**Internal Controls: Governance, Risk, and Compliance (GRC) – A Practical Guide**

Internal Controls: Governance, Risk, and Compliance (GRC) – A Practical Guide

What Is This?

Internal controls are policies, procedures, and mechanisms organizations use to ensure operational efficiency, financial accuracy, compliance with laws, and fraud prevention. You use them to protect assets, detect errors, and mitigate risks—whether in finance, IT, supply chain, or AI-driven automation.

Today, internal controls matter because regulatory scrutiny is rising (e.g., SOX, GDPR, CCPA), cyber threats are evolving, and AI/automation introduces new risks (e.g., biased decision-making, unauthorized data access). Without controls, companies face financial losses, legal penalties, and reputational damage.

Why It Matters

• Prevents fraud and errors: Controls like segregation of duties (SoD) stop employees from approving their own expenses.
• Ensures compliance: Frameworks like COSO help companies meet legal requirements (e.g., Sarbanes-Oxley for public companies).
• Improves efficiency: Automated controls (e.g., AI-driven anomaly detection) reduce manual audits.
• Protects data: Access controls (e.g., role-based permissions) prevent breaches.
• Supports AI/automation: Controls ensure algorithms operate within ethical and legal boundaries.

Real-world impact: - A $2B fraud at Wirecard happened because internal controls failed.
- Equifax’s 2017 breach (147M records exposed) stemmed from a missing patch—preventable with proper IT controls.
- AI bias in hiring tools (e.g., Amazon’s scrapped recruiting algorithm) could have been caught with governance controls.

Core Concepts

1. The COSO Internal Control Framework (The "Bible" of Controls)

COSO (Committee of Sponsoring Organizations) defines 5 components of effective internal control:

Key takeaway: Controls aren’t just paperwork—they’re living processes that adapt to new risks (e.g., AI, remote work).

2. Fraud Prevention: The Fraud Triangle

Fraud happens when three conditions align:

1. Pressure (e.g., financial stress, unrealistic targets).
2. Opportunity (e.g., weak controls, lack of oversight).
3. Rationalization (e.g., "I’ll pay it back," "Everyone does it").

How to break the triangle: - Reduce pressure: Fair compensation, realistic goals.
- Remove opportunity: Segregation of duties (SoD), access controls.
- Eliminate rationalization: Ethics training, whistleblower hotlines.

Example: A payroll clerk can’t both process payroll and approve timesheets—this violates SoD.

3. Control Activities: The "How" of Internal Controls

Control activities are specific actions to mitigate risks. They fall into three categories:

Pro tip: Automate detective controls (e.g., AI flagging duplicate invoices) to reduce human error.

4. Governance, Risk, and Compliance (GRC)

GRC is the strategic integration of: - Governance: How decisions are made (e.g., board oversight).
- Risk Management: Identifying and mitigating risks (e.g., cybersecurity threats).
- Compliance: Adhering to laws/regulations (e.g., GDPR, SOX).

Why it matters: Siloed GRC leads to redundant efforts, gaps, and inefficiencies. Unified GRC (e.g., using tools like ServiceNow GRC) ensures consistency and real-time visibility.

5. AI and Automation in Internal Controls

AI/automation enhances controls but also creates new risks:

Key question: Does your AI control system have a "human override"?

How It Works: A Simple Control Workflow

Here’s how a purchase-to-pay (P2P) control works in practice:

1. Request: Employee submits a purchase requisition.
2. Approval: Manager approves (preventive control).
3. Vendor Selection: System checks vendor against a blacklist (detective control).
4. Payment: Two signatures required for amounts >$5K (preventive control).
5. Reconciliation: AI matches invoice to PO and receipt (detective control).
6. Audit: Internal audit reviews a sample of transactions (monitoring).

If a step fails: - Preventive: Transaction is blocked (e.g., unapproved vendor).
- Detective: Alert is triggered (e.g., duplicate invoice).
- Corrective: Issue is escalated (e.g., fraud investigation).

Hands-On / Getting Started

Prerequisites

• Knowledge: Basic understanding of business processes (e.g., procurement, payroll).
• Tools:
• Spreadsheet (Excel/Google Sheets) for simple controls.
• GRC software (e.g., ServiceNow, MetricStream) for enterprise use.
• Python/R (optional) for automating controls (e.g., anomaly detection).

Step 1: Design a Simple Control (Segregation of Duties)

Scenario: A small business wants to prevent payroll fraud.

Control Activity: Segregation of duties (SoD) for payroll.

Steps: 1. List roles:
- HR: Enters employee hours.
- Manager: Approves hours.
- Finance: Processes payment.
- Auditor: Reviews payroll reports.

1. Define rules:
2. No single person can both enter and approve hours.

3. No single person can both approve and process payment.

4. Implement in Excel:
   plaintext
| Employee | Hours Entered (HR) | Hours Approved (Manager) | Payment Processed (Finance) |
|----------|--------------------|--------------------------|-----------------------------|
| Alice | 40 | ✅ Bob | ✅ Carol |
| Bob | 35 | ❌ (Conflict: Bob can't approve his own hours) | - |
   Expected outcome: Bob cannot approve his own hours—Excel flags the conflict.

Step 2: Automate a Detective Control (Duplicate Invoice Check)

Scenario: Detect duplicate vendor invoices.

Tool: Python (using pandas).

