
Control Chatter                                                   November 2020
News that Control Professionals Need to Know

In This Issue
Internal Control and Staffing Challenges
Affiliate News
How Did This Employee Steal $10 Million From Microsoft?
The FCPA unfairly punishes foreign companies. Or does it?
Why IT General Controls Are Important for Compliance and Cybersecurity
SEC: Compliance Officers Need More Authority
Top 10 International Anti-Corruption Developments For October 2020
As Risks Continue to Abound, Many Plan to Strengthen Internal Controls
How to apply COSO's ERM framework to compliance risk management
A Study on the Evolution of Internal Controls Impact on operational efficiencies
Test your Knowledge of Internal Control
The Internal Control Institute has developed a CICS Common Body of Knowledge Mini-Assessment that helps individuals determine their knowledge of governance and control practices. Results point out areas of knowledge that may require additional training and experience. The assessment also provides a measurement of the individual's readiness for CICS certification. The assessment measures core knowledge in eight critical areas: Internal Control - Principles, Terms and Concepts; Internal Control Environment; Risk Management; Assessing Application Controls; Business System Control Assessment; Risk Assessment; Internal Control Measurement and Reporting; and Governance Practices.
 Internal Control online courses
Start becoming an Internal Control professional today!
The ICI "Certification Series" has been completely updated and is available online to everyone around the world! Course content prepares individuals to design and/or assess internal control and to assist management in installing internal control processes. In addition, the series prepares candidates for the Certified Internal Control Specialist (CICS) Examination.
To review the course catalog click here: ICI Course Catalog
To register for one or all of the online training programs click here:  
Online course pricing has been reduced by over 70% 

The Internal Control Institute™ (ICI) improves organizational Internal Control worldwide by providing training, products and services and individual Professional Certifications recognized internationally. The Institute's Board of Advisors has determined it would like to further expand into areas where it is not directly represented. ICI provides world-class programs and its intellectual property to affiliates free of charge and shares all program revenue with them. If your organization is interested in partnering with ICI to earn revenue while you contribute to the development of the internal control profession worldwide please contact Dr. Michael Pregmon, Jr., Chief Operations Officer, by email at: or by phone at 727-538-4113 in the USA. 
Internal Control and Staffing Challenges
By Michael Pregmon, Jr., Ph.D., CICP
COO and Managing Director
In previous editions of this newsletter, we began a series of articles addressing how poor internal control perpetuates inconsistent customer service. Inconsistent customer service causes customer dissatisfaction, which persuades customers to leave. We further concluded that one or all three of the following flaws are often present and cause this. These are:
            1. Organization structure weakness
            2. Process control failures
            3. Staffing challenges
In this edition, we will address the third item above.
Staffing Challenges
Unquestionably, determining adequate staffing needs is one of the most demanding issues in business. This is particularly so if the operation is a service business, where demand can be highly erratic. Industries such as health care are acutely affected because of the ever-present concern for health and safety. Yet people costs have the greatest impact on the bottom line, so they are typically the cost item addressed to improve profitability. Unfortunately, in health care, reducing staff levels to conserve cost can be dangerous and disastrous.
What is the proper staffing level for your business? This is a difficult question. It is particularly so because of the erratic patterns of demand noted above experienced by many businesses. However, resources and techniques are available that can be invaluable.
Most industries have professional organizations that provide such guidance for companies in a specific operational group or industry. Although individual companies can have unique needs, such information is tremendously helpful.
When it simply involves managing "people," it is uncanny how the Pareto Principle applies! In this case, the so-called "80/20 rule" surfaces amazingly often. Here the manager/supervisor can expect that if 10 people are scheduled for duty, quite often two associates will not report for duty. This may be due to sickness (or a child's illness), vacation, a family emergency, an important appointment, an interview, or simply wanting the day off. It truly is remarkable how consistently this principle applies.
Many industries, professional groups, government agencies (states), etc. publish suggested staffing levels for organizations. With activities such as those involved in health care, where personal welfare is involved, these may be regulated by a governmental agency. Yet, these too can be misleading.
Here is an Example
The state of Florida, USA "suggests" that assisted living facilities (ALFs) provide a staffing level based upon facility size, that is, the number of people in residence in a facility. ALFs are included in the health care industry. Upon entering an ALF, each resident is assessed a service care level. This is the expectation of the level of service an individual will require. There are five levels (1 thru 5) of care typically assessed. Level 1 provides the least amount of care needed, whereas a Level 5 would require the highest level of care necessary. From this, it follows that the staffing level demand is affected not only by the occupancy rate but also by the care level required for those in residence.
Residential fees are calculated upon a base occupancy rate plus an incremental cost for each level of care assessed for a resident. As a result, the revenue generation for a facility can be significantly affected by the number of residents and corresponding care levels of their occupants. Residents assessed at the higher care levels pay a higher total monthly fee.
Regarding the staffing level suggested by a state (Florida as an example), a staffing level in addition to the number of residents is further recommended based on a normal (bell shaped curve) distribution of residents among the five care levels. It does not differentiate staffing needs by care level. So, it assumes all ALFs have a normal distribution of care levels. This is utopian! But at the higher care levels, a greater employee service involvement and more staffing hours would be necessary. So, if an ALF has a larger number of residents assessed in the higher care levels (i.e. Levels 4 or 5), the facility would be undermanned. This would occur if its staffing level is based on a normal distribution in care levels in the residents as suggested by the state. A company can significantly affect its bottom line by staffing at the suggested level (normal distribution of care levels) and have a resident population of higher revenue care residents. This is precisely when customer/resident service becomes inconsistent and in the health care industry potentially dangerous. In this case, it's also the "bottom line" that's controlling the level of customer service.
Determining the ideal staffing level is not "a piece of cake!"
Ask yourself: is your organization's internal control and customer service inconsistent?
ICI Affiliate News:



