Why Compliance Controls Should Be Embedded in Business Processes


Your organization’s ability to achieve and maintain compliance is only as robust as the internal compliance controls you have in place.

Internal controls are most effective when they’re embedded into the business processes they are designed to govern. Unfortunately, many organizations leave them siloed in departments, which leads to a disorganized and inadequate system prone to control failure.

Failing to embed controls into business processes leaves organizations vulnerable to risk and attacks that could be expensive — or in the worst cases, even existential. This article will discuss the importance of embedding compliance controls into business processes, explore common frameworks for designing, implementing, and managing internal controls, and explain how to use modern GRC technology to automate the process.

What are internal compliance controls?

Internal controls are the measures an organization puts in place so that its policies and procedures are actually followed throughout every business process. Their goals are to ensure compliance with regulatory, legal, and standards requirements, reduce the organization’s overall risk exposure, and improve operational efficiency and effectiveness.

Internal controls come in many forms

Here are a few examples of what implementing internal controls looks like:

  • Posting warning signs around heavy machinery or painting them in cautionary colors to prevent workplace injury.
  • Installing antivirus software on all company devices.
  • Performing audits to verify the accuracy of company financial records.
  • Requiring management to review and sign off on action plans for specific activities.
  • Conducting regular vulnerability testing so that weaknesses are found and fixed before attackers can exploit them.

These controls are usually designed and intended to work together as a system to prevent various risk events from occurring and impacting a company’s operations. Each risk or compliance requirement will have its own set of corresponding controls, and compliance is the act of conforming to the requirements of these controls. 

For example, scheduling vulnerability testing on a regular cadence, enforcing multi-factor authentication on employee accounts, screening passwords against lists of known-breached passwords rather than forcing periodic rotation (NIST SP 800-63B advises against mandatory periodic password changes), and running phishing simulations are all controls that work in conjunction to improve your organization’s cyber defenses and reduce its cyber risk exposure.

Why are internal and compliance controls important?

Failing to put adequate compliance controls in place means your organization is flying blind when it comes to attaining, maintaining, and proving compliance.

Internal controls are a fundamental component of any successful compliance management program. These compliance controls are typically directly mapped to the regulatory requirements, laws, and standards frameworks that organizations are either required to or desire to comply with.

Without internal compliance controls, your organization has no reliable way to confirm that compliance requirements are being followed, and therefore no way to demonstrate compliance. That can lead to penalties such as fines and to reputational damage, and it exposes your organization to exactly the risks the regulations were designed to prevent.

How compliance controls interact with types of risk

To truly understand why compliance controls are necessary and how they affect your organization’s risk posture and exposure, we need to unpack a couple of additional concepts: inherent risk, control risk, and residual risk.

Inherent risk

Inherent risk is the level of risk your organization faces before any controls are put into place to mitigate it. (Inherent risk carries a different meaning in audit management: it is the susceptibility of a company’s financial statements to a material error or misstatement before any internal controls are taken into account.)

To understand your organization’s inherent risk exposure is to acknowledge that doing business always carries some level of risk that you’ll need to navigate. Internal compliance controls are one way that organizations begin to wrangle this risk into something manageable.

Control Risk

Despite your best efforts, sometimes the controls you put in place simply fail to prevent or detect a risk event. The likelihood of such a failure is known as control risk. Treating each failure as a learning moment helps you improve your controls and reduce future control risk.

Residual risk

Residual risk is the level of risk that remains even after you’ve put internal controls in place. No matter how hard you try to mitigate all of the risk your organization faces by implementing internal controls, it’s nearly impossible to remove all risk entirely. If your residual risk after controls are applied is not within your organization’s risk appetite and risk tolerance levels, you need to find ways to put even more robust controls in place.

Types of internal and compliance controls and examples

Compliance controls can take a variety of forms. Each compliance control will focus on a different area of your organization’s risk landscape, or a few different controls can focus on different aspects of the same risk, like in the cybersecurity example above.

Most compliance controls fall under one or more of these archetypes:

Preventive Controls

Preventive controls are the first line of defense in your compliance controls architecture. These controls are designed to head off risk events altogether, preventing them from ever occurring and causing problems for your organization.

Some examples of these types of controls are phishing simulations and the awareness training that accompanies them, protocols for ensuring all entrances to and exits from facilities are always secured, firewalls that block unauthorized network access, safety signage, and legal reviews.

Detective Controls

Detective controls are the next line of defense. These controls are used to flag problems or incidents that your preventive controls weren’t able to stop, so they can be fixed before they start to cause issues for your organization.

Detective controls include audits, budget reviews and reconciliations, inventorying of physical goods and assets, and log monitoring. 

Corrective Controls

When both preventive and detective controls fail and a risk event occurs, organizations use corrective controls to mop up the mess as best as they can. Corrective controls can also be applied to preventive and detective controls to improve them and prevent the same problem from impacting the organization again.

Examples of corrective controls include reviewing the access privileges of current and former members of the organization and revoking them as necessary after a data breach, or installing more secure fencing around a sensitive facility after a break-in and providing any available evidence to the appropriate authorities.

Key controls and secondary controls

When a risk requires multiple layers of controls to mitigate it, the primary, first-line control is known as a key control, while any controls that take over if the key control fails are known as secondary controls.

Putting them all together as a system

Let’s use an example most of us can relate to — aerospace engineering and air travel — to paint a picture of what these three types of controls working in conjunction might look like.

When aerospace engineers set to work designing or improving a new commercial aircraft, they know the stakes are extremely high to prevent any risk events from occurring during flight — the lives of dozens or even hundreds of people could be on the line.

So, they install redundant systems for all of the critical components of the aircraft, from the engines to the landing gear to the flight control computers. That’s an example of putting preventive controls in place, and the redundancies could be considered secondary controls. The sensors in the cockpit and at air traffic control alert the pilots of any errors, allowing them to take the necessary actions. These are detective controls. If an incident does occur, the aerospace engineers use the information they’re able to collect afterwards to make further improvements and hopefully prevent future incidents. Those are corrective controls.

Benefits of embedding controls into risk and compliance processes

Implementing internal compliance controls shouldn’t be viewed as something that can be done in a vacuum. Internal controls are at their most effective when they’re embedded into the business, risk, and compliance processes and programs that they’re intended to protect and augment, and when they work together within those processes. 

Embedding controls into your processes creates an efficient system that meets the demands of compliance management. Controls are the activities that guide, manage, and regulate a process toward a specific objective; embedding them means the control runs as part of the process itself, with risk assessment, oversight, and reporting on the company’s control posture built in rather than bolted on afterwards.

A system that embeds controls into the process is a higher level functioning system that is proactive to risk and can quickly adjust and error-correct when necessary, without a major disruption to the enterprise.

Additionally, centralizing your controls in governance, risk, and compliance software can help you get an eagle’s eye view of your controls landscape and a more granular view mapped to each of your business processes. This can help you quickly glean how effective your controls are, where they could potentially fail, or where gaps that need to be rectified exist.
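As an added illustration (not code from this page or from any GRC product), the following Python sketch shows what linking requirements, controls, evaluations, and evidence looks like when it is done as data rather than as a spreadsheet. Requirements map to controls, controls carry dated test evidence, and one check reports the gaps described above: requirements with no control or no key control, controls with no evidence or stale evidence, and a failed key control with no passing secondary control (control risk that has been realized). All requirement and control identifiers, dates, and evidence records are constructed sample data, not taken from any real framework or system.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Evidence:
    collected_on: date
    passed: bool            # outcome of the control test on that date


@dataclass
class Control:
    control_id: str
    kind: str               # "preventive", "detective" or "corrective"
    key: bool               # True for the first-line (key) control, False for secondary
    max_age_days: int       # evidence older than this is considered stale
    evidence: list = field(default_factory=list)

    def latest(self):
        """Most recent evidence record, or None if the control was never tested."""
        return max(self.evidence, key=lambda e: e.collected_on, default=None)


@dataclass
class Requirement:
    requirement_id: str
    control_ids: list       # controls mapped to this requirement


def find_gaps(requirements, controls, today):
    """Return a sorted list of (gap_type, identifier) tuples."""
    gaps = set()
    for req in requirements:
        mapped = []
        for cid in req.control_ids:
            if cid not in controls:
                gaps.add(("undefined_control", f"{req.requirement_id}->{cid}"))
            else:
                mapped.append(controls[cid])
        if not mapped:
            gaps.add(("unmapped_requirement", req.requirement_id))
            continue
        if not any(c.key for c in mapped):
            gaps.add(("no_key_control", req.requirement_id))
        # Control risk realized: a key control's latest test failed and no
        # secondary control mapped to the same requirement currently passes.
        key_failed = [c for c in mapped if c.key and c.latest() and not c.latest().passed]
        secondary_ok = any(not c.key and c.latest() and c.latest().passed for c in mapped)
        if key_failed and not secondary_ok:
            gaps.add(("requirement_exposed", req.requirement_id))
    for c in controls.values():
        ev = c.latest()
        if ev is None:
            gaps.add(("no_evidence", c.control_id))
        elif (today - ev.collected_on).days > c.max_age_days:
            gaps.add(("stale_evidence", c.control_id))
        elif not ev.passed:
            gaps.add(("failed_test", c.control_id))
    return sorted(gaps)


# Constructed sample data. A fixed "today" keeps the output deterministic.
TODAY = date(2024, 6, 1)

SAMPLE_CONTROLS = {
    "CTL-MFA": Control("CTL-MFA", "preventive", True, 90,
                       [Evidence(date(2024, 5, 20), True)]),
    "CTL-LOGMON": Control("CTL-LOGMON", "detective", False, 30,
                          [Evidence(date(2024, 5, 25), True)]),
    "CTL-VULNSCAN": Control("CTL-VULNSCAN", "detective", True, 30,
                            [Evidence(date(2024, 1, 15), True)]),    # stale
    "CTL-ACCESSREV": Control("CTL-ACCESSREV", "detective", True, 90,
                             [Evidence(date(2024, 3, 1), True),
                              Evidence(date(2024, 5, 28), False)]),  # latest test failed
    "CTL-BACKUP": Control("CTL-BACKUP", "corrective", True, 30),     # never tested
}

SAMPLE_REQUIREMENTS = [
    Requirement("REQ-AUTH", ["CTL-MFA", "CTL-LOGMON"]),          # healthy
    Requirement("REQ-VULN", ["CTL-VULNSCAN"]),                   # stale evidence
    Requirement("REQ-ACCESS", ["CTL-ACCESSREV"]),                # key control failed, no secondary
    Requirement("REQ-RECOVERY", ["CTL-BACKUP", "CTL-MISSING"]),  # references an undefined control
    Requirement("REQ-PRIVACY", []),                              # nothing mapped at all
    Requirement("REQ-SECONDARY-ONLY", ["CTL-LOGMON"]),           # only a secondary control
]


def demo():
    """Gap report for the full sample data set."""
    return find_gaps(SAMPLE_REQUIREMENTS, SAMPLE_CONTROLS, TODAY)


def demo_clean():
    """Gap report for the healthy subset only; should be empty."""
    subset = {k: SAMPLE_CONTROLS[k] for k in ("CTL-MFA", "CTL-LOGMON")}
    return find_gaps([SAMPLE_REQUIREMENTS[0]], subset, TODAY)


if __name__ == "__main__":
    for gap_type, ident in demo():
        print(f"{gap_type:22} {ident}")
```

Running the block prints one line per gap, which is exactly the view the text describes: where a control could fail (failed or stale tests), where evidence is missing, and where a requirement has nothing standing behind it. Hooking the same check up to a ticketing system or a scheduled job is what turns a spreadsheet into an embedded, continuously evaluated control.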

Some of the potential cost benefits to embedding controls into your processes are:

  • Obtaining a more complete or real-time view of your organization’s compliance status.
  • Reducing the time and expense required to conduct audits.
  • Reducing operational costs due to standardized testing, reporting, and documentation.
  • Reducing compliance management costs.
  • Identifying improvements that can be made to your controls.
  • Easily assigning and tracking controls-related initiatives.
  • Automating compliance notifications and reminders.
  • Improving your organization’s overall security.
  • Easier reporting of risk and compliance information to leadership and your board.
  • Streamlining compliance and certification processes.
  • Gaining a clear picture of accountability in your controls and compliance processes.

Risks of not embedding controls into risk and compliance processes 

When controls are not embedded in business processes, organizations are not able to easily identify gaps or problems with their controls program. 

This leads to reactive risk and compliance management. Managing controls becomes a burden rather than a business enabler or a source of strategic opportunity. The current state of the organization’s controls becomes difficult to grasp and visualize enterprise-wide, remediating issues consumes time and staff, teams lose confidence in test results, and operational costs increase.

These issues are felt across the enterprise, and can include:

  • Reputational damage: Control failures due to mismanagement or inefficient compliance processes can lead to risk events like data breaches that cause significant damage to a company’s brand or reputation.
  • Loss of consumer and investor trust: The same controls-related incidents that caused the aforementioned reputational damage can lead to an erosion of trust in consumers and investors alike, leading to …
  • Financial losses: Risk events that lackluster controls fail to prevent can add up in cost. Data breaches cost companies millions of dollars on average, and every hit your reputation takes can lead to customer churn, damaging your bottom line.
  • Legal trouble: Those same risk events could also land you in legal hot water or in court, if they lead to the violation of any laws.
  • Privacy concerns and data breaches: Especially in the realm of information security,  failing to embed controls into your cyber risk management programs and cybersecurity processes can expose you to the risk of a major data breach, which can in turn lead to all of the negative outcomes listed above.
  • Operational inefficiency: Every risk that slips past your controls has the potential to disrupt your operations over both the short- and long-term. 

Common compliance controls frameworks

Implementing controls and ensuring compliance is never an easy lift. It’s a complex process, and it can be difficult to know where or how to get started. Fortunately, many have trod this road before you, and there are numerous resources available.

Here are a few common compliance controls frameworks and resources you can use to get your internal compliance controls program off the ground:

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes the COSO Internal Control - Integrated Framework. It is one of the most commonly used frameworks for designing internal controls processes in use today. As such, we’ll explore it in a little more detail.

The framework relies on five components and 17 principles, all designed to work together as a system:

Control environment: This component focuses on the culture and the “tone at the top” of the organization. It deals with expectations around how people act, integrity and ethics, board independence, structure, authority, and responsibility, and attracting and retaining talent. It relies on five principles:

  • A commitment to integrity and ethical values.
  • A board that is independent of management and oversees development and performance of internal controls.
  • Management is responsible for establishing structures, reporting lines, and appropriate authorities and responsibilities in pursuit of organizational goals — with board oversight.
  • Hiring and retaining competent talent.
  • Holding individuals accountable for their oversight of internal controls.

Risk assessment: Organizations are expected to carry out regular, thorough assessments of the risks that they face. Four principles underpin this component:

  • Clearly outlining objectives, so that risks can be accurately identified.
  • Developing plans to address identified risks.
  • Explicitly considering fraud in every assessment (COSO originated as a framework focused on financial reporting.)
  • Planning for changes that might affect internal controls.

Control activities: Once risk has been assessed, COSO calls for controls to be put in place. This component includes three principles:

  • Developing control activities to mitigate risk to acceptable levels.
  • Selecting and developing general control activities over technology.
  • Deploying control activities through policies and procedures that put them into action.

Information and communication: COSO places a high premium on effective communication and flow of information to relevant stakeholders. This component relies on three principles:

  • Using high-quality information and data to support controls initiatives.
  • Communicating relevant information about internal controls activities.
  • Communication with external entities about internal controls.

Monitoring activities: Finally, the framework requires ongoing monitoring of internal controls. This component includes two principles:

  • Developing and conducting regular, ongoing evaluations of controls effectiveness.
  • Communicating any internal controls deficiencies in a timely manner.

COSO and the Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002, commonly referred to as SOX, is a federal law in the United States that was passed in response to a series of high-profile corporate scandals, including the infamous Enron scandal, that made having effective internal controls, specifically around finance, accounting, and fraud, more important than ever. Most importantly for compliance controls management, SOX Section 404 requires management of regulated companies to assess and report on the effectiveness of their internal control over financial reporting, which in practice means documenting those controls and testing that they work.

Compliance with SOX is mandatory for companies publicly traded in the United States. The COSO framework, with its deep focus on fraud risk, is an effective controls framework for attaining and maintaining SOX compliance.

COBIT

COBIT (Control Objectives for Information and Related Technologies) is another common, globally recognized framework, focused on the governance and management of enterprise IT, including the controls that address IT and cybersecurity risk. Developed by ISACA (formerly the Information Systems Audit and Control Association), its current version is COBIT 2019, which succeeded COBIT 5.

NIST

The NIST Cybersecurity Framework (CSF) from the National Institute of Standards and Technology is another common cyber risk management framework that covers various compliance controls. Its core is organized into functions (identify, protect, detect, respond, and recover, with govern added in CSF 2.0), each broken into categories and subcategories that map to specific internal controls.

ISO 27001 and 31000

These two widely adopted standards from the International Organization for Standardization (ISO) cover enterprise risk management (ISO 31000, a set of guidelines) and information security (ISO 27001, a certifiable standard that specifies requirements for an information security management system). Both address establishing, operating, and improving a risk management program, including the selection, design, and implementation of internal controls.

Unified Compliance and Secure Controls Frameworks

The Unified Compliance Framework (UCF) and the Secure Controls Framework (SCF) are large libraries of compliance requirements and controls. The UCF has a broader focus, encompassing compliance requirements of all kinds, while the SCF focuses solely on information security, data privacy, and cybersecurity controls.

The UCF is sold commercially, while the SCF is free to use. 

Using modern GRC software to manage internal compliance controls

While it’s possible to manage your internal compliance controls program through traditional methods like spreadsheets — organizations have been doing it for years, after all, in the absence of a better solution — doing so can lead to control gaps and noncompliance.

In recent years, advances in GRC technology have seen platforms like LogicGate Risk Cloud emerge, which has made it possible to centralize and automate implementation, management, and monitoring of internal controls. Having a single source of truth for your organization’s controls allows you to streamline audits, avoid control redundancy, automate evidence collection, and improve program efficiency by dynamically linking risks, controls, evaluations, and evidence. All of that makes it significantly easier to embed your compliance controls into your business processes.

Schedule a demo of LogicGate Risk Cloud today to learn how you can drive up the efficiency and effectiveness of your controls compliance program and improve your organization’s overall security.
