- How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
- In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
- A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
- SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
Binju Gaire says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
A person’s character is very crucial in the audit industry. Having worked as an auditor before, I completely agree with this statement. From my experience, in order to build reputation and maintain a good ethical character in audit industry, auditors should demonstrate strong professionalism. Auditors meet different clients in different audit engagements. It is important that auditors maintain professionalism at all the time. Sometimes clients may be very friendly, and auditors find themselves in a “non-auditing” conversation with their clients more than it is required. In this instance, auditors should ensure that they do not get carried away with the relationship they build with their clients. Demonstrating professionalism will help the auditors to perform their tasks independently and practice strong ethics despite the friendly relationship that they share with their clients.
Parneet Toor says
I agree with Binju, I just want to add that an auditor’s reputation also depends on his/her results in the field. You can have integrity and everything else, but if you do not provide good services to your clients your reputation will take a hit. In this industry, ethics is not enough. You will have to prove yourself by offering quality services and maintaining ethical character at the same time.
M. Sarush Faruqi says
Binju,
Great points. You’re correct in saying that the audit industry is one where many contacts and relationships are made. I think it is ok to make personal relationships with clients but the auditor should not let that connection get in the way of audits and recovering findings. As you said, professionalism is a must when conducting audits. The auditor should encourage things like ethics and compliance to show that he or she is doing their job with due diligence. An auditor should want the best for their clients and seek their benefits. However, the key is to do it in an honest manner and not to discredit the standards set forth by professional bodies or associations.
Anonymous says
I totally agree with you Binju. Imagine without the expertise of the audit, how could we call ourselves auditor? And to add to your point, in order to build reputation and maintain a good ethical character in this industry, we should also have a good communication skill. Clients and coworkers would not trust you if you are not reliable and personable.
Xiaomin Dong says
This is Xiaomin Dong’s reply, sorry I forgot to log in when I post this comment.
Mengting Li says
I agree with you. I also think it is important that auditors maintain professionalism at all the time. To add your point. In order to build a good reputation, auditors should treat every customer fairly. At some point, anyone in business gets an angry customer. They could be screaming at you over the phone, they could be cursing you out in front of other customers in person, they could be sending you a nasty email or posting a hostile review online. Remember that replying calmly, politely, and clearly is your best tactic, even if you’re incensed. If potential customers see that you treat even the worst customer fairly, it’ll impress on them that they’ll get a fair shake, giving you a positive business reputation.
Michelangelo C. Collura says
Professionalism is indeed valuable, and I’m happy to hear you learned about it early. That will allow your future career to go much smoother. Some mistakenly feel that building rapport helps the interaction, but I believe you are correct that it is better to remain professional and distant.
Jing Jiang says
Well said, Binju.
Always reminding yourself to maintain professionality in the work is a good way to build a good image. Sometimes people may be doing wrong unconsciously because without enough knowledge. Professionalism can be challenged when many lures around. I think that’s one of the reasons why the policy, ethical training, and a strong corporate governance would be enforced in an organization. By adding your point, understanding and obeying the code of ethics and related laws and regulations (e.g. SOX) would also be helpful to maintain ethical characters.
Parneet Toor says
2. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Automated controls are desired as they provide a strong internal control environment; they also increase the efficiency of operations, improving accuracy and thus reducing fraud or human errors to a great extent. These are more reliable than manual controls.
I feel that controls should be at the initial phase of building the process itself. When business processes are defined, the risk involved should be realized and possible controls should be placed. But with the growth and enhancement of technology, more and more risks arise and more controls are required.
Michelangelo C. Collura says
I agree that the increased risk from emerging technologies means that more controls should be required. One might see new technology acting as controls, perhaps decreasing risk and decreasing the need for more extensive controls.
Yijiang Li says
Generally, automated controls are more reliable than manual controls, because they can respond to threats rapidly and save human resources. However, manual control is also indispensable, because the business world is changing rapidly but the automated controls cannot always be placed in time. Also, sometimes a human could play a key role which cannot be replaced by a machine. Therefore, manual and automated controls should be implemented at the same time.
Candace Nelson says
Hi Parneet,
I find your comment that automated controls are more reliable than manual controls. Perhaps this is true from the perspective of automated controls being more consistent than manual controls, assuming that there are no system or configuration changes. Also, both automated and manual controls can be overridden, though it may be easier to override a manual control than an automated one.
