Control Chatter                                                   November 2018
News that Control Professionals Need to Know

 Quick Links
 *All New* Internal Control online courses
The ICI "Certification Series" has been completely updated and is available online to everyone around the world!  Course content prepares individuals to design and/or assess internal control and to assist management in installing internal control processes. In addition, the series prepares candidates for the Certified Internal Control Specialist (CICS) Examination.
To review the course catalog click here: ICI Course Catalog
To register for one or all of the online training programs click here:  
Online course pricing has been reduced by over 70%, so get started today! 
****Limited Time Only****
Test your Knowledge of Internal Control
*** Take the  Internal Control Knowledge Mini-Assessment ***
The Internal Control Institute has developed a CICS Common Body of Knowledge Mini-Assessment that helps an individual determine their knowledge as it relates to governance and control practices. Results point out areas of knowledge that may require additional training and experience. The assessment also provides a measurement of the individual's readiness for CICS certification. The assessment measures core knowledge in eight critical areas including: Internal Control - Principles, Terms and Concepts, Internal Control Environment, Risk Management, Assessing Application Controls, Business System Control Assessment, Risk Assessment, Internal Control Measurement and Reporting, and Governance Practices.
In This Issue
All New Internal Control online courses
Risk Appetite - What is your Threshold?
ICI Announcements
Your boss is now more likely to train you
SEC Whistleblower Office Sees Jump in Tips in 2018
Internal Controls Violations in Cyber-Fraud Cases?
Four Tips For Achieving Clean Internal Control Audits
How Your Company Should Embrace Environmental, Social And Governance Issues
Former Venezuelan National Treasurer Sentenced to 10 Years in Prison for Money Laundering Conspiracy
Metric of the Month: Automated Primary Controls
Corporate governance will take centre-stage in 2019
Why cyberdefenses are worth the cost
The Importance of High-Quality Financial Information
Risk Appetite - What is your Threshold?
By Michael Pregmon, Jr., Ph.D., CICP
COO and Managing Director
Internal control involves a game of chance in many respects. Install too many controls and the operation stalls, or even breaks down. Installing too few controls invites chaos. This can even lead to the demise of the business. So, finding that equilibrium is essential.  How can this be accomplished? Oftentimes, it is not an easy task. This is primarily due to the organization's tradition. Foremost, the internal control professional must consider two major challenges:

Maintaining Integrity Within the Business
This can largely be accomplished by ensuring that the proper checks and balances are installed in the organization. It is often difficult to change a process when it has been in existence for some time - especially in a smaller firm where personal relationships are all-important. The segregation of duties is paramount. The Internal Control Common Body of Knowledge (CBOK) covers this aspect quite effectively in section 2.4.3. It explains:
"Segregation of employee tasks and duties is an arrangement of responsibilities such that the work of an employee is checked; it is a system of inherent checks and balances that separates custody from initiation and accountability and has the following characteristics:
  • Competence and trustworthiness of the employee performing the duties.
  • Adequacy of recordkeeping policies.
  • Physical control and access controls over the records and over the assets the records are intended to control."
Protecting the Business from External Threats
The CBOK devotes extensive coverage to this process. Section 6.0, entitled Risk Assessment, covers the risk analysis process. The CBOK introduces the topic and places it in context as follows:
"Hand in hand with the increase in awareness of the need for control has come the requirement for a method of quantifying the impact of potential threats on organizations and their business systems.  Risk analysis provides such a method.  It looks at an organization's ability to perform its missions and tasks correctly and in a timely manner under conditions which can affect physical environment, personnel, equipment, content of files and processing capability, in conjunction with the likelihood of such conditions taking place.
There are numerous techniques for performing such analysis, but three key elements must always be considered:
  • The exposure or damage that can result from an unfavorable event.
  • The likelihood of such an event occurring.
  • The magnitude of the risk.
The aim of a risk analysis is to help management strike an economic balance between the impact of risks and the cost of protective measures. 
Managing risk involves these three activities.  You must first identify the risk, second, determine the magnitude of the risk, and third, determine the probability that the risk will occur. These three activities define the steps necessary for effective risk management.
In risk terminology, this is the concept for determining your "Risk Appetite."  This means how much risk an individual or business is willing to accept.  As an example, for an individual on their insurance policy, risk appetite can be defined as the deductible amount on the insurance policy.  In business, the risk appetite will help determine the type of business we're in, the introduction of new products, how aggressively we market, and so forth."

