The Anatomy of a Control

The term control has many varied meanings in the business world. This article addresses controls typically applied in the Financial and Compliance areas, with an overlap into the Information Technology areas, for businesses that have to support a strong control environment. What makes a good control? A good control for the purpose of Sarbanes-Oxley (SOX) or a Service Organization Control (SOC) report can be defined as a formalized set of actions and processes with a planned, specific outcome and the assurance that the outcome is achieved consistently. Having a repeatable and guaranteed outcome is one of the paramount requirements for a SOX or SOC control in business today. The value of a control comes from its assurance that the function it supports is being carried out as desired and designed, repeatedly, each time it operates.

The development of a good control requires attention to all of the various components that make up the control's anatomy. You may, for example, have a car that you maintain well and whose tires you continually rotate and replace in order to keep it safe and running well. However, if you never change the oil, the engine will fail. Likewise, addressing only part of the required components of a control will eventually cause the control to fail to meet its goal. Reviewing and expanding the controls already in place to make sure they include all of the required control anatomy components is a critical function for maturing the control and the control environment within your organization.

Development of a mature control requires some forethought and a number of organizational commitments. Successful Internal Controls Leaders constantly have to shape and drive control environments and processes in order to deliver required SOX or SOC compliance. The control maturity process begins with the analysis of existing controls to see if they include all of the required control anatomy components to meet the needs of the organization.

Components of the Control Anatomy

The anatomy components of a control, just as in the human body, are the basic foundation enabling the control to operate in a planned and repeatable manner with a consistent outcome. These components must exist for the control to operate in a sustainable and reliable manner, providing the expected results and assurances it was designed to accomplish. The primary control anatomy components are the target, trigger, roles, conditions, frequency of operation, monitoring, alerting, and logging.

  • Target - The target of the control is the task, function, or process it provides control and management over. This is the primary function of the control and provides the root functionality. For an optimal control environment, having a single target for any given control is best; however, it is not mandatory. There may be some unique situations where a control has two processes or targets it must support. This should be the outlier and not the normal control design if you need to maintain a good control environment that supports control management and independence. The presence of multiple control targets in a given control also increases the likelihood that one target process functions well while the other does not, failing the overall control when part of it was actually operating as intended. Separating into controls with only one functional target assures pinpoint accuracy in the review of the control functions.
  • Trigger(s) - The trigger(s) are events or actions that occur in the target process that enact some control function, which in turn generates alerting, reporting, or some other implied action or activity. There is normally one trigger event in most controls. As with the target, this is not a hard rule, but when you have multiple trigger events the control environment becomes more complex and requires additional time, resources, and oversight to manage effectively. Just as with multiple targets in a given control, the failure of one trigger will often result in a complete control failure.
  • Roles - The roles identify the person(s) or titles of person(s) who are important to the control's operation, monitoring, and alerting. Effective controls will normally have two roles identified. The primary role is the person, person(s), or role tasked with some performance of the target process the control is designed to support. The second role, and the one often omitted, is the role that supervises or provides control function oversight. This identifies who is responsible for reviewing the normal control operation through observation and assessment of data such as alerts, monitoring, and log reviews.
  • Conditions - The conditions are the set of identified values, normal status standards, or other standards against which the control evaluates the process and its functions. If the conditions are not within tolerance as they relate to the target function, alerting occurs to the identified roles for specific remediation or mitigation actions. Controls may have multiple conditions as a part of their operational requirements. Traditionally, the fewest independent conditions added to the control is best; however, in some complex environments multiple conditions are needed to properly assess whether the target process is being performed as prescribed. Too many conditions make a control overly complex. Too few conditions make a control isolated and its function so narrow that additional compensating or supportive controls are required. Maintaining the proper balance of conditions for a control is a risk- and process-based decision that must be evaluated each time risks or business environments change. Newer controls, those with less maturity, or those in a high-risk area may require fewer conditions and more similar controls to provide assurance that the overall tasks and risks are addressed. As processes, systems, and staff mature, or if risk decreases, there may be opportunity to combine controls with multiple conditions.
  • Frequency - The frequency of the control is the time or repetitive cycle on which the control occurs. For example, a control that functions once a day has a daily frequency and thus exhibits a certain amount of risk. A control with a frequency of 5 minutes would function 288 times in a day, and may represent an increased residual risk level based on the operational frequency alone if the process has variables or manual tasks performed by staff. Controls should have a standard frequency identified and stated as a part of their design. Some controls cannot be defined with a fixed frequency. These are typically the ones that function in a reactionary model, with little ability to predict the absolute frequency; for this type of control the frequency is stated as "as required". When considering control frequency as a part of the overall risk, the concept of "as required" adds complexity to the risk model, because planning for adequate staff/roles to execute and monitor the control becomes a variable that has to be closely monitored.
  • Monitoring - Organizations need to have systems in place to monitor, assess, and review the function of the control in order to understand if it is performing as it should. There are monitoring requirements for control execution and alerting that should be undertaken in order to support the control environment. Control operation has to be monitored in a manner conducive to its operational frequency and the risk involved with the control. Controls that function daily, for example, need a monitoring function that allows operational issues and anomalies to be identified in a timely manner so that remediation or risk mitigation actions can be applied rapidly. Successful monitoring can be performed through manual, automated, or some combination of processes. The important aspect is that the monitoring must include some verification model that allows the reviewer to adequately assess whether the control is functional and working.
  • Alerting - Alerting is the method or manner in which the control provides feedback and notice to the person(s) identified to monitor the control. Normal monitoring of the control operations is different from providing alerting. The alert is some established form of communication or task that provides the intended reviewer with information that one or more of the control conditions failed to hold, thus requiring action and review. An alert can be generated as an email, automated error report, or similar system-generated message. In the IT world, alerts are often generated through a management and monitoring tool whose sole purpose is to assess conditions and provide some level of alerting when they are not met as expected. The key element in alerting for a control is that the role(s) identified to receive the alert must understand what the alert is and what they need to do when they are alerted. It is not sufficient, for example, to have an email alert sent to someone when a condition fails if that person does not monitor or review these emails.
  • Logging - A well-designed control will provide a level of logging that promotes easy review and audit of the control operations and results in accordance with the desired frequency. Oftentimes the logging may be a separate function or a separate system altogether. Logging is a critical component for any audit or review of the control so that it can be evaluated for operational functionality.

Examples of the Control in Action

To better understand how each of these control anatomy components comes together, we can use a mock demonstration. The example below provides an overview of a basic business function and several examples of controls used to achieve assurance that the function is occurring as intended and desired.

Scenario: Tom runs a small business repairing roofs for residential buildings. Tom started the company on his own. As it has grown, he has hired additional roofers and recently hired a receptionist / admin person, John, to help run the office. Tom now spends his time at business meetings and working with clients. He is dependent on John to answer the phone each time a customer calls.

Tom has invested in a phone system with three office lines and an automated voice mail system. This system can generate a daily call report showing the total calls, the time of each call, and whether the call went to voice mail, with the message length. If John is on one line, the phone will roll the call to another and then allow 6 rings before the voice mail system engages and takes a message.

Tom’s Process: Tom has asked John to be sure all calls are answered by the 5th ring.

Initial Control

The initial control implemented is a simple and direct one. The control statement is:

- All calls are answered by the 5th ring.

While this describes the process and identifies the target and the conditions, some key components are missing. This control does not contain the required control anatomy components to support the required action. If we examine the control as stated, there is only a target and a condition component.

  • Target – All calls are answered
  • Condition – by the 5th ring.

This is a typical control weakness many organizations suffer from: using a short policy-like statement as the control itself and relying on this statement alone to achieve the required risk reduction and compliance with required control functions. The missing components in this control statement prevent it from providing assurance that all calls are being answered by the 5th ring. In order to improve the control and make it more mature, we need to implement the control anatomy components that are missing.

Maturing a Control with a Strong Control Anatomy

The mature control will contain all of the key components of the control anatomy so the control has the ability to function and support the required operations as desired. By adding the proper triggers, roles, alerting, frequency, monitoring, and logging to the control, Tom will be able to have assurances the required tasks are handled as they should, or that mitigation and remediation activities are being carried out.

Below is an example of a more mature control for this scenario that includes all of the major anatomy components of the control.

- During normal business hours all office staff members will answer all phone calls by the 5th ring. The phone system is configured to provide daily logs of call times, hold times, and calls that went to voice mail. Daily log files from the phone system are generated, saved, and are emailed to management who are required to review the logs each day to assess if calls are being addressed according to stated requirements. Calls that went to voice mail are highlighted in the report for review.

In this version of the control, we can see the full anatomy of the control. It is supported by the required components to function and provide the assurance needed that calls are being addressed as expected. Breaking down the mature control into the basic anatomy components demonstrates how they are applied:

  • Target - All phone calls are answered by the 5th ring – This is the target process.
  • Trigger - The 5th ring – This sets the trigger event at which the conditions set forward are assessed.
  • Roles - Office staff members answer all phone calls AND reviewed by Management – This identifies the roles of the persons who carry out the control and those who will monitor and assess the alerting as needed.
  • Condition(s) - Answer all phone calls by the 5th ring AND During normal business hours AND all office staff – This portion of the control identifies three conditions in order to provide the clarity for the trigger to function as intended.
  • Frequency - During normal business hours – This identifies the time or frequency of the control. Since no set number of calls can be established, the frequency is "as required" during the normal business hours of operation.
  • Monitoring - Daily log files from the phone system are generated, saved, and are emailed to staff who are required to review the logs each day to assess if calls are being addressed according to stated requirements – This establishes who will perform the initial monitoring of the control and provides guidance on how to monitor the function of the control.
  • Alerting - Calls that went to voice mail are highlighted in the log for review – While in this example there is no automated separate alert, the alerting is included in the monitoring, where we see the role (management) perform a review as a part of the monitoring. If the review reveals calls not answered by the 5th ring (because they went to voice mail), then the report has provided an alert that can be reviewed and appropriate action can be taken to address the issue.
  • Secondary Monitoring - Daily log files from the phone system are generated, saved, and are emailed to management – This establishes that the report is sent to the proper person(s) who will review and assess whether the proper monitoring and reviews are occurring as needed.
  • Logging - Daily log files from the phone system are generated, saved – This provides a saved log file of the data that shows the actions taken on the system. This data contains the call logs, inbound and outbound calls, and all calls that went to voice mail. Reviewing the aspects of the control shows that adequate information is stipulated in the control to provide reasonable assurance, upon review of the log file, that the control can be assessed for operational functionality.

In this example, we have a stated target of answering calls by the 5th ring, we identify who is responsible for the task, what times of day they are expected to complete the task, and how the reporting and monitoring is done. Review processes are included so that if calls are missed, Management can look through the reporting and take action to correct the issues. This simple control encompasses all of the major anatomy components in a manner that provides assurance that the target action or activity will occur as expected, or that management can implement corrective action when it does not.
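As an added example that is not part of the original article, the Python script below walks the mature control's daily review: it evaluates each call in a constructed phone-system log against the conditions (during business hours, answered by the 5th ring), produces the highlighted exception rows that serve as management's alert, and writes the reviewer's attestation record for the logging component. The log column names and the 09:00 to 17:00 business hours are assumptions.

```python
"""Daily review of the phone system call log for Tom's control:
'All office staff answer all calls by the 5th ring during business hours.'
The log format, column names and business hours below are assumptions."""
import csv
from dataclasses import dataclass
from datetime import datetime, time
from io import StringIO

# Constructed sample daily call report (not real data). The phone system
# rolls to voice mail after 6 rings, so voice mail rows show 6 rings.
SAMPLE_LOG = """\
call_id,start_time,line,rings,outcome,message_seconds
1001,2024-03-04T08:45:10,1,3,answered,0
1002,2024-03-04T09:12:33,1,4,answered,0
1003,2024-03-04T09:13:02,2,6,voicemail,42
1004,2024-03-04T11:40:57,1,5,answered,0
1005,2024-03-04T14:05:21,3,7,answered,0
1006,2024-03-04T16:58:09,2,6,voicemail,0
1007,2024-03-04T18:20:44,1,6,voicemail,15
"""

BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)  # condition: business hours
MAX_RINGS = 5                                          # trigger: the 5th ring


@dataclass(frozen=True)
class Finding:
    """One exception row that management must review (the alert)."""
    call_id: str
    start_time: str
    reason: str


def in_business_hours(ts: datetime) -> bool:
    return BUSINESS_START <= ts.time() < BUSINESS_END


def review_call_log(log_text: str) -> list[Finding]:
    """Evaluate every call against the control conditions; return exceptions."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        started = datetime.fromisoformat(row["start_time"])
        if not in_business_hours(started):
            continue  # outside the control's frequency window: not in scope
        rings = int(row["rings"])
        if row["outcome"] == "voicemail":
            findings.append(Finding(row["call_id"], row["start_time"],
                                    "went to voice mail"))
        elif rings > MAX_RINGS:
            findings.append(Finding(row["call_id"], row["start_time"],
                                    f"answered after {rings} rings"))
    return findings


def review_record(findings: list[Finding], reviewer: str, review_date: str) -> dict:
    """Logging component: the reviewer's attestation entry, retained for audit."""
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "exceptions": len(findings),
        "result": "PASS" if not findings else "EXCEPTIONS - action required",
        "call_ids": [f.call_id for f in findings],
    }


if __name__ == "__main__":
    found = review_call_log(SAMPLE_LOG)
    for f in found:  # the highlighted rows in the daily report
        print(f"ALERT call {f.call_id} at {f.start_time}: {f.reason}")
    print(review_record(found, "Tom", "2024-03-04"))
```

Calls 1001 and 1007 fall outside business hours and are out of scope; the review flags 1003, 1005 and 1006, and a day with no findings produces a PASS record.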

While this is a very simplistic version of a control issue, it demonstrates how the various control anatomy components come together to form a complete control solution. Some controls can exist and operate without all of the anatomy components in place, but these normally have some level of other compensating controls or mitigating activities that act in a support role. In the ideal situation, every control would have the full control anatomy suite so that it can stand alone and operate independently of other upstream controls. These considerations become more important in complex business environments where diverse areas of operations depend on one another for operational success and compliance.

The Perfect Anatomy

As humans we are designed with two feet, two legs, two hands, two arms, one torso, one neck, and one head. Having three legs and three feet would be an oddity, one that may work for some, but it would not be considered normal. This holds true of a control anatomy as well. For a control to have balance, it needs a certain number of each of the anatomy components.

The recommended rule of control anatomy is to have one target per control where possible. This keeps the control focused and unique. It also promotes a very effective way to review and test the control, as there is only one key target or task the control has to achieve. When building or improving your controls, keep in mind that a balance and a limited amount of each of the key anatomy components can often ensure the control is as clean and straightforward as it can be.

Sample Mature Control Process with a Full Control Anatomy

When planning a new control, or working to improve an existing control environment, it is important to maintain focus on the balance of anatomy components for each control. The suggestions included below are a good starting point:

  • Target – One target per control is the ideal norm.
  • Trigger(s) – One to two triggers, with a maximum of three; otherwise the combined trigger scenarios become very difficult to assess and evaluate for functionality. This also increases control complexity and tends to make the control more dependent on upstream and downstream functions.
  • Roles – There are always two roles needed at a minimum: the role that performs or is somehow engaged in the target process, and the role of the monitoring or alerting reviewer. In some instances alerting and monitoring can be separate roles with independent functions.
  • Conditions – Conditions can be a big variable in the anatomy. In some instances we have a simple condition of "it worked vs. it didn't work". In some cases we have combined condition sets such as "if this then that but only after this and before that when it's after this time of day on this date if that day was cloudy and too hot for a coat". Too many conditions make it very hard to formulate good analysis of the condition status, and they create a difficult process to review and manage. Excessive triggers or excessive conditions will often place more reliance on upstream and downstream control functions.
  • Frequency – Typically in a control environment there is a one-to-one ratio of frequency to target. Each target will have a standard frequency. While some frequencies may be variable, the overall goal of a frequency statement in the control is to establish the normal expected control cycle and operation requirements.
  • Alerting – Alerting should be based on the number of conditions. Each condition should be mapped or connected to some form of alerting so that when an issue or anomaly occurs the appropriate alert can be initiated and review and corrective action can be taken.
  • Monitoring – To provide an effective control there has to be a level of monitoring of the function and alerting of the control. This is often an overlooked component of the control itself and is carried out as an assumed or otherwise stated business process belonging to the department that owns the control. Incorporating standards for how a control is monitored, and who monitors it, within the control itself will provide stability and longevity to the control function.
  • Logging – Similar to control monitoring, the logging functions are often excluded from the basic control operation and language. Logging is often envisioned as a process carried out by another function, or by separate controls related to some system or IT process. Where applicable, adding it to the control will provide a more robust and centralized control that is self-contained and has a clear audit and review trail. Some needs won't require a logging portion of the anatomy; however, if there is an opportunity to include it, the control will be stronger and easier for reviewers, auditors, and examiners to verify and validate.

Conclusion

No matter what your control environment is like, everyone can benefit from having a well-defined control anatomy and model to work from. In most instances, you can look at your existing controls and see that they may be missing some of these important anatomy components, yet they continue working as they should today. Using the concepts of control anatomy, we can improve and strengthen our existing controls and control environment, making controls more succinct and able to stand independently with less reliance on upstream, downstream, or compensating controls.

I hope this information provides some useful ideas for how you approach control reviews and creation in the future.

Own it, protect it, and make it better!
