- How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
- In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
- A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
- SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
Sean Patrick Walsh says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I think automated controls are the ideal control type since they remove, at least as much as possible, the potential for human error whether deliberate or not. Although, I don’t think automated controls are suitable for every type of control. Any control that is highly complex and/or requires judgement should not be left to automation since it would probably be nearly impossible to automate that type of control to cover every possible input needed, and output desired.
I believe it is more beneficial to “bake in” controls when creating a system, program, application, process, etc. Generally, when building controls into the product from the beginning there is less of an opportunity for the controls to cause issues within the code or process itself. Whereas, trying to create and implement controls after creation there is an increased chance of conflicts being created within the system from the introduction of a new step or control. That said, if the need for a control arises after something is already in place then that need for a control should be addressed as efficiently and practically as possible as fast as possible to mitigate its associated risk. After implementing the initial control personnel can make improvements or completely overhaul the control with a more efficient option when presented.
Priya Prasad Pataskar says
Sean, you mentioned about integrating controls while system is implemented. Definitely that is the time when system is new and ready to take in changes as less or no data is present. However I think the need for more controls would arise as company grows and the process becomes mature. Unless the process is explored in depth, employees may not be in a position to understand how many more controls they can automate. I thus feel, there will be many instances where controls would have to be added later. This might cause disturbance with data or system but taking that hit for disturbance is okay in comparison to having manual controls.
Sean Patrick Walsh says
I totally agree with your point regarding the maturity of a business, or more importantly the maturity of its processes. A business would have to have some type of “crystal ball” to fully define a process on day 1 of operations to know exactly what controls it needs 20+ years later. Just the rate at which technology changes would prevent a business from having the foresight needed to anticipate controls needed to implement today to prevent errors and fraud X years from now.
Brou Marie Joelle Alexandra Adje says
Sean, I agree when you say that “any control that is highly complex and/or requires judgement should not be left to automation.” In fact, automation provides predictable, consistent performance, it lacks judgment, adaptability and logic. Whereas humans provide judgment, adaptability and logic, we are unpredictable, inconsistent and subject to emotions. Automated operations are thought to be more efficient, reliable and accurate than humans. It is often thought that a machine can perform a particular function at a lower cost than a human can. While many of these reasons are true in some cases, humans still provide the valuable roles of decision-making, planning and creative thinking. That is why every business needs a mix of both. But with the way technology evolves do you think that machines will ever take over humans’ jobs?
Sean Patrick Walsh says
Good question, but we might need to specify which jobs. Machines have already taken over many jobs in manufacturing and sales for instance. Ford doesn’t need a human to do each step in the assembly process for a vehicle anymore, and Amazon doesn’t need a person to take every order placed for their goods or services. I saw an article recently that talked about Artificial Intelligence (AI) being sought to play a role in business planning for companies in the future. The premise being that AI given enough of the correct data needed can make better planning decisions than a human being can for a company. Now, I am not exactly sure that we can quantify and qualify all the “correct” data needed for a machine or AI to make business decisions, but then years ago I never imagined we’d have the technology to do a lot of the things that it is able to do now. Also, we have maybe a dilemma or ethical question to ask ourselves with regard to machines doing human jobs; should we allow machines to displace so many jobs when we do not provide options for those displaced workers to work elsewhere to make a living? As technology improves and we automate more and more work we eventually have to ask ourselves if our push to cut costs doesn’t actually externalize those costs onto society in more harmful ways than it did for businesses to begin with.
Abhay V Kshirsagar says
Interesting points. I think the fundamental idea of machines replacing human work force is based on the idea that machines can do it better and cheaper. Just a general observation, a simple job of picking fruits is still not replaced (at least from what I have seen) the machines are still having a hard time to visually locate the fruits and then pick them up in a way different fruits are supposed to be picked. Also, I think that as the technology advances, humans will have more jobs, but different from what we see right now. Like, for instance, after industrial revolution, jobs certainly increased. As long as the effects of all this on society goes, I think this will make things we buy cheaper and our buying power will increase; so if you think about it, we will not need much cash to sustain. Hope it wasn’t a topic drift.
Sean Patrick Walsh says
Technology has already displaced more jobs than it has created, so it may be wishful thinking to believe technology will create more jobs in the future at this point. Also, it isn’t just that machines can do a job cheaper than a human based upon salary costs. Businesses that automate work pay less in insurance, benefits, and taxes since machines need none of those. Machines also can work around the clock, are never late to work, and never get sick. You can only cut costs so much to sell a good or service cheaper, and just because a business makes a product more cheaply does not mean the consumer will pay less ultimately.
Victoria A. Johnson says
Great post Sean! I definitely agree with the points you made.
Sean Patrick Walsh says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Integrity is the backbone of a solid reputation in anything one does, but with humility in close second. Integrity takes time to build, but can be destroyed instantaneously if neglected. I think the best way to build a solid reputation is to first know what the right things to do are. Next, is to take that knowledge of the right things and to put it into a continual daily practice in everything you do at your job from the smallest to the most crucial detail. Don’t carry yourself as if you know all there is to know, but don’t allow yourself to be taken advantage of either. You can trust people, but always confirm so you have the correct information, and once it is known that you’re the type of person to always confirm information you will be less likely to be given too much bad gouge. Lastly, use your voice and speak up when appropriate. Having the gumption to stand up and question misconduct, potential fraud, or any impropriety in any way, especially when junior or new, can help reinforce your reputation of being known as somebody that does the right thing regardless of your position.
Said Ouedraogo says
Sean,
I totally agree with you. I just want to add that an auditor’s reputation also depends on his/her results in the field. You can have integrity and everything else, but if you do not provide good services to your clients your reputation will take a hit. In this industry, ethics is not enough. You will have to prove yourself by offering quality services and maintaining at the same time a good ethical character.
Binu Anna Eapen says
I agree with Sean. Integrity is a quality that should be in an auditor. An auditor should not be biased and be truthful to both the organization and client. Two qualities I would like to add here are assertiveness and being independent.
An auditor should be assertive as he/she must be able to establish confidence with the auditee and should be able to control the agenda. They need to ensure that the processes are in place and if it is deviating, get it on the right track. In case of stating any bad news the auditor must be able to do it confidently with the right facts so as to get the client/organization to believe in him.
Auditors also need to be independent as they would be required to work alone most often with little help and are required to travel often. They would be required to make decisions on their own and the business sometimes completely relies on their work.
Priya Prasad Pataskar says
I agree with your point Said. Auditor sure has a difficult job to do. Auditor must be friendly enough to let the auditee open up to discussions, but firm enough to give a non compliance for however small a concern may be. A smallest of non compliance has a potential to cause biggest breaches.
Auditor’s integrity determines his ability to make best judgement while maintaining a fair attitude. To bring up reputation it might take several audits and result of each audit will be judged on the basis of how the company performs. An auditor would be known, if there are no major security breaches in the company or his audit catches the flaws that prohibit the breaches. Many a times auditors have to put a stand in front of other auditors, auditees and management. Auditor must deliver integrity and honesty in all his activities right from collecting samples to verifying compliance.
Brou Marie Joelle Alexandra Adje says
Sean, success comes and goes, but integrity is forever. It pretty much means doing the right thing at all times and in all circumstances, whether or not anyone is watching. But it takes having the courage to do the right thing, no matter what the consequences will be. I totally agree with you when you say that building a reputation of integrity takes time, but it takes only a second to lose. The idea is that an auditor should never allow yourself to ever do anything that would damage your integrity. Unfortunately we live in a world where “the end justifies the means” has become an acceptable school of thought for too many people. What we should all remember is that yes dishonesty provides instant gratification in the moment but it will never last. So is it even worth it?
Said Ouedraogo says
True…but sometimes doing the right thing can be hard. What if as an auditor you are asked to hide some findings? If you don’t do it you will get fired. We all have integrity but sometimes we can encounter situations where doing the right thing is wrong for us. I think that sometimes auditors face some situation where they just close their eyes. I believe auditors have the hardest job to the extent that they will be judged no matter what they do.