Determining your risk appetite and completing a risk assessment is paramount in today's business environment. Don't overlook it.
The Internal Control Institute™ (ICI) improves organizational Internal Control worldwide by providing training, products and services and individual Professional Certifications recognized internationally. The Institute's Board of Advisors has determined it would like to further expand into areas where it is not directly represented. ICI provides world-class programs and its intellectual property to affiliates free of charge and shares all program revenue with them. If your organization is interested in partnering with ICI to earn revenue while you contribute to the development of the internal control profession worldwide please contact Dr. Michael Pregmon, Jr., Chief Operations Officer, by email at: or by phone at 727-538-4113   in the USA. 

ICI Affiliate News:

The Internal Control Institute is conducting certification training in a classroom format for the internationally recognized CICS (Certified Internal Control Specialist) certification in internal control. Information on these programs regarding dates and schedules can be found on the Events tab on our Website or directed to the affiliate named below.

Training Plans:

Brasília - November 26 to 30, 2018
São Paulo - January 28 to February 1, 2019
Rio de Janeiro - February 11 to 15, 2019
Brasília - March 11 to 15, 2019
Fortaleza - April 1 to 5, 2019

The first class of internal control professionals from Bradesco Seguros participated in the Control Module II course, ICI Brazil.
Congratulations to all the participants.

For more details on planned training please check on the website below, or send a message to Mr. Eduardo Person Pardini


Training Plans:

Shanghai - November 29 - December 2, 2018
Hangzhou - January 10 - 13, 2019
Beijing - March 20 - 23, 2019

Individuals or companies interested in internal control training and Certification should contact:  
Mr. Qiu Jianting
Room 1039, Block A, Jinmao Building, No. 18, Xizhimenwai Street,
Xicheng District, Beijing, China
Zip Code: 100044
Mobile phone: 13810588109


Training Plans:

Brussels - January 22, 2019 (in French)

For more information on scheduled training and exams please contact Mr. Yves Dupont of ICI Belgium at: 
For more information on upcoming activities in this area please contact Mr. Summit Goyal of ICI India at:
Phone: +91 9810575613

Myanmar and Cambodia:
ICI is proud to announce it has entered into an agreement with Better Business Governance - APAC PTE LTD (BBG) as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in Myanmar and Cambodia. 
Better Business Governance will be responsible for all development activities, including professional training and Certification.  For more information on upcoming activities in this area please contact:
Better Business Governance
Mr. Sanjeev Gathani
1 Claymore Drive
#08-14, Orchard Towers (Rear Block)
Singapore 229594
For more information on upcoming activities in this area please contact the following:
Antonio Salas Hernandez CICP,  Email: 
Joaquin Prendes Herrera, Email: 

Middle East:

The CICS exam is now being  provided in Arabic.  Osool Training and Consulting has courses and testing available in Jordan, Libya, Muscat, Sudan, Qatar, the United Arab Emirates, Kuwait and Palestine. 
Osool Training Class Tunis October 2018
Training Plan 2018
Certification Preparation Programs are scheduled as follows:
Certified Internal Control Specialist (CICS)  Riyadh- KSA  November  18-22
Certified Internal Control Specialist (CICS)  Kuwait-Kuwait  November  25-29
Certified Internal Control Specialist (CICS)  Doha-Qatar December 2-6
Certified Internal Control Specialist (CICS)  Dubai-UAE    December  23-27

Interested applicants in that region should contact Osool for scheduling for future programs.  For additional information on scheduled ICI Certification and program sessions, please contact:
Lina Salameh
Assistant General Manager
OSOOL for Training & Consulting
Mob Oman:  +968 95 98 98 20
Mob Jordan: +962 7 99589666
Tel:   +962 6 5927171 Ext. 107
Fax:  +962 6 5927172

Leadway Consulting conducts CICS training sessions and examinations in Nigeria. For more information on upcoming activities in Nigeria  please contact:
Mr.  Joel Aluko


For more information on activities in Pakistan individuals or companies should contact: Muhammad Farooq Hammodi

Singapore, Malaysia, Indonesia and Taiwan:
ICI has entered into an agreement with GRC Consultancy Pte Ltd. (ICI Singapore, Malaysia, Indonesia and Taiwan) as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in those territories.  

