top banner

Control Chatter                                                   June 2019
News that Control Professionals Need to Know

 Quick Links
In This Issue
Congratulations on your achievement!
All New Internal Control online courses
Internal Control Planning
ICI Announcements
Walmart-Bharti JV obtained licences by making improper payments
Which KPMG Scandal Is Worse
Compliance Staffing Trouble a Key Risk for Banks
OFAC unveils framework for sanctions compliance
What Is Corporate Governance?
Automating SOX Controls Testing
Kraft Heinz files annual report, closes internal investigation into wrongdoing
Why waste our time with a 'Fraud Response Plan?'
Congratulations on your achievement!
CICS Training Class Hangzhou China June 2019

The Institutes' internal control certifications (Certified Internal Control Specialist (CICS) and Certified Internal Control Professional (CICP) are the oldest and most recognized certifications in internal control worldwide.

Full details on how to attain Certification are available on our website, but if you have any specific questions our team would be happy to answer them. We would love to welcome you as the newest members of this fast-growing profession.
Best Wishes for your continued success
 Internal Control online courses
ici logo
Start becoming an Internal Control professional today!
The ICI "Certification Series" has been completely updated and is available online to everyone around the world!  Course content prepares individuals to design and/or assess internal control and to assist management in installing internal control processes. In addition, the series prepares candidates for the Certified Internal Control Specialist (CICS) Examination.
To review the course catalog click here: ICI Course Catalog
To register for one or all of the online training programs click here:  
Online course pricing has been reduced by over 70% 
Test your Knowledge of Internal Control
The Internal Control Institute has developed a CICS Common Body of Knowledge Mini-Assessment that helps an individual determine their knowledge as it relates to governance and control practices. Results point out areas of knowledge that may require additional training and experience. The assessment also provides a measurement to the individual's readiness for CICS certification. The assessment measures core knowledge in eight critical areas including: Internal Control - Principles, Terms and Concepts, Internal Control Environment, Risk Management, Assessing Application Controls, Business System Control Assessment, Risk Assessment, Internal Control Measurement and Reporting, and Governance Practices
Internal Control Planning
By Michael Pregmon, Jr., Ph.D., CICP
COO and Managing Director
Dr. Michael Pregmon, Jr.
COO and Managing Director 
In our last publication we reported that internal control managers, or any activity manager, need only do four things very well for success. These are: planning, organizing, leading and controlling. In this edition, we will briefly cover one of the more important planning activities of the internal control manager.
Interestingly, of the four key management activities, "planning" tends to get the least emphasis, when in fact it deserves the most. Typically, surveys report managers spend about 15% of their time in planning, when it should be about twice that figure. There are other key activities included in the planning function for the internal control manager such as budgeting, policy, process determination, etc.
We are limited in space to cover all areas. So, for this brief article we will focus on perhaps the most important element. That is: risk assessment. The Internal Control Common Body of Knowledge (CBOK) presents a comprehensive section on risk assessment in Section 3.11.
Companies usually do not have enough resources to placate all risks and threats. Because of this, the assessment of risks and determination of a risk's vulnerability becomes a key task for internal control management.
One of the key elements in risk assessment is the determination of the severity of a risk. R isk assessment includes at least two important factors:
  1. Identification of the threats and the related risks that impact us
  2. Quantification of the likelihood of the risks occurring and estimate of severity which is usually in cost / downtime consideration.
Having this information puts us in a good position to make informed decisions as to what threats need to be addressed. And, one of the primary tools used in this analysis is a Threat Point Matrix. This technique helps us to identify the threats that must be avoided as much as possible. Here is an example:

This tool helps us to quantify which threat/risk affects the most control objectives of the organization by classifying each threat as either minimal (1), medium (2), Maximum (3). From here, we can focus on the risk "pressure" points.
Please remember that it is not the responsibility of the internal control manager to develop the processes to minimize threat vulnerabilities for each activity of the business. This is the responsibility of the applicable operating departments. However, it is the responsibility of the internal control manager to ensure that effective processes are in place to reduce threat occurrence.
Section 3.0 of the Internal Control CBOK contains a thorough presentation of risk management. It is an excellent resource for the internal control professional to have available.
The Internal Control Institute™ (ICI) improves organizational Internal Control worldwide by providing training, products and services and individual Professional Certifications recognized internationally. The Institute's Board of Advisors has determined it would like to further expand into areas where it is not directly represented. ICI provides world-class programs and its intellectual property to affiliates free of charge and shares all program revenue with them. If your organization is interested in partnering with ICI to earn revenue while you contribute to the development of the internal control profession worldwide please contact Dr. Michael Pregmon, Jr., Chief Operations Officer, by email at: or by phone at 727-538-4113   in the USA. 