Plus, ethics is something really complicated and difficult to measure and define.
Sean Patrick Walsh says
Said,
“We all have integrity but sometimes we can encounter situations where doing the right thing is wrong for us,” raises the age old concept of the moral dilemma. We can make the right decision for the whole and have one outcome, or we can make the right decision for ourselves and have another outcome. If we consider a decision due to where we come out on the other end of the decision, is that decision really rooted in integrity? Do we have to come out safe to have integrity when making a decision? Wouldn’t making a selfless decision often be a decision of integrity? I would be remiss to think people don’t make decisions based upon self-preservation first and foremost, but then the fact that so many people do make their decisions based upon that basis is probably why integrity is so rare, and so valuable.
Priya Prasad Pataskar says
Said, I think when it comes to audit, management would be fine and good to hide some facts, but when a breach would happen no one would be spared. In fact the auditor would be the one who would be questioned.
I agree that in some cases, nothing can be done but accept the risks. In such cases, it should be documented that the risk is accepted or there should be an exception process. With exception in place, auditor can confirm that the issue was highlighted, the management has approved it and this would ensure auditor’s integrity along with reducing the complexity.
Paul Linkchorst says
Hi Said,
To answer your question, there are some guidelines of how to go about reporting a fraud if someone is asking you to hide it. The IMA’s guidelines (Institute of Management Accountants) states that if you are asked to hide a fraud, talk to your supervisor. If the supervisor is involved, move up the chain of command which ultimately ends with the Board of Trustees and Audit committee. Likewise, it would be a good idea to consult an ethical counselor from an audit organization as well as consult an attorney. It is a hard thing to do as you said, but if fraud is occurring and you look away, you could be responsible for when the fraud is found. Likewise I know in the world of accounting, CPAs can lose their accreditation if found involved in fraud, which I would imagine would be similar to that of CISA and CISSP certifications. With that being said, fraud from the audit standpoint is not a common finding and therefore hopefully many auditors do not come across this dilemma.
Source: https://www.imanet.org/-/media/0d9349d680634dfba6ff9fce2fa89b12.ashx
Jaspreet K. Badesha says
Sean, I completely agree with your response to characteristics of an auditor. Integrity is definitely one of the most important if not the most important quality an auditor can have. Without integrity and unbiased an auditor is nothing as they will never truly see a process for what it actually is.
I also strongly agree with your statement / advice towards an auditor “Don’t carry yourself as if you know all there is to know, but don’t allow yourself to be taken advantage of either.” I agree that this is the most important of all. Not carrying yourself as know it all will help you build an acquaintance with the team you are auditing to gather information and it will help you get tips from other auditors.
Priya Prasad Pataskar says
SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
SAP GRC module will help organization plan governance, establish regulations and compliance within the organization. Our guest speaker last week mentioned that spreadsheets come into picture while managing data which is not the most convenient way once the data size increases. Nor are spreadsheets an acceptable form of document for evidence.
The cost of SAP GRC is high. But when GRC as a package can help companies establish governance that is directed towards targeted company profile, the cost is worthy.
SAP GRC helps manage governance activities which are very hard to keep track of including many of the following
• Non-standardized controls and visibility of controls
• Lack of efficient communication between business
• Difficulties in controls optimization
• Lack of visibility of controls
• Unclear roles and responsibilities
• Inconsistent processes
• Disconnected from business objectives and performance management
• High cost and disruption to management
There are several modules which help manage governance and that is why companies do not mind paying for the implementation costs.
1. SAP GRC process control – Helps manage life cycle of policy, compliance to the policy.
2. Fraud management – Helps monitor internal control environment to detect fraud or chances of fraud. It makes investigation and documentation of fraud easy.
3. Risk Management – Helps in identification of risk. This module helps decision making process to handle risks.
4. Audit Management – Helps in evidence collection, creating audit issue to deploy monitoring. It has a user friendly interface for auditors to deal with complexities of audit.
5. Global Trade service – this module helps manage business beyond borders and establish same set of governance objectives with the integrity along with country specific diversities.
6. GRC Capability module – Helps the 3 main tasks of governance – monitor, manage and analyze.
Binu Anna Eapen says
Great points Priya. One of the common concerns that any organization has is that the cost of ensuring that their systems are compliant with internal as well as external requirements especially as companies expand and change their IT landscape through acquisition and divestment. The compliance of the new systems with the existing requirement can be time consuming as well as a costly proposition. The stakeholders need assurance that risks are being addressed else if the vulnerabilities are publicized, companies are exposed to violations, fines, and the loss of business, which increases cost concerns even further. GRC technology is used to streamline the compliance work through process efficiency, data management and reporting capabilities.
Abhay V Kshirsagar says
Good post, Priya.
I would like to add another module to the list, the security module. The top issue that organizations see is reactionary to audit findings. A lot of times the issue is about excessive access users have, ability for users to perform multiple functions in a system that organizations want to further restrict. Also, auditors want these restricted as well to ensure that they are preventing fraud and taking measures to manage the access to their systems. This day and age, everything is on the system, everything can be managed through the system, so I think it’s very important that the users are limited to what they should be doing in the system and organizations have the ability and visibility into seeing what users are actually doing in the system.
Binu Anna Eapen says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Ans: Automated system controls provide strong internal control environment as it increases the efficiency of the operations improving accuracy and thus reducing the fraud/human error to a great degree. They are more reliable than manual controls. It is not subjected to human failure or error.
I feel that automated controls can prevent errors but for monitoring and evaluation, approvals there should be manual controls as well. For example, reconciliation of assets needs to be done to match if the inventory physically present and the record are the same. The amount of automated control depends on the firm and the requirements of the industry that we are looking at and may vary from process to process as well.
Mostly the controls need to be at the initial phase of building the process itself. When a business process is defined, the risks involved should be realized and the possible controls should be established. But with the growth and enhancement of technology more and more risks tend to arise within an organization. These risks too need to be studied and controls need to be defined whenever the need arises.
Priya Prasad Pataskar says
Well said Binu. I think automated controls should be in place to strengthen the system. How much ever manual controls you make, as humans we are prone to errors, importance must be given to automate most of the controls. Except for those which need judgement based decision making. The important thing is to train employees to ensure they know what is the objective of having automated controls. This should be done with one reason, if automated controls fail or there is system failure, company should not find it difficult to shift to manual controls.
Brou Marie Joelle Alexandra Adje says
Binu I agree with you when you say that “automated controls can prevent errors but for monitoring and evaluation, approvals there should be manual controls.”
In fact, today’s businesses need both manual and automated controls. Some industries will have more of one than the other, but should not only rely on one type of controls. Airlines, for example, could program cockpit computers to shift control back and forth between computer and pilot during a flight. By keeping the aviator alert and active, that small change could make flying even safer. Similarly businesses should have automated controls in place for processes such as backups of application and data files, network security (the use of firewalls, intrusion detection system etc) to ensure consistency and reliability in control operations over a period of time without manual intervention. There are controls, however, that should require manual operation. For instance, approvals of changes prior to implementation into a production environment, periodic user access reviews, reconciliations of transactions, are all controls that organizations should certainly consider having in place.
So, in terms of how much of automated controls should be desired, I think that as long as there is a combination of powerful automated systems and experienced human insight, businesses should have the best risk management outcomes.
Ming Hu says
Nice point Binu. I agree with you that for monitoring and evaluation, it must be done manually. If a supervisor review and sign-off of a document, or bank reconciliation, or having an employee sign a privacy policy acknowledgement, it would be meaningless if these were done automatically; what’s worse, it may provide opportunities for bad guys to commit fraud.
Brou Marie Joelle Alexandra Adje says
In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
Most of the leaders were arrogant and had unethical behavior which eventually had a negative impact on their company. So yes, bad leadership is a root of control failures because if you think about it leaders make the crucial decisions so if these decisions turn out to put the company at risk, it is their fault.
