
Chapter 5

Control Frameworks
“You can’t win just by playing defense.”

COSO IC-IF Model
(COMMITTEE OF SPONSORING ORGANIZATIONS’ INTERNAL CONTROL-INTEGRATED FRAMEWORK)
Five components of the COSO IC-IF Model
1. Control Environment
This refers to the workplace environment, characterized by the way the organization is
structured, the manner of leadership, the degree of openness, management’s operating
style, having and practicing the tenets of its code of ethics and statement of values.
According to Trompenaars, organizational culture includes three key elements:
1. The general relationship between employees and their organizations
2. The vertical or hierarchical system of authority defining superiors and subordinates
3. The general views of employees about the organization’s destiny, purpose, and
goals, and their place in it.

Form over Substance
This consists of the management practices whereby on the surface it appears as though
an essential activity has been performed, when in fact that is not so.
Principles underlying the control environment are:
1. The organization should demonstrate a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
Lewin’s equation, developed by Kurt Lewin, states that behavior is a function of the
person and the environment:
B = f(P, E),
where B is the person’s behavior, P is the person, and E is the environment.

What is the significance of Lewin’s equation for internal auditors?

Internal auditors are tasked with verifying that employees do what is appropriate to
pursue organizational goals and this often implies they must follow internal and external
policies, procedures and practices.
Internal auditors must work with management to make sure there are clear standards of
performance, that rewards and sanctions are clearly communicated, and that
employees are managed and aligned effectively.

2. Risk Assessment
Risks are those events that can jeopardize the organization’s ability to achieve its
objectives.
Risk assessment is the process of identifying, assessing, and measuring risks to the
organization, program, or process under review.
It involves a dynamic and iterative process of identifying, analyzing, and deciding how
best to respond to these risks in relation to the achievement of objectives.
Risks are typically assessed along two dimensions:
1. Likelihood, or the probability that these events occur
2. Impact, or the consequence if these events occurred
Management specifies objectives within three separate but related categories:
Reporting: It includes the reliability, timeliness, transparency, or other terms set by
regulators, the organization’s policies or other recognized standard setters.
Compliance: These are related to adherence to laws and regulations to which the
organization is subject.
Operations: This includes operational and financial performance goals, safeguarding
assets against loss, damage or obsolescence, and making sure resources are obtained
economically.
Business and Process Risk
This is the risk that the organization’s processes are not effectively obtaining, managing,
and disposing of their assets, that the organization is not performing effectively and
efficiently in meeting customer needs, is not creating value, or is diluting value by
suffering the degradation of financial, physical, and information assets.
◾ Capacity risk
◾ Execution risk
◾ Supply chain risk
◾ Human resources risk
◾ Product or service failure risk
◾ Product development risk
◾ Cycle time risk
◾ Health and safety risk
◾ Leadership risk
◾ Outsourcing risk
◾ Competitor risk
◾ Catastrophic loss risk
◾ Industry risk
◾ Organization structure risk
◾ Integrity and fraud risk
◾ Trademark erosion risk
◾ Reputation risk
◾ Data integrity
◾ Infrastructure risk
◾ Commerce risk
◾ Access risk
◾ Availability risk

Technological and Information Technology Risks
These risks relate to conditions where IT is not operating as intended, the integrity and
reliability of data is compromised, and significant assets are exposed to potential loss or
misuse.
◾ Data and system availability risk
◾ Data integrity risk
◾ System capacity risk
◾ Data integrity
◾ Infrastructure risk
◾ Commerce risk
◾ Access risk
◾ Availability risk
Personnel Risks
Personnel risks relate to conditions that limit the organization’s ability to obtain, deploy,
and retain sufficient numbers of suitably qualified and motivated workers.
◾ Availability risk
◾ Competence risk
◾ Judgment risk
◾ Malfeasance risk
◾ Motivation risk

Financial Risks
Financial risks can result in poor cash flows, currency and interest rate fluctuations, and
an inability to move funds quickly and without loss of value to where they are needed.
◾ Resources risk
◾ Commodity prices risk
◾ Foreign currency risk
◾ Liquidity risk
◾ Market risk

Environmental Risks
Environmental risk relates to the actual or potential threat of negative effects on the
environment by emissions, wastes, and resource depletion.
◾ Energy and other resources risk
◾ Natural disaster risk
◾ Pollution risk
◾ Transportation risk
◾ Pandemic risk

Political Risks
Political risk has to do with the complications organizations may encounter as a result
of political decisions.
◾ Regulations and legislation risk
◾ Public policy risk
◾ Instability risk

Social Risk
Social risk relates to dynamics where an issue affects stakeholders who can form
negative perceptions that can cause some form of damage to the organization.
◾ Demographics risk
◾ Privacy risk
◾ CSR
◾ Mobility
The SMARTER Model for Effective Goals
The SMARTER model is very useful when developing organizational and personal
goals. SMARTER is a mnemonic that helps you remember the elements of well-developed
goals. It is very effective, and two enhancements that add the letters “E” and
“R” make it even more effective.

George Doran first mentioned SMART goals in November 1981.