Individuals or companies interested in internal control training or Certification should contact:
General enquiries for all 4 markets -
Singapore - Mr. Bob Seetoh -
Malaysia - Mr. Melvin
Indonesia - Mr. Barry Dingga -
Taiwan - Ms. Mickey Tai -


For information on scheduled ICI Certification and program sessions, please contact ICI Turkey  below:

Ms. Ilknur Tunc,  VP -
Dr. Bertan Kaya -
GOP Mahallesi, İran Caddesi, Karum İs Merkezi
No:21, D Blok, 4. Kat, D:398-399

+90 (312) 4425015 T
+90 (533) 4474444 D
CICS examinations to be held in Vietnam: 

20 December  2018
04 April 2019

For more information on upcoming activities in Vietnam please contact: NGUYEN THANH TUNG (MBA. M.Eng, PhD.) Director, FMIT Institute of Financial Management & Information Technology,  Level 5 , 126 Nguyen Thi Minh Khai Street, Ward 6, District 3, HCMC, Viet Nam
Office: 848 3803 5020 - 848 3512 9371 - 848 3512 7652

For more information on activities being planned please contact:
Mr. Proctor Nyemba at:

Internal Control Chatter  
Each month the staff of The Internal Control Institute reviews hundreds of articles related to Internal Control and Corporate Governance. Here are brief summaries of some of the top articles (along with links to the original article) that may be of interest to you.
Your boss is now more likely to train you up, thanks to a dwindling talent pool
In a tight labor market, employers are investing in their existing workforce.
November 7, 2018
With US unemployment at its lowest level in decades and skills gaps persisting in tech fields like cybersecurity, it's slim pickings out there for employers in the labor market. No wonder that retraining your existing workers is suddenly all the rage. And that's good news for employees. The threat of automation looming over middle- and low-skill workers seems to have employees and employers on the same page: both favor upskilling and reskilling. Employers want to keep their workers around and use them to fill talent gaps - which are partly their fault in the first place (see "The myth of the skills gap"). Employees want to keep their skills up to date and robot proof. "If they aren't willing to help them to develop, they won't stick around."
Editor's note: Good time for those responsible for internal control systems to consider Professional Certification.
SEC Whistleblower Office Sees Jump in Tips in 2018
November 15, 2018 
The Securities and Exchange Commission's Office of the Whistleblower told Congress on Thursday that it received 5,282 tips in 2018, an 18% jump from tips received in FY 2017, and the highest increase - nearly 76 percent - since the program started in FY 2012. In its 40-page annual report to Congress, the agency's whistleblower office said that it paid awards totaling $168 million to 13 individuals in FY 2018, which compares to awards of nearly $50 million to 12 whistleblowers in 2017. The awards in 2018 included the largest SEC whistleblower awards so far: $50 million to two whistleblowers who filed a whistleblower complaint jointly, and individual awards of $39 million and $33 million. "The increasing number of whistleblowers and awards shows that the SEC whistleblower program continues to be very strong," said Sean McKessy, the former head of the whistleblower office who's now a partner at Phillips & Cohen, in a statement. "Many, if not most, of the SEC's investigations in recent years have been launched as a result of detailed information provided by whistleblowers."
Internal Controls Violations in Cyber-Fraud Cases?
Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls.
A turning point came in mid-October, when the SEC  issued a report  on an investigation relating to nine public companies that collectively lost nearly $100 million in cyber-fraud incidents.  In each case, company personnel received spoofed or compromised electronic communications from external sources, causing disbursements to be made to cyber-fraudsters.  One company made 14 wire payments over the course of several weeks after finance personnel received fake emails appearing to be from executives. Another company paid eight invoices over several months after receiving manipulated banking information for a vendor.  The damage was significant: two of the companies lost more than $30 million and each lost at least $1 million.  Ultimately, the report concluded the SEC would not pursue enforcement actions in these instances and would not in the future find every company victimized by a cyber-scam to be in violation.  But the commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act - the federal securities law provision covering internal controls - have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly.
Four Tips For Achieving Clean Internal Control Audits
By Brad Noe
Oct 31, 2018
