Table of Contents
Simply put, internal controls are safeguards put in place within an organization that protects your business from technological, financial, strategic, and reputational risks. In auditing terms, internal controls assure that your business operations remain effective and efficient.
From a cybersecurity perspective, internal controls protect your business from the risks that can compromise an information technology environment and there are three primary types of internal controls.
Defining Your Organizations Internal Controls
The first step to establishing internal controls lies in defining the risks you are protecting against. Until your organizations fully understand how it wants to position itself, within its market industry, it will be an impossible task to set the appropriate objectives and mitigate any inherent business risks.
Determining business objectives drives the risks your organization faces the same way. For example, if an organization is involved in the financial industry, the business leaders need to look at the standards and regulations that govern banks and other financial institutions to ensure they provide suitable controls. Ultimately, once an organization understands its objectives, it can then move forward toward defining the risks, and the development and implementation of suitable internal controls to mitigate those risks.
Types of Internal Controls
There are three main categories of internal controls: preventative, detective and corrective. Internal controls are characteristically summed up as a series of policies and procedures or technical protections that are put in place to prevent problems and protect the assets of a business organization.
All organizations are subject to threats occurring that may have negative impacts on an organization and result in asset loss. Some of these threats are unintentional, caused by an ignorant employee that leads to costly errors, others are more malevolent, such as the case of fraudulent manipulation and extortion. These risks are present in every business, small, medium and large. Regardless of why it happens, internal controls need to be established to avoid or minimize loss to a business organization.
There are also limitations to each type of internal control to consider, making it essential to engage in ongoing reviews and monitoring of an organization's systems and networks.
Compensating controls are those which provide a temporary solution to reduce risk where it may not be possible to implement a proper solution such as a Web Application Firewall instead of implementing a more complex code change.
As they say in medicine, the best cure is prevention. Understandably, it is always easier, less stress-inducing and thereby more efficient to establish the appropriate measures to prevent an event from occurring rather than working under the pressure of an active security event. Preventative internal controls are those internal controls put in place to avert a negative event from transpiring. For example, most web applications have built-in checks and balances to avoid and otherwise minimize a user from entering incorrect information.
To put this into real-world context, an organization may begin by assigning one person to write cheques, and another person to authorize the payments. This breakdown, or segregation of duties, falls under the definition of preventative internal controls from an administrative standpoint. Other examples of preventative internal controls include the use of video surveillance or strategized placement of security guards at entry points, verifying identification credentials and restricting access. All of these are examples of physical preventive controls.
Further, firewalls, computer and server backups, training programs and even routine drug testing are all types of preventative internal controls that are put in place to prevent asset loss and detrimental events from transpiring.
Of course, in a perfect world, all that would be required is a well-established set of preventative internal controls. Unfortunately, even if everything is done right, a security event is almost inevitable. That’s where detective internal controls come in.
If your preventative measures were not enough, the next best line of defence is well-managed detective internal controls. Detective internal controls are controls that are used after a security event has occurred. Think of just about any one of your favourite 30-60-minute crime shows, CSI or NCIS maybe, depicting a weathered, veteran officer walking onto the scene of an event, trying to piece together what happened, when it happened and how it happened.
As mentioned, while it is almost always more efficient from a human resources and financial standpoint, to prevent an event from occurring; when things do go wrong, it is critical to learn everything about the event to sharpen your preventative efforts in future.
Some questions an organization may ask itself are: What caused the event? What preventative internal control process failed to prevent the event? Are there policies that can be modified or put in place to improve results moving forward?
From a business perspective, some common examples of detective internal controls are audits, inventory, financial reports and financial statements. While this list is by no means meant to be exhaustive, it provides a general idea of the concept.
Last, but certainly not least, are corrective internal controls. Corrective internal controls are those controls that are put in place after detective internal controls identify a problem. As previously noted, even when all of the existing preventative controls go as planned, sometimes it is not enough. Upon discovery of a flaw or defect within the current security regimen, with detective internal controls, corrective internal controls are implemented to improve upon previous shortcomings.
These controls may include software patches or modifications, disciplinary action, reports filing and new or refined policies prohibiting inefficient or insecure practices such as password sharing or employee tailgating.
As previously mentioned, processes and internal controls are never perfect. Errors, and upsets, with or without intent will always be found. It is for this reason that an ongoing review and analysis process of the internal controls should be part of any organization’s annual security practices.
When an event occurs, it should be well-documented, investigated and reviewed by those individuals capable of taking the corrective actions discussed above to improve the system of internal controls. As with any human endeavour, there will always be limitations. The human element is prone to error and malicious parties can and will find weaknesses in any organization’s control procedures. It’s absolutely crucial to keep this in mind when considering internal controls.
Fortunately, at Packetlabs we have the privilege and advantage of reviewing countless organizations’ security controls and practices across endless industries and business models. This allows us to quickly and efficiently hone in on things that may be missed, inefficient or otherwise require corrective attention. Whether it involves a web application, infrastructure or the basic matter of security maturity, we offer a variety of options that are designed to suit any organization’s specific needs. To learn more about how we can assist your organization, please contact us for more details!