Continuing great job on the discussions. I appreciate your responses and I learn from you. You raised most of the important points but let me summarize my view.
Q1: How much automation of controls is best? When should they be introduced? Automated controls are ideal but not always possible or cost effective (e.g. complex scenarios or decision making). My experience is to leverage automation where possible and easily implemented.
As many of you pointed out, ‘baking in’ the controls from the start is the easiest and most cost effective. However, they will be added to as an organization grows, changes, etc. Also, as the process matures and the external world changes, you need to respond.
Q2: Describe the character of the leaders involved in the Real World control failures we reviewed. The words you used I agree with: Arrogant, greedy, above control (‘absolute power corrupts absolutely’), self-interested, self-preservation response to pressures, etc.
These leaders were not necessarily ‘bad’ leaders – many were very effective in accomplishing the goals of their organization. However, good leaders can have ‘bad’ character. Creating a climate of controls (e.g. SOX-type regulations) needs to provide balance when this character drives illegal, immoral, or unethical behaviors.
Q3: A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry? This is something you have to do yourself.
I appreciate how Paul phrased it: Paul: ‘IT Governance: which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do.’ Integrity goes beyond the skills you have or knowledge of right things; it is always doing the right things.
This integrity requires personal courage to stand up and be independent in our ‘end justifies the means’ world.
Q4: SAP’s GRC module may be important and effective, but can the cost of GRC be justified?
You all outlined in some detail what’s in this functional tool. However, in making the decision where to use it, you must weigh GRC’s costs vs. the cost of implementing controls other ways (often higher) plus the cost of not having needed controls or strength of controls in place.
Thanks for all your work in the participation blog this semester. I trust it helped your learning. Also remember to: do the right thing because it is the right thing to do.