However, some of the more complex internal controls over the accuracy of financial reporting (ICFR) require judgment, which automated controls cannot provide, including reserves, accruals and other types of estimates.
Parneet Toor says
3. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
I agree that leaders are the root cause of control failures, in most of the cases leaders being greedy. When you think about it, those guys were victims of their own greed. I am not saying that what they did is justified, but they are not the only ones to be blamed. In order to have fraud there must be pressure to make profit, opportunity to manipulate the books to make their own profits.
M. Sarush Faruqi says
Parneet,
Great points. You hit the nail on the head. It all comes back to the Fraud Triangle. Most of the leaders had an opportunity to commit fraud because of weak internal controls. Whether it be a lack of checks and balances or how the organizational structure was set up, they knew they could commit a crime and get away with it. When it comes to pressure, most of the leaders I read about were doing these types of things because they wanted to look good in the eyes of stakeholders or they were trying to save a ‘sinking’ organization. The higher up the hierarchal structure of an organization you go, the more pressure comes to make the company profitable as a whole. Unfortunately, this pressure comes back to lower level managements and their employees. Many of these leaders rationalized and believed what they did was acceptable. Again, there is no excuse for breaking the law. The outcomes these leaders ended up enduring is a product of their own choices. Properly implemented internal controls could definitely reduce the likelihood of them being able to do what they did but I don’t think the weak controls themselves were the root cause failure especially if multiple people were involved and they could have made more ethically sound decisions.
Matthew J. Dampf says
“It all comes back to the Fraud Triangle.”
I completely agree, Sarush. Many employees may have an opportunity or face pressure to commit fraud, but it is those of weak character that can rationalize that into action. The more responsibility an employee has the higher the company has to factor character into its hiring decisions.
Michelangelo C. Collura says
I believe stakeholders want some of that ill-gotten wealth too, so they’re willing to look the other way and claim ignorance if problems arise. This is to avoid legal danger and to assuage their own guilt. Such people may include board members, c-suite, vendors, or even entry-level staff. In other words, we’re all potentially corrupt no matter where in the organizational structure we fit.
M. Sarush Faruqi says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
An individual’s good ethical character is one of the major factors in being an effective auditor whether working in a company as an internal auditor or being an external auditor. In order to build and maintain a good ethical character, an auditor must demonstrate the work they are performing is following the ethical standards the audit industry is held to. This requires maintaining a degree of professionalism during audits and being patient with clients when asking for certain audit evidence. This also means not overlooking a finding because the auditor has a personal connection with a client. Another way to build reputation and maintain a good ethical character is educating clients on governance and compliance. Many clients do not have the knowledge of certain governance and compliance standards to the level auditors do. By explaining the governance and compliance behind any findings, auditors can demonstrate they base their work on legal standards. An auditor should also work to maintain the privacy and confidentiality of client information during the course of their audits. This will demonstrate to clients that the auditor is concerned about exposing the data to someone who may use it for unethical purposes.
Parneet Toor says
I agree with your points. Also maintaining our credit ability is essential as it speaks for our work. Communication skills are a vital component as well, as clients and staff must feel comfortable speaking to the auditor so that he/she can perform their job effectively.
Michelangelo C. Collura says
Very good points. So many of them, in my mind, should be simple axioms to auditors. You will vanish if you try sharing client PII, for example. Joking aside, people are more likely to commit fraud if they feel that there is some flexibility some ‘wiggle room’ in the ethics of the situation. This is, I believe, an important consideration for auditors. We should simply not allow ourselves to think that some situations would make it acceptable to share PII. This moral absolutism might help to avoid the slippery slope.
Matthew J. Dampf says
2. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Automation should be desired as often as possible for multiple reasons. Anything controlled by humans is vulnerable to error by humans, whether intentional or not. An automated process has no agenda and is not prone to error or malice.
As in all things systems related, it’s better to consider controls during the design phase. A well done design phase catches problems before they arise, and before they create other problems that could potentially be more widespread and costly. It also allows employee training on the final process, as opposed to retraining certain tasks that may be changed by controls that were added later.
