Learning to manage risk-based internal controls must be a priority

With internal controls based on some level of risk, organizations should make management of internal risk-based controls a critical business activity.

Without internal controls, which provide structure and functionality, most businesses can't operate successfully. According to ISACA, internal controls are typically composed of policies, procedures, practices and organizational structures that are implemented to reduce an organization's risks. Risk-based audits are typically conducted to test and validate whether an organization is performing in accordance with its controls.

Several kinds of controls can be defined, all of which are linked to a risk, threat or vulnerability facing the organization. They include preventive (to identify and prevent a situation before it occurs), detective (to determine the nature of the event) and corrective (to mitigate the impact of an incident and remedy the situation). The following table provides examples of risk-based situations that can be addressed by one or more control types:

| Type of control | Risk-based control | Risk/threat addressed |
|---|---|---|
| | Conduct background checks for prospective employees. | Hiring an unqualified or potentially dangerous person. |
| | Install access controls at building entrances and in specific rooms. | Prevent unauthorized people from entering specific areas. |
| | Sign out documentation before use. | Prevent theft, reproduction or destruction of critical information. |
| | Install an intrusion detection system. | Identify potentially harmful or malicious code, e.g., worms. |
| | Scan past-due account reports. | Identify delinquent accounts to minimize loss of revenue. |
| | Analyze internal audit functions. | Identify process-related problems so costly errors can be minimized. |
| | Use change management processes. | Ensure that changes made to systems perform correctly. |
| | Place security guards in high-risk areas. | Minimize the threat of unauthorized access to critical areas. |
| | Enact data backup procedures. | Minimize the threat of data loss by storing critical data at alternate sites. |

Source: ISACA CISA Review Manual, 2009

Implementing risk-based controls is especially important in IT environments. The following list from ISACA's 2009 CISA Manual Guide is a sample of IT controls:

  • Ensure integrity of operating systems and their environments.
  • Ensure integrity of applications and their environments.
  • Ensure validation and authentication of IT resource users.
  • Ensure availability of IT resources when needed.
  • Ensure protection of IT infrastructures with incident management and disaster recovery plans.

Managing internal controls

Most organizations establish policies to govern their most basic functions and to define how they will achieve their corporate objectives. Once the policies have been established and approved, managing them includes documenting and disseminating them throughout the organization so that all employees know what is expected of them. Policies need to be periodically reviewed (e.g., audited) and updated as needed so they remain aligned with the firm's objectives.

Procedures are the action steps a company performs to achieve its objectives. These can range from how receptionists answer the phone to the steps needed to manufacture a component. Documentation of procedures ensures there will be no misunderstandings about what is expected. As with policies, regular reviews and updates of procedures are to be expected in a viable organization so that it can maintain its competitive posture.

Practices are broad-based descriptions of how activities should be performed. They are often the precursor to procedures and can be based on competitive information, regulations and standards. As with procedures, practices need to be documented, disseminated and regularly reviewed in order to maintain consistency with business goals.

Without an organizational structure, most firms can't operate. These structures provide links across various elements of the organization such as management, human resources, legal, operations, security, sales and marketing, helping to form a cohesive entity. Companies may be organized hierarchically, flat or as something in between. Regular reviews and analyses of the structures can help ensure that they are optimal for achieving corporate objectives.

Compliance with standards, regulations and other established guidance is another example of a risk-based control. Previously, I suggested that firms aim for compliance to:

  • Demonstrate that the business is run effectively and according to best practices and established standards and regulations.
  • Ensure that the firm is continually improving and refining its business operations, such as staff performance, commitment and motivation.
  • Improve overall performance, remove uncertainties and expand market opportunities.
  • Prove to customers that the firm can be trusted to deliver on its promises.
  • Reduce the likelihood of potential internal and external audits from key customers, suppliers and other stakeholders.
  • Satisfy requirements from major customers that need evidence of competent performance.

Each of the above requirements can itself be treated as a control, which makes clear that managing risk-based controls is an essential part of a well-managed organization.

Guidelines for effective control management

The following steps can help you properly manage your internal risk-based controls:

Understand the business. Once you know management's business objectives, it is easier to identify the controls needed to achieve them.

Understand the risks. Like any organization, your firm is constantly at some level of risk. Conduct periodic risk assessments to identify and validate external threats as well as vulnerabilities existing within the firm.

Develop and document risk-based controls. Based on the outcome of discussions with senior management and business unit management, develop, document, test and implement controls as needed. Be sure to document the controls so they are available for potential risk-based audits and legal requirements.

Regularly assess/audit controls. How does a firm know its controls are effective? First-, second- and third-party audits can identify variances from controls and suggest remedies, and should be scheduled annually. Recommended changes should be implemented, validated and documented as soon as possible.

Most internal controls are based on some level of risk, so organizations should make management of these risk-based controls a critical business activity. Demonstrating a commitment to control management reinforces a company's commitment to managing a successful enterprise. This is something clients, as well as other stakeholders, will appreciate.

Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.