Weighing the Importance of Soft Controls in Information Technology Auditing and Control
810: Alex de Leeuw & Clyve Lo-A-Njoe
Vrije Universiteit Amsterdam
Soft Controls in IT Auditing
Postgraduate IT Audit education VU Amsterdam
Team number: 810
Students:
Drs. C. Lo-A-Njoe
Drs. A.P. de Leeuw
Coach:
Drs. R.F. van Rijsewijk EMIA CIA [Deloitte]
Counsellor:
Drs. B. van Staveren RE [UWV]
Deloitte Accountants B.V.
Enterprise Risk Services
Laan van Kronenburg 2
P.O. Box 300
1180 AH Amstelveen
The Netherlands
Contact information:
Clyve Lo-A-Njoe
m: +31 6 20 789 655
Alex de Leeuw
m: +31 6 20 789 803
"Ethics is knowing the difference between what you have a right to do and what is right to do."
Potter Stewart, 92nd Associate Justice of the United States Supreme Court
Executive summary 7
Introduction 9
1. A Closer Look at Organisations 11
1.1 Classification of Organisations 11
1.2 Other Indicators 14
1.3 Risk Management, Control and the Role of the Control Environment 15
2. Hard Controls and Soft Controls in IT Auditing 21
2.1 COBIT at a Glance 21
2.2 Soft Controls Explained 23
2.3 Soft Controls in IT Auditing: the IT Control Environment 24
3. Case Study: Applying the Balanced Approach 25
3.1 XS4ALL Internet B.V. 25
3.2 Using an Alternative Approach 26
3.3 Organisational Perspectives: The Business Controller 27
3.4 Assessment of Soft Controls 28
4. Conclusion 30
4.1 Conclusion 30
4.2 Further Research 30
Appendix 31
Acknowledgements 31
Bibliography 32
Tables and Figures 33
Endnotes 33
EXECUTIVE SUMMARY
In the last two decades organisations have experienced the full impact of the information society.
Companies around the globe are faced with the fact that their business processes cannot exist
without the support of information systems and technology. This has also affected the way in which
management controls its organisation. Similarly, the increase in relevance and growth of the IT
auditing profession has been profound.
To control its organisation, management had to implement controls for the IT organisation as well. A
control framework, COBIT, was developed and broadly applied. This framework, which is also used
by accounting firms in their IT audits, prescribes strict IT policies and procedures ('hard controls') for
companies to comply with. In our experience, this method is best suited to traditional organisations
that are often large, mature, and predominantly focused on production rather than on their
employees.
We argue that the straightforward COBIT approach should be significantly adapted for
organisations that do not fit the characteristics noted above. Organisations that are young,
small, creative and flexible may find that simply implementing COBIT is actually counter-productive.
We argue that before auditing or advising an organisation to follow a specific approach, auditors and
consultants should take the specifics of that organisation into account. Organisations should be
carefully evaluated with regard to their organisation type and their management or leadership
style. Typical indicators such as size, maturity, innovativeness and culture are also critical in
assessing the IT control framework that is best suited to an organisation. COBIT hardly takes these
characteristics into account.
Alternatives to COBIT, like COSO, CoCo, and especially Simons’ Levers of Control do weigh these
organisational factors. These frameworks combine soft controls with hard controls and in doing so
they create a balance between control and empowerment. This combined approach is key in small,
young and innovative organisations.
In a case study at the Dutch internet service provider XS4ALL, we noted that it was inefficient to
implement the unmodified COBIT framework, as these hard controls clashed with the culture of the
organisation and were even experienced as counter-productive. XS4ALL aimed to improve its
internal controls, but this required an approach tailored to fit its organisation.
The solution was found in applying an IT-specific Control Environment (ITCE) that takes into account
the specific strengths of the organisation: its soft controls. The ITCE is derived from the COSO
Internal Environment model and contains elements that allow companies to factor in the specific
aspects and culture of an organisation. The ITCE was used to test the existence of soft controls which,
when combined with hard controls, allowed the organisation to be in control of its IT processes.
The authors recommend further testing of the concept of soft controls in IT, to assess the validity of
the IT Control Environment with different types of organisations.
INTRODUCTION
The digital revolution has had unimaginable effects on our society. New industries have emerged,
business models that seemed ludicrous not so long ago have proven to be sustainable, and entire
communities interact in ways no-one could have predicted. Our society has evolved into an
information society, in which individuals can cooperate and compete globally. Thomas Friedman
(Friedman, 2006) therefore argues that the world is flat. Traditional boundaries such as distance and
time simply do not apply anymore.
