Control Design – Embedding Prevention & Detection into the Process
Controls are most effective when they operate inside the process, not alongside it.
Many organizations rely on reconciliations, reviews, and post-event checks. While these controls identify issues, they often do so after losses, delays, or errors have already occurred. Strong control design focuses on prevention first and detection second.
Process mapping allows organizations to place the right control at the right step, aligned with how work actually happens.
Types of Controls in a Process
| Control Type | Purpose | Where It Works Best |
|---|---|---|
| Preventive | Stops errors or fraud before they occur | At transaction initiation |
| Detective | Identifies issues after occurrence | Immediately after activity |
| Corrective | Fixes issues and prevents recurrence | Post-incident remediation |
When controls are disconnected from process steps, they become inefficient and ineffective.
Real Case Snapshot – Controls Added Too Late
Background
A mid-sized trading organization was experiencing recurring financial losses due to duplicate vendor payments. Management believed controls were adequate because monthly reconciliations were performed, and payment reports were reviewed regularly.
Despite this, losses continued, and each incident required manual recovery efforts and strained vendor relationships
What went Wrong
An initial review showed that:
- Invoice processing and payment runs were highly automated
- Duplicate checks were performed after payments were released
- Reconciliations were detective, not preventive
- Multiple teams reviewed the same data, but too late
The organization had controls, but they were misaligned with the process flow.
How It Was Uncovered
A detailed process mapping exercise of the Procure-to-Pay cycle revealed:
- Invoice validation occurred post-payment
- System capabilities for duplicate detection were unused
- Manual checks relied on spreadsheets and experience
The real issue was not lack of controls, but poor control placement.
What Changed
The company redesigned its controls using the process map:
- Duplicate invoice checks were embedded before payment approval
- System-based preventive validations replaced manual reviews
- Exception reports were generated in real time
Outcome
- Duplicate payments eliminated
- Faster payment processing
- Reduced manual effort
Key Lessons (Simplified)
Controls are most effective when they are designed into the process, not layered on after failure. Preventive controls stop risk before it materializes, while poorly placed controls only explain what went wrong.
NEXT WEEK – Week 6: Process Failures vs Control Failures
Next week, we explore how to distinguish between a broken process and a failed control and why fixing the wrong one leads to recurring issues.
Echoes of truth
Wednesday Deep Dive – Echoes of Truth is a weekly thought-leadership series by Crowe’s Risk Advisory – Forensic & Process Excellence Division. It delivers practical insights on forensic investigations, fraud risk, governance, internal controls and process excellence. Each edition draws from real-world engagements and global best practices to help organizations identify red flags, strengthen controls, optimize processes, and build resilient, transparent and high-performing operations.
