GH GambleHub

Internal controls and audits

1) Purpose and area

Objective: ensure business goals are achieved safely and lawfully while reducing operational, financial, compliance and reputational risk.
Coverage: process and IT controls across all domains: payments/cashouts, KYC/AML/sanctions, anti-fraud, RG (responsible gambling), marketing/data exports, DevOps/SRE, DWH/BI, privacy/GDPR, TPRM (third-party risk management).

2) Protection principles and model

Three lines of defense: 1) process owners (operations/product), 2) risk/compliance/security (methodology, monitoring), 3) independent internal audit.
Risk-based: controls are prioritized by residual risk.
Evidence-driven: each control has measurable criteria, named data sources and artifacts that prove it ran.
Automate-first: wherever possible, automated and continuous controls (CCM) rather than manual ones.

3) Risk map → objectives → controls

1. Risk register: identify causes, events and consequences (financial, player, licensing).
2. Control objectives: what must be prevented, detected or corrected (for example, "unauthorized withdrawal of funds," "unauthorized access to PII").
3. Control activities: the specific policies, procedures and automation chosen to meet each objective.

Types of controls:
  • Preventive: RBAC/ABAC, SoD (four-eyes), limits and scoring, data validation, WebAuthn, mTLS.
  • Detective: SIEM/alerts, reconciliations, SLA/SLO dashboards, audit logs (WORM), anomaly detection.
  • Corrective: automatic locks, release rollbacks, key rotation, manual case review and refunds.
  • Compensating: where the primary control is not feasible, strengthening measures (additional monitoring, double verification).

4) Control Library

For each control the following is recorded:
  • ID/name, objective, risk, type, frequency, control owner, performer, execution method (manual/automated/hybrid), sources of evidence, KPI/KRI, links to policies/procedures, dependent systems.
  • States: Draft → Active → Monitored → Retired. Versioning and change log.
Example records (abbreviated):
  • 'CTRL-PAY-004' - four-eyes approval for payments above X (preventive, daily, Owner: Head of Payments, Evidence: requests/approval logs, KPI: 100% coverage).
  • 'CTRL-DWH-012' - PII masking in data marts (preventive, continuous, Owner: Head of Data, Evidence: test queries, KPI: ≥95% masked reads).
  • 'CTRL-SEC-021' - MFA for admin consoles (preventive; Evidence: IdP reports; KPI: 100% adoption).

5) RACI and owners

Activity               | Business Owner | Process Owner | Security/Privacy/AML | Data/IT/SRE | Internal Audit
Control design         | A              | R             | C                    | C           | I
Execution              | I              | R             | C                    | R           | I
Monitoring/KRI         | C              | R             | A/R                  | R           | I
Testing (1st/2nd line) | C              | R             | A/R                  | R           | I
Independent audit      | I              | I             | I                    | I           | A/R
CAPA/remediation       | A              | R             | R                    | R           | C

R = Responsible, A = Accountable, C = Consulted, I = Informed.

6) Planning audits and tests

The annual plan is formed risk-oriented (high residual risk, regulatory requirements, incidents, new systems).

Types of checks:
  • Design Effectiveness (DE): whether the control is designed so that it actually reduces the risk.
  • Operating Effectiveness (OE): whether it runs consistently and at the defined frequency.
  • Thematic/process audit: end-to-end validation of one domain (e.g. KYC/AML or cashouts).
  • Follow-up/verification: confirmation that CAPAs are closed.

Approach: walkthrough (tracing), interview, artifact/log review, analytics, re-performance (repeating the control independently).

7) Evidence and samples

Types of evidence: log exports (signed/hashed), IdP/SSO reports, tickets and approval logs, configs, screenshots with timestamps, xls/csv extracts from data marts, PAM session recordings.
Integrity: WORM copies, hash chains/signatures, every record carrying a 'ts_utc' timestamp.
Sampling: statistical or judgmental; sample size depends on the control's frequency and the required confidence level.
Criteria: pass/fail; de minimis thresholds are allowed for manual operations.
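The integrity measures above (hash chains, signatures, 'ts_utc' on every record) are easy to describe and easy to get wrong. The following is an added example, not GambleHub code, showing a hash-chained evidence log for CTRL-PAY-004 approvals with a keyed seal over the chain head. It assumes evidence records are dicts carrying a 'ts_utc' field and that the HMAC key is held outside the log (KMS/HSM); the key and the three sample records are constructed for the demo. It also shows why the chain alone is not enough: an insider who rewrites the last record and recomputes its hash leaves a chain that still verifies, and only the out-of-band seal catches it.

```python
"""Hash-chained evidence log with a keyed seal on its head.

Added example; not GambleHub code. Assumes evidence records are dicts with a
UTC timestamp field named ts_utc and that the HMAC key lives in a KMS/HSM; the
key and the sample records below are constructed for the demo.
"""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so the same record always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[dict], record: dict, ts_utc: str) -> dict:
    """Append one evidence record; its hash commits to the previous entry's hash."""
    body = dict(record)
    body["ts_utc"] = ts_utc
    body["prev_hash"] = chain[-1]["hash"] if chain else GENESIS
    entry = {"body": body, "hash": hashlib.sha256(_canonical(body)).hexdigest()}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return the index of the first entry whose link or hash is broken, else None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = entry["body"]
        if body.get("prev_hash") != prev:
            return i  # link to the previous record was altered
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return i  # record content changed after it was hashed
        prev = entry["hash"]
    return None


def seal(chain: List[dict], key: bytes) -> str:
    """Keyed MAC over the head hash; store it out-of-band (e.g. with the WORM copy)."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_seal(chain: List[dict], key: bytes, mac: str) -> bool:
    return hmac.compare_digest(seal(chain, key), mac)


def tamper_copy(chain: List[dict], index: int, field: str, value, rehash: bool = False) -> List[dict]:
    """Deep copy with one field altered; rehash=True simulates an insider who
    also recomputes the altered entry's hash."""
    forged = json.loads(json.dumps(chain))
    forged[index]["body"][field] = value
    if rehash:
        forged[index]["hash"] = hashlib.sha256(_canonical(forged[index]["body"])).hexdigest()
    return forged


def build_demo_chain() -> List[dict]:
    """Constructed sample evidence for CTRL-PAY-004 (four-eyes approvals); not real data."""
    chain: List[dict] = []
    samples = [
        {"control": "CTRL-PAY-004", "payment_id": "P-1001", "amount": 25000,
         "initiator": "ops.alice", "approver": "ops.bob", "ticket": "PAY-311"},
        {"control": "CTRL-PAY-004", "payment_id": "P-1002", "amount": 60000,
         "initiator": "ops.carol", "approver": "ops.bob", "ticket": "PAY-312"},
        {"control": "CTRL-PAY-004", "payment_id": "P-1003", "amount": 15000,
         "initiator": "ops.alice", "approver": "ops.dan", "ticket": "PAY-313"},
    ]
    for i, sample in enumerate(samples):
        append_record(chain, sample, ts_utc=f"2024-01-15T10:0{i}:00Z")
    return chain


if __name__ == "__main__":
    key = b"demo-key-replace-with-kms-managed-secret"  # constructed; never hard-code in production
    chain = build_demo_chain()
    mac = seal(chain, key)
    print("intact:", verify_chain(chain), verify_seal(chain, key, mac))
    print("edited P-1002:", verify_chain(tamper_copy(chain, 1, "amount", 1)))
    print("edited+rehashed P-1002:", verify_chain(tamper_copy(chain, 1, "amount", 1, rehash=True)))
    tail = tamper_copy(chain, 2, "amount", 1, rehash=True)
    print("rewritten tail: chain", verify_chain(tail), "seal", verify_seal(tail, key, mac))
```

An edit to a middle record breaks either that record's hash or the next record's prev_hash, so verify_chain pinpoints it. A rewritten and rehashed tail passes verify_chain, which is why the seal (or a signature) over the head has to be written somewhere the log writer cannot modify, and why the WORM copy in the text matters.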

8) Evaluation and classification of non-conformities

Gradations: Critical/High/Medium/Low.
Criteria: impact (money/PII/licenses), probability, duration, repeatability, compensating controls.
Reporting: a finding card (risk, description, examples, root cause, impact, required actions, deadlines, owner) with status tracking.

9) CAPA and Change Management

Corrective and Preventive Actions: eliminate the root cause, not only the symptoms.
S.M.A.R.T. measures: specific, measurable, time-bound, with named owners and milestones.
Change Advisory Board: high-risk changes go through the CAB; policies, procedures and roles are updated accordingly.
Effectiveness verification: re-audit after N weeks/months.

10) Continuous Monitoring (CCM) and Analytics

CCM candidates: high-frequency, well-formalized controls - SoD conflicts, JIT access grants, abnormal exports, MFA coverage, payment limits, sanctions hits.
Tools: SIEM/UEBA rules, data/BI dashboards, schema/masking validators, access tests (policy-as-code).
Signals/alerts: threshold-based or behavioral; SOAR tickets; automatic blocks for critical deviations.
Advantages: faster detection, less manual load, stronger provability.
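What a CCM rule actually looks like is not obvious from the list above. The following is an added example, not GambleHub code, running three of the candidate checks (SoD conflicts on payments, payments above the approval limit with no approval, PII reads without a recorded purpose) over a constructed JSON-lines audit stream. The event names, field names, APPROVAL_THRESHOLD (a stand-in for the "payments > X" limit, which the page does not state) and the sample lines are all assumptions. Unparseable lines are counted rather than dropped, since a gap in the evidence is itself a finding; the last function maps the results onto the KRI targets in section 11.

```python
"""Continuous control monitoring (CCM) checks over an audit-event stream.

Added example; not GambleHub code. Assumes events are JSON lines with an
"event" field and the attributes used below; event names, the threshold and
the sample lines are constructed for the demo.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

APPROVAL_THRESHOLD = 10_000  # stand-in for "payments > X"; the page does not state X

# Constructed sample events. The fifth line is deliberately truncated.
SAMPLE_LOG = """
{"ts_utc":"2024-01-15T09:00:00Z","event":"payment.initiated","payment_id":"P-1","actor":"alice","amount":30000}
{"ts_utc":"2024-01-15T09:02:00Z","event":"payment.approved","payment_id":"P-1","actor":"bob"}
{"ts_utc":"2024-01-15T09:05:00Z","event":"payment.initiated","payment_id":"P-2","actor":"carol","amount":50000}
{"ts_utc":"2024-01-15T09:06:00Z","event":"payment.approved","payment_id":"P-2","actor":"carol"}
{"ts_utc":"2024-01-15T09:07:00Z","event":"payment.initiated","payment_id":"P-3"
{"ts_utc":"2024-01-15T09:08:00Z","event":"payment.initiated","payment_id":"P-3","actor":"alice","amount":80000}
{"ts_utc":"2024-01-15T09:09:00Z","event":"payment.initiated","payment_id":"P-4","actor":"dan","amount":5000}
{"ts_utc":"2024-01-15T09:10:00Z","event":"pii.read","actor":"erin","table":"players","purpose":"kyc_review","ticket":"KYC-77"}
{"ts_utc":"2024-01-15T09:11:00Z","event":"pii.read","actor":"frank","table":"players"}
"""


def parse_events(text: str) -> Tuple[List[dict], int]:
    """Parse JSON lines; count lines that fail to parse instead of silently dropping them."""
    events, unparsed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            unparsed += 1
    return events, unparsed


def sod_conflicts(events: List[dict]) -> List[str]:
    """Payments where one actor both initiated and approved (four-eyes broken)."""
    roles = defaultdict(lambda: {"init": set(), "approve": set()})
    for e in events:
        if e.get("event") == "payment.initiated":
            roles[e["payment_id"]]["init"].add(e.get("actor"))
        elif e.get("event") == "payment.approved":
            roles[e["payment_id"]]["approve"].add(e.get("actor"))
    return sorted(pid for pid, r in roles.items() if r["init"] & r["approve"])


def unapproved_large_payments(events: List[dict]) -> List[str]:
    """Payments above the limit that have no approval event at all."""
    amounts, approved = {}, set()
    for e in events:
        if e.get("event") == "payment.initiated":
            amounts[e["payment_id"]] = e.get("amount", 0)
        elif e.get("event") == "payment.approved":
            approved.add(e["payment_id"])
    return sorted(pid for pid, amt in amounts.items()
                  if amt > APPROVAL_THRESHOLD and pid not in approved)


def pii_reads_without_purpose(events: List[dict]) -> List[str]:
    """Actors who read PII without a recorded purpose (KRI target: 0)."""
    return [e.get("actor") for e in events
            if e.get("event") == "pii.read" and not e.get("purpose")]


def run_ccm(text: str) -> Dict[str, object]:
    events, unparsed = parse_events(text)
    return {
        "sod_violations": sod_conflicts(events),
        "unapproved_large_payments": unapproved_large_payments(events),
        "pii_without_purpose": pii_reads_without_purpose(events),
        "unparsed_lines": unparsed,
    }


def breaches_kri(result: Dict[str, object]) -> bool:
    """True if any zero-tolerance KRI (SoD violations, PII access without purpose) is breached."""
    return bool(result["sod_violations"] or result["pii_without_purpose"])


if __name__ == "__main__":
    result = run_ccm(SAMPLE_LOG)
    print(json.dumps(result, indent=2))
    print("KRI breached:", breaches_kri(result))
```

In production these checks run as scheduled SIEM or warehouse queries and each non-empty list opens a SOAR ticket against the owning control (CTRL-PAY-004 for the first two, the PII access control for the third); the unparsed-line count is worth its own alert because a logging pipeline that silently drops events breaks every detective control downstream.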

11) Metrics (KPI/KRI)

KPI (execution):
  • Coverage of critical processes by controls ≥ 95%
  • On-time execution of manual controls ≥ 98%
  • CAPAs (High/Critical) closed on time ≥ 95%
  • Share of automated controls, increasing month over month
KRI (risks):
  • SoD violations = 0
  • PII accesses without a recorded 'purpose' = 0
  • Leaks/incidents notified within 72 h: 100%
  • Fail rate of operational controls < 2% (and trending down)

12) Frequency and calendar

Daily/continuous: CCM, anti-fraud signals, payment limits, masking.
Weekly: reconciliation of payments/registers, export control, alert analysis.
Monthly: MFA/SSO reports, access register, vendor monitoring, KRI trends.
Quarterly: access re-certification, thematic reviews, BCP/DR stress tests.
Annual: full audit plan and risk map update.

13) Integrations with existing policies

RBAC/ABAC/Least Privilege, Access Policies and Segmentation - a source of preventive controls.
Password policy and MFA are mandatory requirements for admins/critical operations.
Audit logs/log policy - detective and evidentiary controls.
TPRM and third party contracts - external controls: SLA, DPA/SCCs, audit rights.

14) Checklists

14.1 New control design

  • Objective and associated risk described
  • Defined type (preventive/detective/corrective)
  • Owner/Performer and Frequency Assigned
  • Data sources and evidence format specified
  • Built-in metrics (KPI/KRI) and alerts
  • Links to policies/procedures
  • DE/OE test plan defined

14.2 Audit

  • Scope and DE/OE criteria agreed
  • List of artifacts and accesses retrieved
  • Sampling agreed and fixed
  • Results and findings classified
  • CAPAs, deadlines and owners approved
  • Report issued and communicated to stakeholders

14.3 Monitoring and reporting (monthly)

  • KPI/KRI for all critical controls
  • Failure/False Positive Trends
  • CAPA and Delinquency Status
  • Automation/JMA Proposals

15) Typical errors and how to avoid them

Control without an objective or metric: formalize the objective and its KPI/KRI.
Manual controls without evidence: standardize forms/scripts and store the artifacts in WORM storage.
Proliferation of exceptions: keep an exception register with expiry dates and compensating measures.
Works "on paper" but not in practice: regular OE tests and CCM.
Lingering open CAPAs: automatic escalation and a status review at the monthly risk committee.

16) Implementation Roadmap

Weeks 1-2: update the risk map, compile a catalog of controls, appoint owners, approve evidence templates.
Weeks 3-4: start KPI/KRI monitoring, select 5-10 controls for automation (CCM), approve the annual audit plan.
Month 2: conduct 1-2 thematic audits (high risk), implement SOAR alerts, establish board reporting.
Month 3 +: Expand CCM, conduct quarterly reviews, reduce manual controls, increase DE/OE coverage and CAPA closure rate.

TL;DR

Effective internal controls = risk map → objectives → concrete activities with an owner and evidence, plus regular DE/OE tests, CAPA and CCM automation. This makes risk management measurable, audits predictable, and compliance provable.