Let’s take the example of Enron scandal which was one of the biggest failures in the world of business history in the US. While dubious accounting practices are said to be the reason for failure, these practices were driven by top leaders. These leaders were creating an aura of invincibility and promoted the idea that everything was fair in order to become the biggest company on the planet. Thus with the goal of achieving financial goal they put employees at risk by engaging in malicious practices including, tweaking the financials, and playing with performance measurement metrics. To make matters worse, when the company started going down, one of the top leaders, Kenneth Lay, started selling Enron shares and encouraged employees and investors to buy the stocks. There was a culture of fraud and cheating at Enron which was implemented by leaders who encouraged unethical behaviors.
Similarly, the WorldCom failure was due to an unethical leader, Bernard Ebbers, who owned hundreds of millions of dollars in WorldCom stock, which he invested in other business ventures. As the stock price dropped, Ebbers convinced the board to lend him the money so that he would not have to sell substantial blocks of stock and began an aggressive campaign to prop up the stock price by creating outright fraudulent accounting entries.
In my own real world control failure presentation focusing on Target failure in Canada, leadership failed in providing vision, strategy or execution. Leaders assumed that Target’s huge success in the US would be easily transferred to Canada and didn’t do their homework. They had unreasonable expectations and opened over hundred stores in one year. Why? Because they were just too greedy.
Said Ouedraogo says
You are absolutely right about leaders being greedy. When you think about it those guys were only victims of their own greed. I am not saying that what they did is justified, but they are not the only ones to be blamed. In order to have fraud there must be pressure, opportunity and rationalization (Triangle fraud). Well, those leaders were pressured by the Board of directors and shareholders to make profit, they had the opportunity to manipulate the books, and they rationalized it by saying to themselves that they have to do whatever it takes to make profits. However, they have also seen it as a way to make more money for themselves because the more the company makes profit the more their bonuses increase.
Annamarie Filippone says
I definitely agree that unethical leadership was a root for many of the control failures we discussed. The behavior of leaders is seen and mirrored by everyone else in the organization, which is what allows such unethical practices to be successful (for a short time, at least). If it was a few lower-level employees that were attempting to commit fraud, they may get away with it for a while. But I think others in the organization would be more willing to say something and bring the activity to light. However, when it is the top leaders engaging in fraudulent activity, very few, if any, are willing to go against them.
Paul Linkchorst says
Hi Alex,
If you have the opportunity there is a great book called “The Smartest Guys in the Room” which outlines the various characters involved in the Enron scandal as well as goes into some detail on how the company fell. It is quite long but worth the read and shows how culture and organizational leaders can steer a company toward collapse. To put short though, one of the fundamental tones that top leaders had at Enron is to “do whatever it takes”. The company had a very cut throat culture and competition among employees was nasty. However, this attitude was encouraged. Similarly, the company was willing to take on more aggressive accounting principles which got into the grey area and ultimately misled investors. Therefore, this attitude seen at the top was taken by the more aggressive employees throughout the organization by heart, which caused the organization to not implement any safeguards and ignore the already small amount of internal controls in place by the organization.
Brou Marie Joelle Alexandra Adje says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
First of all, strong ethical characteristics are fundamental to audit success. Throughout my career as an auditor I will make sure to possess a strong ethical foundation and avoid any temptation to “let it pass” when a deeper review of an issue may reveal error or fraud. My overall character as judged by other people is my reputation. In order to build it, I have to be credible, because the greater the audit credibility, the more likely that I will have higher reputation. So I will deliver high-quality audits and adhere to strict codes of conduct, including committing to integrity in my actions and accountability.
Magaly Perez says
Alex, I agree with your post. An auditor must possess a strong ethical foundation and avoid any temptation to let things pass. As auditors we must use our sound judgement, while doing an audit to get down to the root of the risk and vulnerabilities. Maintaining our credibility is essential as it speaks for our work. Communication skills are a vital component as well, clients and staff must feel comfortable speaking with you so you are able to effectively do your job.
Yulun Song says
I agree with you Alex. It is really hard for auditors when they meet some special situations, like your close friends or family members involved in trouble and asking for your help. However, as a credible auditor, I think we all should treat them and do our job properly.
Yu Ming Keung says
Great post, Alex. As auditors, we need to use our own judgement when we are undergoing any special situation, which means we have to remain objective throughout the audit process. If we fail to remain objective based on our integrity, the results of the audit would be skewed and therefore our opinions of the result of the audit will not represent what really is happening in the companies.
Wenlin Zhou says
Yes, I agree with you. Unethical behavior is not only what you believe to be right and fair, it is a reflection of your personal brand and what people can expect from you personally and professionally. Therefore, the independence is very necessary for the auditor, and auditor should obey the ethical code such as AICPA ethical code.
Magaly Perez says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I think the amount desired for automated controls depends on the business itself such as size, industry and the type of control. However, generally speaking, I think automatic controls are very beneficial but shouldn’t be used in complex situations. Their ability to bypass/ detect human error and improve consistency are great. As for the amount that should be used, should be contingent on the business. I do believe that automatic controls should be used when the needs arise, by doing so it would allow the control to address the specific issues and be more efficient.
Said Ouedraogo says
Magaly,
I agree with you. I would just like to add that it also depends on the amount of money an organization is willing to spend on automated controls. Most of them will conduct a cost-benefit analysis to decide if they should go for it or not. And yes, it depends on the size of the company. I will recommend that a small company invest its money on other aspects of the business than automated controls. In fact, as a small company manual controls are manageable. The question of automated controls should come when the company is expanding.
Magaly Perez says
2. In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
As we learned about the leaders involved within the real control failures, their characters seemed to be coy, eager, likeable and in positions of power. Some real world control failures were due to lack of control monitoring or actual controls. However, some of them had to deal with ethical practices, such as accounting fraud. The leaders that were involved within these cases were able to move through the ranks of the company by gaining the trust of their cohorts, while stealthily abusing their power and stealing from their companies. An example of this would be Enron, Kenneth Lay and Jeffrey Skilling led to the downfall of Enron. During their leadership, improper trade practices were used, accounting frauds were committed, corporate culture and ethics in general were unethical. I believe that they were the root of the control failures, like many other companies. The tone-at-the-top commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. However, failure to align ethics and values to business strategies and operating plans can potentially bear heavy costs, such as in the case of Enron.
Sean Patrick Walsh says
Fraud examples like Enron are easy to paint specific individuals, especially C-Suite level, as greedy self-interested parties behind the actions and benefits of the fraud. It fits the narrative behind fraud too in that fraud is carried out for the benefit of one or a handful of individuals. What I think a lot of people miss is the type of fraud that is carried out not solely for the benefit of one or a handful of people, but for the benefit of the business. There are many examples of fraud that happen in businesses that are publicly traded due to the immense pressures placed on those businesses by their boards, shareholders, banks, and Wall Street firms. The term “financial engineering” is often used as a euphemism to describe the types of accounting fraud that take place so those companies can shift expenses and revenues around to other reporting periods to “smooth” their growth and earnings trends because Wall Street doesn’t like to be shocked with earnings results. The immense pressure drives the businesses to carry the fraud out since all employees and stakeholders are rewarded and punished alike by those earnings results. It’s easy to single out and punish the executive who commits fraud to pay for a lavish lifestyle with their theft, but how do we single out and punish the employees who were trying to “save the business” with their actions? It’s not necessarily a question of their actions being mutually wrong and fraudulent so much as one’s actions are self-interested whereas the other’s actions aren’t. The underlying cause is the pressure placed on businesses to produce “growth” placed on them by Wall Street firms and analysts, Wells Fargo’s recent customer accounts scandal is an example, that business employees feel almost required to do whatever it takes to meet those projections to save their jobs, and the business.
