top banner

Control Chatter                                                   September 2020
News that Control Professionals Need to Know


 Quick Links
In This Issue
Internal Control and Organization Structure Flaws
Affiliate News..
2020 Study of Enterprise Risk and Governance
Assessing Compliance Internal Controls Under the COSO 2013 Internal Controls Framework
Defining and Building Your In-House Compliance Committee
Whistleblowing and your business
Will 'compliance officer' become a regulated profession?
Cybersecurity Risk Management Process
SEC to rate entities on risks vs laundering, terror finance
Three Steps To Manage Third-party Risk In Times Of Disruption
 
HELP US IMPROVE INTERNAL CONTROL SYSTEMS WORLDWIDE
PARTNERS WANTED: 

Facebook Join My List Logo
The Internal Control Institute™ (ICI) improves organizational Internal Control worldwide by providing training, products and services and individual Professional Certifications recognized internationally. The Institute's Board of Advisors has determined it would like to further expand into areas where it is not directly represented. ICI provides world-class programs and its intellectual property to affiliates free of charge and shares all program revenue with them. If your organization is interested in partnering with ICI to earn revenue while you contribute to the development of the internal control profession worldwide please contact Dr. Michael Pregmon, Jr., Chief Operations Officer, by email at: mpregmon@internalcontrolinstitute.org or by phone at 727-538-4113 in the USA. 
Test your Knowledge of Internal Control
The Internal Control Institute has developed a CICS Common Body of Knowledge Mini-Assessment that helps an individual determine their knowledge as it relates to governance and control practices. Results point out areas of knowledge that may require additional training and experience. The assessment also provides a measurement to the individual's readiness for CICS certification. The assessment measures core knowledge in eight critical areas including: Internal Control - Principles, Terms and Concepts, Internal Control Environment, Risk Management, Assessing Application Controls, Business System Control Assessment, Risk Assessment, Internal Control Measurement and Reporting, and Governance Practices
 Internal Control online courses
ici logo
Start becoming an Internal Control professional today!
The ICI "Certification Series" has been completely updated and is available online to everyone around the world! Course content prepares individuals to design and/or assess internal control and to assist management in installing internal control processes. In addition, the series prepares candidates for the Certified Internal Control Specialist (CICS) Examination.
To review the course catalog click here: ICI Course Catalog
To register for one or all of the online training programs click here:  
Online course pricing has been reduced by over 70% 
Internal Control and Organization Structure Flaws
By Michael Pregmon, Jr., Ph.D., CICP
COO and Managing Director
Dr. Michael Pregmon, Jr.
COO and Managing Director 
In our last newsletter we reported that inconsistent customer service is often the result of one or more of three common organization problems. Inconsistent customer service is particularly impactive to the organization over time. Customers will often overlook an occasional service "glitch." Repeated occurrences will turn customers away. Unfortunately, disgruntled customers just disappear and say nothing to the provider. Yet, studies show that the unhappy customer will tell at least seven others of poor company performance. The three common flaws are:
          1. Organization structure weakness
          2. Process control failures
          3. Staffing challenges
In this edition, we will address the issue in the first item.
 
Organization Structure Weakness
Structural flaws cause a span of control issues. Consultant Lew Allen some years ago completed research which revealed that supervisors can effectively manage from three to seven people. This is, of course, a general rule of application. The type of operation certainly needs to be considered. In areas where close supervision is necessary, such as a research lab, perhaps fewer people may be effectively supervised. Most often though, the higher limit is the area where deficiencies occur. Many organizations violate this limit. How can any individual supervisor effectively manage 30 people? This is unrealistic!
 
Another common flaw is supervisory proximity. Supervisors/leaders need to be near the action to exercise proper control.
 
As an example, in restaurant operations, the chef is primarily charged with food preparation and quality. He/she needs to stay close to the action in the kitchen. To entrust dining room activities to the chef's domain, strains the control parameters. That is the reason typical restaurant operations enlist the services of a maitre d'hotel to oversee activities in the dining area of the restaurant. And, waiters/waitresses who take guest orders usually deliver these to the guest. This is an internal control assurance activity. To contrast this, here is an example of a flawed organization structure.  
 
This occurs in an assisted living facility (ALF). ALFs are in the health care industry and are a type of hybrid operation between independent apartment living and a skilled nursing activity. ALF operations provide dining room service for all meals, similar to restaurant operations.
 
