What is a compensating control in auditing?

Managing Segregation of Duties: What if it’s not operationally feasible to separate all tasks?

When considering controls, including Segregation of Duties (SoD), it’s important to focus on what we’re trying to achieve.

I think it’s summarized very well on the University of Toronto’s Internal Audit website.

They define a control as “any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization’s objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.”

There are four main types of controls:  preventative, detective, compensating and steering. This article focuses on compensating controls.

What are compensating controls and when do you need them?

To reduce the risk of fraud and operational errors, most organizations define Segregation of Duties (SoD) policies, then implement detective controls, which identify anybody who has access to combinations of applications that enable them to violate the SoD rules. Ideally, they also implement controls to prevent people being granted access which breaches the policies.

But resource limitations, such as technical or staffing constraints, mean that it’s not always possible to achieve perfect SoD. Where this is the case, you can use compensating controls to mitigate the risk incurred when a user needs to hold many duties. This type of control offers an alternative means of providing the “reasonable assurance” that we need.

Here’s an example of where a compensating control is required:

A single user has access to and performs the tasks of accepting cash payments and recording the payments. Due to the nature of the business, and for efficiency, the same user performs both tasks. To prevent fraud, oversight is required. So, we need a compensating control – for example, we may specify that a second user must perform a reconciliation, reviewing the cash against the recorded transactions.
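The detective control described above, as an added example that is not part of the original article: a short Python script that flags users whose combined role assignments grant both sides of an SoD rule, then checks each violation against a register of documented compensating controls and whether that control has been reviewed recently. The rules, roles, users and mitigation entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed SoD rules: each pair of duties must not be held by one person.
SOD_RULES = {
    ("accept_cash", "record_payment"): "cash handling vs. recording",
    ("create_vendor", "approve_invoice"): "vendor setup vs. invoice approval",
}
# Constructed mapping of application roles to the duties they grant.
ROLE_DUTIES = {
    "POS_CASHIER": {"accept_cash"},
    "AR_CLERK": {"record_payment"},
    "AP_ADMIN": {"create_vendor", "approve_invoice"},
}

@dataclass
class Mitigation:  # a documented compensating control and its last management review
    description: str
    last_reviewed: date

# Constructed mitigation register, keyed by (user, SoD rule).
MITIGATIONS = {
    ("alice", ("accept_cash", "record_payment")): Mitigation(
        "weekly cash-to-ledger reconciliation performed and signed by bob",
        date(2024, 1, 15)),
}

def find_violations(user_roles):
    """Detective control: (user, rule) pairs where combined roles grant both duties."""
    violations = []
    for user, roles in user_roles.items():
        duties = set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))
        for rule in SOD_RULES:
            if set(rule) <= duties:
                violations.append((user, rule))
    return violations

def assess(user_roles, today_iso, max_review_age_days=365):
    """Classify each violation: 'unmitigated' (no control on file), 'stale'
    (control not reviewed within max_review_age_days) or 'mitigated'."""
    today = date.fromisoformat(today_iso)
    status = {}
    for user, rule in find_violations(user_roles):
        m = MITIGATIONS.get((user, rule))
        if m is None:
            status[(user, rule)] = "unmitigated"
        elif (today - m.last_reviewed).days > max_review_age_days:
            status[(user, rule)] = "stale"
        else:
            status[(user, rule)] = "mitigated"
    return status
```

Unmitigated and stale entries are the ones to escalate; a mitigation that nobody has re-approved since roles changed no longer provides the assurance it was designed for.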

Compensating controls should:

  • Meet the intent of the original control requirement
  • Provide a similar level of assurance
  • Go above and beyond the original control requirement.

This third point is important. By its nature, a compensating control is never as good as creating a control within the system itself, so the compensating control has more to prove – and must go above and beyond what the system itself could have provided. For example: requiring a second signature on a report is not a good compensating control if the person never actually looks at the details line by line. So, you should always aim to make the compensating control more rigorous – i.e. the second signatory must not only sign off on the report, but must sign off on every line item, with comments etc.

When designing compensating controls, consider these tips:

  • Documentation – create a formal document which can be reviewed by management. The document should clearly outline the steps necessary to execute the compensating control.
  • Approval – ensure documentation is reviewed on a regular basis and approved by management. Systems, access, people and functionality change constantly, so it’s important to ensure that your control is relevant and serves the purpose it was designed for.
  • Training – ensure appropriate staff are trained. They need to understand the risk, review the procedure documentation and be clear on such things as execution method and timing.
  • Review – periodically review the control to ensure that it’s effective, especially in the first six to twelve months of a new control being in place.

Examples of frequently used compensating controls:

  • The requirement for a secondary signature to authorize critical or sensitive transactions, such as high dollar value for purchase orders.
  • Exception reports. These can be created in a reporting tool and set up on a scheduler, so that they are run in a timely manner. The output is then checked against the applicable process. An example of this is a report of changes to customer master data; the report is reviewed against documentation that states the requestor of the change is not the person who executed the change. The report is then signed by a supervisor or manager and saved as evidence.
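The customer master data exception report above, and the line-by-line sign-off with comments called for earlier in the article, as an added example that is not from the original article: the change log, column names and user names are constructed, and the rule that every change must reference a change request is an assumption of this example.

```python
import csv
import io

# Constructed export of a customer master data change log (not real data).
CHANGE_LOG = """\
timestamp,customer,field,change_request,requested_by,changed_by
2024-03-02T10:15:00,CUST-1001,bank_account,CR-5521,alice,bob
2024-03-02T11:40:00,CUST-1002,bank_account,CR-5530,carol,carol
2024-03-03T09:05:00,CUST-1003,payment_terms,,dave,erin
2024-03-03T14:20:00,CUST-1001,address,CR-5544,frank,bob
"""

def exception_report(log_text):
    """Return the change-log rows a supervisor must review, each with its reasons.
    A row is an exception when the requester executed the change themselves or
    when no change request ties the change to an approved request."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["requested_by"] == row["changed_by"]:
            reasons.append("requester executed own change")
        if not row["change_request"]:
            reasons.append("no change request reference")
        if reasons:
            exceptions.append({**row, "reasons": reasons})
    return exceptions

def sign_off(exceptions, reviewer, comments):
    """Build the evidence record. Every flagged line needs the reviewer's comment,
    keyed by (timestamp, customer); a bare signature over the report is rejected."""
    missing = [(e["timestamp"], e["customer"]) for e in exceptions
               if not comments.get((e["timestamp"], e["customer"]))]
    if missing:
        raise ValueError(f"flagged changes without reviewer comment: {missing}")
    return {
        "reviewer": reviewer,
        "lines": [{**e, "comment": comments[(e["timestamp"], e["customer"])]}
                  for e in exceptions],
    }
```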

Be mindful that compensating controls are a stopgap and not an ideal end state. Wherever possible, consider using other types of controls, such as preventative controls, which may be more rigorous and more cost effective as they require fewer resources.

Specialized tools can help. Q Software’s auditing solutions flag conflicts / violations and provide the ability to note mitigations and report on the associated compensating controls.

Watch this video below for Best Practice tips to help you design successful Compensating Controls that will satisfy your business needs, while meeting the objective to reduce the risk of fraudulent activity on your system. It gives you more insights into:

  • What are Compensating Controls?
  • When and why you may need them
  • The objectives of the controls
  • How to design, document, implement and review them
  • 3 common examples.

What is an example of a compensating control?

Examples of Compensating Controls

Here is an example of when a compensating control would be required: A single employee has the duties of accepting cash payments, recording the deposit, and reconciling the monthly financial reports. To prevent errors and/or fraud, additional oversight is required.

What is the difference between mitigating and compensating controls?

In the simplest analysis, the difference is this: mitigating controls are meant to reduce the chances of a threat happening while compensating controls are put into place when specific requirements for compliance can't be met with existing controls. The former is permanent; the latter is temporary.

What is a compensating security control?

Definition(s): A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.

What are the 3 types of internal controls?

There are two basic categories of internal controls – preventive and detective. An effective internal control system will have both types, as each serves a different purpose.