ICI has entered into an agreement with Ternate A & Associate Limited, a company duly organized under the laws of Bangladesh. Ternate A & Associate Limited will represent ICI for all Products, Services and Internal Control Certifications (CICS/CICP) in this territory. Ternate A & Associate Limited will be responsible for all development activities in the People's Republic of Bangladesh, including professional training and Certification. Individuals or companies interested in internal control training or Certification should contact:
Contact: Aminur Rahman

The Internal Control Institute is conducting certification training in classroom and online formats for the internationally recognized CICS (Certified Internal Control Specialist) certification in internal control. Information on dates and schedules for these programs can be found on the Events tab on our Website (Events), or inquiries can be directed to the affiliate named below:

Individuals or companies interested in internal control training or Certification should contact:
Humphrey Chawafambira

For more details on planned training please visit the website below, or send a message to Mr. Eduardo Person Pardini. 


Individuals or companies interested in internal control training or Certification should contact:
Contact: Eric Kamegne

Online CICS training and exams are being conducted due to COVID-19.  

Individuals or companies interested in internal control training and Certification should contact: 
Mr. Qiu Jianting of CCSIT
Room 1039, Block A, Jinmao Building, No. 18, 
Xizhimenwai Street,
Xicheng District, Beijing, China
Zip Code: 100044
Mobile phone: 13810588109


Training Plans :

ICI Belgium has started the CICS session in French with 22 participants.
Next sessions are planned in Brussels:
  • Dutch: October 2nd 2020
  • French : January 2021
For more information on scheduled training and exams please contact Mr. Yves Dupont of ICI Belgium at: 
For more information on upcoming activities in this area please contact Mr. Summit Goyal of ICI India at :
Phone: +91 9810575613

Myanmar and Cambodia:
Better Business Governance - APAC PTE LTD (BBG) has become a representative for Products, Services and Internal Control Certifications (CICS/CICP) in Myanmar and Cambodia. Better Business Governance will be responsible for all development activities, including professional training and Certification.  For more information on upcoming activities in this area please contact:
Better Business Governance
Mr. Sanjeev Gathani
1 Claymore Drive
#08-14, Orchard Towers (Rear Block)
Singapore 229594
For more information on upcoming activities in this area please contact the following:
Antonio Salas Hernandez CICP, Email: 
Joaquin Prendes Herrera, Email: 

Middle East:
The CICS exam is now being provided in Arabic. Osool Training and Consulting has courses and testing available in Egypt, Jordan, Libya, Muscat, Sudan, Qatar, the United Arab Emirates, Kuwait and Palestine. 

