Let’s start from the assumption that you have a Continuous Monitoring solution up and running in your environment with all business-critical systems connected. A risk-based assessment of the main authorizations has been conducted, starting from industry-standard rules, and you may have had to correct a number of roles, authorizations and assignments. All your functional authorizations (e.g. SAP roles) are now clear of conflict and you have remediated violating user profiles by reorganizing employee duties and/or segregating user access. You might have also reached a point where, for practical business reasons, no further reorganization and distribution of duties was possible. To close the remediation loop you implemented compensating controls. However, some thought-provoking questions remain:
- What is the best way to manage and mitigate the residual risk of access violations?
- What additional risks do I have with compensating controls?
- What are the main cost drivers behind compensating controls?
- Could I turn these cost drivers into opportunities?
Your Continuous Controls Monitoring solution enables you to monitor authorizations within the ERP and other key applications. Profile assignments of these authorizations are analyzed for critical access and combinations of access following a set of rules. These industry standard rules are typically adapted to your own company business processes and aligned with the enterprise-specific risk objectives.
During the “clean-up” process of highlighted access violations, management has to decide what action to take to resolve the issues in a structured form. This is often an iterative process, starting by fine-tuning the rules to remove false positives or false negatives, and therefore implicitly skewing and adapting the rules to the enterprise-specific risk management scope.
The remaining access violations indicate risks that need to be addressed because they may, for example, provide opportunities to commit fraud or bypass standard business processes. To prevent the worst from happening, the most secure approach is to remove the critical authorization or to segregate the combinations by tasks on role or user level. This process is also called remediation.
Nevertheless, having completed the first remediation round, there typically remain a number of violations where authorizations cannot be removed without impacting regular business activities. For instance, some critical authorization combinations cannot be separated from each other in small organizational units with insufficient people to segregate their business functions. Other examples include administrative and emergency IT support and other SOA (Service Oriented Architecture) business process setup. In some of these cases, management will mitigate (conditionally accept) these access violations.
Whilst not all access violations are suitable candidates for mitigation, it remains a valid measure and should be used where appropriate. However, quite often the business and IT find the mitigation approach to be the easiest and fastest way to resolve most violations. This generates a short-term benefit, but leads to other issues for the business. In the process of mitigating a violation it is most appropriate to implement a Compensating Control.
What is a compensating control and what does it look like?
The main purpose of a compensating control is to provide assurance over an accepted risk identified by another control activity. When mitigating access control issues, the respective control rules in the monitoring system are linked to a compensating control. The violations are therefore excluded from further analysis and considered resolved. The associated risk is not reported and no further action is apparently required. However, is the risk truly mitigated by a compensating control? The risk continues to exist, and whether we can accept it depends on how effectively the compensating control is executed. That is, the risk associated with the critical authorization or combination of authorizations is only mitigated if the right compensating control is selected, executed, reviewed and assessed for effectiveness on a timely basis.
Let’s explore the three main components of compensating controls.
- Control Description
- Execution evidence
- Assessment of design and effectiveness
Control Description – The main purpose of a control description is to provide objective proof and a common understanding of the control design and scope. This formal description enables the assessor to determine the design of the compensating control activity and its risk focus. There is no commonly accepted and unified way to describe a compensating control. However, as a rule of thumb, one should describe the activity in a way that a third-party reader can gain comfort over why this control activity compensates for an accepted risk elsewhere. A simple way to structure the descriptions for compensating controls and improve their transparency follows:
- Background – Process background and flowchart
- Who, What, When and How – Basic and simple activity description
- Error handling – Activities in case issues are identified
- Frequency – Important detail influencing sample size
- Evidence – Location of stored evidence
Execution evidence – For any control activity to be effective, it must execute at a defined frequency and leave a record of execution and a record of completion. Whilst there is no specific requirement on the form of this evidence and/or its location, a proper storage, back-up and archive policy should be defined. This applies to both paper and electronic evidence. Additionally, reasonable assurance must be provided that this evidence is tamper proof, objective, secured, reliable and available for review. Good examples of execution evidence for Compensating Controls include screen-shots, email attestations, PDF documents and hand signed & dated printouts. Such evidence is often required during both internal and external assessments.
Assessment of design and effectiveness – It is understood that the determination of the discounted risk over a mitigated control activity should be matched by the coverage of the compensating control itself. That is, the effectiveness of the compensating control should fully compensate the risk of not executing the associated control activity. Therefore, periodic assessment of this scope and coverage needs to be formalized to anticipate any risk gaps that arise with changing business. A formal periodic review of risk, coverage, execution, completion and evidence of the compensating control is needed to provide the assurance intended by the implemented compensating controls.
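The following added example (not part of the original paper) shows one way a monitoring job could keep a mitigated violation off the report only while its compensating control has a description, execution evidence within its frequency and a current effectiveness assessment. The record layout, control IDs, users and the 90-day assessment interval are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ASSESSMENT_INTERVAL = timedelta(days=90)  # assumption: quarterly review cycle

@dataclass
class Control:  # hypothetical record; field names are assumptions
    description: str                 # control description
    frequency_days: int              # required execution frequency
    last_evidence: Optional[date]    # newest stored execution evidence
    last_assessment: Optional[date]  # last design/effectiveness assessment
    effective: bool = False          # outcome of that assessment

def control_gaps(c: Control, today: date) -> list:
    """Reasons the control cannot currently be relied on (empty = reliable)."""
    gaps = []
    if not c.description.strip():
        gaps.append("no control description")
    if c.last_evidence is None or today - c.last_evidence > timedelta(days=c.frequency_days):
        gaps.append("execution evidence stale")
    if c.last_assessment is None or today - c.last_assessment > ASSESSMENT_INTERVAL:
        gaps.append("assessment overdue")
    elif not c.effective:
        gaps.append("assessed not effective")
    return gaps

def open_risks(violations, controls, today):
    """Return (user, rule, reasons) for every violation that must stay reported."""
    report = []
    for user, rule, control_id in violations:
        control = controls.get(control_id)
        reasons = (["no compensating control linked"] if control is None
                   else control_gaps(control, today))
        if reasons:
            report.append((user, rule, reasons))
    return report

# Constructed sample data (not from any real system).
TODAY = date(2024, 6, 30)
CONTROLS = {
    "CC-01": Control("Monthly vendor-edit report review", 31, date(2024, 6, 20), date(2024, 5, 1), True),
    "CC-02": Control("Quarterly payment reconciliation", 92, date(2024, 1, 15), date(2023, 11, 1), True),
}
VIOLATIONS = [
    ("u1001", "vendor maintenance + procurement", "CC-01"),
    ("u1002", "vendor maintenance + payment run", "CC-02"),
    ("u1003", "vendor maintenance + procurement", None),
]
```

Calling `open_risks(VIOLATIONS, CONTROLS, TODAY)` returns the violations whose risk is not currently covered, each with the reasons why.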
What Are the Main Cost Drivers Behind Compensating Controls?
It should be no surprise that the effort associated with implementing and maintaining compensating controls is an ongoing and specialist task. This is a key reason why the mitigation measure should be avoided in every feasible way when an alternative remediation option exists. The following main cost drivers should be considered:
- Compensating Control management
- Follow-up audits
- Control nature (i.e. Review, Reconciliation, etc.)
- Control purpose (Detective vs. Preventive)
- Automation level
Compensating Control management – In a dynamic environment such as a business, keeping the description documentation, risk objectives, coverage and execution evidence of the compensating controls up to date is usually not trivial. This is especially true if parts of the information are kept in multiple environments. In these cases, auditors and control professionals need to correlate the original risk objective in scope of the business process workflows with the compensating control activity and the evidence of execution and sign-off. Without a robust documentation and reporting process for the use of compensating controls, the likelihood of unexpected surprises in this area during the next audit increases dramatically.
Follow-up audits – Some companies opt for over-using compensating controls instead of redesigning their authorization objects and/or adopting more compliant provisioning processes. This practice requires that companies spend time assessing the effectiveness of the compensating controls. This is a quarterly or bi-yearly effort required by audit. This undermines the argument not to fix the access violation in the first place. What’s more, too much reliance on compensating controls may tilt the assurance balance, resulting in audit comments to mitigate the authorization assignments and remove the compensating control.
Control nature (i.e. Review, Reconciliation, etc.) – Depending on the nature of the compensating control activity and the desired confidence level, a different sample size and assurance process might be needed. In essence, the more reliance is placed on the control, the more laborious the data comparisons and the larger the sample sizes that will be required, and therefore the more time and effort the control activity will require to be effective. For instance, if a vendor-edit report is used as a compensating control for allowing a profile with access to procurement and vendor management, the report scrutiny will be much higher than if the same report is only used as operational evidence of the vendor management process.
Control purpose (Detective vs. Preventive) – By definition, preventive controls are designed to forestall the occurrence of the risky situation in the first place. An example of a preventive activity, in the case of access management, is to disable the capacity to grant access to the supplier master data for the provisioning clerks during the provisioning process. Detective controls, on the other hand, take place after the event. Compensating controls are often detective controls and therefore consideration should be given to the fact that, by the time the compensating control kicks in, a significant irreparable issue (such as reputation or fraud) might have already affected the company.
Automation level – The main advantages of a fully automated controls solution are the capacity to by-pass manual human interaction when processing the control activity and the assurance of complete coverage of the tested population. But even with automated controls, there are constraints to be considered. In the case of access controls, for instance, if the provisioning system is configured to disallow SoD assignments, this fully automated control will not prevent role conflicts down the road if compensating controls are allowed for exceptions.
In a semi-automated control activity, a manual element is present on top of the automation, so two distinct levels of effort must be coordinated to provide the needed assurance. This complexity raises issues of competency, process and resource coordination. For instance, compensating controls are often semi-automated, as in the case of report reconciliation or edit-report validation. This configuration undermines the advantages of fully automated controls.
How To Turn Cost Drivers to Opportunities?
The cost drivers around implementing and managing compensating controls mentioned above can also be turned into cost-saving opportunities. Let’s explore what an ideal cost-effective compensating control may look like:
Compensating Control management – Control description documentation, risk objectives, coverage and execution evidence of the compensating controls are usually not static, not automated and often not kept in the same system. Enabling the functionality to maintain the complete compensating controls documentation in the Continuous Monitoring solution itself is a logical step towards simplification and integrated governance of the Controls infrastructure.
Follow-up audits – Dynamic work-flow-based attestation procedures will optimize the control assessment workload. This is supported by a transparent definition of responsibilities to streamline the delivery of relevant information. Easy and comprehensive progress and status reports help drive action through the system. The result is an augmented continuous monitoring process that sends a strong signal of assurance to external and internal independent reviewers.
Control nature – Based on the business defined risks, a fully automated extraction and analysis of data from the productive environment can eliminate manual labor during the execution of controls. This automated controls environment can flag and automatically report on exceptions to the predefined process rules. This approach also reduces the risk of control deficiencies as it offers 100% coverage and testing of the risk.
Control purpose – A continuous controls automation monitoring solution enables almost real-time extraction, closing the time gap between detective and preventive approaches.
Automation level – An integrated solution that enables implementation of fully automated controls leverages the benefits of automation and avoids the pitfalls of trying to implement and interconnect various stand-alone tools and procedures. This controls model requires a flexible solution able to easily connect, extract and analyze data from various types of productive environments. The investment in expertise, infrastructure and normal process control setup is often split between productive environments, resulting in a significant payback and a substantial decrease of manual labor and control deficiency risks.
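As an added illustration (not part of the original paper) of automated analysis over the full population, the sketch below tests every purchase order for the vendor management and procurement combination mentioned earlier: it flags orders whose creator changed the same vendor's master record shortly beforehand. The extract layouts, user and vendor IDs and the 30-day window are assumptions, and the data is constructed.

```python
from datetime import date, timedelta

# Constructed extracts (not real data). Field layout is an assumption.
# Vendor master changes: (user, vendor, field changed, change date)
VENDOR_CHANGES = [
    ("u1001", "V-500", "bank_account", date(2024, 3, 1)),
    ("u1001", "V-501", "address", date(2024, 3, 2)),
    ("u2002", "V-502", "bank_account", date(2024, 3, 5)),
]
# Purchase orders: (PO number, creator, vendor, creation date)
PURCHASE_ORDERS = [
    ("PO-1", "u1001", "V-500", date(2024, 3, 3)),  # same user, 2 days after edit
    ("PO-2", "u1001", "V-501", date(2024, 6, 1)),  # same user, outside window
    ("PO-3", "u3003", "V-502", date(2024, 3, 6)),  # different user
    ("PO-4", "u1001", "V-500", date(2024, 2, 1)),  # created before the edit
]
MITIGATED_USERS = {"u1001"}  # users whose conflicting access was accepted

def flag_exceptions(changes, orders, mitigated, window_days=30):
    """Test every PO: did its creator edit the same vendor shortly before?"""
    window = timedelta(days=window_days)
    # Index edits by (user, vendor) so each PO needs only one lookup.
    edits = {}
    for user, vendor, field, when in changes:
        edits.setdefault((user, vendor), []).append((when, field))
    exceptions = []
    for po, creator, vendor, created in orders:
        if creator not in mitigated:
            continue  # no accepted conflict, outside this control's scope
        for when, field in edits.get((creator, vendor), []):
            gap = created - when
            if timedelta(0) <= gap <= window:
                exceptions.append((po, creator, vendor, field, gap.days))
    return exceptions
```

Because every order is evaluated rather than a sample, the returned list is the complete set of exceptions for the reviewer to follow up.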
Some critical combinations of authorizations can be accepted due to low business risk; others can be easily remediated by removing part of the access. In rare cases a compensating control can be implemented to mitigate the associated risk of allowing the critical combination needed for the business.
Though Compensating Controls offer less assurance than preventive automated controls, the implementation of Compensating Controls typically consists of an up-to-date description, execution, evidence and attestation of effectiveness. A single technical solution administering both the Continuous Monitoring and the compensating controls is an attractive option to minimize the added risks. The combination of a strong audit trail and robust workflow functionality grants a high degree of assurance. Also, when possible, Compensating Control automation through transactional analysis should be employed to provide better assurance over the process and increased transparency.
To access the paper in a PDF format, click here Closing the Loop on the Remediation Cycle – Managing your Compensating Controls