PR1-GENERAL CONTROLS, POLICIES & PROCEDURES

 
An organization should establish a mix of preventative and corrective controls, policies and procedures to address risks and other program objectives. Management should indicate specific accountability and criteria for successful operation of the controls. These controls should be implemented, managed and monitored.

There are two primary types of controls:

> Preventive Controls deter or prevent undesirable events from occurring and should be designed to discourage errors or irregularities. These are proactive controls that help to prevent a loss.

> Detective Controls detect undesirable events which have occurred and should be designed to identify an error or irregularity after it has occurred. These controls do not typically prevent a loss from occurring.

There are several other types of controls that management may define or employ:

> Directive Controls cause or encourage a desirable event or behavior to occur and typically include written policies, procedures, training, job descriptions, compensation plans, performance evaluations and the like.

> Corrective Controls correct undesirable events after they occur. These controls are designed to return the system to a trustworthy state after a loss has occurred.

> Compensating Controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated.

Principles
> Mix of preventative, detective and corrective controls
> Monitored and updated for continued relevance
> Understandable
> Multi-dimensional


Business Objectives
  • To ensure that the organization has established procedures and controls to prevent and detect criminal or noncompliant conduct
  • To establish the entity's expectations regarding specific compliance and ethics activities
Considerations
  • The size and formality of the entity may affect the design and implementation of policies and procedures
Critical Success Factors
  • Tailoring policies and procedures to target audience knowledge level, education, and cultural biases
  • Use of simple language and avoidance of "legalese"