What are the Controls?

Control is a vague word that covers various activities. Controls can take place at two levels. Controls are also part of an Internal Control Framework.

What are controls anyway?

One of the definitions in Webster’s dictionary is: “to check, test, or verify by evidence or experiments”. This is exactly what we refer to when we discuss controls.

Where do we have controls?

Controls take place at several levels, depending on the response we have for a specific risk.

Controls can occur at two levels:

  • within the process itself,
  • at a meta level to make sure something is actually done.

The controls in the risk mitigation

Let’s start with the most intricate response in terms of controls. When a company mitigates a risk, it often does so by embedding controls within the execution.

Companies often use this technique to reduce their processing risk. The software they use, or another person, will check what an employee did to avoid an error.

If I use the example of the trapeze artists once again, someone will have to install the safety net. Someone else will verify this is correctly done for each installation. This guarantees respect for the principle of segregation of duties.

The meta-level in risk mitigation will take place when there is a verification that the controls embedded in the process actually take place.

Usually, an internal audit team executes this task. This team is, however, not the only solution for executing meta-controls.

The controls in other risk response frameworks

In other risk response cases, the only controls that usually exist are meta-controls. For example, when you transfer the risk, you will make sure the insurance contract exists and covers the risks you want to cover. You will not have controls within the process of signing the contract itself.

The link to the Internal Control Framework

This point will take us away from pure risk management. COSO, the most renowned organization for risk management frameworks, has actually defined such a framework and confirmed it is part of its risk management framework.

For those interested, the COSO definition of an Internal Control Framework is: “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

The important part of this definition is that concepts similar to those of risk management appear here again:

  • Process
  • Board
  • Objectives

As I wandered a bit in the control world, our next article will stay in this world to cover two important concepts:

  • The timing of controls
  • The segregation of duties

Jean-Christophe Mathonet

Co-Founder & Partner

My positions allowed me to cover a wide range of functions: general management of entities, corporate taxes, supervision of IT and operations, accounting, budgeting, creation and restructuring of legal structures, regulatory reporting, acquisition of companies, operational statistics, and management accounting.

Specialties: Finance as a general matter