Monday, 19 June 2017

3 Levels of Defense



Does any statement below sound familiar to you?

  • You are the Internal Control team, so you are the controls owner.
  • You are the Internal Control team, so we cannot tell you what is wrong with our processes, because you will put that into an official audit report.
  • You are the Internal Controls team, so you need to tell me how to perform controls.


There is a lot of confusion and misunderstanding in terms of the split of responsibilities between the business process owner, Internal Control and Audit.

These can be easily explained by the 3 levels of defense in the process of internal controls. Here is what the differences are:


1) Control Owner is the owner of the process or sub-process (e.g. Accounts Payable Manager), and is responsible for identifying risks and control objectives, along with specifying controls and effectively implementing the control activity while performing it.

2) Internal Control team supports creating process documentation and validating its accuracy. The team also proposes new controls or changes to existing ones, and helps the wider team to prepare for an audit. Internal Controls also actively searches for synergies and improvements within company processes. It is an advisor and consultant for the Control Owner.

3) Internal Audit is a function independent from both the business and Internal Control. It does not act as an advisor or consultant. Internal Audit tests controls design, effectiveness and completeness of evidence. IA designs the controls methodology and tools (Chart of Controls, ICFR) and conducts audits as per the annual plan.

Friday, 16 June 2017

Prevent, Detect, React… How to explain the meaning of controls in 6 simple steps?


1. Start with definition…
Control is any action taken to mitigate or manage risk and increase the probability that the business/process will achieve its goals and objectives.

2. Emphasize that we all perform business actions and execute controls while doing that!
We all are responsible for ensuring that corporate assets are used properly and are well protected.
We are all key players. We have a critical role in mitigating risks and preventing our business from losses.

3. Touch the bases! 
The essence of control is an attitude, common sense and doing the right things.
It has to be done in a regular, structured, and documented way.
  • Internal controls ARE NOT THINGS in the process maps.
  • Internal Controls ARE PEOPLE at every level of an organisation.
  • Evidence needs to be so clear that anyone who wants to check the control can simply follow the instructions and receive exactly the same results.

4. Explain two types of controls.
Controls can be either preventive or detective. The intent of these controls is different:
  • Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss.
  • Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring.

5. Controls may fail… and what if they fail?
A control deficiency exists when the design or operation of a control does not prevent or detect misstatements on a timely basis. It may result in a wrong or duplicate payment, data loss or disclosure to an unauthorised person, etc.

Once controls are weak, we need to fix them. The Process Owner should understand the root cause of the weaknesses and take all necessary remediation actions.


6. Give simple example!
One of the most common controls is access control. This is an action we take to secure our company data, like strategy, recipes, supplier spend; and information on our business partners, like prices, contracts, bank accounts, etc.

We all perform this control by encrypting files, checking the list of recipients when sending an e-mail, storing contracts in a secured archive, or locking our laptops when leaving the desk… simple as that!

This can be both a preventive and a detective control. Preventive is locking the laptop when leaving the desk; detective is IT Security checking system logs and tracking changes in master data.
This control can easily fail if we send confidential files to the wrong e-mail address, if we fall victim to a phishing scam and our credentials are used by an unauthorised person, or if we leave a printed copy of the product strategy in a hotel lobby…

Wednesday, 14 June 2017

SOX, what’s it all about?

Do you often hear that question and need a short and clear explanation for your non-financial colleagues or junior personnel?

You may use the below one.

Remind your colleagues that they need to remember that, no matter whether a control is a SOX control or not, all controls require their attention, use of common sense, right behaviour and a professional attitude.


SOX is short for the Sarbanes–Oxley Act, which came into force in 2002 as a reaction to major corporate and accounting scandals, including Enron.

Basically it is a law which regulates a company’s governance and accounting.

SOX regulations set stronger CONTROLS to secure financial transparency, accuracy in financial statements, and investors’ and clients’ interests.

SOX controls are focused on every activity which can influence the accuracy of financial statements, especially those related to invoice processing, payments, reconciliations, consolidation and reporting.

SOX requires that:
  • Financial statements are certified by the CEO and CFO.
  • An Internal Controls report is filed with the annual report and is assessed by an independent auditor.
  • Material changes in Internal Controls, financial condition or operations are disclosed in real time in the company’s books.
The law also sets severe penalties for misconduct, which include fines and imprisonment.

Monday, 5 June 2017

Get off the starting blocks!

Congratulations! You got a job and are just starting as a new Compliance Manager.

Starting a new job is always both exciting and challenging. Don’t let the new environment overwhelm you. Take your time and use the first month to gain as much knowledge of the new company as you can.


3 times LEARN!

Read and Learn!

Take your time and review the Intranet, check if a Code of Conduct exists, check the shape of documented policies, procedures, finance manuals, chart of controls, etc. Create your initial “compliance check list”, i.e. a very simple list of what is missing or outdated. Make your initial comments on documents, especially if you don’t understand something.

This whole exercise may not sound like an exciting thing to do, but trust me, it is worth your time and effort. You will gain a complete overview and will know where to go to check for information.

Greet and Learn!

Make sure you have a chance to introduce yourself; don’t let HR only send a short and dull note or post it on the intranet. Use stand-up meetings, dinners, unofficial after-work drinks. Keep it professional but don’t let yourself stay disconnected. Your colleagues need to trust you and feel that you are part of the team.

Spend some time on the organization chart to get a good overview of who does what and what interactions take place. Build relationships. Don’t wait for invitations, just go around the office, shake hands, ask what each person is doing. Send invitations to different managers for 1-hour meetings (try to invite them for breakfast or lunch if possible). Ask every individual about their role, key projects, challenges and issues. Ask what you can do for them. Listen to them. Make notes (you will use them in the coming months!).

Meet and Learn!

Your boss just grabs you to join different meetings. You feel lost? Don’t be, it’s great! Take as much as you can from these opportunities. Listen carefully and write down all key topics discussed, issues raised and useful references to teams, documents, projects, etc.

Remember that you don’t need to play an active role yet. Rather, be an astute observer! This is the one time in your career when you are simply given this time. Everybody understands that you are new to the company, and obviously you don’t have actions and deadlines on your plate yet.

This is the moment to ask questions, all the questions that come to your mind! Use the first month to learn as much as you can. Asking questions is always good and valuable; however, some questions are not appreciated after some time in the company, like… “so what is our finance system”, or “who is our external auditor”.

Good luck!