What is a compensating control in auditing?
Managing Segregation of Duties: What if it’s not operationally feasible to separate all tasks?

When considering controls, including Segregation of Duties (SoD), it’s important to focus on what we’re trying to achieve. I think it’s summarized very well on the University of Toronto’s Internal Audit website. They define a control as “any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization’s objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.” There are four main types of controls: preventative, detective, compensating and steering. This article focuses on compensating controls.

What are compensating controls and when do you need them?

To reduce the risk of fraud and operational errors, most organizations define Segregation of Duties (SoD) policies, then implement detective controls, which identify anybody who has access to combinations of applications that enable them to violate the SoD rules. Ideally, they also implement preventative controls that stop people from being granted access which breaches the policies. But resource limitations, such as technical or staffing constraints, mean that it’s not always possible to achieve perfect SoD. Where this is the case, you can use compensating controls to mitigate the risk incurred when a user needs to hold many duties. This type of control offers an alternative means of providing the “reasonable assurance” that we need. Here’s an example of where a compensating control is required: a single user has access to, and performs, the tasks of accepting cash payments and recording the payments. Due to the nature of the business, and for efficiency, the same user performs both tasks. To prevent fraud, oversight is required.
So, we need a compensating control – for example, we may specify that a second user must perform a reconciliation, reviewing the cash against the recorded transactions. Compensating controls should:
This third point is important. By its nature, a compensating control is never as good as building a control into the system itself, so the compensating control has more to prove – it must go above and beyond what the system itself could have provided. For example, requiring a second signature on a report is not a good compensating control if the signatory never actually looks at the details line by line. So you should always aim to make the compensating control more rigorous: the second signatory must not only sign off on the report, but must sign off on every line item, with comments, etc. When designing compensating controls, consider these tips:
Examples of frequently used compensating controls:
Be mindful that compensating controls are a stopgap and not an ideal end state. Wherever possible, consider using other types of controls, such as preventative controls, which may be more rigorous and more cost effective because they require fewer resources. Specialized tools can help: Q Software’s auditing solutions flag conflicts and violations, let you record mitigations, and report on the associated compensating controls.
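The detective control described above (flag every user who holds a conflicting combination of duties, then record whether a compensating control mitigates each conflict) is sketched here as an added Python example. It is not code from the article or from Q Software; the rule ids, duty names, users and dates are constructed, and it also enforces two points the article makes: the compensating control must be performed by a second person, and because it is a stopgap it carries a review date after which it no longer counts.

```python
"""Added example (not from the article): a small SoD detective control that lists
users holding a conflicting set of duties and checks whether each conflict is covered
by a compensating control performed by someone else and not past its review date.
All rule ids, duties, users and dates below are constructed sample data."""
from collections import namedtuple
from datetime import date

# Constructed SoD rules: sets of duties that one person must not hold together.
SOD_RULES = {
    "SOD-01": frozenset({"accept_cash_payments", "record_payments"}),
    "SOD-02": frozenset({"create_vendor", "approve_vendor_payment"}),
}

# Constructed entitlement data: user -> duties granted in the system.
ENTITLEMENTS = {
    "alice": {"accept_cash_payments", "record_payments", "run_reports"},
    "bob": {"create_vendor", "approve_vendor_payment"},
}

# Constructed register of compensating controls: (user, rule id) -> record. Each record
# names who performs the control and a review_by date, since the control is a stopgap.
COMPENSATING_CONTROLS = {
    ("alice", "SOD-01"): {"control": "Weekly cash-to-ledger reconciliation, every line",
                          "performed_by": "dave", "review_by": date(2025, 12, 31)},
    ("bob", "SOD-02"): {"control": "Second signature on vendor payments",
                        "performed_by": "bob", "review_by": date(2025, 12, 31)},
}

AS_OF = date(2025, 6, 1)  # constructed date of the review run

Finding = namedtuple("Finding", "user rule_id duties status")

def assess_control(user, record, as_of):
    """Return 'mitigated' or the reason the compensating control does not count."""
    if record is None:
        return "no compensating control documented"
    if record["performed_by"] == user:
        return "compensating control performed by the conflicted user"
    if record["review_by"] < as_of:
        return "compensating control past its review date"
    return "mitigated"

def find_sod_conflicts(entitlements, rules, controls, as_of):
    """Detective control: one Finding per user holding all duties of an SoD rule."""
    findings = []
    for user, duties in sorted(entitlements.items()):
        for rule_id, conflict in sorted(rules.items()):
            if conflict <= duties:  # user holds every duty in the conflicting set
                status = assess_control(user, controls.get((user, rule_id)), as_of)
                findings.append(Finding(user, rule_id, tuple(sorted(conflict)), status))
    return findings
```

Run against the sample data, alice's SOD-01 conflict is reported as mitigated while bob's SOD-02 conflict is not, because bob is his own second signatory; running it after 2025-12-31 also turns alice's finding into an unmitigated one.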
What is an example of a compensating control?

Examples of Compensating Controls
Here is an example of when a compensating control would be required: A single employee has the duties of accepting cash payments, recording the deposit, and reconciling the monthly financial reports. To prevent errors and/or fraud, additional oversight is required.
What is the difference between mitigating and compensating controls?

In the simplest analysis, the difference is this: mitigating controls are meant to reduce the chances of a threat happening, while compensating controls are put into place when specific requirements for compliance can't be met with existing controls. The former is permanent; the latter is temporary.
What is a compensating security control?

Definition(s):
A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
What are the 3 types of internal controls?

There are two basic categories of internal controls – preventive and detective. An effective internal control system will have both types, as each serves a different purpose.