If you see something, say something.
I spent many years living in NYC, where the subway announcement, “If you see something, say something,” was a constant reminder that we all share the responsibility of keeping each other safe. The same principle applies to internal controls in organizations, particularly in the realm of tech security. Internal controls are not just technical tools; they are the policies, activities, and safeguards that help prevent failures, detect issues when they happen, and minimize the damage that follows.
Syracuse University’s Office of Internal Audit defines internal controls as “activities designed to provide reasonable assurance that operations are effective and efficient, financial reporting is reliable, and applicable laws and regulations are followed” (Syracuse University, n.d.). They outline five key types of controls: preventive, detective, corrective, directive, and compensating. Preventive controls are the first line of defense and are “designed to discourage errors or irregularities from occurring.” Examples include requiring strong passwords, restricting access, or separating duties so no one person has unchecked power. Detective controls are “designed to identify errors or irregularities after they have occurred,” such as audits, reconciliations, or monitoring logs. Corrective controls are “actions taken to reverse the effects of errors or irregularities that have been detected,” like restoring data from backups or updating flawed processes. Directive controls set expectations in advance through “policies, procedures, and training that guide employees toward desired behaviors.” Finally, compensating controls provide a safeguard when the ideal measure is not possible, ensuring there is still coverage if other controls fall short.
This breakdown is powerful because it shifts the focus from high-tech fixes to the fact that people and processes are as important as firewalls and encryption. For example, imagine a departing employee who does not return their laptop. On the surface, it may appear to be a minor issue or petty theft. In reality, that laptop could hold confidential client information, internal communications, or financial records. Without preventive policies like exit checklists and equipment logs, or detective controls such as an asset inventory review, that oversight could expose a company to serious risks.
When I think about this, it reminds me that controls are less about red tape and more about building resilience. They create an environment where everyone, not just IT staff, understands they have a role in protecting the organization. As the article emphasizes, “internal control is everyone’s responsibility” (Syracuse University, n.d.). The everyday choices matter: reporting suspicious emails, following security protocols, or simply locking your workstation before stepping away. Controls make sure those habits become part of the culture.
At the end of the day, internal controls are really about trust. Just as on the subway, we help prevent harm to ourselves and our community by “seeing something and saying something.”
Sources:
Top ten internal controls to prevent and detect fraud! (n.d.). https://omh.ny.gov/omhweb/resources/internal_control_top_ten.html
Internal Control Types and Activities - CFO – Syracuse University. (n.d.). https://finance.syr.edu/audit/general-internal-controls/internal-control-types-and-activities/
New York City Subway voice announcements. (n.d.). https://ilyabirman.net/meanwhile/all/nyc-subway-voice-announcements/