Effectively managing internal controls for business systems is a top priority in order to prevent risks, stop fraud, keep a company secure - and experience clean, cost-effective audits.  As the CTO of a security and compliance solutions company, I know companies fear audits - or more aptly, they fear failing them. They also tend to dread auditors, wrongly seeing the audit process as a breath-holding point in time when security controls have to be vetted and proved and risk levels assessed rather than understanding that the activities that lead to a sound audit should be happening all year long.  Given the business liabilities that accompany failed audits - or worse, a case of fraud or an internal breach of sensitive information - responsible professionals should do everything possible to be continuously compliant. Audits reveal weaknesses and ensure that a business has all the bases covered. Think of them as an added layer of protection.  What, then, are some of the leading causes of failed audits for technology companies, and how do you avoid these costly mistakes?
How Your Company Should Embrace Environmental, Social And Governance Issues
By Betsy Atkins
Nov 21, 2018
Environmental, Social and Governance issues should be a priority for Boards and management. The advantages of proactively tackling ESG issues are significant. A robust ESG program can open up access to large pools of capital, build a stronger corporate brand and promote sustainable long-term growth benefitting companies and investors. There was a time when a public stance on ESG issues was a public relations tactic. That's no longer the case.
ESG Investors are in for the long haul. ESG investors are values-based investors who are more interested in what happens during the next decade than the next quarter. Investors incorporating ESG into their mandate often work alongside a company to strengthen it, as they are more interested in building long-term value over a multi-year period than in flipping the stock. In today's rapidly changing business climate, attention to ESG issues is becoming critical to long-term competitive success. 
Former Venezuelan National Treasurer Sentenced to 10 Years in Prison for Money Laundering Conspiracy Involving Over $1 Billion in Bribes
Department of Justice Office of Public Affairs
November 27, 2018
A former Venezuelan national treasurer was sentenced today for his role in a billion-dollar currency exchange and money laundering scheme.  Alejandro Andrade Cedeno (Andrade), 54, a Venezuelan citizen residing in Wellington, Florida and a former Venezuelan national treasurer, was sentenced today to 10 years in prison by U.S. District Judge Robin L. Rosenberg of the Southern District of Florida. Andrade pleaded guilty under seal on Dec. 22, 2017 to one count of conspiracy to commit money laundering.  As part of his guilty plea, Andrade admitted that he received over $1 billion in bribes from co-conspirator Raul Gorrin Belisario, 50, and other co-conspirators in exchange for using his position as Venezuelan national treasurer to select them to conduct currency exchange transactions at favorable rates for the Venezuelan government.  Andrade received cash as well as private jets, yachts, cars, homes, champion horses, and high-end watches from his co-conspirators.  As part of his plea agreement, Andrade agreed to a forfeiture money judgment of $1 billion and forfeiture of all assets involved in the corrupt scheme, including real estate, vehicles, horses, watches, aircraft and bank accounts. 
Metric of the Month: Automated Primary Controls
Automation can process more internal controls data in less time, with greater accuracy, pinpointing suspicious activity that manual auditing might miss.
If you're not already automating your internal controls, you should be.
The cost of the technology has come way down, while its capabilities have increased. Advanced controls automation is now accessible even to smaller organizations, and the return on investment is high. Automation not only effectively pinpoints risk, it can free your team to focus on high-value work while providing detailed information and analysis to help you better understand many aspects of your business. Organizations with a higher percentage of automated internal controls have better safeguards in place to protect their corporate assets and lower the risk of fraud. For this month's metric, we focus on the percent of primary controls that are automated, as reported in APQC's Internal Controls survey in June 2018. The survey collected input from 89 business entities. The calculation used for this metric is the number of automated primary controls in each organization, divided by the total number of identified primary controls.
Corporate governance will take centre-stage in 2019
by Editor
November 19, 2018
"A leader's job is to look into the future and see the organization not as it is but as it should be"  -  Jack Welch
