Testing: Real-time and historical
After the documentation phase, companies then implement control checks,
either preventative checks, such as those that seek out Segregation of Duties
(SoD) violations, or detective checks, which are after-the-fact checks on what
happened (historical) or what’s happening right now (real-time). By automating
both real-time and historical checks, a company can form a clearer idea of
how its business is operating.
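As an added illustration of the two kinds of check described above (not code from the original text), the following script models a small Segregation of Duties conflict matrix, a preventative check that runs before a role is granted, and a detective check that can be fed events one at a time (real-time) or as a bulk log extract (historical). The conflict pairs, role model and event rows are all constructed sample data.

```python
from collections import defaultdict

# Constructed SoD conflict matrix: pairs of duties one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_purchase_order", "receive_goods"}),
}

# Constructed role-to-duty model, the kind an ERP authorization concept would define.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "buyer": {"create_purchase_order"},
    "warehouse": {"receive_goods"},
}


def preventative_sod_check(assigned_roles, new_role):
    """Preventative check, run before a grant: returns the conflict pairs that
    granting new_role would create for this user ([] means the grant is clean)."""
    duties = set().union(*(ROLE_DUTIES[r] for r in assigned_roles))
    duties |= ROLE_DUTIES[new_role]
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= duties)


class SodDetector:
    """Detective check over what actually happened: events are (timestamp, user,
    duty, document_id). observe() is the real-time path and returns any conflict
    the new event completes; scan() replays a historical extract through it."""

    def __init__(self):
        self.duties_by_user = defaultdict(set)
        self.reported = set()  # avoid raising the same finding twice

    def observe(self, event):
        _ts, user, duty, _doc = event
        self.duties_by_user[user].add(duty)
        new = []
        for conflict in SOD_CONFLICTS:
            key = (user, tuple(sorted(conflict)))
            if conflict <= self.duties_by_user[user] and key not in self.reported:
                self.reported.add(key)
                new.append(key)
        return sorted(new)

    def scan(self, events):
        return [f for ev in events for f in self.observe(ev)]


# Constructed audit-log rows: carol both ordered and received on PO-77.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00", "alice", "create_vendor", "V-1001"),
    ("2024-03-01T09:05", "bob", "approve_payment", "V-1001"),
    ("2024-03-02T10:00", "carol", "create_purchase_order", "PO-77"),
    ("2024-03-02T14:30", "carol", "receive_goods", "PO-77"),
]
```

Each finding carries the user and the duty pair, which is the minimum a remediation case needs to record who must investigate it.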
Remediation: Fixing the problem
When an internal control flags an issue — either a control violation or a
control failure — someone must fix it. The control software should automatically
create a case in the system that includes all the details of what happened,
why the case has been created, what control has failed, and who is going to
fix it. The system should ensure that cases are automatically assigned to the
people who are responsible for that business area: the business process
owners as well as the control owners.
When the system creates a case, it should notify the control owner that they
are responsible for investigating the failure, and notify the business process
owner that a problem has been found and that she is now responsible for
fixing it.
Responsibilities for fixing the problem differ depending on what happened
with the control. Investigation of the problem could show that there’s a
control failure instead of a control violation. In the case of a control failure, such
as a control that raises false positives, only the control owner needs to adjust
the control and run it again to make sure it’s working.
In the case of a control violation, the work mainly falls to the business
process owner, who must then fix the problem. When the business process
owner fixes the problem, she records all activities: what she did, how it’s
going to solve the problem, and why it will no longer be an issue. After she
records all of that, she can close the case. She runs the control again and
makes sure that it passes this time.
Analysis: Reports for management
In the analysis phase, managers report on the control environment. The
senior management in charge of compliance (whether it’s the compliance
team, the Chief Financial Officer, Chief Risk Officer or the Compliance Vice