ICI Affiliate News:

The Internal Control Institute is conducting certification training in a classroom format for the internationally recognized CICS (Certified Internal Control Specialist) certification in internal control. Information on these programs regarding dates and schedules can be found on the Events tab on our Website or directed to the affiliate named below:

ICI has entered into an agreement with Internal Control Institute of Botswana (ICI Botswana":) as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in this territory. ICI Botswana will be responsible for all development activities in this area, including professional training and Certification.  Individuals or companies interested in internal control training or Certification should contact:
Contact: Humphrey Chawafambira

Training Plans :

Belém  - June 24 to 28, 2019
Porto Alegre  - July 1 to 5, 2019
Curitiba - July 15 to 19, 2019
Sao Paulo - August 8 to 14, 2019
Recife - September 2 to 7, 2019
Belo Horizonte - October 14 to 18, 2019

For more details on planned training please on the website below, or send a message to Mr. Eduardo Person PardiniEmail:


CICS training classes were completed in Beijing and Hangzhou China in June 2019.

Training Schedule: Beijing, 18 - 21 September 2019

Individuals or companies interested in inter nal control training and Certification should contact:  
Mr. Qiu Jianting
Room 1039, Block A, Jinmao Building, No. 18, 
Xizhimenwai Street,
Xicheng District, Beijing, China
Zip Code: 100044
Mobile phone: 13810588109


Training Plans :

CICS Training in Dutch in Brussels, Belgium will take place in seven sessions over the period 4 October 2019 to 10 January 2020.  

For more information on scheduled training and exams please contact Mr.Yves Dupont of ICI Belgium at: 
For more information on upcoming activities in this area please contact Mr. Summit Goyal of  ICI India at :
Phone: +91 9810575613

Myanmar and Cambodia:
Better Business Governance - APAC PTE LTD (BBG) has become a representative for Products, Services and Internal Control Certifications (CICS/CICP) in Myanmar and Cambodia.  Better Business Governance will be responsible for all development activities, including professional training and Certification.  For more information on upcoming activities in this area please contact:
Better Business Governance
Mr. Sanjeev Gathani
1 Claymore Drive
#08-14, Orchard Towers (Rear Block)
Singapore 229594
For more information on upcoming activities in this area please contact the following:
Antonio Salas Hernandez CICP,  Email: 
Joaquin Prendes Herrera, Email: 

Middle East:
The CICS exam is now being  provided in Arabic.  Osool Training and Consulting has courses and testing available in Jordan, Libya, Muscat, Sudan, Qatar, the United Arab Emirates, Kuwait and Palestine. 

Training Plan 2019
Certified Internal Control Specialist (CICS) Certification Preparation Programs are scheduled as follows:

Cairo, Egypt - June 30 - 4 July, 2019
Cairo, Egypt - July 21 - 25, 2019
Amman, Jordan - August 25 - 2 September 2019
Muscat, Oman - September 29 to 3 October 2019

Interested applicants in the region should contact Osool for scheduling for future programs.  For additional information on scheduled ICI Certification and program sessions, please contact:
Lina Salameh
Assistant General Manager
O SOOL for Training & Consulting
Mob Oman:  +968 95 98 98 20
Mob Jordan: +962 7 99589666
Tel:   +962 6 5927171 Ext. 107
Fax:  +962 6 5927172

Leadway Consulting conducts CICS training sessions and examinations in Nigeria. For more information on upcoming activities in Nigeria  please contact:
Mr.  Joel Aluko


For more information on activities in Pakistan individuals or companies should contact : Muhammad Farooq Hammodi


CICS Examination to be held in Bucharest on 6 December 2019
CICS Training Course to be held in Bucharest from 28 to 30 October 2019

For more information on activities in Romania contact : Cosmin Serbanescu at the National Institute for Internal Control in Romania.
Tel:  + 40 752 525 525


Singapore, Malaysia, Indonesia and Taiwan:
ICI has entered into an agreement with GRC Consultancy Pte Ltd. (ICI Singapore, Malaysia, Indonesia and Taiwan) as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in those territories.  

