An introduction to internal controls
Businesses today are constantly facing new IT risks, and it can be challenging to keep up with the changes in technology and best practices for protecting your business and the valuable data in your possession. For example, since most workers have begun to work from home due to the global coronavirus health crisis, organizations have become more vulnerable to cyber-attacks and other types of operational disruptions.
One of the most effective ways to ensure your organization is taking the correct steps to mitigate risks is to develop a set of internal controls that ensure your processes, policies, and procedures are designed to protect your valuable corporate assets and keep your company secure and intact. Internal controls help your employees carry out their jobs in a way that protects your organization, your clients, and your bottom line.
Are you properly protecting your business and your customers data? Find out what critical data security controls your organization needs
What Are Internal Controls?
Jonathan Marks, a well-known professional in the forensics, audit, and internal control space, defines internal controls as, “…a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes of the objective(s).”
Internal controls are processes that mitigate risk and reduce the chance of an unwanted risk outcome. Your organization may choose to create certain internal controls. And you may be obligated to have others in place because you’re subject to regulations such as the Sarbanes-Oxley Act of 2002 (SOX), a law created to restore faith in financial accounting systems and procedures and audits after several major public companies, including Enron, Worldcom, and Tyco International, defrauded investors.
While we will discuss specific types of internal controls later, it’s important to understand that internal controls will be somewhat unique to your business depending on what risks are most probable given the type of your business, your industry, and so on. The process of defining and implementing internal controls is often iterative and will take time, but it will ultimately make your company stronger and more resilient to risk.
Why Are Internal Controls Important?
Internal controls are used by management, IT security, financial, accounting, and operational teams to achieve the following goals:
1. Ensure the reliability and accuracy of financial information – Internal controls ensure that accurate, up to date and complete information is reflected in accounting systems and financial reports.
For example, the Sarbanes-Oxley Act of 2002 (SOX) requires annual proof that
- A business accurately reports their financials
- Their procedures effectively prevent fraud, and
- They have addressed any uncertainties.
2. Prevent fraudulent business activity – Internal controls create a reliable system for managing business operations and keeping a check on potential business fraud. Businesses subject to SOX are required to have a process for identifying fraud that is acceptable to regulators.
3. Safeguard sensitive, confidential, and valuable information – Internal controls are designed to protect information from being lost or stolen and to reduce the costs an organization may incur when it suffers from security incidents.
4. Ensure compliance – Internal controls help ensure that a business is in compliance with the federal, state, and local laws, industry-specific regulations, and voluntary cybersecurity frameworks such as SOC 2 or ISO 27001.
5. Improve the efficiency and effectiveness of business operations – Internal controls help companies reduce complexity, standardize and consolidate their operational and financial processes and eliminate manual effort. This often results in more efficient, more consistent, and more effective services and operations.
Internal Controls and Data Security
Having internal controls as a built-in part of your information security programs is the key to ensuring you have effective programs in place. It’s important that you know how your security compliance program is performing; if there is a cyber security incident, outside regulators examining your program will quickly be able to tell if your business is making an actual effort at compliance or if you are simply going through the motions.
Five Kinds of Internal Controls
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides five types of internal control to help companies develop their own unique and effective internal controls.
Control environment: This comprises the framework and basis of your internal controls program, including the processes and structures that create the foundation of the internal controls your business carries out. The control environment also includes:
- The integrity and ethical values of your organization
- Parameters for how and when the board carries out their responsibilities, and
- Incentives and rewards.
Simply put, the control environment is the culture your company creates around internal controls. The executives, upper management, and team leads must all communicate the importance of internal controls downward and every process must take place within the parameters of the control environment.
Risk assessment: To build effective internal controls, a business must first understand what risks they are controlling for and what their business is up against in terms of internal and external risks. A proper risk assessment means identifying risks in all areas of your business, both inside your organization and outside, and then identifying ways to mitigate those risks or bring them down to an acceptable level.
Below, are some questions to consider to make sure your risk assessment is comprehensive:
- Does your risk strategy include a comprehensive view that considers both existing and emerging risks?
- How are risk tolerance levels defined?
- Are key stakeholders involved in setting risk tolerance levels?
- How effectively does the design of the control mitigate the risk?
For more details on how to conduct a thorough security risk assessment, check out this blog post Conducting an Information Security Risk Assessment: a Primer
Control activities: Control activities are where the rubber meets the road. They are how your risk management strategies are actually carried out in the policies and procedures that govern the day-to-day activities of your employees. These activities are embedded throughout your entire company, and they are designed to identify, monitor, and, ultimately, prevent risks from manifesting.
Information and communication: In many ways, communication is the most important part of the internal controls your organization puts in place. If an internal control shows that a process isn’t working, and that isn’t communicated upwards to those who can fix it, what’s the point of having the internal control in the first place? How will your organization benefit from internal control if a manager doesn’t have a channel for communicating with control owners and policymakers within the company?
There must be an open channel of communication regarding internal controls, and robust reporting and information gathering is key to reaping the benefits of all the work and time that go into internal controls.
Yet, too often, compliance teams don’t have a comprehensive view into all risk areas and internal controls within their organization. Without such information, compliance teams are unable to see the gaps in their control environment and miss the opportunity to make timely adjustments to shore up controls and mitigate risks.
Monitoring: To gauge the effectiveness of your internal controls, and to ensure you’re addressing any gaps in the controls you’ve developed, you need to continuously monitor your controls and conduct tests to make sure your processes are working as designed. Ideally, these tests are automated, not manual. This reduces the chance of human error that can leave your assets vulnerable. For example, forgetting to revoke access privileges to critical systems when an employee quits will leave your organization open to threats. But it’s easy to forget to remove a departing employees’ access to certain systems if it is a manual process. Automating this process removes that risk from the equation.
