Does a bike really need brakes?

The importance of controls in an enterprise, especially in the IT environment.

It was Labor Day, just a few days after I arrived in the US for my PhD program. I had to do some things at the laboratory but did not have a drivers’ license neither did I know how to drive a car. Since the school bus was not working, I decided to use my brother’s bike. What could go wrong? It’s only been a few years since I last rode a bicycle so I thought I could just put my legs on the floor to stop the bike if I sensed any danger, but it was not that simple. I rode the bike down a hill in West Virginia; lots of hills around. I went down the hill screaming my head off, I had lost control of the bicycle. It was a mere miracle that I ran the bike into a parked car and not a moving one. That day I realized the value of knowing where the brakes are on a bike before attempting to ride one. I believe anything that moves at a speed above 10 miles an hour requires a brake; just my conservative opinion though.

Controls are measures designed to manage and mitigate risks around process in a business or IT environment, just like the brakes on a bike. 

IT Controls are very important in any enterprise for many reasons, a few of which are: 

Financial Objectives: Well-designed controls that operate effectively could help an organization maintain completeness, accuracy, validity, and authorization of transactions and thereby prevent financial losses. Controls are very important even in financial reporting as the fundamental characteristics of financial reporting (relevance and faithful representation) can only be attained in the premise of IT general controls and application controls which are well designed and operating effectively. 

Operational and IT objectives: The objectives of the IT group must be in alignment with the organization’s objectives for the organization’s operational and strategic goals to be achieved. Well-designed controls around the IT environment could help enhance the confidentiality of information, the privacy of data, data integrity as well as the availability of data. With the right controls in place, the organization can meet its requirements for the effectiveness and efficiency of operations, as well as achieve necessary compliance with applicable laws and regulations. 

To be more precise, it is very difficult if not impossible for an enterprise to achieve its objectives without the presence of IT general controls and application controls that are well designed and operating effectively. 

Fraud prevention: The three elements of the fraud triangle (opportunity, pressure, and rationalization) would have limited avenues to find expression in an organization with good controls in place. As said earlier, well-designed controls that operate effectively are required for the accuracy and fairness of presentation in financial reporting; which also enhance fraud prevention.

Reducing the likelihood of Cyberattacks: While some attacks on information assets use simple techniques like phishing or social engineering, others could adopt special tactics like the Golden SAML attack. Whatever the tactics used in a cyberattack, whether on-premise or in the cloud; even the most sophisticated cyberattacks could be prevented with the appropriate controls. I am not saying attacks would be impossible, but their likelihood and impact could be minimized with controls that are designed appropriately and operate effectively. 

Loss of reputation: The consequence of a cyberattack is the fear of a loss of reputation or a bad public image associated with the victim (the attacked company). Companies involved with major fraud often lose their public image over time.

Impairment of goodwill: Goodwill is an intangible asset that accounts for the excess purchase price of another company based on its proprietary or intellectual property, brand recognition, patents, or some vital technology. An Impairment to goodwill has been seen in situations where some of these assets acquired no longer generate the financial results that were previously expected of them at the time of purchase. Weak controls could be implicated in the inability to generate expected financial results. When goodwill impairment occurs investors and creditors often do not look favorably at such companies. 

To sum it all up, appropriate controls can help build a competitive advantage, as a business is able to take more risks when the right mitigating controls are in place. Competitors of such businesses would have to avoid the same risk and lose the reward associated with such investment. Some organizations with the appropriate controls can successfully expand their business operations to countries and regions of the world with high corruption index while the company’s competitors may avoid such expansion. Controls can contribute greatly to a company’s risk appetite. 

Top companies focus on continuous risk assessment to identify the changing risk affecting their business, but much more they do so to adopt the appropriate response to the identified risks, which often involved improving on the controls in the business and IT environment. 

My bicycle crash experience taught me that it’s not just enough to know that your bicycle has a brake, but it’s more important to know where the brakes are and how to use those brakes. Just as bicycles brakes protect the rider from unpleasant events (like crashes), the right controls can protect your organization from events which could adversely affect your ability to achieve your business objectives or execute your strategies.