Group 4

control framework

CHAPTER 5: CONTROL FRAMEWORKS
INTRODUCTION

Key points about control frameworks:

1. Need for frameworks: A complex business environment requires organized internal controls.
2. Purpose: Create value, minimize risks, and evaluate results systematically.
3. Examples of frameworks:
- COSO's Internal Control Integrated Framework (IC-IF)
- COBIT (IT controls)
- ISO 17799 (IT controls)
- ITIL (IT controls)
- CMMI (project management and process improvement)

These frameworks help organizations manage risks and improve business results.
CONTROL FRAMEWORKS

THE COSO FRAMEWORKS: ICF AND ERM

The COSO Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission, is a widely recognized internal control framework. Key points:

1. Creation: Formed in 1985 to address fraudulent financial reporting.
2. Goal: Improve financial reporting quality through corporate governance, ethics, and internal control.
3. Components: Five components, 17 principles, and three categories of objectives (operations, reporting, compliance).
4. Framework structure: Represented as a cube, showing components, objectives, and entity structure.
5. Principles: Fundamental concepts for achieving effective internal control.

The COSO Framework helps organizations achieve effective internal control and mitigate risks.
CONTROL ENVIRONMENT

The control environment is a critical component of an organization's internal controls, encompassing:

1. Workplace environment: Leadership style, openness, and operating style.
2. Tone at the top: Board and senior management's attitude, integrity, and ethics.
3. Organizational culture: Shared values, beliefs, and traditions.
4. Competence and development: Employee skills, training, and accountability.

A strong control environment promotes:

1. Ethical behavior
2. Employee morale
3. Productivity and efficiency
4. Customer satisfaction

Unethical behavior can lead to:

1. Financial losses
2. Reputational damage
3. Legal consequences

Examples of unethical behavior include:

1. Undue emphasis on bottom-line performance
2. High-pressure sales tactics
3. Kickbacks or bribes

A well-established control environment is essential for maintaining a positive corporate image and achieving long-term success.
COMMUNICATION, CONSISTENCY AND..

Effective communication and consistency are crucial in promoting a strong control environment. Key points:

1. Clear expectations: Management should clearly communicate what is allowed and not allowed.
2. Walking the talk: Management's actions should align with their words to demonstrate belief in the message.
3. Codes of ethics and conduct: Establish guidelines for acceptable behavior and ethical decision-making.
4. Training and refresher programs: Educate employees on ethics, codes, and policies.

Best practices include:

1. Regular communication: Articles, vignettes, and surveys to reinforce ethics and compliance.
2. Lunch and learn sessions: Informal discussions on topics related to risks and controls.
3. Partnerships: Collaborate with HR, Legal, IT, and other departments to promote education and awareness.

By promoting a culture of ethics and compliance, organizations can foster a positive work environment and reduce the risk of unethical behavior.
FORM OVER SUBSTANCE

The control environment is built on five key principles:

1. Integrity and ethical values: Demonstrate commitment through actions and consequences.
2. Board oversight: An independent board provides guidance and oversight.
3. Organizational structure: Clear roles, responsibilities, and reporting lines.
4. Competence: Attract, develop, and retain skilled employees.
5. Accountability: Hold individuals responsible for their internal control responsibilities.

These principles foster a strong control environment, promoting accountability, transparency, and ethical behavior, enabling organizations to achieve objectives and mitigate risks.
ENTITY LEVEL CONTROLS
Entity-level controls assess an organization's values, systems, policies, and processes to determine if they promote proper conduct or dissuade fraud. Key areas of interest include:

1. Management style and corporate culture
2. Organizational structure and policies
3. Controls over management override
4. Risk assessment methodology
5. Monitoring results of operations
6. Financial and operational reporting
7. Hiring and retention practices
8. Fraud prevention and detection controls
9. Internal audit function
10. Whistle-blower hotline effectiveness

Lewin's equation (B = f(P, E)) highlights the importance of considering both the person and the environment in shaping behavior. Internal auditors should work with management to create a positive environment that promotes ethical behavior and accountability.
TONE IN THE MIDDLE

The "tone in the middle" refers to the influence of middle managers and supervisors on workplace culture, ethics, and employee behavior. Key points:

1. Manager's impact: Employees judge the organization based on their boss's actions.
2. Ethics and values: Managers determine and reinforce values, ethics, and workplace dynamics.
3. Employee engagement: The workplace environment is influenced by employee engagement levels.
4. Impact on results: Employee engagement affects customer satisfaction, turnover, profits, and goal achievement.

