The role of compensating controls in Controls Assurance & Risk Management

Before providing a brief analysis of compensating controls, it is important to first look at internal controls and how they are classified.

Internal controls can be classified in four ways:

  1. Directive controls ensure a particular outcome is achieved. Examples include guidelines, training and incentives.
  2. Preventative controls limit the possibility of an undesirable outcome. Examples include tone at the top, authorization, segregation of duties and password protection.
  3. Corrective or compensating controls correct undesirable outcomes that have occurred or reduce risk to an acceptable level when other controls have failed or are not cost-effective. Examples include close supervision and management review including reviewing cost center reports, personal expense reports, time cards, etc.
  4. Detective controls spot errors, omissions and fraud after the events have taken place. Examples include reconciliations and exception reports.

A compensating control is a type of control activity that is useful when a specific standard control activity is not in place. The compensating control helps reduce the risk arising from the missing control. Also called an alternative control, it is a mechanism put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

When designing compensating controls, the following tips can prove helpful:

  - Documentation: create a formal document which can be reviewed by management. The document should clearly outline the steps necessary to execute the compensating control.
  - Approval: ensure documentation is reviewed on a regular basis and approved by management. Systems, access, people and functionality change constantly, so it’s important to ensure that your control is relevant and serves the purpose it was designed for.
  - Training: ensure appropriate staff are trained. They need to understand the risk, review the procedure documentation and be clear on such things as execution method and timing.
  - Review: periodically review the control to ensure that it’s effective, especially in the first six to twelve months of a new control being in place.

Examples of Compensating Controls

  1. Review a detailed transactions report: A manager may consider performing a high-level review of a detailed report of transactions completed by an employee who performs incompatible duties. Follow-up questions should be asked about any transaction flagged by the manager. Where the detailed transactions report is voluminous, managers may consider prioritizing the types of transactions or accounts to be reviewed. For example, a manager may skim only the report sections that contain high-risk transactions or accounts.
  2. Review a sample of transactions: On a periodic basis, a manager may select a sample of transactions, request the supporting documents and review them to ensure that the transactions are complete, appropriate and accurately processed. In addition to detecting errors, the periodic reviews create a disincentive (that is, they reduce the opportunity) for the person performing the incompatible duties to process unauthorized or fraudulent transactions.
  3. Review system reports: Most applications that support business or office operations have embedded reporting capabilities that generate reports based on predetermined or user-defined criteria. A review of the relevant system exception reports can provide a good compensating control in an environment that lacks adequate segregation of duties. Examples include reports of deleted or duplicated transactions, reports of changes to data sets and reports of transactions exceeding a specific dollar amount.
  4. Perform analytical reviews: Another example of a compensating control is the comparison of different records with predictable relationships and the analysis of any unusual trends identified. For example, a budget vs. actual expenditure comparison, a current year vs. prior year subscription fee analysis, or a comparison of selected asset records to the physical asset count might reveal unusual variances or discrepancies that need to be investigated.
  5. Reassign reconciliation: If there is an opportunity to reassign one activity from the person performing incompatible functions to another employee, a manager may consider reassigning the reconciliation activity. For example, reassigning the bank account reconciliation function to someone other than the person receiving cash and depositing it at the bank could improve the quality of internal controls in the cash receipt process.
  6. Increase supervisory oversight: Other activities a manager may perform as compensating controls are observation and inquiry. Where appropriate, increasing supervisory review through observation of the processes performed in certain functions and through inquiries of employees are good administrative controls that can help identify and address areas of concern.
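The system-report and analytical-review controls in items 3 and 4 above, as an added example that is not part of the original article: a small exception-report generator run over a constructed set of transactions and a constructed budget, flagging duplicate payments, amounts over a threshold, transactions created and approved by the same person (an indicator of incompatible duties), and budget vs. actual variances beyond a tolerance. The `Txn` fields, the threshold and the tolerance are assumptions chosen for the illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """One posted transaction; field set is an assumption for this example."""
    txn_id: str
    vendor: str
    amount: float
    created_by: str
    approved_by: str


# Constructed sample data for the example, not real records.
TRANSACTIONS = [
    Txn("T1", "Acme Ltd", 1200.00, "alice", "bob"),
    Txn("T2", "Acme Ltd", 1200.00, "alice", "bob"),   # same vendor and amount as T1
    Txn("T3", "Globex", 25000.00, "carol", "dave"),   # large payment
    Txn("T4", "Initech", 800.00, "erin", "erin"),     # creator approved own entry
    Txn("T5", "Initech", 640.00, "erin", "frank"),
]
BUDGET = {"sales": 10000.0, "it": 5000.0, "ops": 8000.0}    # constructed plan
ACTUAL = {"sales": 10500.0, "it": 7000.0, "ops": 8000.0}    # constructed spend


def duplicate_report(txns):
    """Flag transactions sharing vendor and amount (possible duplicate payment)."""
    def key(t):
        return (t.vendor, t.amount)
    counts = Counter(key(t) for t in txns)
    return [t.txn_id for t in txns if counts[key(t)] > 1]


def threshold_report(txns, limit):
    """Flag transactions exceeding a specific dollar amount."""
    return [t.txn_id for t in txns if t.amount > limit]


def self_approval_report(txns):
    """Flag transactions where one person both created and approved the entry."""
    return [t.txn_id for t in txns if t.created_by == t.approved_by]


def variance_report(actual, budget, tolerance=0.10):
    """Analytical review: return cost centers whose spend deviates from plan by more than tolerance."""
    flagged = {}
    for cost_center, planned in budget.items():
        spent = actual.get(cost_center, 0.0)
        if planned and abs(spent - planned) / planned > tolerance:
            flagged[cost_center] = round((spent - planned) / planned, 3)
    return flagged
```

Each flagged item is a prompt for the follow-up question the manager is expected to ask, not a conclusion in itself.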

Compensating controls should:

  - Meet the intent of the original control requirement
  - Provide a similar level of assurance
  - Go above and beyond the original control requirement.

The third point above is important. By its nature, a compensating control is never as good as creating a control within the system itself, so the compensating control has more to prove – and must go above and beyond what the system itself could have provided. For example: requiring a second signature on a report is not a good compensating control if the person never actually looks at the details line by line. One should always aim to make the compensating control more rigorous – i.e. the second signatory must not only sign off on the report, but must sign off on every line item, with comments etc.

Conclusion

Effective compensating controls can improve the design of a process that has inadequate segregation of duties and ultimately provide reasonable assurance to managers that the anticipated objective(s) of a process or a department will be achieved.

Shruti Singh

Non Financial Risk Management | Risk in Change | High Performance Teams | Social Leadership

4 years

Very informative with great practical examples, thanks Salman.