Paul Linkchorst says
Sean,
I think many of the c-suite executives do certain actions because their value is directly correlated with the business’s success since most of an executive’s payment comes in stock options. But you do bring a good question. For example, what if a business is losing money due to economic conditions and to make sure the company stays afloat, an accountant might record the wrong expense to “reduce” company expenses? Personally, it’s still fraud in my book and while it might not be personally motivated, it still has the pressure portion of the fraud triangle. If an employee feels that they must commit fraud to save the company they work for, I would suggest to them to start looking for a new position with another company. I suppose it’s easy for me to say since I am not in that position, but if I were I would hope that I would not do such a thing.
Said Ouedraogo says
I agree with you guys. As I said in one of my posts, management is at the same time the defrauder and the victim. The C-suite are victims because they are under pressure from the board and shareholders (who can be us). They are pressured to make profit and increase stock price… However, this is where morals come into play. And as you said Paul, once you feel that you must commit fraud to save the company, you need a new job. But, it is really easy for us to say that because we have not been in a situation like this. As Tyson said, “Everybody has a plan until they get punched in the mouth.”
Magaly Perez says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Strong technical and ethical characteristics are fundamental to audit success. These are not news to anyone and should be considered a starting point set of characteristics that is expected of all auditors. A good auditor continues to build upon these over the course of their career. I would build my reputation while maintaining good ethical character by honing in on my people skills, ability to communicate effectively, ability to intuitively understand what the client’s business is all about, while carrying out the audit determine a bigger picture of any issues at the business and to translate them into what they might mean in the future. I believe leadership characteristics can be taught but leadership must be earned day in and day out. I would use my leadership skills along with my ability of decision making to overall, build upon my reputation throughout my career, while maintaining a good ethical character.
Yu Ming Keung says
You are absolutely right about having strong technical and ethical characteristics. As auditors, we are using our professional skills to audit and study our clients, who may intend to bribe the auditors so that ethical characteristics are absolutely important to keep us clear and stay away from any business fraud.
Wenlin Zhou says
I agree with you. Audit independence refers to an unbiased mental attitude in making decisions throughout the audit and financial reporting that without independence, audit has no value, as the result, auditor should maintain independent and exists to professional ethics, Independent auditor is expected to be without bias with respect to the client under audit and should appear to be objective to those relying on the results of the audit. Similarly, auditor independence refers to the auditors’ ability to maintain an objective and impartial mental attitude throughout the audit.
Magaly Perez says
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
The objective of GRC is to help a company efficiently put policies and controls in place to address all its compliance obligations while at the same time gathering information that helps proactively run the business. Done properly, GRC creates a central nervous system that helps you manage your business more effectively. Although the cost of SAP GRC is steep, the services it supplies can be extremely beneficial. Overall, GRC supports governance activities which are very hard to keep track of, such as the following:
– Access governance
– Audit management
– Business partner screening
– Controls and compliance management
– Enterprise risk management
– Fraud management
– International trade management
Overall, the capabilities mentioned above, which help navigate risk, manage controls/compliance confidently with governance, back the reasoning in which companies do not mind forking out the money for the SAP GRC Module.
Deepali Kochhar says
Great answer Magaly. Implementing SAP in itself demands a big cost. Looking at that cost, the cost of GRC is worth putting in, in order to make sure of a good ROI of the SAP tool. It provides good governance, risk and compliance control to monitor the activities and processes happening in SAP. This ensures that the system is following compliance and also provides assurance to the clients that their data is in safe hands.
Paul Linkchorst says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I think that in cases where it will be reasonable for a control to be automated, then there is a preference for that control to be automated than a manual control. The major benefit that an automated control has over a manual control is that of reducing the human element of error from the equation. It is one of the major reasons why we see applications perform automated reconciliations or populate textboxes automatically. On top of that, I do think controls should be considered when designing a process and not just be an afterthought. This way, a process is secure from the start; if it is implemented afterwards, sometimes the control placed into the process doesn’t always seem to fit as opposed to a process integrating/revolving around a control. An example can be the Order to Cash process. If I were designing this process from scratch, then the vast amount of controls within the process should be thought out ahead of time. Within the OTC process, segregation of duties is a huge control that is better implemented at the design phase so adequate staffing of the process is made available. If you start the process and then decide you need 2 or 3 more employees to properly segregate it, then that can affect the implementation’s effectiveness and efficiency going forward.
Paul Linkchorst says
2. In the Real-World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
In a majority of the control failures that I have been exposed to in reading and through the class presentations, it would seem that the leaders involved did lack character. In my control failure presentation, the leader who committed the fraud was motivated by greed, since he inflated the company’s revenue which ultimately increased the valuation of his personal stocks within the company. I would not paint a broad stroke and say that a lack of character is the root of all control failures, however, I would say that a lack of character is the root of many and more notable control failures. Character is very similar to the saying that we learned in IT Governance, which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do. Therefore, for many individuals who look to circumvent controls either due to wanting to complete the task quicker or for personal reasons such as monetary value, would lack character. From control failures as large as Enron to a control failure at a mom and pop shop, many of the leaders involved have lacked character due to trying to cheat/gain advantage immorally even though they had “reasons” to do so. However, some control failures could be due to straight negligence or lack of business understanding when designing the controls and due to this poor design, an error can occur. With that being said, I do think character can oftentimes be associated as the root of control failures.
Paul Linkchorst says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Overall, ethics is a big area in the audit environment and something that should frequently be reinforced. In the case of an external auditor, credibility, integrity, and objectivity principles play a big role. A company or department undergoing an external audit could try to bribe an external audit team to look the other way in regards toward insufficient controls or fraud. It is up to the auditing team to have “integrity” in order to refuse bribes and mitigate conflicts of interest, as well as “credibility” as to disclose all information in an objective manner that is free from bias. Also, external auditors should be competent in their work in regards to keeping up with the most recent changes in IT practices, laws, and regulations. Auditors also need to practice confidentiality in regards to keeping the auditee’s documentation and IT systems confidential and not using the information to gain an unfair or illegal advantage. I think overall, a person in this industry needs to be reminded that they are the voice of reason within a company if they work internally or work on behalf of the public if they are an external auditor.
Paul Linkchorst says
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
GRC is a SAP module that is utilized to centralize and link the business risks, controls, and operations of an organization. Like other SAP implementations, implementing the GRC module can be a costly task. However, SAP states that this module can help maximize performance by managing regulations and policy compliance. With that being said, I believe this module gears more toward compliance with federal regulations such as SOX. Just like SOX is aimed at protecting shareholders, I do think the cost of a GRC can be justified for that reason and is something that stockholders should be supportive of. Essentially having an effective control environment, which can be achieved utilizing GRC, will reduce the risk of fraud and error throughout the company. This means that while the dividend or ownership value might not be as high due to the additional expenses, it makes a company one is investing in much more secure. In the perfect world, there would be no need for internal controls or a system like this. However, the cost of assuring that a business is running effectively, efficiently, and within laws and regulations should not outweigh the benefits from such a project.
Annamarie Filippone says
Q1. How much of automated control should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Automated controls are useful for certain controls, specifically ones that are simple and do not require much judgment. Automating these controls can remove the risk of human error, whether it’s a mistake or intentional. Controls that require judgment calls on proper courses of action should remain manual, as these are typically too complex for automation. I believe controls should be considered at the initial design phase, to an extent. Risk assessments can help an organization determine which controls should be implemented immediately. But as time goes on, new risks and thus new, previously unneeded controls may be required, so organizations will also have to consider controls as the need arises.
Yu Ming Keung says
I totally agree with you. Risk assessments are very useful to determine what controls need to be determined and what controls need to be automated or manual. I think it is better for organizations to controls the risk assessments every 1/2 year to look for new risks and controls the company might need to consider adding. Either way, organizations still cannot avoid adding / adjusting their controls when needs arise even if they design them initially.
Vu Do says
Annamarie, you raise a good point about unforeseeable controls that could arise later on after the design phase has been completed and production is in order. New controls would have to be put in place to deal with any new problems that arise and during the design phase you cannot predict that this problem would occur to deal with it. This is a time factor with new technology being introduced, we have to now adjust things to incorporate it. For example, the new machines that use iPads as registers now, that is new and has to be adjusted to fit into the companies’ location and such. These are new and good things but again controls must be put in place to make sure those machines do not get hacked.
