so on — for enforcement trends that could help the company focus its efforts and highlight new risk scenarios. For example:

Responsibility for partners: A few years after enactment of SOX, regulatory watchers were surprised to discover that the regulatory agencies had held a few companies liable for the actions of their partners or third-party organizations. To respond, some companies began an internal
Chapter 3: Governance: GRC in Action 75
Controls: Tools of governance

Controls are one of the more powerful tools of governance. They encompass all of the actions, processes or physical barriers that direct or guide a resource or person to achieve a desired result. Although there are many methods, they can pretty much all be placed in the following three categories:
Preventative controls: Preventative controls are used to prevent an identified risk scenario from actually occurring. For example, Segregation of Duties (see Chapter 5 for more on that) is a preventative control because, among other things, it seeks to ensure that no one person can establish a vendor relationship and then make a payment to that vendor. Preventative controls are considered to be the most effective controls because they help deter malicious behavior or avoid risks and alert management in a timely fashion.
Detective controls: Detective controls are used to determine if any bad behavior or risk scenario has occurred or is occurring. They are also used to validate that monitored processes — such as payments to vendors, financial reporting, or regulatory compliance — are being performed within certain tolerances. For example, within SAP’s GRC solutions, tolerances for financial reporting can be set so that if one unit reports a drop or increase in net sales that exceeds the set tolerance (“Why are we selling so many shorts in January?”), a report is created and the appropriate personnel are notified so that the response plan can be set into action. Such a variance could indicate a reporting issue (“Actually, one division has transferred a bunch of shorts to another division and someone is labeling those as sales”) and/or a business issue (“We may not be producing enough shorts to meet demand”), and the response addresses whichever turns out to be the case (“We need to label the transfer appropriately and increase shorts production”). These controls are important because they provide information to help a company understand where it is within the risk and compliance spectrum and what actions, if any, should be taken at any given time.
Corrective controls: Corrective controls are policies and procedures that lay out what actions are to be undertaken if a risk scenario occurs (“Why did Bob set up a vendor relationship with a company named Bobcom and then approve a check to be sent to a private residence?”). These provide the methods necessary to correct whatever condition may exist (“We need to talk with Bob”). Within the SoD example, if an individual is found with conflicting roles — establish a vendor and then make a payment (“Bob?”) — that person’s roles are redefined to remove the exception (“Bob, we still need to talk”).
If a net sales tolerance is exceeded and a report is generated, actions such as an internal audit of that particular unit could be undertaken to understand why the tolerance was exceeded, and to justify and document the cause (e.g., more people are buying shorts in January because more people are going on vacation to Florida at that time).
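The three control types in the sidebar, written out as checks a practitioner could run over access and reporting data. This is an added Python example, not code from the book or from SAP's GRC products; the role names, the SoD rule set, the user assignments and the net sales figures are all constructed for illustration.

```python
# Hypothetical SoD rule set: pairs of roles that no single person may hold.
# The vendor-setup / vendor-payment pair is the conflict the sidebar describes.
SOD_CONFLICTS = {
    frozenset({"VENDOR_CREATE", "VENDOR_PAY"}),
    frozenset({"VENDOR_CREATE", "VENDOR_APPROVE_PAYMENT"}),
}
# Constructed sample data: user -> roles held, and net sales per unit for two months.
ASSIGNMENTS = {
    "bob":   ["VENDOR_CREATE", "VENDOR_PAY"],  # can set up a vendor and then pay it
    "alice": ["VENDOR_CREATE"],
    "carol": ["VENDOR_PAY", "REPORT_VIEW"],
}
NET_SALES_DEC = {"north": 100_000, "south": 80_000, "west": 50_000}
NET_SALES_JAN = {"north": 103_000, "south": 130_000, "west": 50_500}

def can_assign(assignments, user, new_role):
    """Preventative control: refuse a role grant that would create an SoD conflict."""
    proposed = set(assignments.get(user, ())) | {new_role}
    return not any(pair <= proposed for pair in SOD_CONFLICTS)

def sod_conflicts(assignments):
    """Detective control: map each user to the conflicting role pairs they already hold."""
    findings = {}
    for user, roles in assignments.items():
        held = set(roles)
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)
        if hits:
            findings[user] = hits
    return findings

def net_sales_exceptions(prior, current, tolerance):
    """Detective control: units whose net sales moved by more than `tolerance` (a fraction)."""
    exceptions = {}
    for unit, prev in prior.items():
        cur = current.get(unit)
        if cur is None or prev == 0:  # no comparable prior figure for this unit
            continue
        change = (cur - prev) / prev
        if abs(change) > tolerance:
            exceptions[unit] = round(change, 3)
    return exceptions

def remediate(assignments, user, role_to_remove):
    """Corrective control: redefine the user's roles; returns any conflicts that remain."""
    assignments[user] = [r for r in assignments[user] if r != role_to_remove]
    return sod_conflicts({user: assignments[user]})

if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS))
    print("Out of tolerance:", net_sales_exceptions(NET_SALES_DEC, NET_SALES_JAN, 0.20))
```

With a 20% tolerance only the "south" unit is reported, and the only SoD finding is Bob's vendor-create plus vendor-pay combination, which `remediate` clears by dropping one of the two roles.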