M. Sarush Faruqi says
Matthew,
Great points. I completely agree that automation controls should be desired as much as possible. As you said, anything controlled by humans is prone to error. I think automation controls would be a suitable option where there is high volume of similar transactions. Segregation of duties can also be more enhanced at various steps in the business process and information will be more readily available when needed. Manual controls can be implemented to make sure automation controls work as expected. In cases where a high degree of judgement is required, I would feel much more comfortable implementing manual controls knowing that any additional analysis can be made when making important business decisions reducing the risk of loss.
Michelangelo C. Collura says
Excellent point about intention. Manual controls might fail due to human error, but they might also fail due to human moral error. If some employees wish to commit fraud or steal some PII, they will likely do so if they understand the control environment. It’s even more likely if they can get multiple people, with different permissions, in on the scheme.
Matthew J. Dampf says
“A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?”
Building your reputation is something done over a lifetime – it’s not something that can be done overnight. Personal references are always a factor in hiring and promoting, so the way you carry yourself always matters. Some of us (both students and faculty) may be references for each other somewhere down the line, and when we’re hired we’ll be building a reputation with a new group that will be referenced at some point further down the line. If you can build an excellent reference portfolio at each stop in your personal and professional life, then you’re building a reputation even if no one knows you in your current environment yet.
Binju Gaire says
Great points, Matthew! Reputation cannot be earned easily. It certainly requires a great deal of hard work. To earn prestige/reputation one should be cautious in each step of his/her professional life and personal life. Just one great action at a given time does not help a person to earn prestige overnight. However, it does contribute as a small fraction to earning that reputation. In order to build reputation, such great actions, that define integrity, good character, are required all the time.
Xiaomin Dong says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
There are many benefits of automated controls. The automatic controls can reduce the human error especially in some basic functions. In addition, the automatic controls usually cost less than human controls and more available. However, there are also challenges when automated controls implemented. For example, there might be resource constraints, insufficient knowledge of GRC-enabled technology, and automated controls might increase short-term audit costs, risk of false controls reporting. Also, there is significant dependency on business input. Therefore, I think the combination of automated controls and manual controls are the best solution for businesses.
Khawlah Abdulaziz Alswailem says
Xiaomin Dong,
I understand your point of view, but I think that automated controls are better controls since automated system controls are an essential part of a strong internal control environment. They can help an organization increase efficiency of operations, improve accuracy and help eliminate fraud. Also, the main advantage of the automated controls is that they are more reliable than manual controls. They work automatically and are not subject to human error or failure. At the end, I think it depends on the company’s situation; a certain type of control may fit better than others.
Binju Gaire says
Great points, Xiaomin. While automated controls are great in improving efficiency, reducing costs and human errors, they have their own complexities. Automated controls require adequate oversight, malfunction issues, incorrect use of commands, security vulnerabilities, abuse of privileged access and denial of service. These complexities can certainly cause troubles. Therefore, it is important that business organizations should not entirely depend on automated controls. A combination of automated controls and manual controls is a must.
Xiaomin Dong says
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
The Real World Control Failures project I did was PTC Inc. On the one hand, it failed to undertake periodic risk assessments of PTC China and to ensure that its internal accounting controls were tailored to address PTC China’s ongoing dealings with SOEs. On the other hand, it lacked independent compliance staff or an internal audit function to review and test its internal accounting controls processes. In this case, although there is no mention about what leaders did, I believe the character of negligence and ambition of the leaders is the root cause of control failures in many real world control failures cases. The “tone at the top” sets an organization’s guiding values and ethical climate. The management should make sure they implemented adequate policy and procedures, and all the controls are taking place to maintain a healthy organization.
Michelangelo C. Collura says
Lacking any internal audit staff is definitely a warning sign, but the compliance staff absence seems worse. They might outsource their auditing, but they don’t have anyone to check compliance? This indicates the tone at the top, as you say – a tone of not caring about all of that, presumably because they believed they were smart enough to avoid it or they felt it didn’t apply to them. It’s incredibly foolish, but that level of arrogance is very common in the industries we deal with, so perhaps there’s a reason they continue to behave that way after years of bankruptcies and investigations.
Xiaomin Dong says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Do the right thing—Ethics is about how we meet the challenge of doing the right thing when that will cost more than we want to pay. There are two aspects to ethics: The first involves the ability to discern right from wrong, good from evil, and propriety from impropriety. The second involves the commitment to do what is right, good, and proper. Ethics entails action; it is not just a topic to mull or debate.