Individuals or companies interested in internal control training or Certification should contact:
General enquiries for all 4 markets -
Singapore - Mr. Bob Seetoh -
MalaysiaMr. Melvin
IndonesiaMr. Barry Dingga -
Taiwan - Ms. Mickey Tai -


        CICS Training course to be held in Istanbul 28 and 29 September 2019.

For detailed information on scheduled ICI Certification and program sessions, please contact ICI Turkey  below:

Ms. Ilknur Tunc,  VP -
Dr. Bertan Kaya -
GOP Mahallesi, İran Caddesi, Karum İs Merkezi
No:21, D Blok, 4. Kat, D:398-399

+90 (312) 4425015 T
+90 (533) 4474444 D
CICS examinations to be held in Vietnam: 

12 September 2019
19 December 2019

For more information on upcoming activities in Vietnam please contact: NGUYEN THANH TUNG (MBA. M.Eng, PhD.) Director, FMIT Institute of Financial Management & Information Technology,  Level 5 , 126 Nguyen Thi Minh Khai Street, Ward 6, District 3, HCMC, Viet Nam
Office: 848 3803 5020 - 848 3512 9371 - 848 3512 7652

For more information on activities being planned please contact:
Mr. Proctor Nyemba at:

Internal Control Chatter  
Each month the staff of The Internal Control Institute reviews hundreds of articles related to Internal Control and Corporate Governance. Here are brief summaries of some of the top articles (along with links to the original article) that may be of interest to you.
Walmart-Bharti JV obtained licences by making improper payments
June 21, 2019
The United States Securities and Exchange Commission has observed that Walmart's earlier joint venture retail operations in India, with Bharti Enterprises, routed improper payments to government officials through third-party intermediaries to obtain store operating permits and licences between 2009 and 2011. These improper payments were then recorded in the India joint venture's books as "misc fees", "miscellaneous", "professional fees", "incidental", and "government fee".  The SEC disclosed this while entering into an agreement with Walmart to settle allegations of bribery in India and other countries, including China, Brazil and Mexico, for $282 million. 
Which KPMG Scandal Is Worse: PCAOB 'Steal the Exam' or CPE Training Exam Cheating?
June 24, 2019
Since Monday when the SEC announced it had fined KPMG $50 million for not one but two scandals involving auditor misconduct at the firm, I've been thinking about which scandal is worse. Is it KPMG audit partners stealing confidential information from rogue PCAOB employees in order to better the firm's audit inspection scores OR is it auditors at all levels cheating on internal online training exams by illegally sharing answers with colleagues and manipulating test results? Both are equal parts ridiculously stupid and disturbing. On one hand, five KPMG officials and one PCAOB inspector were indicted in early 2018 in the inspection list leak scandal: two were convicted by a jury, three have admitted guilt, and one is scheduled to go to trial later this year-and all of whom could be facing jail time. On the other hand ... well, we don't know what the outcome is going to be in that whole training exam cheating mess. But from an ethics standpoint, which of the two is more damaging to the firm and to the profession?
Compliance Staffing Trouble a Key Risk for Banks
L ike companies in many industries, banks are having a difficult time finding and retaining qualified compliance staffers. In fact, recruiting good compliance professionals has gotten so hard that the U.S. Office of the Comptroller of Currency (OCC) says that it has become a top risk for financial firms, especially regional banks and small lenders.  In its semi-annual report,  Risk Perspectives, Spring 2019 , banking regulator OCC says new technologies and compliance laws have increased complexity in banking and financial compliance and that banks have found it difficult to staff up to address the added needs. "Attracting and retaining competent staff to manage compliance operations and risks remain a challenge, particularly at smaller regional and community banks," the OCC said in the report.
OFAC unveils framework for sanctions compliance
May 14, 2019
On May 2, 2019, the US Treasury Department's Office of Foreign Assets Control (OFAC) published guidance on the core elements of what OFAC considers to be an effective sanctions compliance program. According to OFAC, its document-A Framework for OFAC Compliance Commitments (the "Framework") - is aimed at both US organizations and foreign (i.e., non-US) entities that conduct business in or with the US, US Persons, or using US-origin goods or services.  The Framework outlines five essential components of a compliance program - management commitment, risk assessment, internal controls, testing and auditing, and training -  and lists several root causes of apparent violations of US sanctions resulting from program deficiencies and breakdowns.  OFAC "strongly encourages" 1  US organizations and foreign entities that conduct business in or with the US, with US Persons, or using US-origin goods or services to implement and maintain a "risk-based" sanctions compliance program that incorporates these five essential components
What Is Corporate Governance? (+Why It's Vital to Your Business)
June 11, 2019
