Readings
- In your own words, how would you define a control environment?
- Define the three kinds of common controls and give two examples of each from your everyday life.
- What is the difference between an IT Strategy Committee and an IT Steering Committee?
The Dentdel Case
Think about the following questions before class on Tuesday.
- What processes were ineffective and allowed this situation to occur?
- Where could stronger IT Administrative controls have helped Dentdel avoid this situation?
M. Sarush Faruqi says
A control environment is an all-encompassing collection of policies, procedures, ethics, management style, organizational structure, and philosophy that determines how activities will be carried out by various levels of employees on a daily basis. It sets the tone for how a company will operate to meet its business objectives, mitigate risks, and perform both effectively and efficiently. Employees at all levels of an organization are responsible for establishing a well-established control environment.
1. The Board of Directors is responsible for the establishment of the ‘tone’ for the control environment. They also oversee the efficiency of systems in place within the control environment.
2. Management is responsible and accountable to the Board of Directors for developing and maintaining the required policies and procedures to carry out the business objectives and mitigate risk.
3. Support Services such as IT and HR reinforce these policies and procedures and report progress to management.
4. Internal Audit analyzes internal controls within the control environment and makes recommendations on any improvements which need to be made.
5. Staff within the company make themselves aware of the implemented controls.
An effective control environment is dependent on how the ‘tone’ is set for its success. This is ultimately done by the resources who are responsible for its establishment. Controls will not operate as expected, and the variability of expected outcomes will increase, if the environment is toxic. A healthy environment produces the opposite effect and can help a company operate at an optimal level.
Jimmy C. Jouthe says
What is the difference between an IT Strategy committee and an IT Steering committee?
An IT Strategy committee is made up of board members or specialists that assist the board with an organization’s strategic goals and plans for getting there. They oversee and set controls on all matters that are IT-related and assist the board in the process of amending the strategies of the organization with IT. The IT Steering committee steers the organization towards the IT strategy set forth by the IT Strategy committee by creating the positions, managing the resources, supporting users, creating applications, etc. to help reach that strategic goal. The IT Steering committee consists of the CIO, users, developers, managers, etc. that assist with implementing the IT strategic plans.
M. Sarush Faruqi says
Hi Shakiya,
I like your take on having an open door policy when it comes to creating an effective control environment. To me, managers must have accurate and timely information in order to make sound business decisions and have an awareness of risks. Allowing your employees to speak to you openly will give managers a sense of how exactly a process is being implemented in ‘the field’ since they are managing most of the time and not doing the work of the employees under them. Once they have reliable information from their employees, they can adopt the best controls which would help mitigate certain risks in their department. I would definitely agree that having an open line of communication with your employees brings positive results.
Marcus A. Wilson says
The IT Strategy Committee provides strategic direction for the IT organization and provides oversight to ensure that the IT direction aligns with the company’s overall business direction and goals. The IT Strategy Committee usually consists of advisors and members of the Board of Directors and acts as a liaison for the Board. The IT Steering Committee is the functional group that has oversight of IT resources and major projects, along with the alignment of those projects to the overall strategic direction outlined by the IT Strategy Committee. The IT Steering Committee consists of executive and senior IT members such as the CIO.
An example to explain the differences between the two committees would be an organization that has a core business goal to sell as many products as possible as quickly as possible. The direction from the IT Strategy Committee would be focused on supporting IT’s ability to provide the resources to be able to process the highest amount of orders in the shortest amount of time and encourage the acquisition of IT systems to support that processing. A shift in the board’s core goal to become focused on customer support and customer experience rather than the quantity of products would alter the direction given to the IT Steering Committee. The IT Steering Committee would now have the responsibility to change focus to projects that would support the change from order processing to customer service and interaction. This may mean reducing the IT investment into order processing systems and increasing their investment in call center technology and representative training.
M. Sarush Faruqi says
Scott,
I found your examples of all three types of controls informative, especially from a technical standpoint. I agree with you that security is an aspect of Information Technology which is gaining a lot of attention. Hackers are finding new ways to get into systems, which makes it a little difficult to pinpoint what angle they are coming from. I think your firewall example is very good at describing how the various controls work in layers to try and keep unwanted traffic out. Although it is typically hard to ‘bypass’ a firewall and gain access to a system, a misconfigured or outdated firewall can definitely open the doors for an attack. The other option is obviously accessing an entry point which does not pass through the firewall, such as email. As discussed in the readings and videos, controls don’t completely guarantee elimination of risk but do provide a reasonable assurance. I feel like an area such as security constantly involves tweaking or implementing newer, stronger controls, as there is always a threat of an attack. A firewall is definitely a good ‘first line of defense’ from a preventive and detective control standpoint.