Learn as much as possible about your chosen subject matter—An efficient way to do this is to partner with someone who’s well-respected in that legal area. Offer to help on a case with some writing or research. Make sure you’re known for producing excellent work, and reinforce that reputation with others. It takes seven to nine instances of reinforcing the idea in the minds of others to get your name and a new practice area linked in a positive way.
Follow up after meeting people to build relationships—Conversations after an initial meeting will cement your reputation as someone who takes the time to follow up and schedule your next meeting.
https://www.americanbar.org/publications/youraba/2015/july-2015/how-to-become-the-lawyer-you-want-to-be-known-as-.html
http://jsmith.cis.byuh.edu/books/powerful-selling/s07-business-ethics-the-power-of-d.html
Yijiang Li says
I agree with you, Xiaomin. Keeping a high ethics standard and obeying laws and regulations is quite essential for people to maintain a good reputation in the audit industry. Doing the right thing and doing things right are equally important for an auditor. When the auditors are auditing a company, they must perform necessary procedures and steps to understand the overall business activities of this company in as much detail as possible. That can be understood as doing the right thing. In contrast, when they are performing the auditing work, they must obey both ethics standards and laws and regulations. This is doing things right.
Qiyu Chen says
Good source to explain how to build good reputation and maintain a good ethical character in this industry.
In addition, 1. Earn respect before a special request. 2. Tackle something without being asked. One of the best ways to gain the gratitude of your supervisor is showing initiative. 3. Offer opinions with tact. You’ve been hired because your boss and others at the company saw promise in you and your skills.
Anonymous says
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
The cost of GRC can be significant—most leading GRC platform vendors report their average initial customer deal size is between $200,000 and $600,000 including software, hardware, and implementation services. In addition to these cost factors, you will have to factor in maintenance and support costs as well as services such as strategic consulting that might be used to guide the organizational roles and responsibilities, process improvements, and other elements of the business that the GRC platform will support.
Parneet Toor says
Great post. One of the common concerns that any organization has is the cost of ensuring their systems are compliant with policies and regulatory requirements, especially when the company is growing and changing its IT platform through mergers or acquisitions. The cost of making new systems compliant with existing requirements is huge and time-consuming. Assurance that risks are being identified and addressed. In such scenarios GRC technology is used to streamline the compliance through process efficiency, data management and reporting capabilities.
Xiaomin Dong says
This is Xiaomin Dong. I forgot to log in when I post the comment…
Khawlah Abdulaziz Alswailem says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Automated controls are better control since Automated system controls are an essential part of a strong internal control environment. It can help organization increase efficiency of operations, improve accuracy and help eliminate fraud. A main advantage of the automated controls is that they are more reliable than manual controls. They work automatically and are not subject to human error or failure. I think the amount desired for automated controls depends on the business itself like the business size, industry and the type of control. It also depends on the amount of money an organization is willing to spend on these automated controls, and I believe that controls should be considered when designing a process and not just when needed. This way, a process is secure from the start, if it is implemented afterward, sometimes the control placed into the process doesn’t always seem to fit as opposed to a process integrating/revolving around a control.
Binju Gaire says
Khawlah, I agree with your points. Desiring how much of control should depend on the size of the business and the amount of money it is willing to spend. For instance, a big firm, naturally, will desire adequate amount of control as its operations will require great efficiency and cannot afford frequent human errors. Needless to say, the big firm will have sufficient budget allocated to desire automated control. On the contrary, a small sized firm will demand less automated controls because of its minimum operations on a regular basis.
Mengting Li says
How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I think automated controls should depend on the size of the organization. If the company is a small size, then there is no necessity to have more automated controls because most of time automated controls cost more money than manual. But talk about the big size organizations, then, I think they should put more effort on automated controls because it can prevent the risk of human error, whether it’s a mistake or intentional. Automated controls provide more accuracy, efficiency, and security. However, it doesn’t mean it is perfect. It might be failed system might occur error, or people might try to hack it. Automated controls can be introduced as and when needs arise. At the initial stage, people may not know all the risks they need to face. Therefore, new risks might need new control to mitigate it. so it is necessary to introduce more needed controls as and when needs arise.
M. Sarush Faruqi says
Mengting,
Great points. I agree that automated controls really depends on the size of the company. Automated controls provide a great deal of benefit but implementing and monitoring them take resources which company does not always have available. Certain procedures have to be documented to ensure the automated control is designed and working as expected. If a company wants to implement automated controls, there needs to be discussion at the design phase of how and what controls to implement. This will all depend on what risks the company is looking to mitigate.