Nursing assistants provide the essential services to residents of this ALF. However, during dining periods, these assistants are required to perform dining room table service. This, seemingly, is an effective use of available hours, as dining activities comprise almost 20% of the workday. However, in this operation, the assistants report to the kitchen (chef) to work as servers (waiters and waitresses). There is no actual dining area supervision of these servers during mealtimes. Consequently, 20% of the workday for each of these employees goes unsupervised as it is unrealistic for the chef to provide leadership in the dining room. Further, from an organization standpoint, 20% of these employees' worktime is not monitored and is not assessed. Food is served and follow-up is often non-existent. Further, the employee who takes the resident's food order typically does not deliver the meal to that resident. So, the normal internal control process evident in most restaurants when orders are delivered to guests is non-existent. This causes poor service and residents' dissatisfaction.
 
Flawed operations such as this are tremendously counterproductive. And, this is inefficient and costly to the company.
 
Does your organization have such structural weaknesses?
ICI ANNOUNCEMENTS
ICI Affiliate News:


The Internal Control Institute is conducting certification training in a classroom and online formats for the internationally recognized CICS (Certified Internal Control Specialist) certification in internal control. Information on these programs regarding dates and schedules can be found on the Events tab on our Website (Events) or directed to the affiliate named below:

Botswana:
ICI has entered into an agreement with Internal Control Institute of Botswana (ICI Botswana":) as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in this territory. ICI Botswana will be responsible for all development activities in this area, including professional training and Certification.  Individuals or companies interested in internal control training or Certification should contact:
Humphrey Chawafambira

Brazil:
Training Plans :

Rio de Janeiro - 5 to 8 October

For more details on planned training please visit the website below, or send a message to Mr. Eduardo Person Pardini. 

 
Cameroon:

ICI has entered into an agreement with Internal Control Institute of Cameroon ("ICI Cameroon") as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in this territory. ICI Cameroon will be responsible for all development activities in this area, including professional training and Certification.  Individuals or companies interested in internal control training or Certification should contact:Contact: Eric Kamegne


China: 
Online CICS training and exams are being conducted due to COVID-19.  

Individuals or companies interested in internal control training and Certification should contact: 
Mr. Qiu Jianting of CCSIT
Room 1039, Block A, Jinmao Building, No. 18, 
Xizhimenwai Street,
Xicheng District, Beijing, China
Zip Code: 100044
Mobile phone: 13810588109

Europe: 


Training Plans :

ICI Belgium has started the CICS session in French with 22 participants.
Next sessions are planned in Brussels:
  • Dutch: October 2nd 2020
  • French : January 2021
For more information on scheduled training and exams please contact Mr.Yves Dupont of ICI Belgium at: 
  
India
For more information on upcoming activities in this area please contact Mr. Summit Goyal of ICI India at :
Phone: +91 9810575613


Myanmar and Cambodia:
Better Business Governance - APAC PTE LTD (BBG) has become a representative for Products, Services and Internal Control Certifications (CICS/CICP) in Myanmar and Cambodia. Better Business Governance will be responsible for all development activities, including professional training and Certification.  For more information on upcoming activities in this area please contact:
Better Business Governance
Mr. Sanjeev Gathani
1 Claymore Drive
#08-14, Orchard Towers (Rear Block)
Singapore 229594
  
Mexico:
For more information on upcoming activities in this area please contact the following:
Antonio Salas Hernandez CICP, Email: ashicimexico@gmail.com 
Joaquin Prendes Herrera, Email: jphicimexico@gmail.com 

Middle East:
The CICS exam is now being provided in Arabic. Osool Training and Consulting has courses and testing available in Egypt, Jordan, Libya, Muscat, Sudan, Qatar, the United Arab Emirates, Kuwait and Palestine. 

Training Plans: 

18 - 22 October 2020 - Amman, Jordan
25 - 29 October 2020 - Tunis, Tunisia
27 - 31 December 2020 - Dubai, United Arab Emirates

Interested applicants in the region should contact Osool for scheduling for future programs. For additional information on scheduled ICI Certification and program sessions, please contact:
Lina Salameh
Assistant General Manager
OSOOL for Training & Consulting
Mob Oman:  +968 95 98 98 20
Mob Jordan: +962 7 99589666
Tel:   +962 6 5927171 Ext. 107
Fax:  +962 6 5927172

Nigeria: 
Leadway Consulting conducts CICS training sessions and examinations in Nigeria. For more information on upcoming activities in Nigeria  please contact:
Mr. Joel Aluko  tunjialuko5@yahoo.com


Pakistan:

For more information on activities in Pakistan individuals or companies should contact : Muhammad Farooq Hammodi
E-Mail: nardac_k@yahoo.com


Romania:

ICI Romania is planning a CICS course session on October 5 - 7, 2020 and an examination on November 9, 2020.



