- How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
- In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
- A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
- SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
Penghui Ai says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Regardless of whether the control depends on execution by an individual or is mechanized (i.e., a computerized control would by and large be relied upon to bring down hazard if pertinent data innovation general controls are viable), a blend of both manual and robotized is the best practice. On the other hand, a substance may have data frameworks that utilize robotized methods to start, record, process, and report exchanges, in which case records in electronic arrangement supplant such paper archives as buy orders, solicitations, shipping records, and related bookkeeping records.
I figure the association ought to consider controls at the underlying plan stage however much as could reasonably be expected and include controls when needs emerge. Quality improvement begins with coordinating assumptions regarding usefulness with spending plan and degree amid arranging and configuration audits and proceeds through development conveyance with a program of assessments, tests, and affirmations.
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
I remembered that the 3 major leaders in my Real World Control Failures case are: Geisha Williams: President and CEO, Karen A. Austin: Senior Vice President and CIO, and Laurie M. Giammona: Senior Vice President and CCO. The 3 major processes are: Gas Operations: transmission, storage, and distribution, Electric Operations: automated “plug-and-play” platform, and Sustainability: safe, reliable, clean, and affordable energy, e.g. solar and wind.
In May 2016, PG&E left 30,000 records about its information security assets exposed online for 70 days, which contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. No username or password was required for viewing this information. In addition, their initial response said that those data were non-sensitive, mocked-up data. The failures of the company leaders were a bad initial response and a poor information security policy, e.g. password policy, poor access controls, and poor segregation of duties.
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
We can manufacture a positive business notoriety by “organizing connections, satisfying your qualities, and profiting by significant minutes.” This implies you have to use your every day encounters to proactively develop the picture you need to depict to the world.
Manufacture your own prescribed procedures:
A standout amongst the most proactive things you can do to secure your business’ notoriety is to guarantee your representatives stay unquestionably sound. Each industry has best practices and a code of morals. Utilize these as your core values when fabricating a positive business picture.
Turn into an expert in your field:
Try not to give other individuals a chance to characterize your organization. Take control of the discussion by putting yourself out there. Individuals need to work with organizations that are experts in their field. All things considered, on the off chance that you will purchase an item, it bodes well to purchase from “the best.”
Increment your corporate social obligation:
It’s essential to recall that supporting a Little League group or some other altruistic undertaking is as much about making yourself a piece of the network for what it’s worth about getting your name out there.
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
For SAP clients, SAP GRC Process Control can offer real advantages to key practical zones inside a business, including activities, consistency, hazard the board, controls and interior review. Once set up, it can go about as a controls center point, giving a solitary, center inner control framework that affirms controls and progressing consistency over an association. On account of its ability, SAP GRC Process Control is in some cases unjustifiably seen as being enormous and confounded. Indeed, it tends to be an incredible asset, yet it shouldn’t be unpredictable to actualize or run. We’ve built up this direction to enable you to comprehend SAP GRC Process Control better and to demonstrate to you how it could make GRC less complex.
Rouying Tang says
Hello Penghui, thank you for your sharing. I agree with you that SAP can provide real advantages for giving a solitary center inner control framework. And I believe the pressure from the peer competitors can also be a reason to implement such an incredible module.
Haitao Huang says
Hi Ai,
Asset security focuses on collecting, handling, and protecting information throughout its lifecycle. This includes sensitive information stored or processed on computing systems or transferred over a network and the assets used in these processes. Sensitive information is any information that an organization keeps private and can include multiple levels of classifications.
Deepa Kuppuswamy says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
Companies rely on a sophisticated system of automated controls to provide efficient and effective operations. Automated controls are the key part of strong internal control, which increases efficiency of operations, improves accuracy, and helps to mitigate fraud. From my experience, I would recommend having automated controls rather than manual controls because the chances of fraud always increase with human intervention.
Automated controls, when implemented correctly, present a number of benefits including: the reduced risk that controls will be circumvented, enhanced segregation of duties, and timeliness and availability of information.
During the initial audit planning phase, we cannot really decide on all the systems that we are going to test and conclude on, because we could encounter scenarios when new applications are scoped in as part of a new implementation, or sometimes we would need to scope out based on the audit, so it is not beneficial to consider controls at the very initial phase. However, I would also not recommend introducing controls as and when needed, because there should be “milestones” set in order to have reasonable coverage to conclude on control effectiveness.
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
When I was trying to understand the traits of the perpetrators, somewhere I felt that frauds committed by owners/executives were really high in all the real world control failures that we had discussed. High-level perpetrators cause the greatest damage to the organizations and it actually takes much longer to detect.
Corporate misconduct and lack of ethics in the leadership is the root cause of control failures in many of the examples. Following are some of the traits of bad leaders:
- Their actions don’t match their words
- They try to control everything
- They focus on feature rather than the company’s performance
- They care more about money than their customers
- They are driven by their ego
- They don’t create company culture
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
As auditors, we should comply with the auditor’s fundamental principles:
- Maintaining integrity – we should be honest in business and professional relationships
- Objectivity – should not allow influence to override professional and business judgements
- Confidentiality – auditors should not use the information for personal advantage and should refrain from sharing client information with third parties
- Professional behavior – comply with law and regulation and avoid any activities that discredit the profession
Penghui Ai says
Hi Deepa. Your answers for these questions are very interesting. Especially for question #3, you mentioned four important characteristics for an auditor, which are: Maintaining integrity, Objectivity, Confidentiality, and Professional Behavior. These are very important qualities for an internal auditor.
Peiran Liu says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
In my opinion, with a good system designer, we should have as many automated controls as we can, because it is the most effective way to keep fraud from happening. The more manual controls are involved, the more chances that a human can be mistaken or be bought over. I think it’s beneficial to add the most critical controls into the system at first and reserve some room for add-on controls in situations where more controls are needed.
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
There is mainly one reason for fraud: trying to make the company look good in order to steal money from investors or stakeholders. If they simply want to earn money in the normal way, by running a good company, there will be no fraud happening. But if they have some wishful thinking about earning money in a different way, there will be a very high chance of fraud. In conclusion, it is a root cause of the control failures.
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
In order to build my reputation and maintain a good ethical character, in my opinion, the main thing to do is to do whatever the job needs you to do and not get involved in any kind of fraud. Doing what the job needs you to do means not doing what a superior forces you to do. If you have any suspicion, simply go through the process and examine it.
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
The SAP GRC solution enables organizations to manage regulations and compliance and remove any risk in managing organizations’ key operations. So the question of whether the cost of GRC can be justified simply becomes whether the risks organizations are going through are comparable to the cost. If the risks are higher than the cost, then the cost can be justified, and vice versa.
Imran Jordan Kharabsheh says
1. After looking back at my own experiences with automated and manual controls while working for an investment bank, I’m beginning to realize the intricacies of the company’s decision to adopt both types of controls. It also reminded me of a lesson I had learned from one of my undergrad professors regarding automated information systems security, which was “even automated controls require a human moderator to perform maintenance and monitor for deviancy”. One of the best examples I can think of regarding this is the phishing and spam filters on the company’s network, which need someone monitoring and constantly updating the system in order to remain as efficient as possible without having hundreds of people sifting through thousands of incoming and outgoing emails. In terms of when controls should be thought of, I believe it is best to prepare controls during the design phase because you don’t want to wait till a catastrophe happens to the company before you secure it from such threats. Prevention is the best defense.
2. While the first real world control failure we reviewed may not relate as much, the other leaders we have reviewed have shown similar unenthusiastic traits and bore heavy consequences for their lack of action. In our cases and projects that we’ve worked on, we’ve seen leaders refrain from action, refuse to be transparent with stakeholders, fraudulently feed their own bank accounts, and/or fraudulently cook the accounting documents. It can very well be said that the character of these leaders and their actions, or lack thereof, played a considerable role in determining the magnitude of the control failure.
3. Once I’ve become a certified information systems auditor, I plan to build my reputation and continually nurture my good ethical character by attending and participating in ethics seminars hosted by CISA regularly. I also hope to be a part of or create a system where there is no one authoritative body that people must turn to should people disagree or should someone notice suspicious activity. On top of this, I will do the utmost in my abilities to ensure a safe and well moderated information system with an all-encompassing audit trail.
4. The cost of implementing and maintaining SAP and a company’s entire governance, risk and compliance systems is often overestimated and thought of as being an unjustifiably expensive control with no direct influence on a company’s profits or efficiency. While it may be true that governance, risk and compliance systems have no direct impact on profits, the security that these create more than justifies the costs associated with implementing them in how much estimated risk it helps mitigate. When calculating how much it prevents, the dollar amount of damage associated with each risk should be multiplied by its respective rate of occurrence, and then added up to get the total annual loss expectancy that the controls prevent. So long as the amount spent on governance, risk and compliance annually doesn’t surpass the amount of loss prevented annually, the cost can be justified.
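The loss-expectancy arithmetic in the fourth answer above (ALE = single loss × annual rate of occurrence, summed over the risks, then compared with the yearly control spend), worked through as an added example that is not part of anyone’s post; every dollar figure and rate in the risk register is constructed for illustration:

```python
# Added example (not from the thread): annual loss expectancy (ALE) check for
# whether a yearly GRC control spend is justified. Figures below are constructed.

def ale(single_loss_expectancy, annual_rate_of_occurrence):
    """ALE = SLE x ARO: the expected yearly loss from one risk."""
    return single_loss_expectancy * annual_rate_of_occurrence


def total_ale(risks):
    """Sum the ALE of every entry in a register of (SLE, ARO) tuples."""
    return sum(ale(sle, aro) for sle, aro in risks)


def loss_prevented(risks_before, risks_after):
    """Yearly loss the controls prevent: ALE without controls minus residual ALE with them."""
    return total_ale(risks_before) - total_ale(risks_after)


def grc_cost_justified(risks_before, risks_after, annual_control_cost):
    """The post's criterion: the annual spend must not surpass the annual loss prevented."""
    return annual_control_cost <= loss_prevented(risks_before, risks_after)


# Constructed risk register before controls: (SLE in dollars, ARO per year).
RISKS_BEFORE = [
    (250_000, 0.5),    # e.g. unauthorised transaction via weak segregation of duties
    (80_000, 2.0),     # e.g. a fine for a missed compliance deadline
    (1_000_000, 0.05), # e.g. a material financial misstatement
]

# Residual register after the GRC controls lower each occurrence rate (constructed).
RISKS_AFTER = [
    (250_000, 0.1),
    (80_000, 0.25),
    (1_000_000, 0.01),
]

ANNUAL_GRC_COST = 150_000  # constructed yearly licence + operation cost

if __name__ == "__main__":
    prevented = loss_prevented(RISKS_BEFORE, RISKS_AFTER)
    print(f"ALE without controls: ${total_ale(RISKS_BEFORE):,.0f}")
    print(f"ALE with controls:    ${total_ale(RISKS_AFTER):,.0f}")
    print(f"Loss prevented/year:  ${prevented:,.0f}")
    verdict = grc_cost_justified(RISKS_BEFORE, RISKS_AFTER, ANNUAL_GRC_COST)
    print("Cost justified" if verdict else "Cost not justified")
```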
Yuan Liu says
Hi Jordan, these are precise and clear answers and I really like your idea about question 3. As an information systems auditor, we need to try our best to find the vulnerabilities in the system and should be ethical and be yourself to do the job.
Haitao Huang says
Question 1
Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed, but it’s common for an organization to begin threat modeling early in the design process of a system and continue throughout its lifecycle. This type of threat modeling is also known as a defensive approach. This method is based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post-deployment updates and patches. In most cases, integrated security solutions are more cost-effective and more successful than those shoehorned in later.
Returning back to the design phase might produce better products in the long run but starting over from scratch is massively expensive and causes significant time delays to product release.
Question 2
In the real world control failures that we have reviewed, most of the business leaders share some common characteristics, such as being aggressive and unrealistic in pursuing business goals and trying to justify the decisions and actions that they make.
Question 3
As a business leader, it is important to exercise due diligence and due care to produce high-quality audit work. Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization. In today’s business environment, prudence is mandatory. Showing due care and due diligence is the only way to disprove negligence in an occurrence of loss. Senior management must show due care and due diligence to reduce their culpability and liability when a loss occurs.
Question 4
Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance is closely related to and often intertwined with corporate and IT governance. The goals of these three governance agendas often interrelate or are the same. For example, a common goal of organizational governance is to ensure that the organization will continue to exist and will grow or expand over time. Thus, the goal of all three forms of governance is to maintain business processes while striving toward growth and resiliency.
Rouying Tang says
1. How much of automated controls should be desired? Is it beneficial to consider controls at the initial design phase or controls are introduced as and when needs arise?
It would depend on what development methods are applied. If it is developed under rapid application development, then you may not be able to support the planning required to define the information needs of the enterprise, which can reduce the cost compared to the traditional classic SDLC approach. When we do traditional development, I believe it would also reduce the cost if we can consider the necessary controls from the very beginning rather than adding them on later.
2. In the Real World Control Failures we have reviewed, describe the character of the leaders involved. Is it a root cause of the control failures?
I do believe the character of desire toward a life of luxury can potentially meet one side of the fraud triangle, which is the motivation. However, the salaries of most C-levels and those on Wall Street are not low. And the desire toward a life of luxury can be fulfilled via other legal approaches as well. So I don’t think it is a root cause of the control failures. Other factors, including the extra environments, should be considered.
3. A person’s character is very crucial in the audit industry. How would you build your reputation and maintain a good ethical character in this industry?
I won’t allow gray areas in my career. I will even avoid jokes regarding them. I truly believe there is nothing that can be hidden. And I will avoid working for a company without a non-fraud environment.
4. SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
The Governance, Risk and Compliance module can generate potential benefit from avoiding penalties and increasing the value of goodwill. The investment in this module meets the spirit of applied compliance monitoring under the on-going business process, which can prevent future risks and save money from there.
Yuan Liu says
1. Automated system controls are a key part of a strong internal control environment. They increase efficiency of operations, improve accuracy and help eliminate fraud. A major advantage of robust automated controls is that they are more reliable than manual controls. Compared with automated controls, manual controls are applicable when judgment and discretion are required. Additionally, manual controls can be used to monitor automated controls. Additional risks arise with the use of manual controls as they can be more easily overridden, are susceptible to human error, and are inherently less consistent than automated controls. I think at the beginning of system setup, when creating the programming standard, we should use manual controls to set up a standard for the whole system, and then let the automated controls run the system because it is more efficient and accurate.
2. In my opinion, I think the leader’s attitude and ability is the root cause of company failure most of the time. As we know, most companies focus on profit, which means the purpose these companies were created for is to make profit. This idea can be in leaders’ minds for an important position, so they would put making profit in the first position of company running. Sometimes, there would be a conflict between social responsibility and profit during the period of company development. For example, there is a significantly negative example to show this question. Enron was crushed by hiding the company’s huge bad debt. After the research, we know this fact, that the company’s leader knew exactly what happened and just let it go. He did not show the problem as a public company. As a public company, he should be responsible for the company’s investors and its employees. The reason why the leader did that is that he wanted to make more money to cover the negative economic situation of the company and transfer the debt to new investors. I think he had totally forgotten about the control of risk. The leader just let the company fall into the risk. Therefore, the leader should be the root cause of companies’ failure. With great power comes great responsibility.
3. HONESTY. Ethical executives are honest and truthful in all their dealings and they do not deliberately mislead or deceive others by misrepresentations, overstatements, partial truths, selective omissions, or any other means.
2. INTEGRITY. Ethical executives demonstrate personal integrity and the courage of their convictions by doing what they think is right even when there is great pressure to do otherwise; they are principled, honorable and upright; they will fight for their beliefs. They will not sacrifice principle for expediency, be hypocritical, or unscrupulous.
3. PROMISE-KEEPING & TRUSTWORTHINESS. Ethical executives are worthy of trust. They are candid and forthcoming in supplying relevant information and correcting misapprehensions of fact, and they make every reasonable effort to fulfill the letter and spirit of their promises and commitments. They do not interpret agreements in an unreasonably technical or legalistic manner in order to rationalize non-compliance or create justifications for escaping their commitments.
4. There are four ethical principles I think should be important to build a reputation in the auditing industry. The first idea I come up with is loyalty. Ethical executives are honest and truthful in all their dealings and they do not deliberately mislead or deceive others by misrepresentations, overstatements, partial truths, selective omissions, or any other means. The second is integrity. Ethical executives demonstrate personal integrity and the courage of their convictions by doing what they think is right even when there is great pressure to do otherwise; they are principled, honorable and upright; they will fight for their beliefs. They will not sacrifice principle for expediency, be hypocritical, or unscrupulous. Then should be a promise-keeping attitude. Ethical executives are worthy of trust. They are candid and forthcoming in supplying relevant information and correcting misapprehensions of fact, and they make every reasonable effort to fulfill the letter and spirit of their promises and commitments. They do not interpret agreements in an unreasonably technical or legalistic manner in order to rationalize non-compliance or create justifications for escaping their commitments. The last one is leadership. Ethical executives are conscious of the responsibilities and opportunities of their position of leadership and seek to be positive ethical role models by their own conduct and by helping to create an environment in which principled reasoning and ethical decision making are highly prized.
4. SAP GRC Process Control helps protect the organization from key risks, and can also help businesses embrace change, with the right processes in place. It can support ongoing compliance and help provide solid foundations from which to scale the management of controls more easily, as and when the business needs it.
There are five benefits of using GRC:
1. Improved user experience
2. Easier user adoption
3. Enhanced integration
4. Better process optimisation
5. Improvements to SAP Risk Management and SAP Process Control
Based on these benefits, I think it is worth investing in its development.
https://www.turnkeyconsulting.com/keyview/five-key-benefits-of-sap-grc-12.0
Yuan Liu says
To answer question three, the paragraph beginning with “4. There are four ethical principles I think should be important to build reputation in auditing industry” is the answer, and the other three short paragraphs are end parts of the answers, so sorry about that format mistake.