Mengting Li says
In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
In the Real World Control Failures we have reviewed, I do think the character of the leaders is a root cause of the control failures. The Real World Control Failures project I did was Target. The leaders just invest a large amount of money on the firewalls and anti-malware security, then, they think it is enough to protect the organization’s data and information. However, they didn’t think questions comprehensive. Target didn’t train their employees to make sure they do understand how to operate anti-malware security applications. It showed the leaders’ Irresponsible.
Mengting Li says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I would build my reputation and maintain a good ethical character by being ethical strengthens people’s trust in mine, which can attract support for my ideas, cooperation at work and leadership opportunities. In addition, trying to be a great listener. What’s more, I would conduct audits with integrity. Staying true to my values and ethics builds integrity.
Binju Gaire says
Great answer, Mengting! I agree with you that auditors can build their reputation by being a great listener. Being a great listener suggests that you care about the concerns of the clients and that you are willing to guide properly to conduct a good business practice. This way the clients can look up to auditors and auditors in return build their reputation effortlessly.
Mengting Li says
SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
SAP GRC helps organizations to manage their regulations and compliance and perform the following activities:
- Easy integration of GRC activities into existing process and automating key GRC activities.
- Low complexity and managing risk efficiently.
- Improve risk management activities.
- Managing fraud in business processes and audit management effectively.
- Organizations perform better and companies can protect their values.

SAP GRC solution consists of three main areas: Analyze, manage and monitor.
Most, if not all, organizations today are committed to driving greater efficiencies across their business. It’s no different for those departments responsible for GRC. Centralizing, standardizing and automating the control of processes can help significantly reduce the growing costs of compliance while putting you more in control of your risks.
Jing Jiang says
Well said, Mengting,
As you mentioned, GRC will provide many benefits such as improving risk management, reducing fraud, and better compliance with the laws and regulations. The violation of the laws and regulations and weak risk management can be destructive for even a big company and cause significant penalties, which may be much larger than the cost of GRC. But the implementation of the GRC may need additional costs and workforce to support the operation besides the GRC model itself. Companies should leverage all the costs and the benefits of the GRC before implementing.
Michelangelo C. Collura says
How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I recall from class that the ideal would be total automation, or 100%. As far as when to consider controls, I would say they should indeed be built into the process, from design to monitoring. Security is particularly concerning for firms today, and so security is increasingly seen as something that must be baked into the project, from start to finish. This is more noticeable in retail, particularly in IoT devices. This means that controls should be considered in the beginning, continuing to be incorporated into planning well after that. As needs arise, controls must be processed through some change management process in order to avoid problems unforeseen from simply implementing without any consideration, testing, or review of current controls.
Khawlah Abdulaziz Alswailem says
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
In most of the cases, leaders were arrogant and had unethical behavior which eventually had a negative impact on their company. So, I agree that leaders are the root cause of control failures as they make the critical decisions so if these decisions turn out to put the company at risk, it is considered as their fault. Creating an organization that respects the controls in place starts at the top, and trickles down to those working as a lower-level employee. These leaders knowingly worked around controls and often pressured lower-level employees to do the same, in order to achieve their goals.
Michelangelo C. Collura says
In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
I believe leadership character does matter, but I do not know if it should be considered the main root cause. In cases involving data breaches – such as Target – character was not relevant, though managerial hubris and ignorance perhaps were. In the Enron example, character was front and center, as the crisis was not technical or unexpected. This indicates that fraud is mostly caused by character failure in leadership. The problem with this is that character will be defined differently by different people. One person may consider Enron too sloppy but not bad, while another may consider the company’s leader to be monstrous. And does the profit matter more than the ethics? If so, then why worry about character? If not, then why take the dangerous path?
Jing Jiang says
Well said, Michelangelo.
You are right that it is hard to say if those leaders are the root cause, but they are the main causes for the business failures. Those leaders may be good leaders since all they have done was to maximize profits. They may not be wrong to achieve the company’s goal, but they are wrong for achieving goals by conducting illegal activities.
