urgently calls for a swift segregation of duties to mitigate risk. However, the
business process owner may believe that there is a legitimate need for the
dual responsibility. (Their concerns can be reconciled, as we’ll see later in
this chapter.)
Controls encompass all the actions, processes, or physical barriers that
direct or guide a resource to achieve a desired result. Often they prevent,
detect, or correct risks from becoming barriers to success. Here are some
different types of controls:
Preventative controls: These controls prevent a bad event from happening.
For example, a company may use a private network to ensure that
company data is not exposed to public networks.
Detective controls: These controls determine whether a bad event has
already happened. For example, when a bank statement is received, it is
reconciled to the customer’s records to detect processing errors by the
bank or customer.
Corrective controls: These controls come into play once a problem is
discovered. An example would be removing access from users who have
excessive privileges or executing a backup and recovery plan after a
physical disaster has occurred.
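The three control types above, applied to the segregation-of-duties problem this chapter opened with, as an added example (not from the book): a detective check that finds users holding conflicting privileges, a preventative check that refuses a grant which would create an unapproved conflict, and a corrective plan that names the privilege to revoke. The rules, user assignments, and the documented exception for a business-owner-approved dual responsibility are all constructed sample data.

```python
# Constructed sample SoD rules: two privileges one person should not hold together.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
}

# Constructed sample assignments: user -> privileges currently held.
ASSIGNMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"post_journal"},
    "carol": {"approve_journal", "approve_payment"},
}

# Approved exceptions: the business process owner has documented a legitimate
# need for the dual responsibility, so the conflict is accepted and monitored
# rather than removed.
EXCEPTIONS = {("alice", frozenset({"create_vendor", "approve_payment"}))}


def detect_conflicts(assignments, rules=SOD_RULES):
    """Detective control: list every (user, rule) where the user holds both sides."""
    found = []
    for user, privs in sorted(assignments.items()):
        for rule in sorted(rules, key=sorted):
            if rule <= privs:
                found.append((user, rule))
    return found


def assignment_allowed(user, new_priv, assignments, rules=SOD_RULES, exceptions=EXCEPTIONS):
    """Preventative control: refuse a grant that would create an unapproved conflict."""
    would_hold = assignments.get(user, set()) | {new_priv}
    for rule in rules:
        if new_priv in rule and rule <= would_hold and (user, rule) not in exceptions:
            return False
    return True


def corrective_plan(assignments, rules=SOD_RULES, exceptions=EXCEPTIONS):
    """Corrective control: for each unapproved conflict, name the privilege to revoke.
    Constructed policy: keep the approval-side privilege and revoke the other."""
    plan = []
    for user, rule in detect_conflicts(assignments, rules):
        if (user, rule) in exceptions:
            continue
        candidates = [p for p in sorted(rule) if not p.startswith("approve_")] or sorted(rule)
        plan.append((user, candidates[0]))
    return plan
```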
The adoption of good internal controls in order to become SOX- (or regulation-)
compliant is a top-down process that starts with management. Management
recognizes that the regulations exist and cannot be ignored. They select a team
to define how the regulations, including the attendant standards and practices,
will be implemented as controls in the company. Control owners and business
process owners work out how to incorporate these regulations into the
business through automated controls.
After the controls become woven into the fabric of the company — sweeping
strategically across processes, locations, and systems — they help close off
avenues of risk. Companies may then enjoy such happy side-effects as
preventing unintentional errors, improving efficiency, and keeping auditors
smiling and building shareholder value in the process.
Exploring the Benefits of Better Controls
Companies have processes. These processes contain risks, which are
barriers to success and avenues for fraud and negligence. Therefore, companies
must have controls. Nowadays, with the compliance requirements of
regulations such as SOX, companies are trying to be more proactive about their
controls. Being more proactive about controls requires effort and input, but
also has many benefits.
128 Part II: Diving into GRC