For more information on activities in Romania contact : 
Cosmin Serbanescu at the National Institute for Internal Control in Romania.
Tel: + 40 752 525 525

 

Singapore, Malaysia, Indonesia and Taiwan China:
ICI has entered into an agreement with GRC Consultancy Pte Ltd. (ICI Singapore, Malaysia, Indonesia and Taiwan) as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in those territories. 

Individuals or companies interested in internal control training or Certification should contact:
General enquiries for all 4 markets - bobseetoh@theglobalgrc.com
Singapore - Mr. Bob Seetoh - bobseetoh@theglobalgrc.com
MalaysiaMr. Melvin Behmelvinbeh@theglobalgrc.com
IndonesiaMr. Melvin Beh - melvinbeh@theglobalgrc.com
Taiwan China - Mr. Bob Seetoh - bobseetoh@theglobalgrc.com


Tunisia

ICI has entered into an agreement with Business and Financial Consulting company in the Republic of Tunisia (hereinafter referred to as "ICI BFC" as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in the Republic of TunisiaICI BFC will be responsible for all development activities in this area, including professional training and Certification.  Individuals or companies interested in internal control training or Certification should contact:
Contact: Nadia Yaich

Turkey:

For more information on activities being planned please contact:



Ms. Ilknur Tunc,  VP - ilknur.tunc@iciturkey.org
Dr. Bertan Kaya - bertan.kaya@iciturkey.org
GOP Mahallesi, İran Caddesi, Karum İs Merkezi
No:21, D Blok, 4. Kat, D:398-399
06700
Kavaklıdere/Çankaya/Ankara
+90 (312) 4425015 T
+90 (533) 4474444 D
 
Vietnam:
Training Plan:
Course name
start day
duration
CICS®
preparation

4 days
On Saturday and Sunday
08:30
am - 12:00 am
13:30
pm - 17:00 pm
10/10/2020
 
For more information on upcoming activities in Vietnam please contact: NGUYEN THANH TUNG (MBA. M.Eng, PhD.) Director, FMIT Institute of Financial Management & Information Technology,  Level 5, 126 Nguyen Thi Minh Khai Street, Ward 6, District 3, HCMC, Viet Nam
Office: 848 3803 5020 - 848 3512 9371 - 848 3512 7652
Email: info@fmit.vn 

Zimbabwe:
The Internal Control Institute Of Zimbabwe will be running CICS Classes on the following dates:    
          27-30 October 2020
          8-11   December 2020

