This is the second in a series of blogs on Internal Control, and this one specifically asks: is there a list of internal controls, and why would you want such a list?
Category Archives: MCEF
Internal Control and COSO
Accountants are trained to think about and implement controls. The classic examples are segregation of duties, reconciliations or budgets. Generally though, these controls are to manage at the transactional level where an error or a small fraud might occur. The big frauds of course are in the C-Suites and include such classics as off-balance sheet liabilities, rogue traders or manipulation of inventories.
Practical Risk Management Model
Is traditional risk management practical? If so, why do so many organizations struggle to do it well? As a quick refresher here are the three steps of virtually all risk management methods:
- Establish business objectives.
- Identify and quantify some or all of the risks that may prevent the organization from achieving these objectives.
- Figure out what you are going to do with the resulting risks (e.g. ignore, manage, transfer, assign owners, etc.).
A Practical Risk Management Method (PRMM)
What makes risk management impractical is that it is often a bolt on and/or a parallel activity. In addition, risk management often gets bogged down in too many risks and not enough value add (see my blog “Guns, Telephone Books and Risk?” for more on this). PRMM recommends the following steps:
- Planning = Risk Management. Incorporate risk management into existing operational, tactical and strategic planning; don’t separate the two. Why? Because planning is how organizations manage uncertainty, which is a fancy name for risk.
- Are You Any Good at Change? Evaluate how well your organization responds to change (e.g. when uncertainty becomes certain). When the unexpected happens, was your response chaotic and uncoordinated or did it go more or less to plan?
- How Strong is your ARM? ARM or Antifragile Risk Management is a system that focuses on building robust and resilient organizations. While step 2 above measures the organization in action, this step anticipates your organization’s uncertainty resiliency.
- A Certain Test of Uncertainty. The organization’s risk/opportunity log is used to stress test the work done above. Testing measures the robustness of the organization and the scope and reasonableness of the collected risks. This is the traditional risk management step in PRMM.
- Don’t Stop. Modify/improve your plans and keep going. All of the above activities are meant to be both periodic (e.g. the annual planning process) and continuous.
My next blog will offer some thoughts on step 1 above, integrating risk management into the planning processes of the organization.
Anti-Fragile Risk Management (ARM)
This is part two of my thoughts on Risk Management. Part I, “Guns, Telephone Books and Risk” focused on the problem of creating long lists of things that will (may) never happen.
Audit Question Log
An idea I have been kicking around for a few years: why don’t organizations maintain a list of the audit questions they have been asked, in an Auditor Question Log? Such a log would contain the questions, the responses and the organization’s supporting policies or documentation.
Budgeting 2×2
There are two inherent tensions when it comes to budgeting: compliance versus cooperation and people versus technology.

Phrankism: Documentation is a Waste of Time
In World War Two, the British counted the bullet holes in airplanes that returned from missions. Based on where the holes were, they now knew where not to bother putting armour on their airplanes (see this Mother Jones article).