Code:

import pandas as pd

# Sample invoice data
data = {
    "Vendor": ["Acme", "Beta", "Acme", "Gamma"],
    "Invoice_Number": ["INV-001", "INV-002", "INV-001", "INV-003"],
    "Amount": [1000, 2000, 1000, 3000]
}
df = pd.DataFrame(data)

# Find duplicates (same vendor + invoice number)
duplicates = df[df.duplicated(subset=["Vendor", "Invoice_Number"], keep=False)]
print("Duplicate invoices found:")
print(duplicates)

Output:

Duplicate invoices found:
  Vendor Invoice_Number  Amount
0  Acme        INV-001    1000
2  Acme        INV-001    1000

Expected outcome: The script flags the duplicate invoice from "Acme."

Step 3: Implement a Preventive Control (Approval Workflow)

Scenario: Require manager approval for expenses >$1K.

Tool: Google Forms + Apps Script.

Steps: 1. Create a Google Form for expense submissions.
2. Use Apps Script to route submissions >$1K to a manager for approval.
3. Only approved expenses are added to the spreadsheet.

Code snippet (Apps Script):

function onFormSubmit(e) {
  const expense = e.values[1]; // Amount (assuming column 2)
  const managerEmail = "[email protected]";

  if (expense > 1000) {
    MailApp.sendEmail(managerEmail,
      "Approval Required: Expense $" + expense,
      "Approve here: [LINK]");
  }
}

Expected outcome: Expenses >$1K trigger an email to the manager for approval.

Common Pitfalls & Mistakes

1. "Set It and Forget It" Controls

• Mistake: Designing controls but never testing or updating them.
• Fix: Schedule quarterly control reviews (e.g., test SoD rules after staff changes).

2. Over-Reliance on Manual Controls

• Mistake: Using spreadsheets for complex controls (e.g., SoD in a 1000-person org).
• Fix: Use GRC software (e.g., ServiceNow) for scalability.

3. Ignoring "Soft Controls"

• Mistake: Focusing only on technical controls (e.g., firewalls) and ignoring culture (e.g., ethics training).
• Fix: Combine hard controls (e.g., access logs) with soft controls (e.g., whistleblower hotlines).

4. Not Documenting Controls

• Mistake: Assuming everyone knows the rules.
• Fix: Document controls in a Control Matrix (see example below).

5. Failing to Monitor AI Controls

• Mistake: Deploying AI for fraud detection but not checking for bias or drift.
• Fix: Implement model monitoring (e.g., track false positives/negatives).

Best Practices

1. Start with a Control Matrix

Map controls to risks and processes:

2. Automate Where Possible

• Use RPA for repetitive controls (e.g., invoice matching).
• Use AI for anomaly detection (e.g., unusual spending patterns).
• Rule of thumb: If a control is rule-based and high-volume, automate it.

3. Test Controls Regularly

• Design testing: Does the control theoretically work? (e.g., SoD rules).
• Operating effectiveness: Does the control actually work in practice? (e.g., sample transactions).

4. Integrate GRC into Business Processes

• Don’t silo controls: Embed them in workflows (e.g., expense approvals in Slack).
• Use APIs: Connect GRC tools to ERP systems (e.g., SAP, Oracle).

5. Train Employees on Controls

• Mistake: Assuming employees know how to follow controls.
• Fix: Run quarterly training (e.g., phishing simulations, SoD workshops).

Tools & Frameworks

Real-World Use Cases

1. Fraud Prevention in Banking (JPMorgan Chase)

• Problem: Credit card fraud costs banks $28B/year.
• Control:
• Preventive: AI flags unusual transactions (e.g., $10K spent in 5 minutes).
• Detective: Machine learning models detect patterns (e.g., same card used in two countries).
• Corrective: Automated SMS alerts to cardholders.
• Outcome: Reduced fraud losses by 30%.

2. SOX Compliance in Public Companies (Microsoft)

• Problem: Sarbanes-Oxley (SOX) requires financial statement accuracy and internal control testing.
• Control:
• Preventive: Access controls (e.g., only CFO can approve financial reports).
• Detective: Automated reconciliations between ERP and bank statements.
• Monitoring: Quarterly internal audits.
• Outcome: Passed SOX audits with zero material weaknesses.

3. AI Governance in Healthcare (IBM Watson Health)

• Problem: AI models for diagnostics must be accurate and unbiased.
• Control:
• Preventive: Model validation (e.g., testing on diverse datasets).
• Detective: Continuous monitoring for drift (e.g., accuracy drops over time).
• Corrective: Human-in-the-loop reviews for high-risk cases.
• Outcome: Reduced misdiagnosis rates by 20%.

Check Your Understanding (MCQs)

Question 1

A company discovers that an employee approved their own expense report, violating segregation of duties (SoD). Which type of control would have prevented this?

A) Monthly expense report reviews B) Requiring manager approval for all expenses C) Automated duplicate invoice checks D) Quarterly access reviews

Correct Answer: B) Requiring manager approval for all expenses
Explanation: This is a preventive control that stops the employee from approving their own expenses. SoD requires that no single person controls all steps of a process.
Why the Distractors Are Tempting: - A: This is a detective control—it finds the issue after it happens.
- C: This detects duplicate invoices, not SoD violations.
- D: This is a monitoring control, not preventive.

Question 2

A retail company uses AI to detect fraudulent transactions. Over time, the model’s accuracy drops because customer behavior changes. What is the most effective control to address this?

A) Retrain the model annually B) Implement a human review for all