Annamarie Filippone says
Q2. In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
In many cases, the leaders involved in high-profile control failures were greedy, always looking to increase the value of their company, and were definitely a root for the control failures. Creating an organization that respects the controls in place starts at the top, and trickles down to those working beneath. These leaders knowingly worked around controls, and often pressured lower-level employees to do the same, in order to achieve their goals.
Yulun Song says
True. Greed is a key that leads them to bend the rules. Someone is greedy for money, someone is greedy for position, someone is greedy for fame. A person who is in a key position of a business or a government position should not only work for benefits of an organization, but also gain positive and true reputation to the entire environment (both business and society).
Annamarie Filippone says
Q3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I believe that the way in which auditors conduct themselves while interacting with customers is a key to building and maintaining a good reputation. It is important to balance personality with professionalism. No one enjoys being audited, but clients are typically more agreeable when the auditors are personable and reliable, regularly communicating important information in a pleasant way. But, at the same time, auditors must keep space between themselves and their clients in order to maintain their independence and not tarnish their reputation with perceived conflicts of interest.
Yulun Song says
That is true, independence in any type of auditing area is the most important word to measure the auditors. Many large auditing companies were involved in economic crimes due to the lack of independence. Even if the client is your close friend or family member, we should still keep space from them and do our job properly.
Yulun Song says
2. In the Real World Control Failures, we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
It is a root of the control failures, those failures were due to the negligence and failed controls to lead negative results. For example, what I did was Morgan Stanley’s control failure, the internal control failures related to avoidance of conflicts of interest; comprehensive documentation of its electronic trading systems, disclosure of short selling orders, compliance with position limits and reporting of large open positions, and execution of client instructions in connection with futures and stock options contract reporting obligations. Those control failures truly related to the character of the leaders.
Yulun Song says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
It is crucial to build reputation and maintain a good ethical character in the audit industry. One important element is “Do your job.” These three words are really easy to understand but they are hard to reach. First thing is treat every customer fairly. Some customers may be angry customers, some may be nice customers, some may be your friends, may be your family members. How to treat different relationships? Do your job. Some angry customer may scream at you, may curse you, may post bad reviews online, however, we should treat them in a calm motion. Some may be nice, but we still need to keep our calm to do our job. Do not do beyond your job depending on people’s attitude. Nice people may ask you more to do something but we should still do our job. Some friends or family members may ask you to do job on their companies or businesses, we should still consider that do not bend the rules, and use independence as our measurement.
Paul Linkchorst says
Hi Yulun,
Interesting answer to this question with the “do your job” mentality. I think one of the key takeaways from this motto is that employees are tasked with performing certain actions or providing certain knowledge. While it is important to create efficiencies, it is not part of one’s job to take shortcuts or circumvent controls. Therefore, from a decision-making standpoint to either do a job right or take some sort of shortcut, this motto might help employees decide to do the right thing and thus maintain or improve their character.
Yu Ming Keung says
How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I think the amount of automated controls desired by organizations should depend on the type and size of the organizations. Automated controls are the ideal control because automated system controls are a key part of a strong internal control environment. They can help an organization increase efficiency of operations, improve accuracy and help eliminate fraud. A major advantage of robust automated controls is that they are more reliable than manual controls. They work automatically and are not subject to human error or failure. In my opinion, it is more beneficial to consider controls at the initial design phase than to introduce them when needs arise so that the process will be secure from the start.
Ming Hu says
Nice point Yu Ming. Automated controls do have many advantages over manual controls for improving efficiency, eliminating fraud or reducing costs of human resources. But they can’t help us to make a decision or judgement; for example, a company might use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format would replace paper documents, but for those procedures such as approvals and reviews of transactions, and reconciliations and follow-up of reconciling items, it only could be done by authorized employees.
Yu Ming Keung says
12. In the Real World Control Failures, we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
In my case, the CFO and CEO who were involved in the case cooked the books to make its annual report look better than it was supposed to. I think the characters of the leaders are greed and a heart of ambition to meet expectations, since the CFO who falsified walnut costs in order to boost earnings and meet earnings estimates of Wall Street stock analysts. Diamonds needed to pay more to its growers in order to maintain longstanding relationships with them. The CFO wanted to meet the expectations of Wall Street so that he could maximize the valuation of his bonus or stocks. I would say the characters are not the root cause but a relevant cause of the control failure because the lack of internal controls and communication would be the root cause to create room to motivate him to commit this fraud.
Wenlin Zhou says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Learn as much as possible about your chosen subject matter. An efficient way to do this is to partner with someone who’s well-respected in that legal area, Summerville says. Offer to help on a case with some writing or research. Make sure you’re known for producing excellent work, and reinforce that reputation with others. It takes seven to nine instances of reinforcing the idea in the minds of others to get your name and a new practice area linked in a positive way, she adds.
Do some public speaking. Speak to groups where you might find clients or at least build relationships, Mitchell said. You might also write an article for a trade publication that potential clients might read.
Stay current with best practices. For instance, clients increasingly value efficiency, so although perfectionists have many admirable qualities, firms likely would not seek out someone with a reputation as a perfectionist, Summerville says.
http://www.americanbar.org/publications/youraba/2015/july-2015/how-to-become-the-lawyer-you-want-to-be-known-as-.html
Tiesha Christian says
Wenlin Zhou – I like your points about offering to help whenever possible. Becoming a subject matter expert and remaining eager to learn. People do love to witness such behavior, especially in the audit industry. Having great work ethic gets you great visibility in front of management as well as clients. It may get you awesome exposure to some great projects as well.
Wen Ting Lu says
I agree with you! Chambers said, “If you want to be successful, you have to be willing to invest in yourself.” Nonstop curiosity helps even the most experienced auditors gain new insight. As business needs shift, professionals should be proactive about developing new areas of expertise. In order to build up reputation and maintain a good ethical character in the audit industry, there is so much auditors need to learn simply from a business standpoint, not from a technical standpoint, and not from a leadership or interpersonal standpoint.
Source: https://global.theiia.org/news/Documents/7%20Attributes%20of%20Highly%20Effective%20Internal%20Auditors.pdf
Fred Zajac says
How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
The automated controls should be identified during the implementation stage. The automated controls should be used when a new user is added to the system. The system will set the automated controls based on the user group. This is an effective way to quickly set controls on users.
There are instances where automated controls can’t fulfill the requirements. The IT personnel initiate these controls, and on an as-needed basis. The proper change management procedures should be performed and approved by the required personnel.
It is beneficial to consider both the design phase and during operations. The benefit for automated controls during the design phase is time management. It would take a long time to set controls on each user / machine. Automated controls reduce time, saving money. But, these are standard and at times need to be customized based on the roles of the user. This should be allowed as long as the proper changes are reviewed and approved.
The important thing is to remain firm, but flexible. Follow the rules and don’t deviate from the controls unless it is discussed with all appropriate parties.
Fred Zajac says
In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
The tone at the top sets a company culture many employees will take as gospel. Especially to a young, inspiring adult with limited exposure to different company cultures. The leaders involved in the control failures are the root of the problem, and their actions breed a similar fruit.
It isn’t uncommon for leaders to be admired by lower level employees. The façade of a great person is created because of the success, but the success is bred from fraud and deception. The lower level employees see what the leaders are doing and believe the actions, morally or ethically correct or not are the standards.
The characters we saw in the real-world control failures were scared and insecure with the business. The fraud activities were a direct result of “losing control”. They somehow or another fell off track and were afraid of the problem being discovered and blamed on them. So, they resorted to unethical actions.
Maybe, it might be a good idea for a company to provide a therapist for their employees.
Fred Zajac says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
One of the most valuable things I took away from my time in the military was the 7 core Army Values.
Staying true to these values will ensure a good reputation and solid ethical character.
