How to Set Up and Monitor Internal Controls to Ensure Compliance

Best practices for setting up a framework of internal controls and their practical implementation with specialized software.

The term “controls,” originally used in the GRC (Governance, Risk, Compliance) domain to describe mechanisms for managing risks and ensuring compliance, is now applied more broadly to strategic planning.

Infographic: Implementing 5 Core Internal Control Elements for GRC

In this article, we’ll share best practices for setting up controls and their practical use.

Introduction to Internal Controls

In essence, a “control” is a response or prevention mechanism used to manage risk and ensure compliance.

Example control: “Employee left company”

  • Action plan: Redirect emails
  • Action plan: Notify customers
  • Effectiveness metric: Logins disabled [Evidence-Driven]
  • Effectiveness metric: % of customers notified
  • Risk: Disruption of Workflow
Automating Internal Controls with Functional Scorecards

Components of Control

Controls have specific components:

Implementation Example

From the automation perspective, a control might be:

  • As simple as an action plan with aligned progress metrics or
  • As complex as a hierarchical set of controls and sub-controls, each with its own set of metrics, risk estimations, mitigation plans, contextual dependencies, and owners.

Controls have specific application areas, defining when certain controls should be activated.

Let’s explore the tools we can use for implementing controls in strategic planning.

1. Definition of Control

At the initial stage, our goal is to properly map the past experiences of the management team into controls or formal response mechanisms.

General Properties

The basics of identifying a control include giving it a meaningful name and explaining its purpose in the description. Define:

  • Conditions that trigger the control,
  • Scope of the control.
Implementation Example

In BSC Designer:

  1. Use the Add button to create a new item.
  2. Identify the control via the name and description fields.
  3. Cross-link the control with relevant past goals, events, or regulatory requirements.
How to Describe Goals and Indicators in a Scorecard
Strategy Cascading or Alignment on Practical Level

Supporting Documentation

More complex controls require supporting documentation, such as policies and procedures. Link to the relevant documents or upload them to the control.
Implementation Example

In BSC Designer:

  • Add documents to a control via the Description dialog.
  • Add documents to the control’s action plan via the Initiatives dialog.
How to Describe Goals and Indicators in a Scorecard

Custom Properties

Organizations follow their own standards of control definition, implying specific properties for controls or associated action plans.
Implementation Example

In BSC Designer:

  • Define required properties of controls via custom fields.
  • The new fields will be available for controls, metrics, and initiatives.
How to Define Custom Fields for a KPI or Initiative on the Scorecard

Ownership

Most controls require some level of human intervention. Even if a control is set to run autonomously, oversight remains essential.
Implementation Example

For example, software maintainability controls may automate updates, but an IT specialist is needed to resolve conflicts if an update fails.

In BSC Designer:

  1. Add responsible persons for the control as users; assign the person to a team.
  2. Assign the person or team as the owner of the control via the Owner field.

Owners will receive notifications relevant to the control.

Assign Owners for Goals, KPIs, and Initiatives to Ensure Accountability

Certification / Approval

To complete the definition of a control or indicator, formal certification or approval might be required. Management attests that the internal control is compliant with regulatory and internal requirements.
Implementation Example

In BSC Designer:

  • Use custom fields to define properties of control such as “Certification state” and “Certified by.”
  • When attesting the controls, the management team can update these properties.
  • Use filters in reports to identify controls without proper certification.
How to Define Custom Fields for a KPI or Initiative on the Scorecard

To disable an uncertified control but keep it in the scorecard:

  1. Select a control.
  2. Switch to the Performance tab.
  3. Activate the Raw data indicator checkbox.

Alignment of Controls

Controls do not exist in isolation. Establish necessary contextual connections between various controls, goals, risks, and events. As discussed in the Strategy Implementation System, controls are implemented in strategy via functional scorecards.
Implementation Example

In BSC Designer:

  • Copy and paste items between scorecards.
  • When prompted, use the connection by context option to link two items.
Strategy Cascading or Alignment on Practical Level

Catalog of Controls

For repetitive controls, create a library of controls. In the case of a certain event, you can easily deploy a control by copying it from the library.
Implementation Example

In BSC Designer:

  1. Create a scorecard dedicated to controls.
  2. Use a hierarchical structure to organize controls.
  3. When needed, copy the control to the active scorecard.
Automating Internal Controls with Functional Scorecards

2. Quantification of Controls

Effectiveness Metrics

Using metrics for the controls makes the control more specific and avoids different interpretations. Define metrics to track:

  • Adherence to the standards
  • Effectiveness of the control
  • Progress of action plans
Implementation Example

For example, in incident reporting:

  • The efficiency metric might be the “% of personnel trained in incident reporting.”
  • The effectiveness metric might be “% of incidents not communicated properly.”

In BSC Designer:

  • Use the Add button to add metrics inside the Control item.

Overall Performance

When the effectiveness metrics are defined for the control, the total effectiveness of the application of control can be calculated using the weighted average of the performance of individual metrics.
Implementation Example

In BSC Designer:

  1. Select a metric
  2. Switch to the Performance tab
  3. Change the weight of the metric

The performance/progress of the control will be displayed in the corresponding column.

Creating an Index Indicator with Weighted Metrics

Efficiency Metrics

Depending on the context, use leading metrics. Unlike lagging metrics, leading metrics do not contribute to the overall performance of the control directly, but they offer valuable insight into the efficiency of the control.

Implementation Example

In BSC Designer:

  1. Select a metric
  2. Switch to the Context
  3. Change the type of the metric to Leading
Leading vs. Lagging Indicators in BSC Designer

Risk Estimation

A control can include a risk definition or be aligned with risks from a risk register.

Risk estimation can be:

  • A trigger for the execution of the control or
  • A condition for selecting a certain course of action.
Implementation Example

In BSC Designer:

  1. Create a new indicator
  2. Change its type to ‘Risk’
  3. Update risk Probability and Impact indicators
Steps to Add a Risk to an Objective in BSC Designer

Binary Control

The possible states of binary indicators:

  • Unassigned – the part of the control was not executed yet
  • Yes – to indicate that the part of control was executed successfully
  • No – to indicate that the part of control wasn’t executed successfully
Implementation Example

Example: “Business continuity plan updated taking into account a newly identified threat” can be automated with a binary indicator.

In BSC Designer:

  1. Select an indicator
  2. Switch to the ‘General’ tab
  3. Change its measurement units to “Yes/No”
Binary Indicators: An Example of Usage for Internal Controls

Qualitative Control

Qualitative indicators are used for the controls when a more specific quantitative estimation is not developed yet, or it is not cost-effective to develop one.

Implementation Example

Example: a control Policy Management and Communication can be assessed with a qualitative metric Effectiveness of Communicating Compliance Policies with possible states:

  • Highly Effective (100): Employees clearly understand compliance policies.
  • Moderately Effective (60): Some employees understand the policies.
  • Ineffective (10): Employees are generally unaware of policies.

In BSC Designer:

  1. Select an indicator
  2. Click the Edit button next to the measurement units to add custom measurement units
Using Qualitative and Quantitative Measurement Units on Scorecards

Quantitative Control

For making the controls more specific, quantitative or numeric indicators are used. For quantitative indicators we can define their performance formula, e.g., how the current state of an indicator impacts the output performance.

Implementation Example

Example: to assess the effectiveness of the implementation of a specific control, we do an internal audit to track the % of Policy Compliance. In this case, the performance formula is linear maximization, with target = 100%. Another example is a Mean Time to Detect metric, configured as linear minimization with a target of 24 hours.

In BSC Designer:

  • Switch to the ‘Performance’ tab to define the performance function.
  • Switch to the ‘Data’ tab to define the indicator’s current state, baseline, and target.
Practical Use of the Optimization Function for KPIs in BSC Designer

Evidence-Driven Control

Evidence indicators will change their state according to the number of uploaded documents/evidences.

Implementation Example

For example, backup and recovery test control might require uploading test results or logs as proof of successful execution of the control.

In BSC Designer:

  1. Select an indicator
  2. Change its measurement units to Evidence
  3. Upload a document to the indicator to change its state
Automate Evidence Tracking in a GRC Scorecard with Controls
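The sections above describe the arithmetic behind a control's score without showing it: linear maximization and minimization for quantitative metrics, Yes/No for binary ones, a named scale for qualitative ones, a document count for evidence-driven ones, and a weighted average over the lagging metrics (leading metrics stay informational). The following is an added example, not BSC Designer's code; the control, its metric names, weights, baselines, current values, and the rule that an evidence metric reaches 100% once the required number of documents is uploaded are all constructed assumptions.

```python
# Added example (not BSC Designer's code): scoring a control from its metrics
# using the rules described in the article. Control, metric names, weights,
# baselines and current values are all constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Qualitative scale from the article's "Effectiveness of Communicating
# Compliance Policies" example: state name -> performance score.
QUALITATIVE_SCALE: Dict[str, float] = {
    "Highly Effective": 100.0,
    "Moderately Effective": 60.0,
    "Ineffective": 10.0,
}


def clamp(x: float) -> float:
    """Keep a performance value inside the 0..100 range."""
    return max(0.0, min(100.0, x))


def linear_max(value: float, baseline: float, target: float) -> float:
    """Linear maximization: baseline scores 0, target scores 100, higher is better."""
    if target == baseline:
        raise ValueError("target must differ from baseline")
    return clamp((value - baseline) / (target - baseline) * 100.0)


def linear_min(value: float, baseline: float, target: float) -> float:
    """Linear minimization: baseline scores 0, target scores 100, lower is better."""
    if target == baseline:
        raise ValueError("target must differ from baseline")
    return clamp((baseline - value) / (baseline - target) * 100.0)


@dataclass
class Metric:
    name: str
    kind: str                     # "max", "min", "binary", "qualitative", "evidence"
    weight: float = 1.0           # weight in the control's weighted average
    leading: bool = False         # leading metrics do not enter the overall score
    baseline: float = 0.0         # used by "max" / "min"
    target: float = 100.0         # used by "max" / "min"
    required_evidence: int = 1    # assumption: documents needed for an evidence metric to reach 100%
    value: object = None          # number, "Yes"/"No"/None, state name, or document count

    def performance(self) -> Optional[float]:
        """0..100 for this metric, or None while its state is still unassigned."""
        if self.value is None:
            return None
        if self.kind == "max":
            return linear_max(float(self.value), self.baseline, self.target)
        if self.kind == "min":
            return linear_min(float(self.value), self.baseline, self.target)
        if self.kind == "binary":            # Yes -> executed, No -> not executed
            return 100.0 if self.value == "Yes" else 0.0
        if self.kind == "qualitative":
            return QUALITATIVE_SCALE[self.value]
        if self.kind == "evidence":          # state grows with uploaded documents
            return clamp(int(self.value) / self.required_evidence * 100.0)
        raise ValueError(f"unknown metric kind: {self.kind}")


def control_performance(metrics: List[Metric]) -> Tuple[Optional[float], List[str]]:
    """Weighted average of the lagging metrics that already have a state.

    Returns (score, or None if nothing is scorable yet; names of lagging
    metrics still unassigned) so a reviewer sees both the number and the gaps.
    """
    weighted_sum, total_weight, pending = 0.0, 0.0, []
    for m in metrics:
        if m.leading:
            continue
        p = m.performance()
        if p is None:
            pending.append(m.name)
            continue
        weighted_sum += m.weight * p
        total_weight += m.weight
    score = weighted_sum / total_weight if total_weight else None
    return score, pending


def example_control() -> List[Metric]:
    """A constructed control mixing the metric types the article describes."""
    return [
        Metric("% of Policy Compliance", "max", value=90),                        # 90
        Metric("Mean Time to Detect, hours", "min", baseline=72, target=24,
               value=36),                                                         # 75
        Metric("Backup test evidence", "evidence", required_evidence=2, value=1),  # 50
        Metric("Business continuity plan updated", "binary", value="Yes"),        # 100
        Metric("Effectiveness of Communicating Compliance Policies",
               "qualitative", value="Moderately Effective"),                      # 60
        Metric("% of personnel trained in incident reporting", "max",
               leading=True, value=40),                       # informational only
        Metric("Incident drill completed", "binary", value=None),                 # pending
    ]


if __name__ == "__main__":
    score, pending = control_performance(example_control())
    print(f"control performance: {score:.1f}%  still unassigned: {pending}")
```

Reporting the unassigned metrics next to the score matters in practice: a control that shows 75% because two of its binary checks were never filled in looks very different from one that scored 75% with every check recorded.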

3. Initiatives for Controls

Action Plans

Applying controls involves following specific prevention or response actions, similar to classical project management with due dates, budgets, and responsible persons.
Implementation Example

In BSC Designer:

  • Use the Initiative tool to add action plans to the controls.
  • Align risks and efficiency metrics with the initiative.
  • Assign an owner to the initiative; the person will receive notifications when the status changes.
How to Add an Initiative to a Goal in Strategic Planning

Tracking Action Plan

Tracking the execution of the action plan is typically part of the control’s scope. One of the metrics aligned with the control can be used to track the progress of the action plan.
Implementation Example

In BSC Designer:

  1. Add a new initiative to the control.
  2. Open the initiative dialog.
  3. Select the progress KPI in the ‘Aligned KPI’ field.
Using KPIs to Track the Progress of an Initiative

4. Tracking Controls Over Time

Periodic Controls

Some controls require periodic revision. Such revisions involve the mechanics of the control, as well as the periodic application of the control. Certain controls need to be activated just once.
Implementation Example

Example of revision of mechanics of the control:

  • Revision of Compliance Checklists – annual revision
  • Knowledge Retention, % – quarterly revision

Examples of periodic application of the control:

  • Vulnerability Scanning – monthly revision/update

Examples of control initiated once:

  • Initial Risk Assessment – to be updated once

In BSC Designer:

  • Use the Update Interval setting of the indicator to schedule regular revisions.
Ensure Data Consistency with Update Intervals

Updating State of Control

For periodic controls, update the state of the metrics that were defined for the control.
Implementation Example

In BSC Designer:

  1. Select a control’s metric
  2. Select a date in the internal calendar
  3. Switch to the ‘Data’ tab
  4. Enter the new state in the ‘Value’ field
Continuous Monitoring of KPIs in BSC Designer

Inheritance of Control’s State

Some indicators used for controls will inherit their previously known state, while others will use only specifically entered updates.

Implementation Example

For example:

  • % of Employees Trained – is likely to be an inherent indicator, as we can assume that the percentage of employees trained in May will remain the same or increase in June.
  • Monthly Sales Revenue – is likely to be a non-inherent indicator, as we are interested in tracking actual sales data over months.

In BSC Designer:

  1. Select an indicator
  2. Click on the Values Editor button
  3. Change the inheritance type of the indicator
Two Options for Inheriting Previous State of an Indicator
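The Update Interval setting in section 4 and the two inheritance behaviours just described both come down to how an indicator's history is read on a given date. The following added example (not BSC Designer's code) shows that logic for both: an inheriting indicator carries its last known value forward, a non-inheriting one only has a state on days with an explicit update, and a periodic indicator is flagged once more than its interval has passed since the last recorded value. Indicator names, dates, values and intervals are constructed to mirror the article's examples.

```python
# Added example (not BSC Designer's code): resolving an indicator's state on a
# given date from sparse updates under the two inheritance behaviours the
# article describes, plus an Update Interval check that flags overdue periodic
# controls. Indicator names, dates, values and intervals are constructed.
from bisect import bisect_right
from datetime import date
from typing import Dict, Iterable, List, Optional


def day(iso: str) -> date:
    """Small helper so dates can be written as ISO strings."""
    return date.fromisoformat(iso)


class Indicator:
    def __init__(self, name: str, inherits: bool,
                 update_interval_days: Optional[int] = None) -> None:
        self.name = name
        self.inherits = inherits                  # carry the last known state forward?
        self.update_interval_days = update_interval_days
        self._dates: List[date] = []              # kept in chronological order
        self._values: List[float] = []

    def record(self, on: date, value: float) -> None:
        """Store an update; a second update on the same day overwrites the first."""
        i = bisect_right(self._dates, on)
        if i and self._dates[i - 1] == on:
            self._values[i - 1] = value
            return
        self._dates.insert(i, on)
        self._values.insert(i, value)

    def last_update_on_or_before(self, on: date) -> Optional[date]:
        i = bisect_right(self._dates, on)
        return self._dates[i - 1] if i else None

    def state_on(self, on: date) -> Optional[float]:
        """Inheriting indicators return the last known value; non-inheriting
        ones only have a state on a day with an explicit update."""
        i = bisect_right(self._dates, on)
        if i == 0:
            return None
        if self._dates[i - 1] == on or self.inherits:
            return self._values[i - 1]
        return None

    def is_overdue(self, on: date) -> bool:
        """True when the Update Interval has elapsed without a new value."""
        if self.update_interval_days is None:
            return False
        last = self.last_update_on_or_before(on)
        if last is None:
            return True
        return (on - last).days > self.update_interval_days


def build_examples() -> Dict[str, Indicator]:
    """Constructed indicators mirroring the article's examples."""
    trained = Indicator("% of Employees Trained", inherits=True, update_interval_days=90)
    trained.record(day("2024-05-01"), 80.0)
    trained.record(day("2024-06-15"), 85.0)

    revenue = Indicator("Monthly Sales Revenue", inherits=False)
    revenue.record(day("2024-05-31"), 120.0)
    revenue.record(day("2024-06-30"), 130.0)

    scan = Indicator("Vulnerability Scanning", inherits=True, update_interval_days=30)
    scan.record(day("2024-05-01"), 100.0)      # last scan result recorded on 1 May
    return {"trained": trained, "revenue": revenue, "scan": scan}


def overdue_indicators(indicators: Iterable[Indicator], on: date) -> List[str]:
    """Names of periodic indicators whose update interval has lapsed by `on`."""
    return [i.name for i in indicators if i.is_overdue(on)]


if __name__ == "__main__":
    ex = build_examples()
    print(ex["trained"].state_on(day("2024-06-01")))   # 80.0, inherited from 1 May
    print(ex["revenue"].state_on(day("2024-06-15")))   # None, no update that day
    print(overdue_indicators(ex.values(), day("2024-06-15")))
```

The overdue list is the part worth wiring into a report filter: a monthly control such as vulnerability scanning that has not been updated for 45 days is a gap in the control's operation, even though its inherited state still reads as a valid value.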

5. Reporting Controls

Controls on Dashboards

Create visual representations of controls and their states. Track the evolution of metrics over time, the state of risks, and risk mitigation plans.
Implementation Example

In BSC Designer:

  1. Switch to the Dashboard tab.
  2. Add relevant charts, including Gantt charts for initiatives, risk diagrams, and diagrams listing controls and their states.
Adding a Chart to a Dashboard in BSC Designer

Controls for Risk Estimation

The lagging metrics that quantify the effectiveness of the controls can be used to quantify the probability or impact of a risk.
Implementation Example

In BSC Designer:

  • Connect the lagging part of the control with the Risk Impact or Risk Estimation metrics in the risk register by data.
Identify and Assess Risks by Effectiveness of Internal Controls

Controls in Reports

The state of the controls, as well as the results of their implementation, can be reported to the stakeholders involved.
Implementation Example

In BSC Designer:

  • Use the ‘Report’ menu to generate various reports
  • Use the ‘Schedule’ button in the ‘Report’ menu to send reports to the stakeholders automatically
Report the Status of Goals and KPIs to the Stakeholders

Accountability

Recording the execution results of a control is important for accountability and future learning.
Implementation Example

In BSC Designer:

  • All activities related to the design and execution of controls are recorded in the audit log.
  • The administrator of the account can access audit logs via Menu > Users > Audit Trail.
Accountability and Transparency with Audit Trail in Strategic Planning

Practical Example of Using a Control

Let’s discuss a practical example. Consider the control activated when an employee leaves the company.

Example structure (figure): an example of the library structure for GRC controls. Source: Library of GRC Controls in BSC Designer.

Controls Library

In the controls library, I have an HR section where one of the controls is “Employee left company.”

This control has three action plans:

  • Redirect emails.
  • Contact customers.
  • Knowledge transfer plan.

It also has two metrics:

  • Logins disabled (evidence-driven).
  • Percentage of customers notified.

Another metric is used for the periodic revision of controls:

  • Knowledge Retention (%)

A risk is defined for the control as:

  • Risk: Disruption of Workflow
  • Mitigation plan: Document critical functions

Events Scorecard

I have a scorecard named “HR events” where relevant HR events are logged. The scorecard is organized by event type.

Applying the Control

Here are the steps to follow when an employee leaves the company:

  1. Create a new event in the Events scorecard, e.g., “Alex left company.”
  2. Copy and paste the appropriate control from the controls library to the Events scorecard.
  3. The person responsible for the control will be automatically notified about new action plans created.
  4. Upload evidence (screenshots) that the logins were disabled.
  5. Notify customers and update the “% of customers notified” indicator.
  6. Update the status of the action plans to “In review.”

More Examples

You can find more examples of using controls in articles about:

What's next?

  • Sign up for a free account at BSC Designer to access the scorecard templates, including 'Library of GRC Controls' discussed in this article.
  • Follow our Strategy Implementation System to align stakeholders, strategic ambitions, and business frameworks into a comprehensive strategy.


Cite as: Alexis Savkín, "How to Set Up and Monitor Internal Controls to Ensure Compliance," BSC Designer, May 26, 2024, https://bscdesigner.com/grc-controls.htm.
