Chapter 5 Pt.

2 organization to compensation liabilities, loss of

business reputation, and other costs.
Business and Process Risk
Leadership risk – workers are not being led
This is the risk that the organization’s processes are
effectively resulting in lack of direction, motivation to
not effectively obtaining, managing, and disposing
perform, customer focus, management credibility,
their assets, that the organization is not performing
and trust.
effectively and efficiently in meeting customer
needs, is not creating value or is diluting value by Outsourcing risk – outsourcing activities to third
suffering the degradation of financial, physical, and parties could result in these third parties not
information assets. performing in a way that is consistent with the
organization’s strategies, objectives, values, and
Capacity risk – insufficient capacity limits the ability
behavioral standards and expectations.
to meet demand in the short and long term, or
excess capacity threatens the firm’s ability to Competitor risk – risk that actions by competitors
generate competitive profit margins. may threaten the organization’s competitive
advantage or survival.
Execution risk – inability to produce consistently
without compromising quality. Catastrophic loss risk – risk that a catastrophe
threatens the organization’s ability to continue
Supply chin risk – being unable to maintain a steady
operating and provide goods and services.
stream of supplies when needed.
Industry risk – changing conditions that affect the
Business interruption risk – this risk stems from the
attractiveness of the industry.
unavailability of raw materials, IT, skilled labor,
facilities or other resources that threaten the Planning risk – lack of, unrealistic, irrelevant, or
organization’s ability and capacity to continue unreliable planning information = poor conclusion
operations. and decisions. This risk is often triggered when plans
and budgets are unrealistic, not based on
Human resources risk – lack of knowledge, skills,
appropriate assumptions or performance metrics,
and experiences among the organization’s key
are not relevant to organization goals, or unaccepted
personnel that threatens the ability to achieve
by managers and workers.
business objectives.
Organization structure risk – the organization’s
Product or service failure risk – faulty or
structure does not support change, flexibility, or the
nonperforming products and services that do not
organization’s strategies. Ann ineffective
meet customer expectations = customer complaints,
organizational structure can threaten its ability to
warranty claims, returns, field repairs, product
change.
liability claims, litigation causing lost revenues, lower
market share, and damage to business’ reputation. Integrity and fraud risk – risk of management or
employee fraud, illegal or unauthorized acts =
Product development risk – ineffective product
reputation loss. Management fraud is the intentional
development threatens the organization’s ability to
misstatement of financial and operational reports
meet or exceed customer’s expectations
that negatively affect external stakeholders’
consistently over the long term. EX: developing a
decisions. Fraud could also be perpetrated by
product that customers do not need or want,
suppliers, customers, agents, and brokers against
products and services that are priced at a level
the organization for personal gain. Illegal acts
customers are not willing to pay or while the goods
committed by managers and employees can result
or services meet a need, they are late to market and
in fines, penalties, sanctions, loss of licenses to
a competitor reached first.
operate, loss of customers, and reputation damage.
Cycle time risk – unnecessary activities threaten the
Trademark erosion risk – over time, this threatens
organization’s capacity to develop, produce, market,
the demand for the organization’s products and
and deliver goods and services in a timely manner.
services. It also limits its ability to develop and grow
Health and safety risk – failure to provide a safe revenue streams. Trademarks and brands usually
working environment for workers exposes the help the organization build and retain demand for its
goods and services. These include brand name,
service, and certification marks/symbols.
Reputation risk – risk of loss generally related to
ethics, safety, security, quality, innovation, and
sustainability causing lost revenue, higher capital
and regulatory costs, lower stock price, or difficulties
raising capital due to potentially criminal event.
Reputation risk may also cause loss of customers,
profits, and the ability to compete.
Data integrity – reliability and completeness of data
flows, inbound and outbound from/to customers,
vendors, regulators, investors, and other
stakeholders. It also relates to the authorization,
completeness, and accuracy of transactions as they
are input, processes, and reported.
Infrastructure risk – risk that the organization’s IT
infrastructure is obsolete, or lacks the IT
infrastructure, such as hardware, software,
networks, and people it needs to effectively support
the information requirements of the organization to
remain viable in the sort and long term.
Commerce risk – events that compromise B2B (a
type of e-commerce where exchange of products,
services, or information are between businesses),
and B2C (business and consumers) financial and
data flows, data integrity, and security.
Access risk – failure to adequately restrict access to
information = result in unauthorized use of
confidential information. Conversely, overly
restrictive access to information could limit the ability
of personnel to perform their assigned
responsibilities.
