you still experience a data breach, robust internal controls can also protect you from hefty
fines. If an investigation reveals that your organization acted with due diligence and had
adequate controls, a regulatory agency may reduce penalties.

Limitations of Internal Controls

Despite the benefits, internal controls have some limitations. It’s crucial to be aware of the gaps
left by internal controls to ensure that those risks are understood.

Collusion

Segregation of duties is one of the most prevalent internal controls businesses use. It separates
tasks so that no one employee has the power to commit fraud. Still, a group of employees can get
past this by collaborating in an elaborate process to disguise their fraud.

Human Error

Human error can be another disadvantage of internal controls, especially when relying on manual
processes and judgment calls. Mistakes can be made during manual inventory counts, and poor
judgment could degrade internal audit results. Automated systems should be employed to drive
consistency and reduce human error wherever possible.

For example, scales can be used in stockrooms to verify inventory counts. Automated systems
can help perform reconciliations among accounting and financial records. Solid auditing
processes and management oversight will support rigorous internal auditing standards.

Unforeseen Circumstances

Internal controls rely on management anticipating potential hazards and implementing
mechanisms to prevent or mitigate them. Management cannot anticipate every challenge or
event, however, and unforeseen occurrences can render internal controls ineffective.
Moreover, attempting to control unusual conditions can be costly, and a management team may
instead decide to accept the risk. As a result, internal controls may be limited in their use under
unexpected or extraordinary scenarios.

Enhance Your Internal Controls with ROAR


Internal controls are important, but creating them isn’t easy. Aside from risk assessments,
procedures, reporting, and communication, all internal control schemes also need arduous
documentation and reporting.

Small companies may begin by managing their controls with spreadsheets, but internal and
external stakeholders increase as their business grows. As a result, preparing ahead of time for a
more streamlined solution can save time and money in the long run.

Instead of using spreadsheets to manage your compliance requirements, use the RiskOptics
ROAR Platform to streamline evidence and audit management for all of your compliance
frameworks.

A single source of truth assures your organization is always audit-ready, thanks to its advanced
features that enable straightforward risk assessment, analysis, and mitigation. You can also easily
map controls across various compliance frameworks and monitor them to see which ones impact
risk the most.

What is an Internal Control System in an Organization?
Published July 20, 2022 • By RiskOptics • 5 min read
Modern organizations don’t operate in a perfect world where everything always goes according
to plan. Mishaps can (and do) happen all the time because all companies operate in a risky
business environment. Adverse events are a fact of life.

While at least some adverse events are unavoidable, organizations can evade many such events
and reduce the threat of others. This is where internal controls – actions organizations can take to
reduce risk – enter the picture.

So what are internal controls, exactly? What is an internal control system? What are the five key
components of an internal control framework?

And how can your organization monitor these controls to ensure they work as expected?

Let’s explore.

What Is an Internal Control?


As defined by the Committee of Sponsoring Organizations (COSO), an internal control is a
process designed to provide reasonable assurance that an organization’s operations are effective
and efficient, its financial disclosures are reliable, and it meets regulatory compliance objectives.

An internal control (also sometimes known as an internal safeguard) can be any mechanism that
helps a company to run its processes efficiently and effectively: a rule, a policy, a procedure, a
statement from management, and more.

The right controls can help to assure business continuity; prevent costly errors, irregularities, and
fraud; and maintain the integrity of financial statements and accounting records. They can also
help:

 Increase transparency throughout the enterprise
 Promote accountability in every process and business unit
 Promote ethical behaviors
 Identify problems and take corrective action
 Improve employee and organizational productivity
 Maintain regulatory compliance
 Protect the organization’s reputation and brand value
 Retain more customers and maintain a strong competitive position

Ultimately, well-designed controls can empower your company to achieve its established
objectives. Conversely, missing or poorly designed controls can result in inefficient processes,
low productivity, costly errors, and fraud. These issues may increase customer churn, harm the
company’s reputation, and result in financial losses, regulatory fines, and legal damages.

Types of Internal Controls


In general, internal controls fall into one of three categories:

Preventive Controls

As the name implies, preventive controls prevent issues including accounting errors, material
misstatements, fraud, or cyberattacks before they have a chance to happen. Such controls are
essential because they help to lower the costs of errors or malicious actions.

Some common preventive controls are:

 Segregation of duties, especially in accounting and financial reporting
 System access controls
 Employee training
 Authorization and approvals of invoices and expenditures
 Physical security controls

Detective Controls

Detective controls find errors and irregularities that have already occurred. They are essential
because they show whether preventive controls are operating as intended and because they help
improve process quality and prevent the recurrence of errors.

Examples of detective controls include:

 Monthly reconciliations of transactions
 Organizational performance reviews, particularly budget-to-actual comparison
 Physical inventories of cash, goods, or raw materials
 External and internal audits

Corrective Controls
Corrective controls resolve existing issues that may lead to or exacerbate fraud, financial losses,
or reputational damage. They include:

 Software patch management
 Updated policies for information systems
 Disciplinary action
 Ledger verification

The best way to implement and integrate these controls into business processes is to use an
established internal control framework such as the framework developed by COSO. Let’s look at
the five interrelated components of internal control systems as recommended by COSO.


The 5 Internal Control System Components


The COSO internal control framework consists of five components that work together to create
an effective system of internal controls. This system supports your organization’s mission,
vision, business strategy, and objectives.

1. Control Environment

The control environment provides a structure and discipline for internal controls. It aligns
business processes with applicable laws, compliance requirements, and industry-standard
practices. It also assures that the company operates responsibly, ethically, and reliably
while reducing its legal exposure.

The environment sets the stage for the other elements of your internal control system. It
describes the organization’s culture and ethics, the management’s philosophy and
commitment to internal control policies, and the direction provided by the board of
directors. It also incorporates all these elements:

o Employees’ competence and ethical values
o Management’s operating style
o Assignment of authority and responsibility
o People development processes
2. Risk Assessment

Regular risk assessments (say, once a year) allow the organization to identify risks and
implement plans for risk elimination or mitigation. This step involves assessing each
risk’s possible impact and likelihood to minimize the potential for damage or losses. Such
evaluations can help you understand how risks relate to business objectives and
implement appropriate controls against them.
3. Control Activities

Control activities are the policies and procedures to carry out proper risk responses and
management directives. These controls help the organization achieve its business
objectives while keeping risks low. They can occur at all levels and in all functions.

Examples of control activities include:

o Segregation of duties
o Transaction verifications and reviews
o Reviews of operating performance
o Inventory counts
o Employee training sessions
o Physical and digital security
o Data backups
4. Information and Communication

Effective communication is a vital element of the internal control framework because it
helps to assure that the right controls are in place and working as expected. It’s vital to
share risk information throughout the organization in a timely manner, and in a form that
people can understand and use to take action.

5. Monitoring

Management, supported by internal or external auditors, must regularly monitor internal
controls to evaluate the control system’s performance and effectiveness and to assure that
controls are followed throughout the organization. Regular spot checks can help you identify
control gaps and fix them before they can harm the organization.

How to Monitor Internal Controls


You should monitor internal controls during the course of operations. Internal control monitoring
can be in the form of ongoing monitoring activities, separate evaluations, or both. Outside
auditors can also monitor controls and report the audit results to senior management or the board
of directors.

Manage Risks with Preventive, Detective, and Corrective Controls
Is it better to sell a prevention or a cure? From a marketing standpoint, there is
likely more money to be made selling cures. People would rather not attend to
the many risks in their lives that may not materialize — after all, where does one
begin? — but once a contingency does manifest itself, the same people are
willing to pay great sums for cures.

The world of a finance professional is different. Some of our core functions
include thinking, planning, and communicating about risk. We do not have the
luxury of taking a “wait and see” approach toward managing risk. We have to be
proactive about foreseeing risks and planning accordingly. We think in terms of
broad categories, such as regulatory and legal compliance risks, IT-related
risks, political risks, market risks, credit risks, and more.

Finance professionals measure the extent of our organizations’ exposure to risks
and help guide senior management in assessing the best way to effectively
expose our organizations to risk and at the same time manage risks. After all, if
an organization is not taking risks, it might as well shut down because it cannot
grow or produce a return on investment.

Part of an auditor’s evaluation of an organization is in terms of internal controls,
how they are documented, how they are communicated, how employees are
trained in them, and so forth. Controls are designed to prevent fraud and
material misstatements of financial results, as well as to ensure effectiveness in
carrying out management’s objectives.

Here are three types of controls to consider in your organization:

1. Preventive — Some of the best controls prevent fraud, theft,
misstatements, or ineffective organizational functioning. For example, we
saw in a previous post the effectiveness of segregation of duties to
prevent fraud. Preventive controls can be as simple as locks and access
codes to sensitive areas of a building or passwords for confidential
information.
2. Detective — A security camera is a good example of a detective control. A
store manager who notices a pattern of a cash drawer coming up short
when attended by a particular clerk can easily look at video of the clerk’s
actions throughout the day to detect potential theft. An access log and an
alert system can quickly detect and notify management of attempts by
employees or outsiders to access unauthorized information or parts of a
building.
3. Corrective — Coupled with preventive and detective controls, corrective
controls help mitigate damage once a risk has materialized. An
organization can document its policies and procedures, enforcing them by
means of warnings and employee termination when appropriate. When
managers wisely back up data they can restore a functioning system in
the event of a crash. If a disaster strikes, business recovery can take
place when an effective continuity and disaster management plan is in
place and followed.
Think in terms of preventing, detecting, and correcting risks of fraud, theft,
ineffectiveness, and breakdown. The world is full of risks, and problems tend to
strike suddenly and unexpectedly. Cures are great, but if you rely on finding a
solution once a risk has already materialized, you might find that your lack of
planning has made the risk unmanageable.

How Can You Prevent Fraud in Your Business?

Soldiers have their battle stories. Athletes recount memories of their on-field
exploits. Actors make a living out of drama. So what type of exciting
professional adventures would you expect from an accountant? No, we’re not
talking about paper cuts, out of control copy machines, or circular references in
Excel files. The most exciting shop talk within accounting circles invariably
involves uncovering a massive fraud in one of our client’s companies. Off the top
of my head, here are some of the most infamous examples I have heard from my
fellow accountants:

 When I was in one of my first accounting classes my teacher told a story
of a bartender whom she discovered was pocketing money from the bar
sales and covering the inventory discrepancy with his own booze brought
in from the outside (he was pocketing a nice margin along the way).
 When I was an auditor my boss told me a story about his discovery that a
credit union employee falsified records in a failed attempt to cover up
theft of the institution’s funds.
 I became familiar with a situation in which an elderly professional client of
our accounting firm had a long-time, trusted employee use her employer’s
funds to pay her mortgage, provide gifts for her family members, pay her
debts, and more. As you might have guessed, our client had not taken
upon himself to review the banking information for his business.
 A finance executive friend shared about an employee within his company
that he had to fire and evict from a company-owned rental unit because
she was stealing funds from the business.
 A forensic accountant at a recent seminar shared her story of discovering
a fraudulent CFO’s misdeeds not once, not twice, but three times. When
her client (the business owner) refused each time to do anything
significant about this problem, she fired her client and discovered not long
thereafter that the business had gone under.
 Another story I heard (one of my favorites) involved an inept management
team that provided free and open access to all employees to every module
within the information system. When the auditors arrived to do their
standard year-end work, one of the employees became very inquisitive and
showed signs of nervousness. Although they would not have otherwise
been inclined to investigate her specifically or to look at detailed payroll
data, the auditors decided to take a look at her payroll transactions and
discovered that she was getting paid far more than other production
workers in the business. As it turned out, before each payroll was run, she
took it upon herself to increase her pay rate by $5 per hour. After the
payroll run, she would decrease the rate back to normal so that hopefully
no one would notice.

Fraud often resembles lightning: It strikes you suddenly, when you are least
expecting it, and often when you are comfortable. Experienced risk managers
understand that fraudsters don’t fit the popular media stereotype of slimy
connivers. Rather, they are often regular people, even trusted long-time
employees.

The key to preventing fraud is situational awareness. Know the yellow and red
flags such as a rapid and unusual increase in an employee’s living standards, an
employee who unnecessarily works long or odd hours and refuses to take
vacations (for fear that another person covering the role for a few days could
discover the misdeeds), or an employee who noticeably faces financial
pressures. Also, be aware of the “fraud triangle”:

 Pressure – an employee or someone else with access to company
resources might have a personal financial pressure in life such as
uninsured medical bills, a gambling habit, credit card debt, or a divorce.
Many savvy employers check credit history for potential new hires to
initially screen out employees who might bring unwanted personal
pressures into the workplace environment.
 Opportunity – the employee sees a weakness in the company’s systems,
whether an open door in a secluded part of the warehouse, an unsecured
cash drawer, or in the case of many large frauds, a material internal
control weakness that enables an employee to misappropriate funds
without getting caught.
 Rationalization – most people understand it is wrong and risky to steal, but
if they feel the need and see the opportunity, they can often come up with
ways to justify it in their minds. Some employees, especially in times of
tight corporate budgets during economic uncertainty, may feel
overworked, underpaid, and under-appreciated. Perceptions about unfair
treatment and office politics, regardless of whether these notions are
justified or mere fabrications in the employee’s mind, can breed
resentment and a desire for revenge.

A successful fraud involves all three elements to one degree or another. An
employee without some type of pressure to defraud her company — even if she
sees an opportunity and might be able to perversely rationalize it in her mind —
will probably back off when she considers the potential consequences if she got
caught. Likewise, without an opportunity or a way to rationalize a fraud, an
employee will probably think better of it.

Business owners can exert the most direct influence over the second point,
opportunity. One of my accounting teachers recounted when he tried to suggest
sound financial controls for his church finance committee. His pastor did not
take kindly to this, assuming that he was “accusing the brethren” within the
leadership. However, as my teacher pointed out, there is nothing to be lost from
implementing measures to keep honest people honest.

Internal controls are aimed at preventing, detecting, and correcting fraud,
whether misappropriation of assets or fraudulent financial reporting.
Furthermore, beyond safeguarding physical and intangible assets, controls also
should be designed to ensure operational effectiveness. (More on this in future
installments.)

The primary preventative internal control is segregation of duties. Specifically,
companies are well advised to separate these functions among employees:

 Custody of assets, e.g., inventory and cash
 Authorization of expenditures or disbursements, e.g., cash payments or
inventory shipments
 Recording of transactions, e.g., entering payments or inventory
transactions into the system
 Reconciliation, e.g., the monthly bank statement reconciliation or the
periodic inventory count and reconciliation to inventory records in the
accounting system

For example, ideally the same person should not have access to company funds
(e.g., to be a signer on the bank account), the ability to authorize spending those
funds, the authority to record the transaction, and the responsibility to reconcile
the bank statement at the end of the month. Some or all of these duties should
be segregated among several employees so that any fraud would require
collusion. Even if one employee had the pressure and rationalization to commit
fraud, in an environment with segregation of duties, he would have to take the
risk of recruiting another employee to cover for him.

The warehouse manager who has physical access to inventory should not have
the ability to make inventory adjustments in the accounting system, as this
segregation between custody and recording prevents the manager from stealing
product and recording adjustments to make the system data match the physical
inventory. Rather, inventory shrinkage should show up on reports monitored by
inventory accountants who do not have access and authorization to remove
product from the warehouse; by segregating these duties, discrepancies should
be detected, monitored, and accounted for by the appropriate authorities.
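The four-function separation above, and the warehouse custody-plus-recording case, can be checked mechanically against a role assignment. The script below is an added example, not code from the original article: the duty names, employee ids and assignments are constructed for illustration. It flags any employee holding two of the four duties and computes how many people a scheme needing a given set of duties would have to recruit, which makes the article's "any fraud would require collusion" point concrete.

```python
"""Segregation-of-duties (SoD) check over a constructed role assignment.

Added example, not code from the original article. The duty names, the employee
ids and the assignments below are constructed for illustration.
"""
from itertools import combinations

# The four functions the article says should sit with different people.
CUSTODY = "custody"                 # physical control of cash or inventory
AUTHORIZATION = "authorization"     # approving payments or shipments
RECORDING = "recording"             # posting transactions to the system
RECONCILIATION = "reconciliation"   # bank reconciliation, inventory counts
ALL_DUTIES = {CUSTODY, AUTHORIZATION, RECORDING, RECONCILIATION}


def find_sod_conflicts(assignments):
    """Return {employee: [(duty_a, duty_b), ...]} for every pair of the four
    duties held by the same person. Any such pair lets one actor both commit
    and conceal a misappropriation, e.g. custody + recording in the
    warehouse-manager case.

    `assignments` maps an employee id to the set of duties that person holds.
    """
    conflicts = {}
    for employee, duties in assignments.items():
        held = sorted(duties & ALL_DUTIES)
        pairs = list(combinations(held, 2))
        if pairs:
            conflicts[employee] = pairs
    return conflicts


def minimum_colluders(assignments, duties):
    """Smallest number of employees whose combined duties cover `duties`.

    1 means one person could run the whole scheme alone (an SoD gap); a larger
    number is how many people a fraud would have to recruit. Returns None if
    no group of employees covers the duties at all. Brute force is fine here
    because finance teams are small.
    """
    needed = set(duties)
    people = list(assignments)
    for size in range(1, len(people) + 1):
        for group in combinations(people, size):
            covered = set().union(*(assignments[p] for p in group))
            if needed <= covered:
                return size
    return None


# Constructed example: a warehouse manager who can also post inventory
# adjustments, which is exactly the combination the article warns about.
SAMPLE_ASSIGNMENTS = {
    "warehouse_mgr": {CUSTODY, RECORDING},
    "controller": {AUTHORIZATION},
    "owner": {RECONCILIATION},
}

if __name__ == "__main__":
    print(find_sod_conflicts(SAMPLE_ASSIGNMENTS))
    print(minimum_colluders(SAMPLE_ASSIGNMENTS, {CUSTODY, RECORDING}))
```

Run against the sample, `find_sod_conflicts` reports the warehouse manager's custody/recording pair, and `minimum_colluders` returns 1 for a custody-plus-recording scheme, meaning no collusion is needed. Once the recording duty moves to a separate accountant the same call returns 2. For a small finance team the output is a direct prompt for the compensating owner-level review the article recommends.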

A final word for business owners and CEOs: Especially in this era of automated
and integrated accounting systems that allow a small finance staff to handle
high transaction volume, many companies do not have adequate staff to properly
segregate all duties among finance staff. This means that the business owner or
CEO should be involved and situationally aware of risks. Although hiring
trustworthy staff members who can be relied upon is one essential component, if
there are limited numbers of staff in the finance group (i.e., one or two people),
the owner needs to take some time to monitor the activities of this important
department. At the very least, take time to check the bank statement each
month, look at reconciliations for asset accounts such as inventory, and
consider engaging an outside professional for a year-end audit. (As a bonus, an
experienced auditor with industry expertise can provide input on enhancing
operational and financial effectiveness.) However, do be aware of the limitations
of assurance that auditors provide regarding detecting fraud (this is spelled out
clearly in auditor engagement letters). If you have a suspicion that fraud might
be taking place, consider engaging a fraud examiner or forensic accountant to
investigate.

What is Risk Control?

The term “risk control” refers to the techniques firms use to evaluate
potential losses and take action to either partly reduce or eliminate
these threats.

This method uses the risk assessment process’s findings, which involves identifying the
potential risk factors within a company’s operational setup. These risks can be related to
technical & non-technical aspects of the business, fiscal policies, or anything that can
adversely impact the company’s well-being.

Explanation of Risk Control

Businesses generally face new challenges every day, which can be due to hurdles,
competition, and any other potential risks. Businesses use a methodical approach to
identify, assess, and prepare for any such dangers, which can be either physical or
symbolic and may affect the firm’s operations and objectives. In this way, the firm can
successfully manage business matters to ensure the maximization of the shareholders’
return.

How Does Risk Control Work?


Any risk control method comprises the following step-by-step approach:

 Analyze current business activities in a timely manner to identify any potential risks.
 Take mitigating actions to either reduce or eliminate these risks.
 Re-assess the business activities to ensure the successful implementation of these
measures.

Examples

Let us take the example of two companies, Company 1 and Company 2, having similar
production units in which they manufacture shoes. Company 1 has a proper team for
assessing risks and controlling their impact, whereas Company 2 doesn’t have any such
team, and it manages the risks as and when they occur.

In 2019, the team of Company 1 informed the management about a possible shortage
of raw material in the near term that may disrupt production for a month, resulting in a
loss of $30 million if not acted upon. On the other hand, Company 2 is unaware of this
risk. Based on the risk assessment, Company 1 created a sufficient stock of raw materials
and sailed through the shortage period, while Company 2 incurred losses of up to $25
million. Company 2 would not have booked such losses had it had a proper control team,
like Company 1. This example shows the importance of risk control.

Types of Risk Control


There are three major types. They are detective, preventative, and corrective.

 Detective Risk Control: This control measure comes into play only after a risk event
has occurred and been detected. Examples of detective risk control include an
internal audit of financial reporting, a review of financial statements,
reconciliations of physical inventories, etc.
 Preventative Risk Control: These control measures are implemented to stop a
potential risk event from happening. For instance, all financial models have a
built-in check for the balance sheet to avoid a mismatch of total assets and total
liabilities.
 Corrective Risk Control: These control measures are implemented after the
discovery of a problem by detective risk control. The aim is to avoid repeating the
same mistake again in the future. Examples of corrective risk control include
disciplinary action, software patches, reports filed, etc.

Techniques

Six main techniques can be used. They are avoidance, loss prevention, reduction,
separation, duplication, and diversification.

 Avoidance: This control technique is used to avert a risk entirely, and if
implemented successfully, there is almost zero chance of incurring losses due to
that particular risk.
 Loss Prevention: This control technique doesn’t eliminate the risk but prevents
expected losses. In other words, this technique accepts the risk instead of
avoiding it completely and then attempts to prevent the losses because of it.
 Loss Reduction: This technique accepts both the risk and the loss that might
occur because of it. It simply attempts to minimize the losses in case the risk
event occurs.
 Separation: This control technique involves the spreading of key assets. This
ensures that not all assets will be affected simultaneously if a catastrophic event
occurs at one location.
 Duplication: This technique involves the creation of a backup plan. Technology-
based firms primarily practice it.
 Diversification: This control technique involves the allocation of available
resources across multiple lines of a business. In such a scenario, any calamitous
event in one of the business segments doesn’t impact the entire firm’s operation.

How Does Risk Control Help the Firm?

If a firm can successfully analyze and control the ill effects of the potential risks, then it
can easily sail through any adverse situation that may take place in the future. In effect,
by controlling the risks, the firm can limit the losses to a minimum, maximizing returns
for the company’s shareholders and adding value to the market share of the firm.

Importance

Every business operates in an environment that comprises various types of risks. Some
risks may be avoided, while others have to be accepted and controlled to abate their impact on the
business. Timely analysis of potential risks and implementation of adequate measures to
mitigate such risks can help an organization achieve its business objectives and goals,
which gives it the ability to withstand any such risk if it occurs and indirectly adds to
its market value. As such, most big and reputed organizations across the globe have an
established team for analyzing and controlling such business risks.

Conclusion

Risk control measures play a vital role in the success of a business firm, enabling it to
achieve its business objectives and goals while effectively managing its business
activities according to plan. In other words, it can be stated that proper management of
potential business risks is required by businesses at any level in order to attain their
objectives.

Controls Related to Time

Controls related to time generally fall into three categories:

 Preventative
 Detective
 Corrective

Preventative

Preventative controls are designed to be implemented prior to a threat event and reduce and/or
avoid the likelihood and potential impact of a successful threat event. Examples of preventative
controls include policies, standards, processes, procedures, encryption, firewalls, and physical
barriers.

Detective

Detective controls are designed to detect a threat event while it is occurring and provide
assistance during investigations and audits after the event has occurred. Examples of detective
controls include security event log monitoring, host and network intrusion detection of threat
events, and antivirus identification of malicious code.

Corrective

Corrective controls are designed to mitigate or limit the potential impact of a threat event once it
has occurred and recover to normal operations. Examples of corrective controls include
automatic removal of malicious code by antivirus software, business continuity and recovery
plans, and host and network intrusion prevention of threat events.
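Security event log monitoring, listed above as a detective control, and the access log with an alert system from the earlier list of control types are easiest to see on the payroll story told earlier: an employee with open access to every module raised her own pay rate before each payroll run and lowered it afterwards. The script below is an added example, not code from the original article or any HR product: the log line format, the field names (user, action, employee, old, new) and every sample line are constructed for illustration. It parses the constructed audit trail, flags a rate increase that is reverted to the original value for the same employee with a payroll run in between, and separately flags any user who edits their own pay record, which is the access gap that made the scheme possible.

```python
"""Detective control: scan a constructed HR audit log for pay-rate changes that
are raised just before a payroll run and reverted just after it, and for users
editing their own pay record.

Added example, not code from the original article. The log format, the field
names (user, action, employee, old, new) and every sample line are constructed
for illustration; a real HRIS audit trail will look different.
"""
from datetime import datetime, timedelta

# Constructed sample log. E1042 raises their own rate before each payroll run and
# lowers it afterwards; the hr_mgr change for E2001 is a legitimate raise.
SAMPLE_LOG = """\
2024-02-14T16:40:00 user=E1042 action=rate_change employee=E1042 old=18.00 new=23.00
2024-02-15T09:00:00 user=payroll_svc action=payroll_run period=2024-02A
2024-02-15T11:05:00 user=E1042 action=rate_change employee=E1042 old=23.00 new=18.00
2024-02-20T10:00:00 user=hr_mgr action=rate_change employee=E2001 old=20.00 new=21.00
2024-02-29T08:30:00 user=E1042 action=rate_change employee=E1042 old=18.00 new=23.00
2024-02-29T09:00:00 user=payroll_svc action=payroll_run period=2024-02B
2024-02-29T12:00:00 user=E1042 action=rate_change employee=E1042 old=23.00 new=18.00
"""


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def parse_log(text):
    """Parse all non-empty lines and return them sorted by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_round_trip_rate_changes(events, window=timedelta(hours=48)):
    """Flag a rate increase that is reverted to the original rate for the same
    employee within `window`, with a payroll run in between.

    Returns a list of finding dicts; an empty list means nothing was flagged.
    """
    payroll_times = [e["ts"] for e in events if e["action"] == "payroll_run"]
    changes = [e for e in events if e["action"] == "rate_change"]
    findings = []
    for i, up in enumerate(changes):
        old, new = float(up["old"]), float(up["new"])
        if new <= old:
            continue  # only increases can start a round trip
        for down in changes[i + 1:]:
            if down["ts"] - up["ts"] > window:
                break  # changes are time-sorted, so nothing later fits the window
            if down["employee"] != up["employee"]:
                continue
            reverted = float(down["new"]) == old
            paid_between = any(up["ts"] < p < down["ts"] for p in payroll_times)
            if reverted and paid_between:
                findings.append({
                    "employee": up["employee"],
                    "user": up["user"],
                    "raised_at": up["ts"].isoformat(),
                    "reverted_at": down["ts"].isoformat(),
                    "amount": new - old,
                })
                break
    return findings


def find_self_modifications(events):
    """Flag rate changes where the acting user is the employee whose rate changed.

    This is the access-control gap in the article's payroll story: the employee
    could reach the payroll module for their own record at all.
    """
    return [e for e in events
            if e["action"] == "rate_change" and e["user"] == e["employee"]]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for f in find_round_trip_rate_changes(ev):
        print("ALERT round-trip rate change:", f)
    for e in find_self_modifications(ev):
        print("ALERT self-modification by", e["user"], "at", e["ts"].isoformat())
```

On the sample the round-trip check produces two findings for E1042 (one per payroll run) and the self-modification check four, while the manager's raise for E2001 is not flagged. The 48-hour window is an assumption chosen to bracket one payroll run; in practice it should match the organisation's pay cycle, and the self-modification rule is the one to alert on first, because it fires on the very first edit rather than after the money has gone out.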
The COSO Internal Control Framework
April 24, 2021 by Jacy

The COSO framework was developed to help organizations design and
implement a system of internal control, enterprise risk management, and fraud
deterrence. COSO stands for The Committee of Sponsoring Organizations of
the Treadway Commission.

History of the COSO Framework

In June 1985, the National Commission on Fraudulent Financial Reporting
was established. The Commission was commonly referred to as the
“Treadway Commission” after its chairman, the SEC Commissioner James C.
Treadway, Jr.

Five organizations participated in the Commission:

 American Accounting Association
 American Institute of Certified Public Accountants
 Financial Executives International
 The Association of Accountants and Financial Professionals in Business
 The Institute of Internal Auditors

In October 1987, the Treadway Commission released the “Report of the
National Commission on Fraudulent Financial Information.” The report
covered the Commission’s findings, conclusions, and recommendations
concerning factors that can lead to fraudulent financial reporting. It also
addressed how to reduce the occurrence of fraudulent financial reporting.

As a result, COSO formed and created the COSO framework which was
released in 1992. In 2013 COSO updated the Internal Control-Integrated
Framework to incorporate new business practices and needs. In 2017 COSO
updated the Enterprise Risk Management-Integrated Framework.

COSO Internal Control Framework

When people think of the COSO framework, the COSO cube is typically the
first thing that comes to mind. The cube is a visual reminder of how the
concepts work together in a unified way. Depicted in the cube are the:

 Three categories: Operations, Reporting, and Compliance
 Four organizational structures: Entity level, Division, Operating Unit, and
Function
 Five Components: Control Environment, Risk Assessment, Control Activities,
Information & Communication, and Monitoring Activities

The internal control components are necessary to achieve the objectives. The
organizational structure determines which components and objectives belong
where in the company.

[Figure: the COSO cube.] Internal Control—Integrated Framework (Framework), © [2013] Committee of Sponsoring
Organizations of the Treadway Commission (COSO). All rights reserved.
Used with permission.

Objectives of Internal Control

Displayed on the top portion of the cube are three categories of objectives.

 Operations objectives refer to the entity’s business processes, goals, and
protection of assets.
 Reporting objectives refer to the reliability of both external and internal
financial and non-financial reporting.
 Compliance objectives refer to the laws and regulations that the entity is
subject to.

Organizational Structures of Internal Control

The four organizational structures tie objectives and components of internal
controls to the specific location where the control is taking place in the
business.

 Entity level refers to the whole company
 Division refers to business segments separated by product or service lines
 Operating Unit refers to a specific group within that division
 Function refers to a specific job in the operating unit

Components of Internal Control

There are five essential components to the COSO internal control framework:

 Control Environment sets the tone at the top and company policies.
 Risk Assessment identifies areas that expose the company to higher risks
both internally and externally.
 Control Activities are the policies and procedures that a company implements.
 Information and Communication are utilized from internal and external
sources to stay abreast of internal and external changes.
 Monitoring is the evaluation that processes, policies, and procedures are
occurring as expected.

The 2013 revision of the framework also introduced 17 Principles which
further expanded and clarified the five components of the framework.