Training Plans: 

27 - 31 December 2020 - Dubai, United Arab Emirates

Interested applicants in the region should contact Osool for scheduling for future programs. For additional information on scheduled ICI Certification and program sessions, please contact:
Belal Abdul Jabbar
General Manager
Osool for Training and Consulting
Ali Saied Alkurdi Street
Shabab Al-Urdon Complex
Building No. 4, Floor No. 3
Amman, Jordan 11193

Leadway Consulting conducts CICS training sessions and examinations in Nigeria. For more information on upcoming activities in Nigeria  please contact:
Mr. Joel Aluko


For more information on activities in Pakistan individuals or companies should contact : Muhammad Farooq Hammodi


 For more information on activities in Romania contact : 
 Cosmin Serbanescu at the National Institute for Internal Control in Romania.
 Tel: + 40 752 525 525


Singapore, Malaysia, Indonesia and Taiwan China:

Individuals or companies interested in internal control training or Certification should contact:
General enquiries for all 4 markets -
Singapore - Mr. Bob Seetoh -
Malaysia - Mr. Melvin
Indonesia - Mr. Melvin Beh -
Taiwan China - Mr. Bob Seetoh -

South Africa
ICI has entered into an agreement with the Chartered Institute of Audit Governance Oversight and Leadership, a company duly organized under the laws of the Republic of South Africa ("CIAGOL-SA"). CIAGOL-SA will represent ICI for all Products, Services and Internal Control Certifications (CICS/CICP) in this territory. CIAGOL-SA will be responsible for all development activities in this area, including professional training and Certification. Individuals or companies interested in internal control training or Certification should contact:
Contact: Sedie Jane Masite
E-Mail: or


Individuals or companies interested in internal control training or Certification should contact:
Contact: Nadia Yaich


For more information on activities being planned please contact:

Ms. Ilknur Tunc,  VP -
Dr. Bertan Kaya -
GOP Mahallesi, İran Caddesi, Karum İs Merkezi
No:21, D Blok, 4. Kat, D:398-399
+90 (312) 4425015 T
+90 (533) 4474444 D
For more information on upcoming activities in Vietnam please contact: NGUYEN THANH TUNG (MBA. M.Eng, PhD.) Director, FMIT Institute of Financial Management & Information Technology,  Level 5, 126 Nguyen Thi Minh Khai Street, Ward 6, District 3, HCMC, Viet Nam
Office: 848 3803 5020 - 848 3512 9371 - 848 3512 7652

The Internal Control Institute Of Zimbabwe will be running CICS Classes on the following dates:    
          8-11   December 2020

For more information on activities being planned please contact:
Dr. Proctor Nyemba at:
Internal Control Chatter  
Each month the staff of The Internal Control Institute reviews hundreds of articles related to Internal Control and Corporate Governance. Here are brief summaries of some of the top articles (along with links to the original article) that may be of interest to you.
How Did This Employee Steal $10 Million From Microsoft?
It was easier than you think, and it could happen to you too.
By Gene Marks