Additionally, having open communication and a dedicated channel for people who have concerns or have experienced issues is an important practice to ensure the continued success of your internal controls. Further, conducting internal controls audits will also give you insight into how your internal controls are performing.
Conducting an internal control audit: An internal controls audit simply tests the effectiveness of your internal controls. When it comes to financial internal controls, the Sarbanes Oxley Act made businesses legally responsible for ensuring their financial statements are accurate, and the Public Company Accounting Oversight Board developed the standard that used to evaluate internal controls in their Auditing Standard No. 5.
Financial internal controls audits are performed by CPAs and require an organization to provide proof of the process your organization uses to evaluate your controls and financial statements. This can require a lot of documentation, but if your organization has been monitoring your internal controls and creating regular and thorough reports, and consolidating all of that information in one place, producing it should be relatively simple.
Are you taking an organized approach to managing cyber risks? See how you can get organized with our webinar.
Creating Internal Controls To Minimize Security Risk
Security controls are safeguards designed to avoid, detect, or minimize security risks to physical property, digital information (e.g. sensitive customer data or a company’s IP), computer systems, mobile devices, servers and other assets.
Security controls could fall into one of the following categories:
- Physical controls: doors, locks, security cameras
- Procedure controls: incident response processes, management oversight, security awareness and training, background checks for personnel who handle critical systems
- Technical controls: user authentication (login) and logical access controls, antivirus software, firealls
- Legal and regulatory controls: policies, standards, etc.
Security controls can also be classified according to the time that they act, relative to a security incident:
- Before the event: preventative controls are intended to stop an incident from occurring, e.g. by locking out unauthorized users
- During the event: detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the appropriate personnel such as system administrators, security guards or police
- After the event: corrective controls are intended to limit the extent of damage caused by an incident, e.g. restoring a system to normal working status as fast as possible
As we mentioned earlier, internal controls need to be tailored to the specific risks you want to mitigate. Having said that, here are the key considerations for creating effective controls for protecting your data assets and information systems:
Understand what your risks are: Before you can take steps to protect your electronic assets, you need to understand what you’re protecting them against and how to effectively guard them. Performing an information security risk assessment will give you a detailed look at your risks and help you decide how to best mitigate them.
Take both physical and electronic threats into consideration: When it comes to information security, it’s not just about who has electronic access to data or email policies. In the course of their jobs, many employees come into contact with hard copies of sensitive information or have access to places where assets are stored, and your business needs to have policies and controls that protect physical assets as well as electronic threats.
Work on your compliance processes: Going through a thorough compliance process will give you the opportunity to uncover gaps in your security program. When we talk about a compliance process, we are really talking about identifying a cybersecurity framework (e.g., SOC 2, NIST 800-53, ISO 27001) you want to implement, understanding the requirements and controls outlined in the framework, taking inventory of your own internal controls and security measures to understand the gaps in your program, and then putting measures in place to fix or refine deficient controls and processes.
When you decide to become compliant with a cybersecurity framework, you will go through a process that forces you to inventory your strengths and weaknesses. You will educate yourself on modern security best practices, and the exercise can serve as a springboard to put in place or refine deficient controls and processes.
Have a data breach response policy in place: Even if you’ve implemented strong security controls and have regular security training with employees, you won’t be able to completely avoid the possibility of a data breach. The best way to handle a data breach correctly is to plan your response ahead of time and test early and often. A tried and tested plan set up before an incident ensures you won’t forget important actions when a crisis strikes. For more information on how to create a robust cybersecurity incident response plan, check out this article.
The Importance of Keeping Internal Controls Up to Date
Even if you’ve developed the most comprehensive set of security controls, they are effective only as long as your environment stays static.
As soon as change happens within your environment, you will need to re-evaluate your internal controls. When your organization rolls out a new process, technology or operating procedures (e.g. allowing employees to work from home due to COVID-19 on their own personal laptops), you’ll need to assess whether the inherent risk that your business faces has increased and update your internal controls accordingly.
To mitigate risk effectively on an ongoing basis, you need to build a sustainable compliance program, one that can monitor new risks effectively, test and document controls as necessary, and guide remediation efforts.
How Can Automation Enhance IT Security?
The more compliance processes you can automate, the better your security posture will be. For instance, you can automate reminders that go to line managers to test or execute a certain control, and automate alerts to you or other compliance officers when that work isn’t done in a timely manner. Reports of those tests can be fed into standard reports or risk dashboards to let you see and report security compliance quickly.
When you focus on automating the mundane, repetitive tasks, it frees up your employees to use their skills and expertise to solve more complex problems and evaluate the success or failures of your internal controls.
Moving Forward With Internal Controls
While keeping internal controls up-to-date will ultimately help your company minimize IT risks, it is a lot to take on and manage. The burden tends to grow as your business grows, as you adopt new software, hire new contractors and work with new vendors. Utilizing a compliance operations software solution like Hyperproof can help you make this process much easier and more effective.
Hyperproof is built to help security assurance professionals efficiently scale up multiple security and privacy programs and get through all the important tasks required to maintain a strong security program. These tasks include identifying risks, creating internal controls to address specific risks, mapping controls to evidence requests from auditors and following schedules to review controls, gather evidence and remind people to complete tasks on time.
Hyperproof also has pre-built frameworks for the most common information security compliance standards like SOC 2, ISO 27001 and NIST SP 80-53 so you can easily see what you need to do to maintain good cyber hygiene and safeguard your data.
If you want to find out how Hyperproof can streamline your security compliance processes and improve your security posture, sign up for a personalized demo.