Availability risk – unavailability of information when
needed could threaten the continuity of the
organization’s operations and processes.
Technological and Information Technology
Risks
These risks relate to conditions where IT is not
operating as intended, the integrity and reliability of
data is compromised, and significant assets are
exposed to potential loss or misuse. It also relates to
the inability to maintain critical systems and
processes. It includes:
Data and system availability risk – uptime of
systems, machines, and other tools to support the
needs of workers, customers, suppliers, and other
stakeholders of the organization. This involves data
acquisition, maintenance, use, distribution, storage,
and destruction.
Data integrity risk – accuracy and consistency of
data stored, processed, retrieved, and destroyed
when it reaches the end of its life-cycle.
System capacity risk – optimizing the amount of
storage and computing ability systems possess.
Data integrity, infrastructure risk, commerce risk,
access risk, and availability risk
Personnel Risks
Relate to conditions that limit the organization’s
ability to obtain, deploy, and retain sufficient
numbers of suitably qualified and motivated workers.
Management is confronted with the risk that
personnel shortages limit their ability to deliver
consistently with high quality in the short and long
terms.
Availability risk – sufficient workers and subject
matter experts to support the organization’s present
and future needs.
Competence risk – worker’s ability to perform their
duties efficiently and successfully.
Judgment risk – worker’s capacity to make sensible
decisions based on relevant circumstances
Malfeasance risk – wrongdoing perpetrated by
employees, contractors, suppliers, or customers.
Motivation risk – demotivated workers fail to apply
creativity and discipline to their tasks resulting in
lower production, lower quality, poor service, and
higher turnover and absenteeism.
Financial Risks
These can result in poor cash flows, currency and
intrest rate fluctuations, and an inability to move
funds quickly and without loss of value to where they
are needed.
Resources risk – availability of funds when needed
and their judicious use for business purposes.
Commodity prices risk – fluctuations in prices
expose the organization to lower margins or trading
losses.
Foreign currency risk – changes in foreign exchange
rates can result in the economic loss of some of the
value of the asset.
Liquidity risk – this is the loss exposure due to an
inability to meet cash flow obligations, or the lack of
buyers and sellers in a market.
Market – movements in prices, rates, and indices
affect the value of the organization’s financial assets
and stock price. This could also affect its cost of
capital and its ability to raise capital.
Environmental Risks
Relates to the actual or potential threat of negative
effects on the environment by emissions, wastes,
and resource depletion. This can be caused by an
organization’s activities and it influences living
organisms, land, air, and water.
Energy and other resources risk – inability to obtain
reliable suppliers at a reasonable price.
Natural disaster risk – events such as floods,
earthquakes, fires, hurricanes, and tornadoes, also
the lack of portable water and other resources
needed in company facilities.
Pollution risk – regulations and stakeholder
demands affecting the source of energy supplies,
and the quantity and manner of wastes allowable.
Excessive pollution that limit the organization’s
employee’s health and safety. Harmful to
environment and can expose the organization to
liabilities for bodily injury, property damage, removal
costs, and punitive damages.
Transportation risk – ensuring the availability of
adequate means of transportation. Some depend on
natural means such as navigable rivers, lakes, and
coastlines, or are directly or indirectly affected by
natural or human actions, such as having
unobstructed roads and working railroads.
Pandemic risk – bacteria or viruses that disrupt the
organization’s supply chain or availability of its
workforce.
Political
Type of risk faced by organizations, investors, and
governments. It refers to the effects that political
decisions, events, or conditions can cause when
they affect the profitability of business, or the ability
to operate freely. The implications organizations
may encounter as a result of political decisions.
Regulations and legislation risk – new or changes to
existing regulations that limit the organization’s
ability to engage in its normal business activities.
Public policy risk – stakeholder demands affecting
the organization’s operations.
Instability risk – civil or military unrest that disrupts
the organization’s activities.
Social Risk
Dynamics where an issue affects stakeholders who
can form negative perceptions that can cause some
form of damage to the organization. This can be
influenced by strategic and operational decisions
management makes that affect issues stakeholders
care about. Social risk is also influenced by societal
dynamics affecting the workforce and target
customers, such as their age, racial composition,
national origin, and family structure decisions.
Demographic risk – changes that affect purchasing
preferences, staff availability, or the cost to maintain
a healthy workforce.
Privacy risk – preferences that curtail the capture,
storage, use, and dissemination of personal
information.
CSR – requirements for social involvement and
investment that diverts time and other resources
from the organization’s primary activities.
