Friday, 16 June 2017

Prevent, Detect, React…How to explain the meaning of controls in 6 simple steps?


1. Start with a definition…
A control is any action taken to mitigate or manage risk and to increase the probability that the business or process will achieve its goals and objectives.

2. Emphasize that we all perform business actions and execute controls while doing so!
We are all responsible for ensuring that corporate assets are used properly and are well protected.
We are all key players. We have a critical role in mitigating risks and preventing losses to our business.

3. Touch the bases!
The essence of control is an attitude, common sense and doing the right things.
It has to be done in a regular, structured and documented way.
       Internal controls ARE NOT THINGS in the process maps.
       Internal controls ARE PEOPLE at every level of an organisation.
       Evidence needs to be so clear that anyone who wants to check the control can simply follow the instructions and obtain exactly the same results.

4. Explain the two types of controls.
Controls can be either preventive or detective. The intent of these controls is different:
  • Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss.
  • Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent the loss from occurring.

5. Controls may fail… and what if they fail?
A control deficiency exists when the design or operation of a control does not prevent or detect misstatements on a timely basis. It may result in a wrong or duplicate payment, data loss, disclosure to an unauthorised person, etc.

Once controls are weak, we need to fix them. The Process Owner should understand the root cause of the weaknesses and take all necessary remediation actions.


6. Give a simple example!
One of the most common controls is access control. This is an action we take to secure our company data, such as strategy, recipes and supplier spend, and information on our business partners, such as prices, contracts, bank accounts, etc.

We all perform this control by encrypting files, checking the list of recipients when sending an e-mail, storing contracts in a secured archive, or locking our laptops when leaving the desk… simple as that!

This can be both a preventive and a detective control. Preventive is locking the laptop when leaving the desk; detective is IT Security checking system logs and tracking changes in master data.
This control can easily fail: if we send confidential files to the wrong e-mail address, if we fall victim to a phishing scam and our credentials are used by an unauthorised person, or if we leave a printed copy of the product strategy in a hotel lobby…
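To show the detective side of this control in working form, here is an added Python example (not code from the original post) that runs over constructed audit-log lines and flags two of the failures named above: supplier master-data changes made by someone outside an assumed authorised team, and duplicate payments. The log format, user names and team membership are assumptions.

```python
"""Detective control run over constructed audit-log lines (added example).
Log format, user names and team membership are assumptions, not a real
system's; the findings list is what the Process Owner or IT Security reviews."""
from collections import Counter

# Constructed sample log: timestamp,event,user,supplier,detail
SAMPLE_LOG = """\
2017-06-12T09:01,MD_CHANGE,jsmith,SUP-100,IBAN=CONSTRUCTED-0001
2017-06-12T09:05,PAYMENT,pcook,SUP-100,INV-55;12000.00
2017-06-12T11:20,MD_CHANGE,tnguyen,SUP-200,IBAN=CONSTRUCTED-0002
2017-06-13T08:30,PAYMENT,pcook,SUP-100,INV-55;12000.00
2017-06-13T10:00,PAYMENT,pcook,SUP-200,INV-77;800.00
"""

# Assumption: only these users are allowed to maintain supplier master data.
MASTER_DATA_TEAM = {"jsmith"}

FIELDS = ("ts", "event", "user", "supplier", "detail")


def parse_log(text):
    """Turn each non-empty log line into a dict keyed by FIELDS."""
    return [dict(zip(FIELDS, line.split(",")))
            for line in text.splitlines() if line.strip()]


def unauthorised_master_data_changes(records):
    """Detective check: master-data changes by users outside the team."""
    return [r for r in records
            if r["event"] == "MD_CHANGE" and r["user"] not in MASTER_DATA_TEAM]


def duplicate_payments(records):
    """Detective check: same supplier, invoice and amount paid more than once."""
    counts = Counter((r["supplier"], r["detail"])
                     for r in records if r["event"] == "PAYMENT")
    return sorted(key for key, n in counts.items() if n > 1)


def run_control(text=SAMPLE_LOG):
    """Run both checks and return the findings for review."""
    records = parse_log(text)
    return {
        "unauthorised_changes": [(r["ts"], r["user"], r["supplier"])
                                 for r in unauthorised_master_data_changes(records)],
        "duplicate_payments": duplicate_payments(records),
    }
```

On the sample log this reports one master-data change by a user outside the team and one invoice paid twice; neither finding stops the event, which is exactly what distinguishes a detective control from a preventive one.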
