Ever wish you could predict the future of your transformation journey? Luckily, there are internal controls you can integrate that can help.
When I was in grade school, a group of girls would get together at someone’s house after school, and we would seek advice from a Magic 8 Ball about some future event such as “Should I get my ears pierced?” or “Should I hang out with a certain boy?” We would shake the Magic 8 Ball and then turn it upside down to find out the answer to our yes/no question. Sometimes, we were elated at getting the answer we wanted. Other times, we were disappointed by the response. Don’t you wish that you could use a crystal ball to predict the future of your business profitability, know what business risks may be headed your way in the near or distant future, and understand how to detect errors or problems before they even happen?
All businesses are subject to threats that could harm their organization and result in asset loss. These risks, ranging from human performance error to fraudulent activity, are present in every business. Internal controls should be part of the solution to detect and prevent these events from occurring and to ensure the effectiveness of executing your organization’s operating, reporting, and compliance objectives. There are several internal control frameworks, and the one that is most widely referenced is the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (You can read more about the formation and history of COSO later in this article).
Below are three categories of internal controls to consider integrating into your processes:
Preventive controls are designed to prevent an event that adversely impacts your organization or a specific business process. These are the most beneficial controls because they lessen the need for detecting errors and taking corrective actions. Automating preventive controls can provide additional benefits by reducing or removing human intervention from parts of the process and streamlining audit functions. Some examples of preventive controls include:
- Using checks and balances such as auto-fill forms, drop-down boxes, and data validation criteria to avoid entering inaccurate or incomplete data
- Establishing a change management process to ensure that all changes are documented and unauthorized changes are prohibited
- Promoting segregation of duties by distributing critical functions of a process across a team or department as well as avoiding a single point of failure in the process
- Limiting or restricting physical or logical access to data or assets based on job function
- Implementing formalized, standardized documentation (i.e. flowcharts, forms, reports, checklists, workflows, etc.) that identifies critical steps in a process and promotes consistency in execution
Detective controls are designed to detect an error or problem after an adverse event has occurred.
A detective control is most effective if it results in the discovery of a minor error that can be corrected before it becomes a significant problem. Some examples of detective controls include:
- Conducting an internal audit to review a critical business process and ensure achievement of compliance with federal and state regulations
- Configuring an automated reconciliation tool to apply business rules logic across aggregated data gathered from multiple systems to verify and ensure the accuracy, correctness, and truth of the data
- Implementing an event management system to monitor and alert on unauthorized logical access to data or assets
Corrective controls are designed to mitigate the damage from an adverse event and reduce the risk of repeat occurrences of the event. These controls are most effective when developed from post-event investigation results or root cause analysis findings and coupled with preventive and detective controls.
Some examples of corrective controls include:
- Conducting remedial cybersecurity training for employees with repeat failures to identify phishing attempts
- Establishing a business continuity and disaster recovery program, including critical systems and data backups, and a restoration testing plan to ensure backup information is recoverable
- Implementing a patch management process to deliver and install software updates that remediate vulnerabilities or flaws in the software
Think in terms of preventing, detecting, and correcting risks related to process breakdown, fraud, theft, ineffectiveness, and human performance error. Your organization may not have a crystal ball to foresee what internal and external threats are imminent, but you can be better prepared to deal with them if your organization has a digital transformation mindset. Digital Transformation can help you reduce risks, create effective internal controls, and fuel future growth. We define Digital Transformation (DX) as “the commitment of an organization to consistently improve business performance through the use of technology as a strategic asset.” Because of the constantly changing threat landscape and the growing number of regulatory requirements that businesses comply with, digital transformation is not a singular initiative but rather a long-term journey. In fact, we believe it is best described as Continuous Improvement viewed through a technology-filtered lens. For help navigating that journey, fill out this form to download a copy of our Digital Transformation Framework and request a complimentary advisory session with us.
History of the Committee of Sponsoring Organizations
COSO was formed in 1985 to sponsor the National Fraudulent Financial Information Commission (the Treadway Commission). The Treadway Commission was originally sponsored and jointly funded by five major professional accounting associations and institutes based in the United States: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA). The Treadway Commission recommended that the sponsoring organizations of the Commission work together to mitigate the risk of corporate fraud by developing integrated guidance on internal control. These five organizations formed what is now called the Committee of Sponsoring Organizations of the Treadway Commission. In September 1992, the Commission published the report entitled “Internal Control – Integrated Framework”. This report presented a common definition of internal control and provided a framework against which internal control systems can be evaluated and improved. For full details on the history and mission of the Committee of Sponsoring Organizations of the Treadway Commission, you can visit their website.
Think Digital. Embrace Clarity. Increase Advantage.