1. Loyalty – My company and customers are my family. I will pledge allegiance to both.
2. Duty – Fulfill all my obligation and try to go beyond the norm.
3. Respect – How I treat others will define my character.
4. Selfless Service – Company and Client Welfare before my own.
5. Integrity – Do what is legally and morally right. Moral compass and inter-values
6. Honor – Hold my values close to me
7. Personal Courage – Ability to face fear and danger
If you follow these rules, your reputation and character will blossom.
Wenlin Zhou says
How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
The IT application controls are the opposite of the manual controls. These controls are implemented in the IT or ERP systems and are used every time transactions go through the system. In other words, these controls are enabled and effective for the whole population, as these controls are normally settings in the IT or ERP systems. These controls can be tested in an efficient way, thereby reducing the cost of compliance. Examples of IT application controls are the three-way match, automatic invoicing after goods issue, purchase order approvals, interfaces, authorizations, and segregation of duties. Identification of automated controls and taking them into scope for management assessment or external audit constitute important steps in an efficient SOX approach. The assumption is that the automated controls do not change much after the first full test year (this is often a time-consuming change process). Although the test of operating effectiveness can be carried out much more quickly in subsequent years, a substantive effort has to be made by management and the external auditor. The challenge is to determine how the already more efficient reliance on automated controls can be used in an efficient test approach.
Wenlin Zhou says
SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
In general, we deal with GRC issues in situations involving SOX or HIPAA, and when working in the public sector. This area of control and access management is highly important, and usually narrowly focused. The SAP GRC module is targeted at this area and implemented for control and governance of users and systems. GRC is not intended to assist with license compliance and analysis. Nor is GRC intended or focused on cost savings with regards to your SAP licensing. For organizations already running GRC from SAP, it provides the following additional capabilities:
1. Cost control based on usage
2. Cost savings by optimizing and adjusting user license types
3. Cost savings from analysis of indirect access by third party applications or internal processes
4. Cost savings from licensing structure analysis and “right-sizing”
5. Cost savings resulting from user consumption which may violate the SAP licensing agreement
https://www.snowsoftware.com/blog/2015/02/09/grc-equal-sam-sap/#.WE3FS6IrKu4
Seunghyun (Daniel) Min says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
From the cost-effectiveness and reduced human-error perspectives, it would be desirable to have as many automated controls as possible implemented in an organization. This is because the more controls are automated, the more efficient and easier it is to maintain a business process. Moreover, I believe an organization should consider designing controls at the initial design phase as well as introducing them as and when needs arise. If controls are designed during the initial design phase, they can be created more effectively for each specific business process. On the other hand, it is not possible to come up with every control during the design phase, so it is also necessary to introduce more needed controls as and when needs arise.
Tiesha Christian says
Seunghyun (Daniel) Min – Yes you are 100% correct. Having automated controls in place does call for less human errors. It makes things simple and causes less stress. It makes things easier to keep track of and it also makes it easier for companies to be visible. Versus when things are not automated. Errors can occur and go undetected.
Seunghyun (Daniel) Min says
2. In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
The common character of leaders involved in the Real World Control Failures we’ve reviewed in the class is that they had a lack of knowledge in IT security. Back then, to be honest, management didn’t pay too much attention to their IT/IS security because they didn’t really have much knowledge about it and thought it was an IT department job, which is why they hired them in their organization. However, as we’ve much discussed, IT security is no longer only the IT department’s chore. It should be handled by the very top of its business leaders. I wouldn’t blame everything against them; however, they definitely had much of a root of the control failures.
Seunghyun (Daniel) Min says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I definitely agree with the question above. Doing audit is not only going in auditee’s sites and checking and making sure what they are doing rightly/incorrectly, but making a strong relationship with the auditees. As to become an IT Auditor in the future, I will build my reputation and maintain a good ethical character in this industry by 1) following every industry compliance and regulation; 2) being honest and genuine all the time; 3) caring/treating my clients as if I am their employee; 4) interacting with my clients personally; 5) having a mindset to really help to become better and grow.
Seunghyun (Daniel) Min says
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
The SAP governance, risk and compliance (GRC) solution is a great way to maximize performance, both strategically and operationally, through managing regulations and policy compliance. It also mitigates any type of business risk, from Financials to Human Resources, environmental concerns to trade management. GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance and a better understanding of the impact of risk on business performance. Governance, risk management and compliance have many valid definitions. The cost of GRC can be justified by quantifying its costs of damage when its governance, risk and compliance are not met. And most of the time, when an organization is determined to have failed to establish, mitigate and regulate its governance, risk and compliance, they need to pay a lot more to correct the situation.
Source: http://www.integrc.com/overview-what-is-sap-grc-integrc, http://blogs.gartner.com/paul-proctor/2013/05/13/why-i-hate-the-term-grc/
Mansi Paun says
2. In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
The character of the various leaders involved in the Real World Control Failure scenarios can be listed as below, or as a combination of the below qualities:
a. Irresponsible
b. Selfish
c. Lax
d. Over-confident that they will not be caught
e. Fraudulent
f. Short-sighted and Myopic
In my view, it is these very qualities that are at the root of the control failures. Many of the cases that we reviewed were related to Fraud. We know that given the opportunity, pressure and rationalization, any human has a high tendency to commit fraud. So in cases where the failures were due to non-leadership level employers, there was a shortage of good governance practices or the leadership being irresponsible. Had the leadership level set the right tone in the organization, chances are that employees would have refrained from committing large frauds. Also, in that scenario there would have been a high probability of the fraud being caught earlier on. In cases where the leadership itself was involved, they were characterized by utter selfishness and over confidence in themselves that they wouldn’t be caught. In that situation, where leadership itself is promoting fraud, I’m certain that employees wouldn’t have been encouraged to have ethics and integrity thereby propagating a culture of dishonesty and greed above everything else. Had the leadership been more vigilant and communicative of ethical practices, integrity and ensuring that business is done right, there wouldn’t have been such large scale control failures.
Binu Anna Eapen says
Mansi, I like the point about setting the tone in an organization. The tone has to be set by the senior management and should be reflected throughout the organization. Tone can be analyzed in 3 different ways: 1. internal controls 2. ethical values 3. culture and behavior. Setting the tone has a great impact in the overall organization and contributes to long term success. If the leaders themselves are fraudulent then it affects the entire organization like in the case of Satyam Scandal. Even when leaders are not directly involved in the fraud, they can still cause the organization to fail if they are not able to make the right decisions at right time and punish the fraudulent.
Mansi Paun says
Absolutely, Binu. A majority of the real world control failures occurred when management failed to set the right tone. As you rightly pointed out in the case of Satyam too this was very evident. When management tries to instill integrity and ethics and also promotes whistle-blower culture, employees tend to be more aware that their actions will have consequences. So whether it is out of personal integrity or fear of getting caught, employees would not risk committing fraud. Of course this is w.r.t. committing fraud. But the right tone also helps in employees taking ownership of their actions and being held accountable. A culture of openness would give even the employees at the lowermost levels to speak up and voice their concerns which is greatly beneficial to the growth of a company.
Abhay V Kshirsagar says
SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
SAP GRC, although expensive, is crucial to navigate different risks and manage controls, compliance with governance, risk and compliance solutions.
The cost is justified as it will help organizations integrate and automate important GRC activities into existing processes. It will also help organizations mitigate reputational risk by protecting them and also the financial health by ensuring strong risk management practices are followed. In another instance, one of the most common risks faced by organizations is fraud. The SAP GRC modules that deal with fraud management can help organizations minimize their financial loss through early detection functionality and its effective alert investigation functionality.
Binu Anna Eapen says
Well said Abhay. GRC helps to control the risks to a great extent. Nice point about the Fraud management. Fraud has become a global concern for all the companies. SAP provides SAP Fraud Management which helps companies analyze and manage information that pertains to fraud risk. This capability gives management the ability to quickly identify and further investigate the potential cases of fraudulent activities.