While corporate governance might seem straightforward, it's actually more complicated than you might think. There are several moving parts within a corporate governance framework that are all required to work together as part of a larger GRC Program. a Corporate governance is the framework of rules, regulations, and practices by which a company operates. The primary focus is to ensure compliance with the law, accountability, fairness, and transparency in a company's relationship with all major stakeholders. In broad terms, corporate governance refers to how a company makes its decisions. The direction, administration, and decision-making of any company is decided with the help of corporate governance. There's a lot that goes into corporate governance. Corporate governance can cover a variety of businesses decisions and topics, but nearly all their functions can be placed in one of the following five categories. A person's involvement in the roles listed above is linked to what role they hold in the corporate governance structure. 
Automating SOX Controls Testing
Every year, KPMG surveys teams in charge of the Internal Controls over Financial Reporting (ICFR) and/or Sarbanes-Oxley (SOX) at 100 organizations from different industries and sizes, specifically to the teams in charge of the Internal Controls over Financial Reporting (ICFR) and/or Sarbanes-Oxley (SOX). The results were recently published in the  KPMG 2018 Internal Controls SurveyWith ERP systems, such as SAP and the Oracle E-Business Suite (EBS) at the core of your business, these systems also must be a focus of your SOX audit. Business-critical applications including your financials are supported by your ERP systems and issues can easily become material weakness. As a result, it is necessary to stay up-to-date regarding what different industries are doing to protect the integrity of financial statements while reducing the costs of implementing and testing the internal controls.
Kraft Heinz files annual report, closes internal investigation into wrongdoing
It's been mostly bad new for Kraft Heinz in 2019, but the company did have some good news on Friday: it had finished its internal investigation into its procurement practices and controls, and it had finally filed its 10-K report for 2018.  The company was rewarded for the news on Monday, when Kraft Heinz's stock jumped from $28.74 to $30.40 a share. Earlier this year, Kraft Heinz disclosed that it was being investigated by the Securities and Exchange Commission over its accounting policies and internal controls. Kraft Heinz found that the cost of products sold had been understated by $208 million, and had previously said that it would restate financial reports for 2016, 2017 and part of 2018 to fix the mistakes.
"As a result of the internal investigation and material weaknesses identified, the Company is taking actions to improve internal policies and procedures and to strengthen internal control over financial reporting," the company said in a press release.
Why waste our time with a 'Fraud Response Plan?'
If you have worked in finance for any amount of time, it is almost certain that you have read or heard about the laundry list of reasons for having strong internal controls. You learned about the "Fraud Triangle" and the case studies about people who pilfered government coffers whose boldness eventually got them caught. As a result, your fear likely moved you to put in place simple and easy controls that assuaged your concerns in the moment. You know about the importance of writing procedures that can be handed to your independent auditors in hopes of keeping them from asking uncomfortable questions about weaknesses in the system. You agree with the benefits of controls, but the pushback over change and the urgency of your daily "to do" list prevents follow-through. You are conflicted because you are naturally detail-oriented and risk averse.  This article takes a different approach to this problem. Specifically, I want to address the internal elements that may be preventing you from completing the one formalized plan that responds to embezzlement and larceny if it should happen - a Fraud Response Plan.
Control Quotes
Learn from the past, set vivid, detailed goals for the future, and live in the only moment of time over which you have any control: now. 
Denis Waitley
Help Keep Everyone Informed...
If you see a news story concerning internal control or corporate governance that you feel is important for other professionals to know please send it to us .
ici logo The Internal Control Institute™ (ICI) is a worldwide organization  devoted exclusively to internal control and corporate governance. The Institute is dedicated to the development of world-class educational programs and best practice guidelines on internal control and corporate governance, based on the Sarbanes-Oxley Act and the COSO internal control framework.  Visit us on the web at the Internal Control Institute
Control Chatter is a monthly news summary of the top stories concerning internal control and corporate governance.  Control Chatter is prepared by the staff of Internal Control Institute for the benefit of their members and associates. Please consider it for your personal use or pass it on to associates who may have an interest in one or more of the topics by clicking on the Forward email button below.