Internal auditors should assess employee engagement and work with management to foster a positive work environment.
RISK ASSESSMENT
Risk assessment is a critical component of the COSO framework, involving:

1. Identifying risks: Events that can jeopardize achieving objectives.
2. Analyzing risks: Assessing likelihood and impact.
3. Responding to risks: Deciding how to manage or mitigate risks.

Key aspects:

1. Establishing objectives: Precondition to risk assessment.
2. Risk linkage: Tracing risks throughout the organization.
3. Dynamic process: Regularly reassessing risks in a changing environment.

Risk assessment categories:

1. Reporting: Reliability, timeliness, and transparency of internal and external reports.
2. Compliance: Adherence to laws, regulations, and contractual terms.
3. Operations: Effectiveness and efficiency of operations, safeguarding assets.

Aligning objectives with strategic priorities is essential to ensure congruence and coordination.
BUSINESS PROCESS RISK - REWARDING
Types of Risks in Business

Organizations encounter many risks that can affect their success. These risks include:

Business Risks: Risks like not having enough capacity to meet demand, supply chain problems, product failures, leadership issues, and fraud.

Technology Risks: Problems with IT systems, data accuracy, system availability, and security.

Personnel Risks: Shortages of skilled workers, lack of motivation, wrong decisions by staff, and employee misconduct.

Financial Risks: Money-related risks such as cash flow problems, currency fluctuations, and market changes.

Environmental Risks: Natural disasters, pollution, energy shortages, and pandemics that affect operations.

Political Risks: Changes in laws, regulations, or political instability that impact business.

Social Risks: Changes in society's views, customer preferences, and demographic shifts affecting the company's image and workforce.
Importance of Setting Clear Goals (SMARTER Model)

Organizations must set clear goals to manage risks better. The SMARTER model helps make goals effective by ensuring they are:

Specific: Clear and detailed about what needs to be done.

Measurable: You can track progress with evidence.

Achievable: Realistic so that workers feel motivated, not discouraged.

Relevant: Aligned with the organization's mission and workers' roles.

Time-bound: Have deadlines to avoid procrastination.

Evaluated: Checked for ethics, impact, and progress regularly.

Rewarding: Provide suitable rewards and show how work benefits everyone.

Role of Internal Auditors

Internal auditors review how well organizations manage their risks and controls.

Why Risk Management Matters

Managing risks well helps organizations avoid losses, protect assets, maintain a good reputation, meet customer expectations, and comply with laws.
CONTROL ACTIVITIES - INFORMATION AND COMMUNICATION

CONTROL ACTIVITIES

- Actions established through policies and procedures to reduce risks.
- Occur at all levels, across processes, and over technology.
- Manual controls – performed by people (reviews, approvals, locks, paper).
- Automated controls – performed by systems/technology (less human input).

Equilibrium Between Risks & Controls

- Excessive risks → loss of assets, poor decisions, scandals, noncompliance, failure to achieve mission.
- Excessive controls → bureaucracy, low productivity, poor decisions, reduced morale, duplication of effort.
- Must avoid always recommending more controls or using outdated checklists.
Policies and Procedures (P&Ps)

- Communicate requirements, expectations, and responsibilities.
- Policies → what must be done (principles).
- Procedures → how it must be done (steps).
- Not controls by themselves → actual control occurs when activities are carried out.
Types of Internal Controls

- Preventive controls – stop errors before they occur (segregation of duties, passwords, cameras).
- Detective controls – identify issues after they happen (reviews, reconciliations, exception reports).
- Directive controls – encourage desired behavior (training, documentation, policies).
- Mitigating controls – compensate when segregation of duties is not possible (supervisory review).
Information and Communication

- Essential to effective internal control (COSO).
- Information must be reliable, relevant, and timely.

Communication flows:

- Downward – management to staff (policies, expectations).
- Upward – employees to management (feedback, reporting).
- Lateral – across departments (coordination).
- External communication to stakeholders builds trust and supports goals.
Information Quality

- Controls depend on accurate, complete, timely data.
- Examples: reconciliations, authorizations, access controls, inventory counts, document retention.
Data & Technology Risks

- Technology provides efficiency but increases risks: hacking, insider threats, outages, breaches, noncompliance.
- Strong controls: access restrictions, encryption, authentication, monitoring, compliance with laws.
- Social media: builds reputation but exposes the organization to public criticism if mismanaged.
Outsourcing Risks

- Common in IT, payroll, customer support.
- Operational risks – delays, errors, poor service.
- Strategic risks – supplier opportunism, data theft, disclosure of confidential information.
- Composite risks – loss of internal capability after dependence on third parties.
- Organizations remain accountable.
Service Organization Control (SOC) Reports

Provide assurance in outsourcing.

