What are the Controls?
Control is a vague word that covers various activities. Controls can take place at two levels. Controls are also part of an Internal Control Framework.
What are controls anyway?
One of the definitions in Webster’s dictionary is: “to check, test, or verify by evidence or experiments”. This is exactly what we refer to when we discuss controls.
Where do we have controls?
Controls take place at several levels, depending on the response we have for a specific risk.
Controls can occur at two levels:
- within the process itself,
- at a meta level to make sure something is actually done.
The controls in the risk mitigation
Let’s start with the most intricate response in terms of controls. When a company mitigates a risk, it often does so by embedding controls within the execution.
Companies often use this technique to reduce their processing risk. The software they use, or another person, will check what an employee did to avoid an error.
If I use the example of the trapeze artists once again, someone will have to install the safety net. Someone else will verify this is correctly done for each installation. This guarantees respect for the principle of segregation of duties.
The meta-level in risk mitigation will take place when there is a verification that the controls embedded in the process actually take place.
Usually, an internal audit team executes this task. This team is, however, not the only solution for executing meta-controls.
The controls in other risk response frameworks
In other risk response cases, the only controls that usually exist are meta-controls. For example, when you transfer the risk, you will make sure the insurance contract exists and covers the risks you want to cover. You will not have controls within the process of signing the contract itself.
The link to the Internal Control Framework
This point will take us away from pure risk management. COSO, the most renowned organization in risk management frameworks, has actually defined such a framework and confirmed it is part of its risk management framework.
For those interested, the COSO definition of an Internal Control Framework is: “Internal control is a process, effected by an entity’s board management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
The important part of this definition is that concepts similar to those in risk management appear here again:
As I wandered a bit in the control world, our next article will stay in this world to cover two important concepts:
- The timing of controls
- The segregation of duties
Co-Founder & Partner
After 13 years as CFO of The Bank of New York Mellon, I had several positions that allowed me to cover a wide range of topics: general management of entities, Risk and finance management, corporate taxes, supervision of IT and operations, accounting, budgeting, creation and restructuring of legal structures, regulatory reporting, acquisition of companies, operational statistics, and management accounting.
My strengths are in Finance and Risk Management.