Yijiang Li says
Good point, Michelangelo. Management level always has inescapable responsibilities for control failure within an organization. For Yahoo’s example, CEO Marissa Mayer’s current goal is to rescue Yahoo from desperation, so she utilized resources as much as possible to create revenue growth; therefore, she ignored the data security inevitably to some extent.
Michelangelo C. Collura says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I believe it is by simply allowing my actions to speak for themselves. Words don’t mean a whole lot, especially if I’m concerned with trying to get a client to increase our billable hours. If I continuously show concern for suspected fraud and have access to a whistleblower hotline if need be, I will probably maintain my soul, but I may not maintain my job (if I end up in a risk-taking company). In any event, I’d be building a reputation for ethical decision-making, and that would be more important in the long run.
Michelangelo C. Collura says
SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
Given the centralized combination of tools, I imagine any firm would want to pay for the GRC module. However, smaller firms likely would not be able to afford it, unless they were expanding and implementing GRC early in order to streamline that expansion process. In small businesses, I imagine they wouldn’t even use SAP, so they’d not use GRC for similar scale and cost reasons. In larger multinationals however, the complexity of their IT landscape, their huge footprint, their huge costs and their laundry list of risks would make GRC quite useful. I imagine the cost of the module would be lower than the firm having a staff of risk management or IT auditors, so they’d save money by having GRC. Of course, this can be wildly different calculus from one firm to the next.
Jing Jiang says
How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
The automated control will help to perform a work more effectively, and possibly, more accurately and unbiasedly. But it is less flexible when changes or other unforeseen situations occur. I think how much of automated controls should take many factors into consideration, such as the company’s industry, economic capability, the difficulty level of implementing automation, etc. The automated control may be costly and time-consuming. Companies should leverage the potential benefits and costs of implementing the automation. I think controls that are introduced at the initial design phase should be more beneficial. If a company introduces the controls as needs arise, the existing program may be incompatible with the new program you want to add in, which would raise more issues or need more effort to achieve the goal. But considering the control at the initial design phase would avoid many similar potential conflicts.
Jing Jiang says
In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
In the Real World Control Failures, many leaders went wrong because of their greed and arrogance. Most of them aimed to pursue higher profits and a business goal in spite of laws and regulations (e.g. cooking books). To some extent, the leader is the main cause of the control failures. They create a bad climate in the organization and mislead the organization, even the whole industry, in a wrong direction. Some may say the illegal behaviors may be conducted by part of employees. However, this can be attributed to the leader’s malpractice like providing insufficient employee training, poor management and leadership, etc.
Jing Jiang says
A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Understanding the code of ethics of the industry where you are in is important. Sometimes you are doing the wrong thing, but you may be unconscious about it. Knowing the code of ethics will reduce the possibility of similar situations happening. When meeting an ethical dilemma, the code of ethics can also be a guidance to lead people to do the right thing and work in an ethical method. Thus, in my point of view, understanding and following the code of ethics in the industry will help to build a positive image and maintain a good ethical character to some extent. In addition, associating with the well-respected person in the industry will also be helpful. You can learn a lot from them and know how they are doing in their work, and you will be impacted to do the right thing as well.
Khawlah Abdulaziz Alswailem says
Building an individual character for any major is not easy. Intensifying an auditor character needs fundamental skills that require being strong technically, so that person must have a “commitment to learning” since technology today is updating each second. Also, building an auditor character includes:
1- Visionary and urge person: as an auditor, you need to understand and imagine the picture and translate it from/to the business side. Also, you must push your nose on any issue and do not settle when you see something wrong.
2- Think out of the box: having a checklist is not mean that is as an auditor you must think out of the box and see the bigger picture to be able to solve your client’s problems.
3- Listening: this is a simple concept, but it is one of the essential skills for an auditor. As an auditor, you should not ask a closed question, or try to check your list to finish your job, so you must ask an open question and listen to them and repeat “why” as much as you can.
4- Decision making: take action when it needs to be done.
5- Leadership: as an auditor, you should perceive authority, and trust from your client. Moreover, your job is helping others to succeed. Henry Ford said, “Don’t find fault, find a remedy.”
6- Communication Skills: no one can argue the key to be successful is building great communication skills.
In conclusion, significant character skills are not always taught directly but often learned indirectly through experience and practice. Also, the immeasurable auditor who cares about his technical ability and solid ethical foundation; furthermore, he/she recognizes those as baseline and works to gain exceeding the “rules and guidance” mindset of our business.
