Identifying relevant controls
Controls are generally defined as systematic measures implemented by management to:
• Conduct business in an orderly and efficient manner;
• Safeguard assets and resources;
• Deter and detect errors, fraud, and theft; and
• Confirm accuracy and completeness of accounting data.
Risks identified in this Guide that are related to the HR function are not all equal in likelihood, impact or financial significance.
Decisions to implement controls should have due regard to the cost-benefit of mitigating the identified risks.
A commonly asked question is ‘What is a relevant control?’ While there is no authoritative definition for relevant controls, there are
a number of factors that are relevant in determining which controls to implement. For example:
• Relevant controls often support more than one control objective. For instance, user access controls support the existence of financial transactions and segregation of duties. In most cases, a combination of relevant controls is an effective way to achieve a particular objective or series of objectives. Placing too much reliance on a single control could create a single point of failure.
• Preventive controls are typically more effective than detective controls. For example, preventing a fraud from occurring is far better than simply detecting it after the fact.
• Automated controls are generally more reliable than manual or process controls, although the reliability of automated controls depends on the entity maintaining an effective control environment. For example, automated controls that force periodic changes to user passwords are more reliable than generic policies.
Customisation vs configuration
The Gershon Review [9] of 2008 stated that “Many submissions indicated that there are no specific inhibitors to using commercial off-the-shelf (COTS) solutions without customisation…there is often unnecessary excessive customisation by agencies. This erodes the inherent benefits offered by commercial off-the-shelf products, and increases costs.” The report noted that, as a means of reducing expenditure, entities should reduce the spending associated with customisation of software.
For the purposes of this Guide:
• Customisation is defined as programming changes made to the application that directly change the source code or the underlying table structures. Customisation may cause an increase in costs due to the difficulty of subsequent upgrades and could hinder future adoption of new features or functions that may be offered in later software releases.
• Configuration is defined as parameter changes that can be made without manipulating the source code or underlying table structures. Configuration is a non-invasive change to software settings or options that alters the business logic without altering the software itself.
The system controls identified in the Online Supplement of this Guide as better practice considerations for implementation of effective system controls relate to available functionality, and do not require customisation.
www.anao.gov.au/~/media/Uploads/BPGs/2011/HRIM_Risks_and_Controls_2011.pdf