Letter  Major Descriptor  Related Descriptors or Minor Terms
S       Specific          Significant, simple, stretching, and sufficiently detailed
M       Measurable        Meaningful, motivational, and manageable
A       Achievable        Appropriate, assignable, ambitious, aspirational, attainable, agreed, actionable, and aligned
R       Relevant          Realistic and resourced
T       Time-bound        Timed, timely, time-specific, trackable, and tangible
E       Evaluated         Excitable, ethical, engaging, ecological, and enjoyable
R       Rewarding         Reevaluate, revisit, recordable, and reaching

Effects of Risk
• Loss of assets
• Negative publicity
• Erroneous decisions
• Customer dissatisfaction
• Fraudulent financial or operational reporting
• Erroneous record keeping and accounting
• Noncompliance with rules and regulations
• Purchase of resources uneconomically
• Failure to accomplish established goals

3. Control Activities

Controls are actions established through policies and procedures that mitigate the
likelihood and/ or impact of risks. Controls are performed at all levels of the
organization, at various stages within processes and over the technological
infrastructure of the organization.

Control activities can be categorized as:
◾ Preventive
◾ Detective
◾ Directive
◾ Compensating
4. Information and Communication

The fourth component in the COSO IC/IF model refers to the flow of
information in an organization.
Communication helps to improve motivation, builds trust, creates a shared
identity and corporate culture, and engenders engagement.

Bruce Berger states that internal communication occurs on multiple levels.
1. Interpersonal or face-to-face (F-T-F) communication
2. Group-level communications
3. Organizational-level communications

Three broad types of risks that outsourcing creates:
Operational risks: These usually occur because the service provider does not fully
understand the client’s requirements or lacks the capability to achieve them.
Strategic risks: Generally caused by deliberate and opportunistic behavior by service
providers or their employees.
Composite risks: These occur when the client loses its ability to implement the process
for itself because it has outsourced the process for a long time.

5. Monitoring Activities

Monitoring activities consist of ongoing evaluations, separate evaluations, or a
combination of the two, used to determine whether each of the five components of
internal control is present and functioning.

In general, the monitoring component serves as a very effective tool to assist
management in understanding how all components of internal control are being applied,
and it can enhance organizational effectiveness when applied as intended.
IT FRAMEWORKS
COBIT AND GTAG
(CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY)
(GLOBAL TECHNOLOGY AUDIT GUIDE)

The COBIT Framework addresses not only technical subjects but also critical managerial
and accounting/financial activities such as:

1. Establishing IT direction: The IT direction should inform organizational priorities,
the assignment of resources, and the identification of appropriate metrics to track
performance and the achievement of those goals.
2. Project management: The conversion of ideas into deliverables over a period of time.
3. Purchases: IT activities often require the purchase of hardware and software and
payment for technical know-how. All of this must be paid for, so planning for, making,
and accounting for these expenditures appropriately in financial reports is an ongoing
priority in the IT environment.
4. Training end users: It is essential for the organization to make sure that end users
are trained thoroughly, promptly, and cost-effectively.

ISO
(INTERNATIONAL ORGANIZATION FOR STANDARDIZATION)
ISO is an independent, nongovernmental organization.
The organization is based in Geneva, Switzerland.
It brings together experts to share knowledge and develop voluntary
standards that support innovation and provide solutions to global and
business challenges.

They are also instrumental in facilitating international trade by providing standardized
parameters and criteria and establishing expectations.

Internal auditors should become familiar with ISO standards as they drive
the decisions, goals, and operational practices of the management team at
many organizations. They can help internal auditors supplement their audit
programs by incorporating the wealth of knowledge that these standards
contain.
Popular standards include:
ISO 9000 Quality management
ISO 14000 Environmental management
ISO 3166 Country codes
ISO 26000 Social responsibility
ISO 50001 Energy management
ISO 31000 Risk management
ISO 22000 Food safety management
ISO 27001 Information security management
ISO 45001 Occupational health and safety
ISO 37001 Anti-bribery management systems

ITIL
(INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY)

ITIL began in the 1980s.
ITIL is a comprehensive set of best practices for IT service management
that promote a quality approach to achieving business effectiveness and
efficiency in the use of information systems.
ITIL describes processes, procedures, tasks, and checklists which are not
organization-specific, but can be applied by an organization for establishing
integration with the organization’s strategy, delivering value, and helping to
maintain a minimum level of competency.

In terms of service, the five ITIL 2011 volumes provide the following
guidance:
1. ITIL service strategy: Understanding organizational objectives and
customer needs
2. ITIL service design: Turning the service strategy into a plan for
delivering the business objectives
3. ITIL service transition: Developing and improving capabilities for
introducing new services into supported environments
4. ITIL service operation: Managing services in supported environments
5. ITIL continual service improvement: Enhancing service delivery and
making large-scale improvements.

Its major goals and characteristics include:
◾ Provides a process-driven approach
◾ Improves resource utilization
◾ Helps organizations become more competitive
◾ Decreases rework
◾ Eliminates redundant work
◾ Helps to improve project deliverable quality and turnaround time
◾ Improves availability, reliability, and security of mission critical IT
services
◾ Justifies the cost of service quality
◾ Provides services that meet business, customer, and user demands
◾ Integrates central processes
◾ Documents and communicates roles and responsibilities while
providing services
◾ Provides performance indicators

CMMI
(CAPABILITY MATURITY MODEL INTEGRATION)
Administered and marketed by Carnegie Mellon University.

CMMI states that it can improve the key capabilities within project and
work management, process management, support infrastructure,
people management, product development, service delivery and
management, supplier management, and data management.

There are five characteristic maturity levels as follows:

Level 5  Optimized   Process focus is continuous improvement and automated
Level 4  Managed     Process is measured, monitored, and controlled
Level 3  Defined     Process is standardized, documented, and communicated
Level 2  Repeatable  Process is unpredictable, poorly controlled, and reactive
Level 1  Initial     Process follows a regular pattern