For more information on activities being planned please contact:
Dr. Proctor Nyemba at: admin@internalcontrolinstitute.co.zw
Internal Control Chatter  
Each month the staff of The Internal Control Institute reviews hundreds of articles related to Internal Control and Corporate Governance. Here are brief summaries of some of the top articles (along with links to the original article) that may be of interest to you.
2020 Study of Enterprise Risk and Governance
September 28, 2020
According to James Bone, President of Global Compliance Associates, LLC, an ERM risk research firm, "This study is the first of its kind to examine advancements in risk performance of corporate board's risk & audit committees and the risk function. The study includes an exhaustive lit review of corporate boards and enterprise-wide risk management and a global risk survey of risk leadership, advancements in ERM practice and performance measures for risk programs. The findings are provocative and explain the structural, legal and conceptual limitations that have hindered good risk management at the board and ERM level and provides insight into how to enhance risk management at the board and chief risk office level."
Read The Article
Assessing Compliance Internal Controls Under the COSO 2013 Internal Controls Framework
In the age of Coronavirus, it could well be time to assess your internal controls beyond a gap analysis. Consider what COSO says about assessing compliance internal controls. In its Illustrative Guide, COSO laid out its views on "how to assess the effectiveness of its internal controls." It went on to note, "An effective system of internal controls provides reasonable assurance of achievement of the entity's objectives, relating to operations, reporting and compliance." Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components are present and functioning. Second, are the five components "operating together in an integrated approach." One of the most critical components of the COSO 2013 Internal Controls Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls.
Defining and Building Your In-House Compliance Committee
People say that effective corporate compliance is a team effort-and every overworked, overwhelmed CISO knows that statement is true. 
Then comes the next logical question: How do you assemble that team? 
For just about every organization, you'll need to create an in-house compliance committee. This is the group of executives from across the whole enterprise who somehow play a role in risk management, and who therefore should also play a role in shaping the compliance program to govern the risks your business faces. OK, the concept is clear enough. Next come the practical questions: Exactly who should serve on the compliance committee? What issues should it address, or not address? And what role does the compliance officer play as leader of this committee? 
Whistleblowing and your business
by Kirkland Wilcox and Brian McAllister
September 25, 2020
Question: It has been almost 20 years since the accounting failures at Enron and other high-profile companies and the Sarbanes-Oxley Act (SOX) was passed. Whistleblowers played a key role in the discovery of these failures. How can organizations implement effective whistleblowing programs?  According to Brink's Modern Internal Auditing, a reference book on the subject, a whistleblowing program is an arrangement where "an employee or any stakeholder who sees some form of wrongdoing can independently and anonymously report it to an enterprise or to regulatory authorities with no fear of retribution." The first federal laws on whistleblowing derive from the False Claims Act of 1863. The act was created to address fraud by defense contractors during the Civil War. More notable in recent years, publicly traded companies have been required to establish whistleblower programs since the adoption of the Sarbanes-Oxley Act of 2002 (SOX). 
Will 'compliance officer' become a regulated profession?
September 24, 2020
Until now, compliance officers have stayed mostly under the government radar. They aren't regulated or licensed, tested or monitored. Will that change? And if so, what might the next stage of life look like for the compliance profession?
I'm going to talk mainly from a U.S. perspective because right now, that's where I'm sitting. That doesn't mean I think the United States is the only country that's important to the discussion, or that another country won't take the lead in regulating compliance officers. The next big change might come from the UK, or somewhere in Europe, Latin America, Africa, or Asia. That's part of the excitement. What is a regulated profession? I like the EU definition: A profession is said to be regulated when access and exercise is subject to the possession of a specific professional qualification.With that in mind, let's look at reasons why "compliance officer" might become a regulated profession.
Cybersecurity Risk Management Process
securityboulevard.com
In the modern landscape of cybersecurity, one uncomfortable truth is clear-managing cyber risk across the enterprise is harder than ever. Keeping architectures and systems secure and compliant can seem overwhelming even for today's most skilled teams. 
Dave Hatter, a cybersecurity consultant at Intrust IT and 30 year veteran of the industry, explains, "As more of our physical world is connected to and controlled by the virtual world, and more of our business and personal information goes digital, the risks become increasingly daunting. While it has never been more important to manage cyber risk, it also has never been more difficult." Why is managing cyber risk so much harder today than ever before? 
SEC to rate entities on risks vs laundering, terror finance
By Denise A. Valdez
Philippines...The Securities and Exchange Commission (SEC) wants to be more proactive in tracking money laundering and terrorist financing by rating the effectiveness of firms in preventing such activities. On Sept. 24, the regulator issued Memorandum Circular No. 26, which calls for the implementation of an anti-money laundering risk rating system.The SEC will be rating persons and firms using four tiers (weak, needs improvement, satisfactory and strong) to gauge their risk management system in combating money laundering. It will be based on the efficient oversight of a firm's board of directors and senior management, its anti-money laundering policies and internal control and audit, and the effective implementation of these policies.
Three Steps To Manage Third-party Risk In Times Of Disruption

From suppliers and outsourcers, to service providers and distributors, a third-party breach can occur at any point along your supply chain. As attackers continue to look for ways to infiltrate companies through their partners and the third-party ecosystem continues to grow, so does this risk - last year, 59% of companies experienced a third-party data breach. And it's not just small businesses that are at risk either, even high-profile, international businesses can fall victim of a third-party breach. In 2019, for example, both a US intelligence agency and a large social media company suffered breaches in which confidential information was exposed on publicly-accessible sites run by partners. The problem is, as companies work with a growing number of third parties, they do not always have the resources and processes in place to fully understand and mitigate the risks partners introduce.
Control Quotes
"I cannot always control what goes on outside. But I can always control what goes on inside."
 Wayne Dyer

Help Keep Everyone Informed...
If you see a news story concerning internal control or corporate governance that you feel is important for other professionals to know please send it to us .
ABOUT ICI
 
ici logoThe Internal Control Institute™ (ICI) is a worldwide organization  devoted exclusively to internal control and corporate governance. The Institute is dedicated to the development of world-class educational programs and best practice guidelines on internal control and corporate governance, based on the Sarbanes-Oxley Act and the COSO internal control framework.  Visit us on the web at the Internal Control Institute
Control Chatter is a monthly news summary of the top stories concerning internal control and corporate governance.  Control Chatter is prepared by the staff of Internal Control Institute for the benefit of their members and associates. Please consider it for your personal use or pass it on to associates who may have an interest in one or more of the topics by clicking on the Forward email button below.