Khawlah Abdulaziz Alswailem says
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
The SAP GRC modules that deal with fraud management can help organizations minimize their financial loss through early detection functionality and its effective alert investigation functionality. SAP GRC, although expensive, is crucial to navigate different risks and manage controls, compliance with governance, risk and compliance solutions.
The cost is justified as it will help organizations integrate and automate important GRC activities into existing processes. It will also help organizations mitigate reputational risk by protecting them and also the financial health by ensuring strong risk management practices are followed. In another instance, one of the most common risks faced by organizations is fraud.
Yijiang Li says
I agree with you, Khawlah. The cost of GRC is always justified, because governance, risk management, and compliance are relevant to all business activities. Governance can help a company to be more effective in internal environment. Risk management can help a company avoid fatal blow on business. Compliance can help a company avoid violating any law and regulation when they are doing business around the world.
Lezlie Jiles says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
It would be nice to say that everything should be automated, but that is not realistic. Therefore, automation should be used as much as possible to mitigate risks. As for if it’s beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise, I believe both of these responses are accurate. Implementing controls during the initial process is important because you have the opportunity to look at the full scope and process lines as they are built. Nevertheless, once the system is implemented situations will arise where a control that was not originally implemented needs to be.
Lezlie Jiles says
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
The leaders discussed in the real world failures were unethical and corrupt. They used their position to make personal gains regardless of the impact on the organization and others. Sometimes there is an area within a process that was not fully vetted and still creates an exposure. I believe it is the employee’s ethical duty (upper or lower level) to report/mitigate the exposure and not utilize it for personal gains. As for the root cause, I would have to say the root cause of these control failures was greed and selfishness.
Edward Gudusky says
Lezlie, I agree with you that the root cause of these failures was greed and selfishness. You would like to think that the leaders are making enough money where they could avoid such situations.
Lezlie Jiles says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
Yes, having integrity and a good ethical character is important in any facet of life. I believe you would build a reputation of good ethical character by remaining professional at all times, and by not co-mingling personal feeling with the auditing process. Focusing on the auditing task at hand and following all policies and regulation regardless of your personal connection with the auditee is important. Remaining consistent throughout your audit career is also a way to build a reputation.
Yijiang Li says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Automated controls are quite critical for an organization to improve efficiency. Initially, automated controls can provide a rapid response to the company. Second, automated control can save necessary human resources on supervision. For example, password expiration, account lockout, and patch management should be committed automatically.
If the controls are considered at the initial design phase, it could save R&D and future maintenance costs because these controls are desired to deal with common business operation. However, if the controls are introduced with the business need arising, the company could spend more money on it and couldn’t realize the effect in advance. Since the business world is changing rapidly, the company is supposed to have both to deal with the different kinds of circumstances.
Qiyu Chen says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
The automated controls can significantly improve the efficiency of the control, so it should involve in more basic controls to enhance the availability of a control. The importance of the design input and verification of design outputs is illustrated by this example. When the design input has been reviewed and the design input requirements are determined to be acceptable, an iterative process of translating those requirements into a device design begins. The first step is conversion of the requirements into system or high-level specifications.
Candace Nelson says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Automated controls are clearly more efficient when it comes to testing, but they can be challenging and costly to implement. Therefore, it is important to determine the cost benefit of automating certain controls while others continue to be performed manually.
I don’t know of a formula that would apply to all industries when it comes to determining the % of controls that should be manual vs. automated. 50/50 seems to be a stretch since all manual controls are not necessarily able to be automated. Based on my experience, the measure is probably in the range from 70/30 to 60/40, with the trend towards continuing to automate as many controls as is feasible and cost efficient.
Controls should absolutely be contemplated during the initial design phase because it is easier and less costly to build a control into a system/process than it is to re-engineer the process after-the-fact to add missing controls.
Qiyu Chen says
2. In the Real World Control Failures, we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?
In the real world control failure, such as the case of the Heartland Payment System company, the company was lacking monitoring controls, and the management did not consider the reports from the IT department. When the data breach occurred in 2009, information on over 100 million credit and debit cards was breached by a cyber attacker. To answer the question about why this serious data breach would happen, the CEO of the company blames the PCI auditors for not correctly evaluating the risk of the system. But the fact is, because the company lacked security monitoring programs, when the cyber-attack occurred in the first place, the administrator of the system only got a secondary warning signed as a yellow flag, and missed the timing to stop the attack.
