Entities should ensure that:
- the controls in place are effective and proportionate to the level of risk to be managed,
- preventative, detective or corrective controls are in place,
- each control has a clearly designated owner who regularly reports on the implementation, testing and effectiveness of the control.
Entities should ensure that risks are periodically reviewed and monitored. Risks are ultimately managed through controls. The success of managing risks relies on the effectiveness of controls and these controls being monitored. The frequency of control reviews should be guided by the nature, velocity and severity of the risks.
The more effective a control is in its design and operation, the greater the assurance that the associated risk is being managed effectively. Reviewing and validating controls provides confidence that the controls in place are operating effectively, and identifies any gaps or deficiencies that need to be rectified.
A control is any process, policy, device, practice or other action that is put in place to regulate or modify the likelihood or consequence of a risk. Controls should be proportionate and commensurate with the nature of the risk being managed and the subsequent consequence. The different types of controls include:
- Preventative: these controls reduce the likelihood of a risk occurring and include procedures, approvals, policies, delegations, separation of duties, technical security solutions and training.
- Detective: these controls aim to identify failures in the current control environment and can include reconciliations, exception reporting, investigations, performance reviews and staff surveys.
- Corrective: these controls modify and mitigate the consequence and/or rectify a failure after it has been discovered and include business continuity plans, continuous improvement actions, crisis management and disaster recovery plans.
Individual controls can have multiple functions. For example, the deterrent effect of a highly visible security camera is a control that is preventative as well as detective.
Control effectiveness is the term used to describe how well a control is reducing or managing the risk it has been designed to modify. The more effective the control is, the greater assurance this provides that the risk is being managed appropriately. The process of control effectiveness testing allows an entity to assure itself that appropriate controls are in place.
Testing the effectiveness of controls involves the periodic and regular review of controls in order to ensure that they are designed correctly and operating effectively (i.e. reducing and managing the risk as expected).
There is some flexibility in how frequently a control is reviewed; however, the regularity of control effectiveness testing could depend on the following factors:
- The critical nature of the control – a risk with severe inherent consequences and a high likelihood may require a more frequent review of its control effectiveness to provide greater assurance that the risk is not realised.
- The risk appetite and tolerance of an entity – the lower the risk appetite and tolerance, the greater the need may be for more frequent control reviews.
- Recent changes to the internal or external operating environment of an entity – these can dictate whether controls are required to be reviewed more frequently in order to provide a greater level of assurance that the relevant risks are being managed effectively. Some examples of internal and external changes to the operating environment that necessitate a review include:
  - A change in accountable authority or significant organisational change
  - A change in government or relevant policies or priorities
  - A new IT system being implemented in the entity
  - A recent turnover in staff resulting in new risk or control owners
  - The emergence of new and emerging risks within the entity’s risk profile.
- Clarify and support a culture of ‘ownership’ of controls to drive accountability and develop risk capability.
- Understand the different data sets that you can draw upon to gather evidence to test the control and review its effectiveness.
- Document the control effectiveness review process and outcomes in order to ensure that there is sufficient evidence to justify any treatments or measures undertaken.
- Prioritising the most critical controls first in any register helps focus attention on them.
- Preventive controls act on causes and corrective controls mitigate consequences. Identifying causes or consequences that do not have a mapped control (or controls) can suggest control gaps or weaknesses.