Marcus A. Wilson says
Scott, I really like how you incorporated the company culture in your response. I agree that a positive company culture and a strong control environment go hand in hand and have to be supported and practiced from top management down. I recently did a project on the 2002 WorldCom scandal and it is a perfect example of executive leadership not supporting a control structure to ensure the company is operating in the correct manner. It’s an extreme example, but if leadership is not following a structured control environment it can create a risky workplace.
Marcus A. Wilson says
Ariana, great examples for each type of control. Siddesh also makes a good point about the security system being a preventive and detective control. This was more difficult to think about than I initially thought. I think it can fall into both categories, but it comes down to whether you are minimizing the risk of a physical break-in or the risk of a successful burglary with items taken. If the person breaking in doesn’t know you have a security system, is that minimizing the risk of a break-in?
Richard Flanagan says
Siddesh,
Is this counter to Disney having a very compliance-oriented tone? It sounds like the manager was ignoring a corporate policy and therefore saying it was OK for all of you to do so.
Mengqi He says
The three common controls are preventive, detective and corrective controls. Preventive controls are designed to reduce the likelihood of a risk before it occurs. For example, Temple requires students and faculty to show their IDs when they enter any Temple facility to mitigate possible hazards that threaten their safety. Another example is that we set passwords for the lock screens of our electronic devices to avoid the risk of privacy leaks by restricting access to our personal information. Detective controls are designed to detect errors and irregularities that have already occurred so that they can be stopped in time to avoid greater losses. Temple established campus emergency call stations everywhere around the campus to detect possible crimes in the area. Students can press the red button and use the microphone of the station to inform the police and report the crime that occurred. Another example is the use of surveillance cameras. They can be used in buildings to detect possible crimes such as burglary and arson, or used on the road to detect irregularities such as speeding and running a red light. Corrective controls are designed to limit the impacts of a risk and restore the current state to an acceptable state. For example, some people use iCloud to store and back up information. Even if they lose their devices, the information on the devices can be recovered from iCloud. Another common example is that people take medicine when they get sick, and influenza patients are isolated for treatment to avoid further spread.
Marcus A. Wilson says
James, I like how you used the example of a change control process. As Prof. Flanagan mentioned in previous posts there has to be a balance of controls. You want to have that change control process in place to mitigate the risk of a failed implementation but you also want to make sure that process is not preventing the company from reaching their goals as far as completing projects on time. At my former company there was a formal database change process for development and production environments. It got to a point where the development change process became a bottleneck delaying projects. The development change process was eventually removed as it was determined that the cost of delayed projects was higher than a possible failed implementation in a development environment and worth the risk.
Mengqi He says
I totally agree that the automobile industry is striving to sell more cars rather than to improve the safety and quality of their products for their customers. They do improve the alarm to better inform customers that “it’s time to spend money on maintenance.” What they should focus on is better improving the preventive controls of their products to help customers avoid accidents and unnecessary maintenance.
Mengqi He says
I agree that the dental check involves all three controls, and it also brings up the idea that when we break one control down into more specific details, it may include all three controls. These three controls are closely interrelated. These controls are so common that we use them almost daily, and even our bodies are using these controls to keep us healthy. For example, our skin prevents germs and dust from getting into our bodies, and once germs and viruses get in, white blood cells will detect and kill them. This process involves all three controls and it happens every second in our bodies. Without any one of the three controls, we cannot be healthy.
Mengqi He says
The IT strategy committee and IT steering committee are highly interrelated and sometimes overlap with each other. I think the IT strategy committee is more related to stakeholders, while the IT steering committee is more related to the operation and execution of the IT strategy. The implementation of an IT strategy is sometimes assisted by several IT steering committees that oversee the projects and manage IT resource allocation.
Marcus A. Wilson says
Dentdel Case-
Where could stronger IT Administrative controls have helped Dentdel avoid this situation?
There could have been additional administrative controls around the project intake phase. There wasn’t a process or procedure to follow for IT to implement the new mobile order entry solution. If there was a formal process some of the technical and logistical roadblocks could have been addressed before the project kickoff. Dentdel could have also utilized a project management function that could have helped engage any impacted resources and groups instead of ad-hoc meetings that can be unorganized and leave out key stakeholders.
There also could have been better integration between IT and the business by using an IT Steering team and IT Strategy committee approach to make sure the IT direction and business objectives align. It seems that there was a difference of opinion about whether the direction should be direct web entry or the mobile order entry solution.
Richard Flanagan says
Annamarie,
Both good points but what’s the overarching theme? Why did the CIO get away with taking these steps? What’s missing?
Richard Flanagan says
Brock,
I think the real question is whether or not it was an organizational tone issue. Yes, they have taken actions to address “the problem,” but if it’s a tone issue, another problem may pop up again somewhere else because the top is not paying attention to these annoying compliance issues.