Qiyu Chen says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
1. Earn Respect Before a Special Request: Life sometimes gets in the way of everything, including work. On occasion you may need to ask your boss for an extra privilege — but it’s best not to do so straight out of the gate.
2. Tackle Something Without Being Asked: One of the best ways to gain the gratitude of your supervisor is showing initiative.
3. Offer Opinions with Tact: You’ve been hired because your boss and others at the company saw promise in you and your skills. Your opinion is valuable to the organization’s growth and future. However, remember to offer it gently and with respect.
4. Figure It Out: It’s important to ask a lot of questions when you’re new to any job, and your boss understands that. But don’t pepper her with queries all day long.
https://www.monster.com/career-advice/article/building-a-good-reputation-at-work-hot-jobs
Candace Nelson says
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
Tone at the Top is included in the Control Environment component of COSO 2013, and it defines the way in which executive management demonstrates their commitment to ethics, integrity, openness and honesty.
My personal definition of Tone at the Top is when management walks the talk, meaning it is not do as I say, it is do as I do. When executive management practices what they preach (so to speak) it is more likely that their actions and attitudes will reverberate throughout the culture of the companies that they govern.
Contrarily, the character of the leaders in most (if not all) real world control failures is not above board. When employees hear management say one thing then do another, they become angry and confused, and in some cases take advantage of the vulnerabilities created by weak control environments. For instance, telling employees to do the right thing but then incenting them with stretch goals and targets that are unrealistic even under the best circumstances, as was recently the case at Wells Fargo.
Edward Gudusky says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
I think the more automated controls the better. The desire should always be to minimize risk, and if controls are automated then this becomes easier. Controls always need to be considered, both in the design phase and as an ongoing measure. New technologies arise and systems change through the course of business, this means controls need to be constantly evaluated and updated.
Edward Gudusky says
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
The character of the leaders involved with the control failures is both disturbing and stereotypical. You really want to think that leaders of companies are reliable and ethical human beings, but they really are only about making money for themselves, and if they need to try to cover up an issue to help with that, then they will. Ignoring known issues is almost just as bad as covering up issues. This shows that the leaders care nothing about the customer and just the bottom line.
Qiyu Chen says
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
For organizations already running GRC from SAP, Snow Optimizer provides the following additional capabilities:
Cost control based on usage
Cost savings by optimizing and adjusting user license types
Cost savings from analysis of indirect access by third party applications or internal processes
Cost savings from licensing structure analysis and “right-sizing”
Cost savings resulting from user consumption which may violate the SAP licensing agreement
https://www.snowsoftware.com/int/blog/2015/02/09/grc-equal-sam-sap#.WE3FS6IrKu4
Candace Nelson says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I have been an auditor for a very long time, and I can attest to the fact that those of us in this profession are held to a higher standard. While clients joke about auditors, e.g. “don’t say that in front of the auditor” or “oh no, the auditors are here again” they are actually very observant of our actions and behavior. From something as simple as being late for meetings to missing deadlines, since we are all about assessing whether people are doing the right thing, they are less likely to respect us if we are not doing the same.
Accordingly, I have always endeavored to do as I say and to be genuine. What you see is what you get. I have never been a “gotcha” auditor (though I have been accused of that); rather, I endeavor to build rapport with my clients and to demonstrate that I also have skin in the game. I speak politely, I am respectful of the time clients spend with me and the help they provide me, and I always express my gratitude.
I have also gained respect from my clients by continually learning and achieving certifications, which is largely the reason I am enrolled in this MS program – to improve my ability to add value to my clients’ business and processes.
Lezlie Jiles says
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
SAP’s GRC module is a tool which allows an organization to manage an internal security model, eliminate compliance issues, and identify any potential risks within the SAP system. It allows an organization to monitor/ restrict the ability of what a user can do, while also tracking what they are doing. With that being said, yes, I believe the cost of GRC can be justified. Given the right business circumstance, an organization could definitely justify the cost of this application. GRC essentially eliminates any risks.
Edward Gudusky says
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
The best way to build character is to be consistently ethical. This means any time there is some sort of issue, you will follow the book. I would treat every case the same and put forth the same effort in any given scenario. As soon as issues or a red flag were identified, it would be documented so that action could be taken.