Control Frameworks
More than 80% of all threats originate with trusted employees, or "insiders," who have access to sensitive applications and customer data as well as the organizational knowledge that lets them fly under the radar. Incidents resulting from insider threats are also more costly, with each incident costing $175,000 on average and more than a quarter of breaches costing over $1 million.
Controls
Both business and technology rely upon a variety of controls to maintain the integrity of a company’s data and satisfy internal and external audit and regulatory requirements.
Regardless of the size of the company, controls should exist and operate effectively. Global and local regulatory requirements need to be met, and investor confidence and financial stability maintained.
Controls fall into two broad categories: preventive and detective.
Preventive controls are aimed at stopping a control breach before it happens. Built into internal control systems, they require a major effort in initial design and implementation, but once in place they require less ongoing investment.
Example – when a user moves from a front office position to a back office position, all of the user's application access rights are revoked. This can be more operationally troublesome, but it is fail-safe and gives regulators greater comfort.
Detective controls monitor for unwanted events after they have occurred. A detective control should notify the monitoring parties as soon as possible, but it is by nature after the fact. Detective controls are designed to detect errors and irregularities that have already occurred and to ensure their prompt correction. They represent a continuous operating expense and are often costly, but necessary. They supply the means to correct data errors, modify controls or recover missing assets.
Example – a quarterly review of user access rights is carried out, ensuring that every user's access rights correspond to that user's role and responsibilities.
A combination of preventive and detective controls offers the greatest assurance. Preventive controls alone cannot guarantee that an event will not occur; by combining the two, if the preventive control is bypassed or fails, the detective control should alert the monitoring parties.
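As an added illustration of the two access-rights examples above (this is example code written for this page, not a Playbook Solutions tool), the block below models the preventive control (revoke everything on a role move) and the detective control (a periodic access review against a role baseline), and shows the two working together: one user moves through the controlled process, a second has an entitlement re-granted directly in the application after the move, and the review catches the discrepancy. The role-to-entitlement baseline, the application names and the users are constructed sample data; re-provisioning from a role baseline after revocation is an assumption added here, not something the text states.

```python
"""Added example (not from the original page): a role-based access model with
the two control types described in the text.

  * preventive control: on a role change, revoke every entitlement before
    re-provisioning from the new role's baseline (the revocation is the page's
    example; re-provisioning from a role baseline is an assumption here).
  * detective control: a periodic access review that flags entitlements a
    user holds beyond their role's baseline, plus users with an unknown role.

All roles, applications and users below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role-to-entitlement baseline. A real firm keeps this in an IAM
# or GRC system; only the shape matters for the example.
ROLE_BASELINE = {
    "front_office": {"trading_app", "crm"},
    "back_office": {"settlements", "ledger"},
}


@dataclass
class User:
    uid: str
    role: str
    entitlements: set = field(default_factory=set)


def move_role(user: User, new_role: str) -> set:
    """Preventive control: on a move, revoke all access first, then grant only
    the new role's baseline. Returns the set that was revoked so it can go in
    the audit trail. Raises on an undefined target role so that a typo cannot
    silently leave someone with no baseline and an unreviewed role."""
    if new_role not in ROLE_BASELINE:
        raise ValueError(f"unknown role {new_role!r}")
    revoked = set(user.entitlements)
    user.entitlements.clear()          # fail-safe: nothing carries over
    user.role = new_role
    user.entitlements |= ROLE_BASELINE[new_role]
    return revoked


def access_review(users) -> list:
    """Detective control: compare every user's actual entitlements against
    their role's baseline. Returns findings as (uid, kind, detail) tuples so
    the reviewer has something concrete to certify or remediate."""
    findings = []
    for u in users:
        baseline = ROLE_BASELINE.get(u.role)
        if baseline is None:
            findings.append((u.uid, "unknown_role", u.role))
            continue
        excess = u.entitlements - baseline
        if excess:
            findings.append((u.uid, "excess_access", sorted(excess)))
    return findings


def demo():
    """Constructed scenario: a controlled move, a bypassed control, and a user
    whose role is not in the baseline at all."""
    alice = User("alice", "front_office", {"trading_app", "crm"})
    bob = User("bob", "front_office", {"trading_app", "crm"})
    carol = User("carol", "contractor", {"ledger"})

    # Alice moves through the controlled process: everything revoked, then
    # only the back office baseline granted.
    revoked = move_role(alice, "back_office")

    # Bob moves too, but someone re-grants trading_app directly in the
    # application afterwards, bypassing the preventive control.
    move_role(bob, "back_office")
    bob.entitlements.add("trading_app")

    # The quarterly review is the detective control that catches Bob and Carol.
    findings = access_review([alice, bob, carol])
    return revoked, findings


if __name__ == "__main__":
    revoked, findings = demo()
    print("revoked on move:", sorted(revoked))
    for finding in findings:
        print("finding:", finding)
```

The point the example makes is the one in the paragraph above: the preventive control is fail-safe for the path it governs, but an entitlement granted outside that path is invisible to it, and only the periodic reconciliation against the role baseline surfaces it.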
Another consideration is whether the control is manual or automated.
Manual controls include log sheets, reviews of log files and meetings. These are normally low cost but present higher risk, as the greater human element can cause failure or even corruption.
Automated or semi-automated controls are those where an application performs, for example, a complex calculation or a high-volume function, providing the automated part of the control; the output or results of the automation then require manual certification or review. Many controls are wrongly classified as automated when they are really semi-automated.
Relationship with Policies and Standards
For firms reviewing an existing control framework or implementing a new one, the question arises of what comes first: the policy or standard, or the controls. Some firms purchase off-the-shelf policies based on particular regulatory requirements; others build policies based on standards and methodologies. Whichever way a firm operates, controls will need to be in place to address the points within the policy. Neither can be done in isolation: a single policy can spawn many controls, just as one control can support multiple policies. Policies based on regulatory requirements or external standards cannot be implemented without sufficient internal consultation.
Controls may exist to address each point within a policy, but there will be gaps, and these are the points that will cause management problems. Internal auditors use policies as a baseline against which to measure compliance; external auditors review policies to ensure that all requirements are met. Simply writing a policy does not mean that the appropriate controls exist and operate within a firm. There is a lot more to creating a control environment than authoring or buying a set of policies and procedures: the organization needs to understand them and actually follow them. At a minimum, that takes stakeholder involvement, communication, training, regular review of applicability, and audits.
It is important to maintain a balance when writing policies and implementing controls. Control procedures should be developed so that they reduce risk to a level at which management can accept the remaining exposure. By performing this balancing act, "reasonable assurance" can be attained. Excessive controls lead to increased bureaucracy, reduced productivity, increased complexity, longer development times and more activities that add no value.
To achieve a balance between risk and controls, internal controls should be proactive, value-adding, cost-effective and aimed at the actual exposure to risk.
In conclusion, controls are a combination of people, processes and tools put in place to prevent, detect or correct issues caused by unwanted events. The need is for a carefully planned control framework that weaves the various types of controls together and protects the organization from risk.
At Playbook Solutions we have assisted clients with the implementation of controls and the identification of sustainable remediations. We have worked to identify gaps in policies when looking at local and global regulatory requirements and have provided expertise in writing policies.
The company
Playbook Solutions Limited
Registered in England No: 6885884
39 Alma Road, St. Albans AL1 3AT
Privacy & Data Protection
Playbook Solutions Limited complies with the UK Data Protection Act and is registered with the Information Commissioner's Office.