Mobility – dynamics that change the preferences of
workers and customer to work, and live in ways that
support the organization’s needs and products.
The SMARTER Model for Effective Goals
Specific – significant, simple, stretching, and
sufficiently detailed.
Measurable – meaningful, motivational, and
manageable.
Achievable – appropriate, assignable, ambitious,
aspirational, attainable, agreed, actionable, and
aligned.
Relevant – realistic and resourced.
Time-bound – timed, timely, time-specific, trackable,
and tangible.
Evaluated – excitable, ethical, engaging, ecological,
and enjoyable.
Rewarding – revaluate, revisit, recordable, and
reaching.
The SMARTER model is very useful when
developing organizational and personal goals.
George Doran first mentioned SMART goals in
November 1891.
Specific
By being specific, goals become clearer and they
avoid the ambiguity that can often impair goal-
setting. Managers and employees know what they
are expected to do and can focus their energy,
resources, and priorities accordingly to accomplish
them.
Specific goals are easier to quantify and monitor for
performance evaluations.
- What has to be accomplished?
- Who is involved in getting this done?
- What is its importance to me and the
organization?
- Where must this happen, if applicable?
- Which requirements or restrictions apply, if
any?
Measurable
When goals are measurable, it is easier to link their
completion to the performance monitoring and
rewards mechanism. The lack of oversight and clear
metrics to gauge performance is a common reason
goals are ineffective and individuals fail to achieve
them.
- What must be done to demonstrate
progress?
- What is the quantitative and qualitative
evidence that will show we achieved the
goal?
Achievable
Impossible goals demotivate workers. When goals
are viewed by workers as unrealistic and
unachievable, they feel impotent because the goal
cannot be reached. Unachievable goals may also
lead to employees to fabricate financial and
operational results in their attempts to appear to
achieve their goals.
Goals can be deemed achievable when they are
aligned with the mission of the organization and the
individual. By making them ambitious and
aspirational, they build confidence and serve to
motivate those involved to purse something great.
- Does the goal carry specific parameters so it
is tangible?
- Are there adequate resources available to
work on the necessary task?
- Is there a strategy and/or plan to get this goal
accomplished?
- Is there enough motivation propelling this
endeavor?
Relevant
Goals should also be aligned with the mission and
strategy of the organization, the process, and the
individual.
Nonvalue adding activities constitute a waste and do
not add value to the process or customer.
- How does this activity help to meet the needs
of the customer?
- Is this activity essential?
- Is this the best way to perform this activity in
terms of time, effort, and related tools?
- What is the significance of this goal to my
career and those of my team?
Time-bound
A goal without a deadline is nothing but a dream.
Goals should precipitate a plan to accomplish the
goal. The deadline should create a sense of urgency
and time pressure. The combination of goals, plans,
and deadline brings out the talents in people with
proper management, synergies can be leveraged
among all involved.
- Are the milestone dates that must be met in
the interim to show we reached a significant
change or stage of development in our work
- When must the goal be achieved and what
evidence is needed to prove it was done?
- What is the most efficient way of achieving
the goal so we can accomplish it as quickly
as possible?
Evaluated
Goals must be evaluated to determine if they meet
the SMARTER elements, but also to determine if the
meet ethical and ecological considerations.
Excitable goals motivate workers and make
stakeholders more willing to provide the needed
resources and approvals. Goals must also extend
the capabilities of those involved in working toward
its completion.
- Are the metrics associated with this goal
evaluated? How frequently?
 - Does the goal infringe on my values, the
organization’s, and society’s?
- Will there be negative environmental impacts
while pursuing this goal?
- Who has to evaluate the appropriateness,
timeliness, and other attributes of the goal?
Rewarding
The rewards received should be commensurate with
the effort exerted and the outcome achieved. If the
amount of effort is greater than the reward, chances
are that workers will eventually lower the amount of
sacrifice made.
Goals should also be reviewed by those involved in
their formulation and performance toward their
completion so everyone is clear about what the
goals mean, what the implications are, and the short-
and long-term benefits to the individual,
organization, and customers.
- What are the benefits to my customers for
achieving this goal?
- What are the benefits to the organization for
achieving this goal?
- What emotional, financial, and professional
benefit will I enjoy?
Control Activities
Controls are actions established through policies
and procedures that mitigate the likelihood and/ or
impact of risks. Controls are performed at all levels
of the organization, at various stages within
processes and over the technological infrastructure
of the organization.
Controls can be manual, which means they are
performed by individuals and often using “hard,
tangible” items, such as paper and locks.
Whereas automated controls are performed by
computer and electronic systems often without direct
or exclusive human interaction.