Mansi Paun says
Rightly said Abhay, further to what you mentioned, GRC also has the following key benefits :
Better higher quality information—Integrating GRC information allows management to make more intelligent decisions faster
Process optimization—Non-value-added activities are eliminated and value-added activities are streamlined to reduce delay and unnecessary variation
Better capital allocation—Identification of areas of redundancy and inefficiency allows financial and human capital to be allocated more effectively.
The net outcome of all the activities above means GRC activities are directed to the appropriate people and departments thereby improving efficiency in the process and organization as a whole and in turn this adds reduced costs and more profitability.
Vu Do says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
A certain amount of automated controls should be implemented depending on the job procedure. They are important since they can get done more than humans and they eliminate human error. There has to be humans of course controlling the automated machines since problems can arise such as a jam that needs unclogging. The controls are important at the design phase since it could put in place what human jobs should be included. Controls at the design phase are the ideal spot since it is the blueprint for what is needed to get production started.
Abhay V Kshirsagar says
In the Real World Control Failures, we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
In real world control failures, we saw the example of Ramalinga Raju in the Satyam case. He committed fraud by creating fictitious transactions in order to assert that the company’s balance sheet was strong. I think one of the biggest similarities in the characters of people like Ramalinga was excessive self-confidence. This excessive self-confidence was developed through their careers where they took risks and gained rewards. And, I think that it then pushed them to take risks that did not meet any moral standard, nor did they make any business sense. I do believe that this is the root of the control failures as leaders are expected to be the ones who will be held accountable or in some cases the ones who will protect the stakeholder interests. Therefore, there has to be a framework that prevents such leaders from getting into this mental state.
Deepali Kochhar says
To add to your point Abhay,
The following character of the leaders were the root cause of most of the Control failure:
Lack of leadership
Improper accounting practice where leaders were involved
GAAP- Matching principle was broken by the leaders
Lack of full disclosure by the leadership
Improper controls and monitoring in finance division
Improper risk management and risk disclosure
Tiesha Christian says
Abhay V Kshirsagar – I see where you are coming from. But what if the controls don’t stop the leaders from getting into a negative mind state. What if they just have a knack for being unethical and just so happen to be good at their roles and made it to a high position? What do you recommend is done in this sort of scenario?
Abhay V Kshirsagar says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
The corporate scandals have damaged people’s confidence and credibility, which resulted in massive criticism towards corporations. So, building reputation and credibility is certainly a challenge. In one of the guest speaker meetings, the guest speaker mentioned as to how if a new auditor starts talking in their language during the research phase, it can help build credibility in the team. For instance, in a Windows audit, using keywords like DHCP, etc. The senior auditors will notice that you have the relevant knowledge (which you should have). Also, asking questions; if you ask them something and generally show that you need to educate yourself. And, building relationships always helps build credibility. As far as ethics go, in addition to having the basic business ethics, one should, especially an auditor should be able to voice or question in a scenario of a potential fraud or against someone who is trying to jeopardize the audit process.
Mansi Paun says
That’s a great point, Abhay. You’re right when you say that to build a reputation you first have to have knowledge of your domain. One can have all the integrity and ethics in the world however if he doesn’t have knowledge, there is little that the integrity would add to your reputation. Basically, let your knowledge speak for itself. Also, I think that if an auditor knows in and out of the systems he/she is auditing, he/she would know how to present and report findings. In my view too, knowledge of subject matter trumps everything else when it comes to building a reputation as your knowledge is your best USP.
Deepali Kochhar says
To add to your point Abhay, an auditor should not be biased based on his knowledge to report findings. He should first focus on organization culture, goals and needs to understand their business and based on those facts should report findings which are relevant. In short he should not generalize his technical knowledge to all organizations.
Vu Do says
2. In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
The leaders were not IT orientated and did not oversee the work as often as needed to be. They did not focus on controls in place and that is why it failed ultimately. They need to have some interest in their work and make sure that risk is being mitigated so the work continues to flow without any issues. Controls failed and were compromised and hackers were able to get into the system to steal information. The leader clearly did not spend time looking at the controls in place and did not establish controls to mitigate the risk.
Deepali Kochhar says
Good point made Vu Do. The leaders generally don’t consider the importance of implementation and maintenance of controls which leads to control failure. They don’t even focus on providing training to the employees, which becomes one of the main root causes of control failure, and the employees are unable to sync themselves with the controls put in place and hence the controls are not followed.
It is very important for the senior leadership to keep continuous monitoring in place after implementation of controls to update them as per the need of the organisation and should provide a proper training to the employees.
Vu Do says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I would work hard and make sure everything I do has a paper trail to prove I did this and that. I would want to build my reputation up and make sure people know that I am dependable and my work is credible. I am a very logical person and would want everything to be understandable to back my work up and to have the person view it from where I was coming from. I would also make sure that I log off and make sure that I stand up if I discover someone was using my login to make changes that I did not do. I would want to make sure all my work is backed up by evidence that can show why I would take this route etc. That is how I would try to build my reputation to maintain a good ethical character in the audit industry.
Tiesha Christian says
Vu Do – I agree with your thoughts about being as transparent as possible. That is something that gains a great deal of credibility. Credibility as an auditor shows that the individual encompasses noble character. These are things that make for an enjoyable experience when working in a team setting.
Deepali Kochhar says
Q.3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
It is very important to build reputation and maintain a good ethical character in the industry for an auditor. The auditor should have following skills to build a good person character:
Ethical: An auditor should have an ethical decision making and should take care of even the smallest finding to reveal all the errors and frauds.
Should not be biased: An auditor should not be biased based on his knowledge while conducting an audit. He should study and keep the organizational goals and needs before making a decision on the findings.
Understand Organization culture: He should have the ability to understand the culture of the organization before performing the audit.
Should have vision and Instinct: While carrying out the audit, auditor should be able to determine a picture of any issues at the business and to translate them into what they might mean in the future.
People Skills: Auditors need to have exceptional people skills. They need to have the ability to deal with all types of clients in all types of client situations.
Decision making ability: The auditor needs to determine what is relevant and what is not and based on that should take a fair decision without being biased.
Mansi Paun says
Great list there, Deepali. I particularly liked that you pointed out decision making ability as one of the qualities that would help build a good reputation. While the auditing role may not really require big decision making, this is a great skill that would benefit just about anyone. One could look up to you when in a dilemma if they know that you have great decision making skills. I’d like to add that the other point you mentioned about having vision and instinct also goes hand in hand with decision making. If an auditor has foresight, it would help him make better decisions which could probably save time and effort later.
Jianhui Chen says
How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I think the management can get a lot of benefit from automation. Automated controls can reduce the possibility of human error. The automated control cannot replace the human being as many procedures of the task need some human judgement. Nowadays, I think automated control is fine to use in some simple processes rather than some complex ones.
Deepali Kochhar says
Definitely Chen, automated controls help:
Reducing errors
Reducing time and effort
Centralize the tasks
Helps in creating a sync in the processes
Managing complicated process in an easier way
Save cost
In my point of view controls such as quality assurance review can be manual where the reviewer evaluates the process and related requirements in order to confirm that the entire process was executed correctly and controls such as point of sale needs to be automated.
Fangzhou Hou says
I totally agree with you that the automatic controls can reduce the human error especially in some basic functions. On the other hand, the automatic controls usually cost less than human controls and also more available. However, since the automatic control do not involve human beings in controlling processes, therefore, it may skip some human factors and may cause other problems.
Wen Ting Lu says
You are correct. There are many benefits of automated controls. However, there are also challenges when automated controls are implemented. For example, there might be resource constraints, insufficient knowledge of GRC-enabled technology, and automated controls might increase short-term audit costs, risk of false controls reporting. Also, there is significant dependency on business input. Therefore, I think the combination of automated controls and manual controls is the best solution for businesses.
Tiesha Christian says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
In the audit industry whether you are a client, a liaison or the auditee it is very easy to destroy your reputation. I truly believe that one of the easiest ways to avoid such a thing is to always maintain a certain level of transparency with all parties involved. By conducting business this way, it creates a comfortable environment for all parties involved until the task at hand is fulfilled. It is not always the easiest thing to work with new people in certain settings. However, if all people keep the bigger picture in mind it can be a productive and peaceful situation.
