Akash Agarwal on LinkedIn: IT internal audit controls: 1. Access Controls: Control: Implement… | 10 comments (2024)

Managing risk typically involves a combination of preventive, detective, Compensating, Directive and corrective controls. These controls help identify, mitigate, and respond to risks. Here's a breakdown of the types of controls used in risk management: 1- Detective Controls: * Definition: Controls that detect irregularities or deviations from established policies and procedures after they have occurred. * Examples: Audits, reviews, reconciliations, monitoring systems. * Implications: Can help identify and mitigate risks but may not prevent losses._______________________________________________ 2 - Corrective Controls: * Definition: Controls that address the root cause of a problem and restore operations to their intended state. * Examples: Incident response plans, remediation procedures, disciplinary actions. * Implications: Essential for recovering from incidents and preventing future occurrences._______________________________________________ 3 - Preventive Controls: * Definition: Controls that prevent errors or irregularities from occurring in the first place. * Examples: Access controls, segregation of duties, security measures. * Implications: Proactive approach to risk management, often more cost-effective than reactive measures._______________________________________________ 4 - Compensating Controls: * Definition: Controls that are implemented to offset the limitations of other controls. * Examples: Manual reviews in the absence of automated controls, additional approvals for high-risk transactions. * Implications: Can be necessary to address gaps in the control environment but may not be as effective as primary controls._______________________________________________ 5 - Directive Controls: * Definition: Controls that establish policies, procedures, and standards to guide behavior and ensure compliance. * Examples: Management directives, code of conduct, training programs. * Implications: Provide a framework for effective risk management but require ongoing enforcement.

13

HITRUST Facts worth reading

Asset MisappropriationOccupational fraud poses a significant threat to the organisation's operations, encompassing a range of deceptive activities that exploit the perpetrator's access and opportunities within the victim organisation. The common prevalent form involves the misappropriation of assets.Asset Misappropriation refers to the intentional unauthorised use of an organization's assets for personal gain. This type of fraudulent activity can have a serious impact on a company's financial stability and reputation. Asset Misappropriation includes fraudulent disbursem*nts, fraud billing schemes, payroll fraud, and expense reimbursem*nt fraud. These fraudulent activities can be carried out by employees, management, or external parties and may involve various deceptive methods to conceal the theft or misuse of company resources. Identifying the specific sub-schemes that present the highest risk to organisations is crucial for conducting comprehensive risk assessments, implementing effective risk mitigation strategies, and fortifying internal control systems.

9

There should not be separate sets of controls to meet SOX (ICFR), operational processes, ESG, and other requirements. Instead, key internal controls should address multiple risks across various processes. While some unique controls will be necessary to address specific risks, these should be minimal.Strategic approach to identifying key controls:•𝐈𝐝𝐞𝐧𝐭𝐢𝐟𝐲 𝐞𝐱𝐢𝐬𝐭𝐢𝐧𝐠 𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐬 𝐚𝐝𝐝𝐫𝐞𝐬𝐬𝐢𝐧𝐠 𝐦𝐮𝐥𝐭𝐢𝐩𝐥𝐞 𝐫𝐢𝐬𝐤𝐬: Focus on controls that are already managing multiple risks across different processes.•𝐔𝐩𝐝𝐚𝐭𝐞 𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐬 𝐟𝐨𝐫 𝐦𝐮𝐥𝐭𝐢-𝐩𝐮𝐫𝐩𝐨𝐬𝐞𝐬: Update and enhance current controls to serve broader purposes effectively.•𝐏𝐫𝐢𝐨𝐫𝐢𝐭𝐢𝐳𝐞 𝐞𝐟𝐟𝐢𝐜𝐢𝐞𝐧𝐜𝐲 𝐢𝐧 𝐭𝐞𝐬𝐭𝐢𝐧𝐠: Emphasize controls that are more efficient to test, such as automatic controls, which require fewer samples compared to manual controls.Internal auditors, with their strategic perspective and assessment of financial and operational controls across the organization, are uniquely positioned to:•Identify key controls that address multiple risks.•Assess the design and operational effectiveness of these controls.•Provide recommendations to enhance controls, thereby avoiding additional work for the business.As we enter the final quarters of the year and prepare for SOX (ICFR) testing, now is the ideal time to strategically review and optimize key controls.

10