- SOC 1 – controls over financial reporting.
- SOC 2 – controls over security, availability, confidentiality, processing integrity, and privacy.
- SOC 3 – simplified, public report.
- Type 1 – design of controls at one date.
- Type 2 – design plus operating effectiveness over a period.
MONITORING ACTIVITIES - CMMI

Monitoring Activities

Monitoring activities consist of ongoing, separate, or a combination of evaluations used to determine whether each of the five components of internal control is present and functioning. Ongoing evaluations are built into business processes at different levels of the organization and provide timely information on how well or poorly these activities are performing.
Control environment:

The control environment is concerned with ethics in the organization. These are great tools to collect information and begin to assess the condition of ethics in the workplace. This entails, among other things, asking employees. Themes of interest are
◾ Their opinions and impressions about the tone at the top
◾ Management's efforts to promote ethics
◾ Whether there is employee agreement that ethics are important and are rewarded

Risk assessment:

The risk landscape is constantly changing, and as such, a risk assessment performed at one point in time may be inaccurate a few months, weeks, or even days later.

Information and communication:

Information flows are essential to keep employees and managers aware of business dynamics.
IT AND ITS IMPACT ON ORGANIZATIONAL SUCCESS

IT increasingly plays a pivotal role in organizational success. Organizations should think of IT as, or transform it into if it isn't yet, a business service partner instead of just a back-end support unit. It is important to align IT actions and expenses to business needs and revise them as the business grows or changes direction.
COBIT AND GTAG

The 1992 COSO IC-IF and 2004 ERM Frameworks did not directly address IT considerations. That changed with the 2013 COSO Framework, which refers directly to IT General Computer Controls (GCCs) in Principle 11.

(Figure labels: Planning, Management, Goals, Strategizing)
Establishing IT direction: Today it is imperative that organizations establish and communicate their strategic direction, get all levels of management involved, and get employee buy-in so they support those initiatives.

Project management: Since many activities within IT involve system development and the acquisition and implementation of software and hardware solutions, project management has gained a great deal of attention.

Purchases: While project management often refers to the conversion of ideas into deliverables over a period of time, these activities often require the purchase of hardware and software and payment for technical know-how.

Training end users: Since IT projects often have a hefty price tag, take a substantial amount of time to develop and implement, and their scope is often critical to the long-term success of the organization.
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION

ISO is an independent, nongovernmental organization. Through its 162 national standards groups, it brings together experts to share knowledge and develop voluntary standards that support innovation and provide solutions to global and business challenges.

ISO 9000 Quality management
ISO 14000 Environmental management
ISO 3166 Country codes
ISO 26000 Social responsibility
ISO 50001 Energy management
ISO 31000 Risk management
ISO 22000 Food safety management
ISO 27001 Information security management
ISO 45001 Occupational health and safety
ISO 37001 Anti-bribery management systems
ITIL

ITIL defines the organizational structure and skill requirements of an IT organization and standard management procedures and practices to manage an IT operation. The five ITIL 2011 volumes:

1. ITIL service strategy: Understanding organizational objectives and customer needs
2. ITIL service design: Turning the service strategy into a plan for delivering the business objectives
3. ITIL service transition: Developing and improving capabilities for introducing new services into supported environments
4. ITIL service operation: Managing services in supported environments
5. ITIL continual service improvement: Enhancing service delivery and making large-scale improvements

(Figure labels: Increase network expansion; Roll out the technology platform; Present more product)
Procter & Gamble: Started using ITIL in 1999 and has realized a 6%–8% reduction in operating costs.

Caterpillar: Embarked on a series of ITIL projects in 2000.

Nationwide Insurance: Implementing key ITIL processes in 2001 led to a 40% reduction of its systems outages.

Capital One: An ITIL program that began in 2001 resulted in a 30% reduction in systems crashes and software-distribution errors, and a 92% reduction in "business-critical" incidents by 2003.

Some of the key goals, then, are to
◾ Streamline service delivery and support processes
◾ Develop repeatable procedures to help first-level support groups
◾ Reduce the number of service incidents and outages
◾ Implement standards to do things right the first time
◾ Perform proactive analysis to improve prevention and issue resolution
◾ Ensure future capacity through planning
◾ Define clear service targets
◾ Accurately allocate and recover costs
◾ Audit, manage, and improve IT processes
All of these objectives, when achieved, will reduce the cost of operations
and improve service quality, customer satisfaction, and compliance.
CMMI

The CMMI is a process improvement appraisal program administered and marketed by Carnegie Mellon University. It is widely used in project management, software development, process assessment, and performance improvement within a project, division, or an entire organization.

There are five characteristic maturity levels as follows:

Level 1—Initial:
Level 2—Repeatable:
Level 3—Defined:
Level 4—Managed:
Level 5—Optimized:
THANK YOU