Richard Flanagan says
Seunghyun,
Great example. No doubt it made an impression on everyone when the Regional Director appeared and took action. That’s setting the tone.
Richard Flanagan says
Amanda,
All true, and we will be talking about some of the controls you are suggesting: an IT Steering Team, Enterprise Architecture, Project Portfolio Management. The most important thing at this point is that there is no expectation of control at the very top of the company, which means a disaster of a project should come as no great surprise.
Richard Flanagan says
Scott,
I don’t think it’s communication, I think it’s a lack of understanding about what their true role is as execs. They are ignoring a large part of this role, either through ignorance or something else. Executives must set the tone; if they don’t, bad things will happen.
Richard Flanagan says
Cassandra,
See some of my other comments about communication. Generally, I find that communication is too easy an answer for most problems. I think here it is a lack of understanding of an executive’s role. There should be controls around all of these processes, but they, the executives, didn’t put them in place and ignored the need for them. Their job is to ensure that those controls are there and that everyone follows them. No wonder they ran into problems.
Mengqi He says
DentDel Case: What processes were ineffective and allowed this situation to occur?
The ineffective processes are basically due to the lack of IT governance. The project team either didn’t do the right thing or didn’t do it right. For example, the subject matter experts were not available, and the IT project team felt they didn’t get enough attention and could not access needed resources. I think this was the responsibility of the IT strategy and steering committees. The strategy committee failed to ensure all needed resources were available to support the project, while the steering committee didn’t allocate resources well so that the project team could access them when they needed them. Both the strategy and steering committees didn’t understand the important role they play in the project of providing guidance and ensuring the strategic goals of the project are consistent with the business goals of the company. In addition, the project went over budget, but the team didn’t even report any issues to the executive committee until the CFO foresaw an $8 million write-off. The project manager should have realized and communicated this situation to the board earlier, while the IT strategy committee should have figured it out and done something to mitigate the risk of a write-off before things got worse. The CFO also failed to report the situation immediately to the board. Another issue was that the sales team complained about the bad signal of the phone service, and the Vice President of Sales suggested converting the project to a web-only order entry system and abandoning the sales visit. These were all unexpected issues that occurred during the development of the project. The project manager had the responsibility to evaluate the project to ensure it was on the right track and consistent with the company’s strategic goals. Once a problem came up, the project manager should have communicated with users and others to figure out the new requirements and then made adjustments as soon as possible.
M. Sarush Faruqi says
Dentdel Case-
Where could stronger IT Administrative controls have helped Dentdel avoid this situation?
One of the most important controls that I see which could have helped Cedric James and the other executives is to have a well-defined IT strategy. In this situation, Dentdel essentially goes from a manual and time-consuming order entry process to employing wireless technology without engaging in what will truly bring the company the most value, whether it be monetary or non-monetary. There wasn’t enough research done as to whether or not the Pear P-phones would actually provide the network coverage necessary for the sales staff to do their job at an optimal level. Most companies gain value by having their IT systems be efficient, effective, and available, and in this case, the sales staff was complaining about the lack of phone service when using these newly implemented phones. There could have also been a formal PMO to manage the projects in terms of time and expense. Under the guidance of the PMO, the risk of overspending on the project and completing less work in a given time period would have been reduced by a good margin by employing a well-defined project plan. In this case, $8 million was spent with only 25 percent of the work actually completed because everything was done through an ad-hoc committee. There also weren’t very strong controls around an organizational hierarchy, especially when it came to making decisions pertaining to the business. Rafeal Colon (CFO) approved a $20 million project without being required to gain approval from the executive committee. This created a lack of checks and balances, as there was essentially no one else above Rafeal to ensure he was not approving high-risk projects without proper controls in place. Ultimately, this situation came down to a weak control environment. Upper management did not see a need to implement and recognize controls, setting up the project to be a failure in the end.
Mengqi He says
I totally agree that the CIO and CFO should be responsible for the messy situation, but I think that the CEO also has responsibility for not discovering the situation early. The reason that the CFO and CIO could initiate the project without informing the CEO is a lack of controls and policies on the decision-making process. The company also lacks a control environment in which everyone has a clear understanding of his/her role in the project and can therefore complete their jobs more effectively.
Richard Flanagan says
Vu,
The right term is project sponsor, usually the one who understands the business need, secures the funding, works with the team to remove roadblocks, and who is responsible for the business success of the project. In this case it should have been the head of marketing and sales.
Richard Flanagan says
As we will see in a couple of weeks, the monitoring of active projects is usually the responsibility of an IT Steering Committee. The work of setting plans, monitoring performance, removing roadblocks is the work of the project manager. When he or she can’t make it work they should escalate first to the project sponsor and then to the IT Steering Committee. Surprises are the worst thing that can happen.