The first posting I did on this subject was to provide an understanding that, despite the news stories, the insider threat is a very real threat and needs to be addressed. However, what is an organization to do? Employees and others need to have access to certain information in order to get their jobs done. What steps should an organization take to minimize the insider threat?
First, I need to be very clear about this. Even when you do all of what I recommend, you are only minimizing the insider threat. The insider threat can never be totally mitigated. Insiders must have access to information that the general public or even you business partners do not have access. As a result, should an employee get sloppy with controls or go “rogue,” you can expect to lose whatever information that person had access. Remember my mantra – security is not perfect.
I posted some ideas a while back on controls for automation. Here are my minimum recommendations for manual controls to put into place to minimize the insider threat.
- Management needs to recognize the importance of management controls. The “tone at the top” really does mean something when it comes to controls. However, management needs to understand that these sorts of controls are no absolute guarantee of avoiding issues. Properly implemented, monitored and adjusted as necessary, such a control environment will confirm to the rest of the organization that management believes that controls are important. If management does not know what to do regarding management controls, then they should consult with a public accounting firm as they are very aware of control environments and can assist in the design of a control environment.
- Preventive controls. Preventative controls, as their name implies, put in place something to prevent a problem. A prime example of a manual preventive control is requiring a minimum of two signatures on checks. The larger the amount on the check, the more people that have to sign off on the check. Under such an approach multiple people have to collude to defraud the system. This sort of approach can also be taken for report reviews of inventory, cash on hand and any other metrics that are important to the survival of the organization. The idea is to ensure that at least two people are involved in these reviews and that they physically sign off on their review and document and start an investigation into any irregularities.
- Detective controls. As the name implies, detective controls are controls used to detect problems. Following the example in preventative controls, the other people signing off on a check or reviewing a critical metric report is a detective control. If the reviewer feels that something is not right with what they are reviewing, they are obligated to notify their immediate supervisor of the issue and ask the submitter to physically document the situation. Once documented, the reviewer can then either sign off and accept the explanation, or refuse and further investigate.
- Corrective controls. Corrective controls are those controls used to ensure that the preventative and detective controls are focused on the right problems and are going to be able to be relied upon going forward. Keeping to the theme, in the event of an irregularity being identified, management should then institute a root cause analysis and determine what caused the situation and make the necessary changes to the preventative and detective controls to ensure that people do not try to circumvent the control environment.
- Hold employees responsible for the control environment. Management may be responsible for establishing controls, but it is the employees that make the control environment actually work. Employees should have their key controls evaluated at least annually to reinforce the importance of controls. In our check example, the people signing off on checks should be evaluated on how many checks with problems are issued by the organization that they were required to sign.
- Solicit control improvement ideas from employees. The problem most organizations have with management controls is keeping them relevant. A common example we see is a problem that occurred ten years ago has been addressed by automated controls in a new computer system, yet management continues to require the manual control to be followed. Most of the time, employees know exactly what needs to be done, but management does not want to recognize that fact.
- Have a third party periodically assess your controls. In addition to employees providing ideas, organizations should periodically invite a third party, such as their accounting firm, to assess the control environment and recommend changes. A number of years ago I worked with a large organization where we discovered that the way one of their computer systems had recently been modified, checks could be generated and bypass approvals and oversight.
For those of you that are going to recommend these minimum controls, my heart goes out to you. The road ahead is likely to be very bumpy and contentious if your organization has a mediocre control environment.
Something to share with management as you push this sort of project is that there are very measureable benefits to implementing controls. Every organization that I have worked with over the years has found that a byproduct of their controls projects has been fewer customer complaints and fewer employee screw ups. Avoiding problems or making them smaller and less impactful on customers can add up to serious savings in time and money.
If you have a mature control environment, take a look at how you can make them better, more effective and more relevant. If you do not have a mature control environment, then take baby steps. Look to your accounting area as they will likely have the most robust control environment. Grab one of those accountants and use them to help you look at other areas that may have problems that controls can address.
Best of luck to all of you on your journey.