Small cracks in financial control processes rarely draw much attention. Despite being important aspects of information security, maintaining proper access rights and timely approvals are often seen as routine activities by IT and finance teams. Yet many cyber incidents trace back to weaknesses in access and governance, the same areas where control violations tend to surface. Such lapses can offer early clues about where safeguards may be weakening, even if they are not commonly viewed through a cybersecurity lens.
The latest global benchmarking data from the American Productivity & Quality Center illustrates how common these issues are. The median organization reports about six control violations for every 1,000 business entity employees, and the number rises to nearly 14, on average, for those in the 75th percentile.
The volume may be modest, but each violation marks a point where the process did not work as intended. Together they form a pattern that can reveal more about an organization’s exposure than many leaders realize.
APQC research shows that organizations with stronger cybersecurity readiness closely watch how controls in key functions perform in everyday work. Finance leaders work with risk and compliance teams to use enterprise risk management as a framework for understanding where weak points are forming and how they may affect the business. Financial control violations are part of that view. When the number rises or clusters in certain areas, it signals that risk is shifting. Finance leaders can use those signals to link small breakdowns to broader vulnerabilities and act before the costs escalate.
Emerging risks
APQC’s new cybersecurity and enterprise risk management integration research, based on data from 5,000 organizations globally, reinforces why early signs, ranging from minor control violations to shadow data and systems, deserve more attention. Using ERM as a structure for building more holistic risk routines and dashboards, organizations with high integration maturity increase visibility into processes and controls to help leaders identify weak points before they widen.
A little less than half of organizations have integrated ERM with business functions to manage risks, and about 40% report some level of integration between cybersecurity and ERM, a sign that many are working to connect operational observations with broader assessments of risk. Control violations contribute to that effort by showing where responsibilities may be unclear or where policies and practices are falling out of sync. For finance leaders who sit close to many of the processes where these issues appear, the patterns can prompt important questions:
- Are duties concentrated in ways that create vulnerability?
- Is access drifting beyond what is needed?
- Is a process changing without controls keeping pace?
By bringing these observations into ERM discussions, finance leaders help sharpen the organization’s view of emerging risks and strengthen its ability to act before a minor breakdown becomes a costly incident.
Putting the insight to work
For finance and accounting leaders, part of the value of tracking control violations lies in what the patterns reveal. The numbers alone will not explain why a control failed or how serious the weakness may be. But when those patterns are viewed alongside changes in the business, they can help point out places where more attention is needed.
- Look for where violations cluster. Concentrations of failures can indicate that a process no longer fits the work or that responsibilities are unclear.
- Bring these patterns into ERM conversations. Control violations, whether financial or in other key functions, can add context to risk assessments and help clarify where accountability should sit as the business evolves.
- Strengthen the routines that support reliable controls. Clearer approval paths, more frequent access reviews and updated process steps can improve both financial governance and the organization’s broader cyber readiness.
Cybersecurity risk is often described as a technical problem, but many of the factors that shape it are embedded in daily work. Control violations are among those factors. They can reveal where exposure may be quietly expanding. APQC’s research shows that organizations with stronger cybersecurity preparedness understand this connection and use ERM to bring those process insights into focus.
Finance leaders can start by treating control-violation trends as part of a broader risk story. When viewed through that lens, small breakdowns stop looking like administrative cleanup and start looking like early warnings. That shift in perspective can help organizations respond sooner, strengthen their defenses and reduce the chances of a costly cyber incident in the future.