A Microsoft employee was charged this week for stealing $10 million over the course of two years from the company.  How did he do it?  Believe it or not, it wasn't that hard.
According to court documents, the employee, a 26-year-old Ukrainian named Volodymyr Kvashuk, worked as an engineer for the technology giant. His main job was to test Microsoft products, specifically by placing mock online orders to make sure the system was running as designed. Of course, Kvashuk was unable to receive any of the fake orders he placed for testing purposes. But he noticed a flaw: He could place a real order for a virtual gift card and that gift card would then be sent to his test account. Ka-ching! He could then use the gift card as real money to purchase Microsoft products. And purchase he did. He used his store credit to buy software subscriptions and other Microsoft items, including hardware. But that's kind of boring, right? So naturally, the intrepid Kvashuk grew bolder. He figured out how to cash out his store credit into Bitcoin - which Microsoft's online store accepts - and then convert the digital currency into hard cash using online exchange service Coinbase. This is not rocket science. Oh, then he bought a Tesla and waterfront property, and that's not so boring at all!
The FCPA unfairly punishes foreign companies. Or does it?
By Harry Cassin
Non-U.S. companies have long dominated the FCPA Blog Top Ten list, and currently occupy nine of ten places. That means the DOJ and SEC (no matter who's in the White House) apply the FCPA unfairly, using it to "punish" mainly big, well-known foreign businesses, right? Well, actual enforcement numbers tell a different story.
Since the FCPA's enactment in December 1977, there have been 251 corporate enforcement actions. Of those 251 FCPA cases, 168 involved companies headquartered in the United States. That means 67 percent of all FCPA corporate enforcement actions have been against U.S. companies.
Why IT General Controls Are Important for Compliance and Cybersecurity
by Matt Kelly on November 23, 2020
IT general controls are among the most important elements of effective compliance and IT security. So it's a bit strange that many businesses - and compliance professionals, for that matter - struggle to understand exactly how "ITGCs" support compliance and the many ways they can fail. So today let's take a deep dive into IT general controls, and how organizations should govern their ITGCs to prevent those failures.
What Are IT General Controls? In the simplest definition, ITGCs are controls that govern how technology is designed, implemented, and used in your organization. ITGCs shape everything from configuration management to password policy, application development to user account creation. They govern issues such as how technology is acquired and developed, or how security protocols are rolled out across the enterprise. Without ITGCs, employees can't rely on the data and reports that IT systems provide.
SEC: Compliance Officers Need More Authority
November 19, 2020 
A new Risk Alert flags numerous areas where advisors are falling short on the Compliance Rule. The Securities and Exchange Commission's exam division flagged Thursday numerous deficiencies in advisors' compliance programs - namely lack of resources, as well as failing to give the chief compliance officer sufficient authority.
In a Thursday Risk Alert, the agency cites six main categories where advisors are falling short in complying with Rule 206(4)-7, the Compliance Rule, under the Investment Advisers Act of 1940:
Inadequate compliance resources;
Insufficient authority of CCOs;
Annual review deficiencies;
Implementing actions required by written policies and procedures;
Maintaining accurate and complete information in policies and procedures; and
Maintaining or establishing reasonably designed written policies and procedures.
Top 10 International Anti-Corruption Developments For October 2020
by Charles E. Duross, James Koukios, Tola Adeseye and Akari Atoyama
November 20, 2020 
As Risks Continue to Abound, Many Plan to Strengthen Internal Controls
Nov 18, 2020
Only 5.8% of respondents report a decrease in the size and frequency of risks that their organizations' internal controls programs faced during the past year, according to a new Deloitte poll. When asked if  their organizations plan to strengthen resilience for internal controls in the year ahead, over three-quarters said "yes" (77.6%).
"Focusing too many resources on 'firefighting' is not a sustainable approach to risk management," said Trina Huelsman, a Deloitte Risk & Financial Advisory accounting and internal controls practice leader and partner, Deloitte & Touche LLP. "Instead, leading organizations are shifting to a more resilient posture that balances monitoring and management of short-term risks with a longer-term, tech-enabled approach to proactively identify emerging risks and get ahead of key strategic business and IT initiatives."
How to apply COSO's ERM framework to compliance risk management
By Ken Tysiac
November 18, 2020
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has published new guidance on how to apply the COSO enterprise risk management framework to effectively manage and mitigate compliance risks. Compliance Risk Management: Applying the COSO ERM Framework describes the characteristics of compliance and ethics programs associated with each of the five components and 20 underlying principles of the COSO ERM Framework. The publication was commissioned by COSO and authored by the Society of Corporate Compliance and Ethics & Health Care Compliance Association. It describes how to integrate the COSO ERM framework with guidance for compliance and ethics programs that is based on U.S. Federal Sentencing Guidelines as well as global
A Study on the Evolution of Internal Controls Impact on operational efficiencies
Press release from: NSKT Global
November 19, 2020
The main objective of the study was to determine the evolution of internal controls and its impact on the operational efficiencies due to the globalization of economy impacted the evolution of internal control systems. We want to evaluate the success/effect of internal control on corporate governance, specifically in small proprietor firms. The enhanced internal controls are focused on operational efficiencies and control implementation. The stronger control policies will spawn solid control application and efficiencies. In addition, the business world is experiencing phenomenal economic adjustments as the COVID19 pandemic escalates throughout Corporate America. The valuation of internal controls measures the effectiveness of preventing fraud has increased since the great recession of 2009. The need for internal controls to work in large multinational organizations due to the globalization of economy also impacted the internal control evolution. 
Control Quotes
E is for Enthusiasm, the charisma that inspires others.
"Success consists of going from failure to failure without loss of enthusiasm."
- Winston Churchill
Help Keep Everyone Informed...
If you see a news story concerning internal control or corporate governance that you feel is important for other professionals to know please send it to us .
The Internal Control Institute™ (ICI) is a worldwide organization devoted exclusively to internal control and corporate governance. The Institute is dedicated to the development of world-class educational programs and best practice guidelines on internal control and corporate governance, based on the Sarbanes-Oxley Act and the COSO internal control framework. Visit us on the web at the Internal Control Institute
Control Chatter is a monthly news summary of the top stories concerning internal control and corporate governance.  Control Chatter is prepared by the staff of Internal Control Institute for the benefit of their members and associates. Please consider it for your personal use or pass it on to associates who may have an interest in one or more of the topics by clicking on the Forward email button below.