Safeguarding an organization’s financial and physical assets requires careful consideration of a complex set of factors. For finance leaders who also oversee the protection of information technology infrastructure, the complexity of decision-making increases substantially.
In their role as protectors of organizational assets and systems from fraud, theft and intrusion, finance executives frequently fixate on prevention, and rightfully so. But what happens when preventive controls fail?
For maximum effectiveness, a comprehensive internal control program should include both preventive and detective controls. To find the right ratio of preventive to detective controls for a specific organization, finance leaders should regularly engage their leadership teams in discussions about controls. A fundamental understanding of controls and options, as well as familiarity with benchmarking data on this issue, provides a useful starting point for these conversations.
Types of internal controls
Preventive controls include all activities designed to stop errors, irregularities, fraud and other unwanted events before they happen. Multi-factor authentication and digital bank tokens that issue one-time passwords for employees to access corporate bank accounts are common examples. In the IT context, firewalls, access rules and data-loss prevention applications are employed to prevent security breaches and data theft.
But sometimes, even the strongest defenses are not enough.
A complementary set of detective controls, such as frequent bank account reconciliations by accounting staff and systems that detect and track irregular network behavior, should be in place and ready to respond swiftly when an adverse event occurs. These detective controls pinpoint the problem, notify the proper parties about the loss, damage, or breach and help limit the fallout.
Benchmarking internal controls
Based on benchmarking data collected from nearly 500 organizations, the American Productivity & Quality Center finds that the percentage of primary financial controls that are detective in nature varies greatly by company and industry. At the median, 38.2% of internal financial controls are detective. Companies at the 75th percentile report that, on average, detective controls make up half of all internal financial controls. At the 25th percentile, the average percentage of detective controls is 28.6%.
Although reviewing this data is worthwhile, finance leaders should be aware that these percentages do not represent higher or lower levels of performance. They are not intended to be used for comparison. Rather, every organization must determine what mix of internal controls provides an effective level of risk management and detection of irregularities and loss, based on context-specific considerations.
A cautious approach to detective controls
Because detective controls act only once an adverse event has already occurred, a control environment that relies too heavily on them can increase an organization’s susceptibility to fraud and errors in finance and to cyberattacks in the IT context. Additionally, detective controls typically require human verification of the problems the control systems flag, action to stop the undesirable activity and corrective measures to remediate the consequences.
When comparing levels of upfront effort and investment, detective controls are usually less intensive to implement than preventive controls. But the costs (in time and money) to mitigate an adverse event once it has occurred may far surpass the investment required to develop and implement a comprehensive set of controls to safeguard assets and systems at the outset.
Finding the right mix
With these considerations in mind, finance executives and leaders charged with safeguarding IT infrastructure can intelligently discuss other factors that might influence the appropriate mix of preventive and detective controls for their organizations. These factors typically include risk tolerance, regulatory and compliance requirements, stakeholder expectations, operational complexity, the organization’s history of fraud or error, and internal technology capabilities.
Importantly, once made, decisions about internal controls should never be thought of as “final.” Finance leaders can guide leadership teams in revisiting the internal control program regularly to assess effectiveness and reconsider the control mix based on changes in relevant conditions both inside and outside the organization.