When considering controls, including Segregation of Duties (SoD), it’s important to focus on what we’re trying to achieve. The University of Toronto’s Internal Audit website defines a control as “any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization’s objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.” There are four main types of controls: preventative, detective, compensating, and steering. This article focuses on compensating controls.
To reduce the risk of fraud and operational errors, most organizations define Segregation of Duties (SoD) policies, then implement detective controls that identify anybody whose combination of application access enables them to violate the SoD rules. Ideally, they also implement preventative controls that stop people from being granted access that breaches the policies.
But resource limitations, such as technical or staffing constraints, mean that it’s not always possible to achieve perfect SoD. Where this is the case, you can use compensating controls to mitigate the risk incurred when a single user must hold several conflicting duties. This type of control offers an alternative means of providing the “reasonable assurance” that we need.
Here’s an example of where a compensating control is required:
A single user has access to and performs the tasks of accepting cash payments and recording the payments. Due to the nature of the business, and for efficiency, the same user performs both tasks. To prevent fraud, oversight is required. So, we need a compensating control – for example, we may specify that a second user must perform a reconciliation, reviewing the cash against the recorded transactions.
Compensating controls should:
This third point is important. By its nature, a compensating control is never as good as creating a control within the system itself, so the compensating control has more to prove – and must go above and beyond what the system itself could have provided. For example: requiring a second signature on a report is not a good compensating control if the person never actually looks at the details line by line. So, you should always aim to make the compensating control more rigorous – i.e. the second signatory must not only sign off on the report, but must sign off on every line item, with comments etc.
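As an added illustration, not Pathlock’s code or the article’s own, the Python below runs the detective check described above over constructed entitlement data, then grades each conflict’s documented compensating control by the criteria just discussed: the reviewer must be a second person, and the review must cover every line item rather than a report-level signature. The rule names, users, duties and reviewers are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed SoD rules: each names two duties one person must not hold together.
SOD_RULES = {
    "cash-handling": ("accept_cash_payments", "record_cash_payments"),
    "vendor-payment": ("create_vendor", "approve_vendor_invoice"),
}

# Constructed entitlements: application duties currently granted to each user.
ENTITLEMENTS = {
    "alice": {"accept_cash_payments", "record_cash_payments"},
    "bob":   {"create_vendor"},
    "carol": {"create_vendor", "approve_vendor_invoice"},
    "erin":  {"accept_cash_payments", "record_cash_payments"},
}

@dataclass
class CompensatingControl:
    rule: str               # SoD rule the control mitigates
    user: str               # user who holds the conflicting duties
    reviewer: str           # person performing the independent review
    line_item_review: bool  # True if every line is signed off, not just the report

# Constructed register of documented mitigations.
CONTROLS = [
    CompensatingControl("cash-handling", "alice", "dave", line_item_review=True),
    CompensatingControl("vendor-payment", "carol", "carol", line_item_review=True),
]

def find_violations(entitlements, rules):
    """Detective control: list (user, rule) pairs where a user holds both duties."""
    return [(user, rule)
            for user, duties in entitlements.items()
            for rule, (a, b) in rules.items()
            if a in duties and b in duties]

def mitigation_status(violation, controls):
    """Grade the compensating control recorded for one violation, if any."""
    user, rule = violation
    for c in controls:
        if c.rule == rule and c.user == user:
            if c.reviewer == user:
                return "invalid: reviewer is the conflicted user"
            if not c.line_item_review:
                return "weak: report-level sign-off only"
            return f"mitigated by {c.reviewer}"
    return "unmitigated"

def sod_report(entitlements=ENTITLEMENTS, rules=SOD_RULES, controls=CONTROLS):
    """Map each 'user/rule' conflict to its mitigation status for audit reporting."""
    return {f"{u}/{r}": mitigation_status((u, r), controls)
            for u, r in find_violations(entitlements, rules)}
```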
Be mindful that compensating controls are a stopgap and not an ideal end state. Wherever possible, consider using other types of controls, such as preventative controls, which may be more rigorous and more cost effective because they require fewer resources.
Specialized tools can help. Pathlock’s auditing solutions flag conflicts and violations, and provide the ability to note mitigations and report on the associated compensating controls.