Control activities can be categorized as
Preventive: Preventive controls are those activities
that act before the error or omission can occur and
reduce the likelihood and/or impact of the event.
A 3 way match is an internal control process that
cross-references a supplier's invoice against its
corresponding purchase order (PO) and good
received note (GRN). The goal here is to ensure that
financial details (order quantity, order amount, total
amount, PO number etc.) match across all 3
documents.
Detective: Detective controls identify errors or
anomalies after they have occurred and alert the
need for corrective action.
Directive: Directive controls are temporary controls
that are implemented to redirect employee actions.
They are sometimes referred to as corrective
controls, because they are put in place when an
undesirable action has occurred, even when there
were preventive and detective controls in place.
Compensating: Compensating or mitigating
controls are those that are put in place when a
control is not where it is expected as proper design
would stipulate. For example, if there is a lack of
segregation of duties, and more employees cannot
be hired to address the weakness, then a
supervisory review can be implemented to verify that
all transactions performed are business appropriate.
This could occur in a small office where an individual
makes purchases, receives the items, and performs
bank reconciliations.
Examples of Internal Control
Preventive – segregation of duties, authorizations,
access passwords, security cameras, competent
employees.
Detective – supervisory review, exception reports,
reconciliations, security cameras, confirmations.
Directive – training programs, policies and
procedures, required documentation.
Mitigating – supervisory review when there is a lack
of segregation of duties.
Internal auditors are generally tasked with verifying
that processes, programs, and their related controls
have been designed appropriately, and that those
controls are operating as intended. When confronted
with nonperforming controls, the natural question to
ask is “why?” Reasons vary, but the following are
some of the most common answers to that question:
Inadequate knowledge: Organizational
effectiveness is the result of realistic goals, sound
process design, sufficient resource allocation, and
effective planning and execution. Another key
element is appropriate knowledge by workers. If
those individuals performing any activ-ity within the
organization, control-related or otherwise, lack
sufficient knowledge regarding the way to perform
those duties, the outcome will be less than ideal.
Employee competence is a key determinant of
control effectiveness and this cannot be over-
emphasized.
Sabotage: Disgruntled employees can act in ways
that are very negative to their organizations. Their
actions are deliberately damaging and when they
involve control activities they may result in omission
of key responsibility or dereliction of duty, fraud, and
intentional disregard for the protection of company
assets. Sometimes their unhappiness is triggered by
poor management practices or the perception that
they have been disadvantaged in some way.
Emotional and physical reasons: Apathy,
depression, inability to pay attention to detail, or
fatigue can hamper an individual’s ability to perform
the duties assigned to him. Under these
circumstances, the quality of the work done while
performing the control activity will be inferior.
Information and Communication
The fourth component in the COSO IC/IF model
refers to the flow of information in an organization.
Ideally, there are clear, consistent, timely, and
purposeful directions emanating from the top of the
organization providing direction and establishing the
criteria to measure performance results.
There should also be information flowing up in the
organization, providing feedback about results and
any issues or unaddressed challenges employees
are facing. There should also be lateral flows of
information between individuals and operating units
to ensure cooperation and coordination among
them. Effective, timely, and clear lateral
communication can prevent confusion, duplication of
efforts, and the purchase of assets already in place
in the organization.
Bruce Berger states that internal communication
occurs on multiple levels.
1. Interpersonal or face-to-face (F-T-F)
communication occurs between individuals. For
many years organizations have worked diligently to
develop the speaking, writing, and presenta- tion
skills of their leaders, managers, supervisors, and
even lower-level workers.
2. Group-level communications occur within and
among teams, units, and interest groups. The focus
at this level is information sharing, discussing
issues, coordinating tasks, solving problems, and
gaining agreement through majority vote or
consensus.
3. Organizational-level communications focus on
company vision and mission, policies, new initiatives
such as strategic plans, and organizational
knowledge and performance. These
communications typically follow a cascading
approach where leaders communicate with their
respective subordinates. Recently, however, social
media is changing communications at this level.
Communication is the lifeblood of organizations as it
allows stakeholders to know what happened, what is
happening, and what is planned for the future. It also
defines or clarifies performance details and the
challenges employees encounter during their work-
related activities that management should address.
Note: data retention and storage for business
documentation should last for seven years.
There are several benefits of third-party service
providers, including the proficiency that they have in
their service area, lower cost per transaction, and
high quality. However, there are three broad types of
risks that outsourcing creates:
Operational risks: Often manifested as slippages of
time, cost, and quality, usually due to break- downs
in the transfer of work processes or repetitive
processes likely to succumb to human error. This
usually occurs because the service provider does
not fully understand the client’s requirements or has
the capability to achieve them.
