    Christine Doxey
    Compensating Controls to Mitigate Risk
    Topic posted February 20, 2019 by Christine Doxey, tagged Advanced Controls, Compliance, Financial Transactions, Fraud, GRC, Risk Management, Sarbanes Oxley, Separation of Duties, SOX
    Learn about compensating controls as an additional risk management tool.


    Segregation of duties promotes sound business practices and supports the achievement of a business process objective. When designing segregation of duties controls for a business or financial process, most business process owners start by identifying incompatible functions and then define the segregation of duties and systems access controls. However, segregation of duties cannot always be achieved, most often because of staffing limitations.

    In some cases, a single employee performs every activity within a process. In this scenario, segregation of duties does not exist and risk cannot be identified or mitigated in a timely manner. As a result, the implementation of additional compensating controls should be considered.

    Definition of Compensating Controls

    A compensating control reduces the exposure created by ineffectively segregated functions. It can reduce the risk of errors, omissions, irregularities and deficiencies, and in doing so can improve the overall business process.

    Compensating Controls, CSA and CCM

    It should be noted that many companies include compensating controls in their internal controls programs as additional measures to reduce risk. These controls can be embedded in continuous controls monitoring (CCM) and controls self-assessment (CSA) processes.

    Continuous controls monitoring (CCM) refers to the use of automated tools and related technologies to continuously monitor financial transactions and other transactional applications in order to reduce and mitigate risk. A CCM process includes the validation of authorizations, systems access, system configurations and business process settings.

    Examples of Compensating Controls

    1. Skim through a detailed transactions report: A manager should consider performing a high-level review of a detailed report of transactions completed by an employee who performs incompatible duties. As an example, a manager may simply skim through the report sections that contain high-risk transactions or accounts, and may review specific payment types or amounts before the payment is made.
    2. Review a sample of transactions: Using a CSA or CCM process, a manager may select a small sample of transactions, request the supporting documents and review them to ensure that they are complete, appropriate, and accurately processed. In addition to detecting errors, the knowledge that a periodic review takes place can create a disincentive (that is, reduce the opportunity) for the person performing the incompatible duties to process unauthorized or fraudulent transactions. This review identifies transactional anomalies that can serve as a flag for collusion. As an example, unchanged pricing and the use of the same suppliers for several years can indicate possible collusion between a buyer and suppliers.
    3. Review system reports: Applications that support business or office operations have embedded reporting capabilities that generate reports based on pre-determined or user-defined criteria. A review of relevant system exception reports can provide good compensating controls for an environment that lacks adequate segregation of duties. As an example, I suggest a quarterly review of reports of deleted or duplicated transactions, changes to data sets, and transactions exceeding a specific dollar amount.
    4. Perform analytical reviews: Another example of a compensating control is the comparison of different records with predictable relationships and the analysis of any unusual trends identified. For example, a budget vs. actual expenditure comparison, a current year vs. prior year subscription fee analysis, or a comparison of selected asset records to an actual physical count of assets might reveal unusual variances or discrepancies that need to be investigated. An analytical review of this kind should occur on a monthly basis.
    5. Reassign reconciliation: If there is an opportunity to reassign one activity from the person performing incompatible functions to another employee, a manager may consider reassigning the reconciliation activity. As an example, reassigning the bank account reconciliation function to someone other than the person receiving cash and depositing it in the bank could improve the quality of internal controls in the cash receipt process. Reconciliations should occur monthly as a standard of internal control.
    6. Increase supervisory oversight: Other activities a manager may perform as compensating controls are observation and inquiry. Where appropriate, increasing supervisory reviews through observation of the processes performed in certain functions and making inquiries of employees are good administrative controls that may help to identify and address areas of concern before a transaction is finalized.
    7. Rotate jobs: Many companies rotate jobs in the finance and accounting department every 1-2 years. This creates an environment of control and can prevent collusion. As an example, accounts payable processors should be rotated on a regular basis so that they don't become too involved with specific suppliers. As noted above, a buyer's responsibility should likewise be rotated within the purchasing organization.
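
As an added example that is not part of the original post, the Python script below turns the system exception reports from item 3 (deleted or duplicated transactions, transactions exceeding a dollar threshold) and the budget vs. actual analytical review from item 4 into automated checks of the kind a CCM process would run. It also includes the authorization validation mentioned in the CCM paragraph above, flagging payments entered and approved by the same user. The accounts-payable records, field names, dollar threshold, variance tolerance and budget figures are all constructed for illustration; a real deployment would read them from the application's own reporting exports.

```python
"""CCM-style exception report over constructed accounts-payable transactions.

Added example (not the author's code). Every record, field name, threshold
and budget figure below is a constructed assumption for illustration only.
"""
from collections import Counter, defaultdict

# Constructed sample ledger: user "jdoe" both enters and approves some payments,
# which is the segregation-of-duties gap the compensating controls address.
TRANSACTIONS = [
    {"id": "T001", "vendor": "Acme Supply", "invoice": "INV-100", "amount": 4200.00,
     "entered_by": "jdoe", "approved_by": "msmith", "status": "posted", "cost_center": "IT"},
    {"id": "T002", "vendor": "Acme Supply", "invoice": "INV-100", "amount": 4200.00,
     "entered_by": "jdoe", "approved_by": "jdoe", "status": "posted", "cost_center": "IT"},
    {"id": "T003", "vendor": "Globex", "invoice": "INV-77", "amount": 15500.00,
     "entered_by": "jdoe", "approved_by": "jdoe", "status": "posted", "cost_center": "OPS"},
    {"id": "T004", "vendor": "Initech", "invoice": "INV-9", "amount": 800.00,
     "entered_by": "alee", "approved_by": "msmith", "status": "deleted", "cost_center": "OPS"},
    {"id": "T005", "vendor": "Initech", "invoice": "INV-10", "amount": 950.00,
     "entered_by": "alee", "approved_by": "msmith", "status": "posted", "cost_center": "HR"},
]

# Constructed quarterly budget per cost center, used by the analytical review.
BUDGET = {"IT": 5000.00, "OPS": 10000.00, "HR": 1000.00}

AMOUNT_THRESHOLD = 10000.00   # "transactions exceeding a specific dollar amount" (assumed value)
VARIANCE_TOLERANCE = 0.25     # flag cost centers more than 25% away from budget (assumed value)


def _dup_key(txn):
    """Two payments for the same vendor, invoice number and amount are treated as duplicates."""
    return (txn["vendor"], txn["invoice"], txn["amount"])


def duplicate_transactions(txns):
    """Ids of transactions that share vendor, invoice number and amount with another record."""
    counts = Counter(_dup_key(t) for t in txns)
    return [t["id"] for t in txns if counts[_dup_key(t)] > 1]


def deleted_transactions(txns):
    """Ids of transactions carrying the deleted status (the 'report of deleted transactions')."""
    return [t["id"] for t in txns if t["status"] == "deleted"]


def over_threshold(txns, threshold=AMOUNT_THRESHOLD):
    """Ids of transactions whose amount exceeds the configured dollar threshold."""
    return [t["id"] for t in txns if t["amount"] > threshold]


def self_approved(txns):
    """Authorization validation: the same user entered and approved the payment."""
    return [t["id"] for t in txns if t["entered_by"] == t["approved_by"]]


def budget_variances(txns, budget=BUDGET, tolerance=VARIANCE_TOLERANCE):
    """Budget vs. actual per cost center; only posted transactions count as spend.

    Returns {cost_center: relative_variance} for centers outside the tolerance,
    where relative_variance = (actual - budget) / budget.
    """
    actual = defaultdict(float)
    for t in txns:
        if t["status"] == "posted":
            actual[t["cost_center"]] += t["amount"]
    flagged = {}
    for center, planned in budget.items():
        variance = (actual.get(center, 0.0) - planned) / planned
        if abs(variance) > tolerance:
            flagged[center] = round(variance, 3)
    return flagged


def exception_report(txns=TRANSACTIONS):
    """Bundle the individual checks into one report a reviewer can skim."""
    return {
        "duplicates": duplicate_transactions(txns),
        "deleted": deleted_transactions(txns),
        "over_threshold": over_threshold(txns),
        "self_approved": self_approved(txns),
        "budget_variance": budget_variances(txns),
    }


if __name__ == "__main__":
    for section, hits in exception_report().items():
        print(f"{section}: {hits}")
```

On the constructed data the report flags T001/T002 as duplicates, T004 as deleted, T003 as over threshold, T002/T003 as self-approved, and the IT and OPS cost centers as outside budget tolerance. Each check is a separate function so that a reviewer can run only the reports relevant to the incompatible duties in question, and the thresholds are parameters rather than hard-coded so they can be set per process.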


    Effective compensating controls can reduce the risk for a process that has limited or inadequate segregation of duties and ultimately can provide reasonable assurance to management that the anticipated objective(s) of a process or a department will be achieved. As a detective risk management technique, compensating controls tend to examine the accuracy of a transaction after it has occurred, but they can also be used as preventive controls within CSA and CCM processes.