There is an overwhelming consensus that 2019 promises to be an eventful year for Nigeria. Being an election year, the horse trading, forging of alliances and switching of political affiliation that characterize the onslaught of election season commenced early this year and now appears to have gained considerable momentum with the political gladiators scheming and positioning themselves for 2019. As can be expected, all other sectors of the Nigerian macro-economic spectrum are not left out, with businesses carefully analyzing the environment, engaging in extensive permutations and fine-tuning their positioning strategies for maximum effect to exploit the opportunities that will inevitably emerge from the outcome of the elections, irrespective of the direction that the tide turns.
Why cyberdefenses are worth the cost
These tips can help not-for-profits and other organizations minimize the risk of potentially devastating data breaches.
By Mark Shelhart
November 1, 2018
Yes, all organizations are vulnerable, and yes, you've heard the warnings that it's likely only a matter of time before a data breach happens at your organization. But how do data breaches apply to not-for-profit (NFP) organizations? Why would anyone want to target an NFP? The primary motivation for today's attacks is to acquire information and money. Every new person a hacker can identify can be a new victim or opportunity, and NFPs possess information about donors that may be very useful to hackers. Some in the health care sector, such as hospitals, have electronic health records (EHR) that may be worth more than $1,000 each (i.e., the EHR for one person) on the black market, according to a 2017 Forbes article. NFPs host an array of potentially valuable information, from donor lists and profiles to employee and client files containing Social Security numbers and other sensitive data. Even if your organization is 90% volunteers and consists of little more than a tent-based medical camp, attackers realize that you likely have data and funds they can target. On the other hand, your organization might be a large, well-established NFP. Perhaps you have an IT staff that supports computers for hundreds of other staffers across multiple sites. Regardless of the size or sophistication of the organization, an NFP that falls victim to a ransomware attack might prefer to pay an attacker instead of having operations paralyzed for any amount of time and perhaps damaging its reputation.
The Importance of High-Quality Financial Information: A Conversation With The SEC
November 13, 2018
U.S. Securities and Exchange Commission's (SEC) Chairman and Chief Accountant sat down with Intel's VP of Finance, Principal Accounting Officer, Corporate Controller Kevin McBride for a fireside chat on the state of the capital markets, the role of preparers, auditors, and audit committees, implementation of new accounting standards, and more.  "The bedrock of our capital market system - and when I say 'our,' I don't mean just the United States, I mean around the world - is high-quality financial information. And high-quality audit and effective regulation of that process," says Jay Clayton. "Every day I'm in this job that becomes more and more apparent to me."  The Commissioner of the SEC and the Chief Accountant of the SEC, Wes Bricker, spoke to a group of preparers at FEI's Current Financial and Reporting Issues conference, covering issues like cybersecurity and internal controls. The underlying focus, however, was the importance of high-quality financial information.
Clayton shared that a major focus of the SEC has always been, and will continue to be, the information provided to long-term retail investors who are investing their life savings into capital markets. He urged preparers to keep these retail investors in mind as they decide what information to provide in their SEC filings.
Control Quotes
"How would your life be different if...You stopped worrying about things you can't control and started focusing on the things you can? Let today be the day...You free yourself from fruitless worry, seize the day and take effective action on things you can change." 
Steve Maraboli
Help Keep Everyone Informed...
If you see a news story concerning internal control or corporate governance that you feel is important for other professionals to know please send it to us.
The Internal Control Institute™ (ICI) is a worldwide organization devoted exclusively to internal control and corporate governance. The Institute is dedicated to the development of world-class educational programs and best practice guidelines on internal control and corporate governance, based on the Sarbanes-Oxley Act and the COSO internal control framework. Visit us on the web at the Internal Control Institute
Control Chatter is a monthly news summary of the top stories concerning internal control and corporate governance.  Control Chatter is prepared by the staff of Internal Control Institute for the benefit of their members and associates. Please consider it for your personal use or pass it on to associates who may have an interest in one or more of the topics by clicking on the Forward email button below.