CONTROL FREAKS! Internal Controls and how to make them.

Written By John Paul Tran

Don’t read this - just watch the video!

Who, What, When is an internal control? (Al Gore did not invent this article!)

Sorry,  my fellow  humanities friends, but this is not about the internal expression of your inner poet and deepest feelings! However, properly established and managed, internal controls will go a long way to protecting your organization, not to mention passing audits and maintaining those increasingly important security certifications. 

 Internal Controls refer to the controls a company implements, either to meet a control requirement or to protect the organization from a risk. 

There are three primary types of internal controls:

  1. Administrative -> Policies & procedures

  2. Technical -> Encryption, anti-virus software, vulnerability scanners, identity systems, etc.

  3. Physical -> Doors, Locks, Gates/fences, badge readers, cameras, etc.


Similarly, there are three categories to describe the nature of an Internal Control:

  1. Preventative - A control that prevents an event from occurring

  2. Detective - A control that identifies a risk or potential event

  3. Corrective - A control that ensures or corrects process or behavior

Some internal controls fall into more than one of these categories, but again, why confuse the matter here. 

External auditors evaluate your controls as part of your auditing process. This evaluation will include the manner of implementation or effectiveness of each control and the assurance level, or validating that the control is implemented, usually via some form of evidence request.  The combination of assurance and effectiveness is called “Control Strength.” 

Control Strength is important. If you are getting SOC 2, ISO 27001, CMMC Certification, getting your CMMI Rating, or effectively going through any external, your Control Strength will be part of your success or failure.  

Key Controls: Internal Controls and Risks

As we mentioned before, internal controls are the procedures organizations put into place to contain internal risks. These controls reduce or eliminate internal risk to the organization, noting that it is very rare that a risk can be entirely eliminated. It’s good to keep track of your key controls and map them to your Risk Register, so you know that you have controls in place to manage your internal risk. Similarly, your risks should map to an asset or multiple assets, so you can evaluate where the risk has an impact on the business. Finally, of course, once the asset, risk and controls are connected, you have a pretty full picture of the maturity and effectiveness of your security program. 

Control Owner

It is critical to track the owner of the internal control to ensure that the control is being implemented. However, the Control Owner can be either the team member who is responsible for validating the implementation of the control or the team member who actually implements the control. Either way, the person or group responsible for the implementation of the control must be able to provide validation or “evidence” when required. As such, Control Owners can also be Evidence Owners. The Control Owner and Evidence Owner will be verified during audit, so again, it’s important to track.

How to write an Internal Control? (video)

It’s best to lean on an external auditor for advice on how to write your controls! For one thing, your auditor will evaluate your controls (design effectiveness) and may call out any gaps, so the best advice we give here comes from our own audit expert.

See how easy it is to create internal controls in  C1Risk

Here is the basic formula:

  1. Who is responsible for the Control (implementation and validation)?

  2. How is the control implemented (Design Effectiveness - Auditors look for comprehensive implementation here)?

  3. How often is the control implemented (Assurance - is the frequency of the control sufficient to reduce or eliminate risk, or validate its effectiveness)?

Remember your auditor can be a resource for you. If you’re struggling to write controls, there is some good news. If you’re looking for SOC 2 Certification, your SOC 2 Type 1 Report includes all the internal controls you need, written by your auditor for you. It’s a place to start.

Final thoughts

Ultimately your control design should really depend upon your own internal processes, external regulatory requirements, risk, and company risk policies. 

Ask yourself the following questions:

  1. What are the company assets that you need to protect?

    1. How valuable is each asset?

  2. What are the risks associated with your assets

    1. Which are the highest risk?

  3. What controls do you need in place to protect your assets from the associated risks?

    1. Start with the highest risks and most valuable assets

  4. Do you have any gaps or active issues that need mitigating? 

    1. Add new controls


A final, final thought

Nowadays, even though your audit may only come around once a year, you are required to demonstrate Continuous Security. Just like it sounds, this means ongoing monitoring and evaluation of your security posture, assets, risks, controls and issues. We recommend that you use an affordable, easy-to-use automation platform to ensure you can maintain Continuous Security. C1Risk is the leading solution in today’s market for SMB’s and any size business. 

About Us...

C1Risk offers subscription-based Software and Support Services that are specifically designed for small to mid-size organizations.

Any size business can now take advantage of our subscription service to provide affordable access to cybersecurity management. 

When you subscribe to the C1Risk platform, you can build a risk-first cybersecurity program; track and value your assets, identify your risks, build your governance and compliance requirements and manage any issues or incidents in real-time on our fully automated, Rest API integrated platform.

John Paul Tran
Previous

Separation of Duty: A Case Study on the Value-add of Internal Audits
Next

Control Freaks! SOA Internal Control - Risk Register. Who’s on first?