Jianhui Chen says
In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
In the case of ENRON control failures, I think the unethical leadership is a root of the control failure. The main reasons for the Enron control failure are improper trade practices, accounting frauds, corporate culture and ethics in general. The source of the reasons mentioned above can be traced to the unethical practices of the leadership. Not all control failures’ root cause is the leadership, for example, the scandal of the Domino pizza in 2009 is caused by the lack of monitoring.
Fangzhou Hou says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
The automated controls can significantly improve the efficiency of the control, so it should involve in more basic controls to enhance the availability of a control. The importance of the design input and verification of design outputs is illustrated by this example. When the design input has been reviewed and the design input requirements are determined to be acceptable, an iterative process of translating those requirements into a device design begins. The first step is conversion of the requirements into system or high-level specifications.
Fangzhou Hou says
2. In the Real World Control Failures, we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
Within the real world control failure case of the Heartland Payment System company, the company was lacking monitoring controls, and the management did not consider the reports from the IT department. When the data breach occurred in 2009, over 100 million credit and debit cards’ information was breached by a cyber attacker. To answer the question about why this serious data breach would happen, the CEO of the company blames the PCI auditors for not correctly evaluating the risk of the system. But the fact is, because the company lacked security monitoring programs, when the cyber-attack occurred in the first place, the administrator of the system only got a secondary warning signed as a yellow flag, and missed the timing to stop the attack.
Fangzhou Hou says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
1. Earn Respect Before a Special Request. Life sometimes gets in the way of everything, including work. On occasion you may need to ask your boss for an extra privilege — but it’s best not to do so straight out of the gate
2. Tackle Something Without Being Asked: One of the best ways to gain the gratitude of your supervisor is showing initiative.
3. Offer Opinions with Tact: You’ve been hired because your boss and others at the company saw promise in you and your skills. Your opinion is valuable to the organization’s growth and future. However, remember to offer it gently and with respect.
4. Figure It Out: It’s important to ask a lot of questions when you’re new to any job, and your boss understands that. But don’t pepper her with queries all day long.
Source: https://www.monster.com/career-advice/article/building-a-good-reputation-at-work-hot-jobs
Ming Hu says
SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
SAP GRC enables organizations to manage regulations and compliance and remove risks in managing organizations’ key operations by providing many useful modules, such as Access control, process control and fraud management, risk management. Although the cost is very expensive, it could be justified in many tangible and intangible benefits.
Tangible benefits:
Reduced cost of audit preparation
Reduced operating costs through standardization of testing, reporting, monitoring and documentation
Reduced retesting costs for failed controls, as automated controls have a much higher pass rate
Reduced cost of remediation and addressing anomalies
Reduced costs of managing compliance activities
Intangible benefits:
Reduction in likelihood and impact of risk
Improved productivity of those responsible for manual control activities
Resources to focus on more value-added activities
Prevention of fraudulent behavior
Reduction of potential for financial misstatements and associated fines
Avoid the penalties of noncompliance, particularly if you operate in a highly regulated environment
Reduction of likelihood of miscalculating the potential risk of entering a new market
Ming Hu says
In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
In my project, it was the CFO and CAO’s negligence that accounted for this failure. They knew the accounting stress faced by the company, and knew their accounting staff was no longer able to perform the monthly close process due to that stress; however, they failed to apply appropriate standards when determining the severity of that. For me, as a leader, you should be sensitive toward potential risks, and if they could have acted more sensitive to the accounting stress, the failure maybe could be prevented.
Ming Hu says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Of course, an auditor’s character is very crucial for his/her success, especially you need to contact with different groups of people in different companies with different character, from top to down. The primary step is always to be an expert, if build your reputation in a specific industry. Then, I can’t stress enough on interpersonal skills, auditors don’t like traditional programmers who are dealing with computer, most audit work involves dealing with people, so interpersonal skills are essential – receiving skills, sending skills, non-verbal skills.
Wen Ting Lu says
I agree with you that interpersonal skills are very important. Especially for auditors, strong communication skill is a must. Concise, compelling reports are part of communication skill, as well as the ability to listen and to know the best format in which to present information. Also, have an open mind and be willing to accept perspectives from different people from different backgrounds is essential as well.
Wen Ting Lu says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
There are lots of benefits for business to implement automated controls. Automated control reduces cost of controls, research and avoidance. Also, it lowers the cost of audit, reduction in penalties, and increased control effectiveness and coverage. In addition, it improves process cycle time, complete validation and enterprise visibility, and decision effectiveness. Most importantly, it reduces the risk in revenue, cost and reputation. However, I think NOT everything should be using automated control system. For example, the performance of a quality assurance review should be performed manually. The reviewer evaluates the process and related requirements in order to confirm that the entire process was executed correctly.
In my opinion, I think it is beneficial to consider controls at the initial design phase; however, it should be flexible to change when needs arise. Overall, I believe the combination of powerful automated systems and experienced human insight will bring the best risk management outcomes.
Source: http://www.isaca.org/chapters3/Charlotte/Events/Documents/Event%20Presentations/20131203/Mag%20Francois%20-%20Automated%20Business%20Controls.pdf
Wen Ting Lu says
2. In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
The real world control failures project I did was on JDA software group. JDA lacked adequate revenue recognition policies and procedures and failed to identify all service-related contracts needed for vendor specific objective evidence (VSOE) testing to determine the fair value of certain services. In addition, the company didn’t have sufficient internal accounting controls to determine whether a software license agreement and related services contract were linked to each other. All of these resulted in the company misstating its public filing for four years. Obviously, the leader of the company, especially the CFO, didn’t take the responsibility of making sure that all the financial statements are reconciled on a timely basis, and policies and procedures are formalized and well-documented.
I believe the negligence of the leaders is the root cause of control failure in all the real world control failures cases we reviewed. The “tone at the top” sets an organization’s guiding values and ethical climate. The management should make sure they implemented adequate policy and procedures, and all the controls are taking place to maintain a healthy organization.
Wen Ting Lu says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Integrity is very important in any business setting. Internal auditors need to be trustworthy but also have confidence and resilience when faced with complex problems. Credibility must be built over time. Auditors need to develop healthy, deep relationships with all levels of the business. Effective relationship-building requires several other attributes, including business acumen, knowledge of the company (and its risks), persuasion and empathy. Internal auditors should be able to walk in the shoes of the business people they audit. In addition, in order for a person to be successful in the audit industry, he or she must have an open mind. This person has to be able to work with different people from various backgrounds in a collaborative environment.
Source :
https://global.theiia.org/news/Documents/7%20Attributes%20of%20Highly%20Effective%20Internal%20Auditors.pdf
Jaspreet K. Badesha says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
An organization will probably want to implement the majority of the automated controls offered as they will be ‘blanket’ controls that will cover basic issues that most organizations face. This will make implementing these general controls very simple. It is beneficial to consider controls at the initial design phase. If most controls are considered or implemented at the initial design phase then there can be trainings around it and other things can be built around them. Certain controls can be implemented when they arise as they might not be controls that are as common.
Jaspreet K. Badesha says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I would build my reputation by being a great listener and not showing bias towards anyone. I would then conduct audits with integrity even when tempted with allowing items to slip through the cracks of an audit. I would also use my interpersonal skills and talkative personality to build strong relationships with colleagues and audit members.
Victoria A. Johnson says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I would build my reputation and maintain good ethical character in this industry by exhibiting presence, integrity and availability to my clients. As an auditor, I will be there physically and mentally to be sure I satisfy the needs of my clients. Visiting my clients at least once a year will promote good relationship building. I also will not be shy as an auditor. I will always be open and blunt as well as being sure to reach out and have strong communication with my clients which will prove to them that I am a valuable asset to the development of their organization. Being a good listener is also important as well. I know I exhibit all these characteristics which will contribute to my success as an auditor.