Strategic risks: Generally caused by deliberate and
opportunistic behavior by service providers or their
employees. Examples include intellectual property
theft, understaffing, and significant price increases
after some years of stable pricing because the client
is locked in and will find it difficult to switch suppliers.
Composite risks: This occurs when the client loses
its ability to implement the process for itself because
it has outsourced the process for a long time. After a
lengthy outsourcing arrangement, the client may not
have any back-office operational capabilities, either
material or intellectual.
Monitoring Activities
Monitoring activities consist of ongoing, separate or
a combination of evaluations used to deter- mine
whether each of the five components of internal
control is present and functioning. Ongoing
evaluations are built into business processes at
different levels of the organization and provide timely
information on how well or poorly these activities are
performing.
Control environment: The control environment is
concerned with ethics in the organization, but what
is the state of ethics in the organization? How can
we find out and how can we monitor it? One
approach is to conduct employee surveys. These
are great tools to collect information and begin to
assess the condition of ethics in the workplace. This
entails, among other things, asking employees.
Themes of interest are
- Their opinions and impressions about the
tone at the top
- Management’s efforts to promote ethics
- Asking whether there is employee
agreement that ethics are important and are
rewarded, while unethical behavior is
punished promptly, fairly, consistently, and
universally?
Risk assessment: The risk landscape is constantly
changing, and as such, a risk assessment per-
formed at one point in time may be inaccurate a few
months, weeks, or even days later. This can be the
case with inventory shrinkage. While cyclical counts
are designed to compare the amount of inventory on
accounting records to warehoused amounts,
variances require monitoring as well. It is certainly
possible that warehouse personnel are performing
cycle counts, but the management team is not
monitoring the size and frequency of deviations. By
monitoring variances and inventory write offs,
management can intervene promptly when the
pattern begins to emerge and the theft, damage,
misplacement, or short-shipment of merchandise
begins to become evident.
Information and communication: Information
flows are essential to keep employees and man-
agers aware of business dynamics. If employees are
filing complaints with the Human Resources
department that a supervisor is unresponsive,
displays favoritism toward selected individuals, and
is abusive in the treatment of staff, management
would be well served to research the matter right
away. Otherwise, employee turnover will likely start
to increase, employees will vent their frustrations on
customers, or they will take matters in their own
hands and either commit fraud or sabotage or
become apathetic, driving operational performance
down.
COBIT and GTAG
2013 COSO Framework, which refers directly to IT
General Computer Controls (GCCs) in Principle 11.
This principle states that the organization selects
and develops general control activities over
technology to support the achievement of objectives.
In this way, IT’s pivotal role as essential for long-term
success is manifested and recognized. Furthermore,
it recognizes that there is an inherent dependency
and linkage among IT GCCs, processes, and
automated control activities.
ISO
ISO is an independent, nongovernmental
organization. Through its 162 national standards
groups, it brings together experts to share
knowledge and develop voluntary standards that
sup- port innovation and provide solutions to global
and business challenges. The organization is based
in Geneva, Switzerland.
International standards give world-class
specifications for products, services and systems, to
ensure quality, safety, and efficiency. They are also
instrumental in facilitating international trade by
providing standardized parameters and criteria and
establishing expectations. The organization has
published more than 19,000 international standards
and related documents, covering almost every
industry, from technology, to food safety, to
agriculture and healthcare.
Internal auditors should become familiar with ISO
standards as they drive the decisions, goals, and
operational practices of the management team at
many organizations. It also provides structure to
common business initiatives that some
organizations may be at various levels of
development.
(refer to the book for the standards mentioned)
ITIL
ITIL defines the organizational structure and skill
requirements of an IT organization and standard
management procedures and practices to manage
an IT operation. The operational procedures and
practices apply to all aspects within the IT
Infrastructure. ITIL describes processes,
procedures, tasks, and checklists which are not
organization-specific, but can be applied by an
organization for establishing integration with the
organization’s strategy, delivering value, and helping
to maintain a minimum level of competency.
CMMI
The CMMI is a process improvement appraisal
program administered and marketed by Carnegie
Mellon University. It is widely used in project
management, software development, process
assessment, and performance improvement within a
project, division, or an entire organization. CMMI
states that it can improve the key capabilities within
project and work management, process
management, support infrastructure, people
management, product development, service delivery
and management, supplier management, and data
management.