One of the key accelerators of this 'flattening' is of course technology. The marginal cost of
bandwidth is nearly zero, and a vast proportion of the world's population now has access to
personal computers and the internet. For most businesses, IT has become a mission-critical enabler.
Consequently, the importance of, and reliance on, IT auditing has increased tremendously since its
early beginnings in the 1960s. IT control frameworks have been developed and some have matured into
globally used benchmarks, such as COBIT [i]. IT auditing has also evolved into an integral part of most
financial statement audits, as for most companies, transactions are recorded digitally.
In this paper, we argue that IT auditors should take the specifics of the organisation into account in
order to perform audits efficiently and effectively. Using a single one-size-fits-all approach
does not meet the needs of today's wired world. It is time for IT auditors to take the next step in the
development of their profession, look outside the server room, and factor in the organisational
environment of IT auditing. The same applies to IT control consultants that advise management on
the ways in which they should control their IT environment.
Different organisations require different approaches. Using a shotgun approach (by simply opening
up the COBIT floodgates) will lead to false negatives and frustration at the audited organisation, and
confusion among auditors. Instead, just as IT has changed the world in which we live, the way in which
we communicate, and the way in which we do business, so too should IT auditing change – by
adapting to the organisational culture, structure, and management style.
To be able to use a pragmatic approach to IT auditing, IT auditors must first understand how
companies differ, and what role the organisational culture has. The organisational variables
determine the approach the auditor should use. Only if the IT auditor understands the organisation
can he or she perform true value-added audits.
To understand the differences in organisations, we will look at the various ways in which
organisations can be classified. Next, we will discuss a model in which these classifications serve as
variables; the analogy of a scale is used to argue how some factors correlate and push the scale in
one direction or the other, thereby determining what approach the auditor should use.
Then, two distinct control methods are discussed: hard controls (such as COBIT), and soft controls
(such as the organisation's control environment). We will argue that all IT audits should weigh the
identified factors to decide on the balance of hard and soft controls. Some large and mature
organisations will have implemented COBIT controls, and will effectively rely on these controls to
manage their IT environment. Other companies (such as small and nimble start-ups) will have some
basic COBIT controls in place, but will probably rely much more on soft controls to manage their IT.
After the theoretical discussion, we will discuss a case study in which this balanced approach is used,
followed by conclusions and recommendations for further research.
Amsterdam
April 2008
1. A CLOSER LOOK AT ORGANISATIONS
Although all organisations have some common characteristics, no two organisations are identical.
Organisations have different structures, goals, constituencies, leadership styles, tasks and
surrounding environments (Laudon & Laudon, 1998). This chapter describes distinctive features,
such as organisational structure and leadership style, and argues how these characteristics can
influence management control. We argue that the way in which management controls its
organisation should be a key factor in an auditor's approach. The ramifications of this approach for
IT auditing and control are discussed in chapter 2.
1.1 CLASSIFICATION OF ORGANISATIONS
MINTZBERG
Throughout the centuries, scholars have studied the many organisational types that have originated
since the earliest forms of cooperation. In many cases, the research focused on differences and
similarities between organisations, which helped with classifying organisations into a set of
organisational types. One of the best known and widely used examples is that of Henry Mintzberg
(Mintzberg, 1979). Mintzberg classified organisations into a set of five clearly distinguishable
variants. The type of organisation, as Mintzberg classifies it, influences management control through its
coordination of people, power and dynamics. The table below shows the Mintzberg classification.
Organisational Type: Characteristics
- Entrepreneurial Structure: Young, small firm in a fast changing environment dominated by a single entrepreneur and managed by a single chief executive officer. Employees are under direct supervision.
- Machine Bureaucracy: Large bureaucracy organised into functional divisions that centralises decision making, produces standard products and exists in a slow changing environment.
- Professional Bureaucracy: Knowledge-based organisation such as a law firm or hospital that is dominated by department heads with weak centralised authority; operates in a slowly changing environment.
- Divisionalised Bureaucracy: Combination of many machine bureaucracies, each producing a different product or service, under one central headquarters.
- Adhocracy: Task force organisation, such as an ad firm, designed to respond to a rapidly changing environment and characterised by groups of specialists organised into short-lived multidisciplinary task forces.
TABLE 1: FIVE ORGANISATIONAL STRUCTURES BY MINTZBERG
Besides Mintzberg, many more scholars have published studies on why organisations take on so many
different forms. Different in the sense that they cater to different markets and that they produce
different goods or sell different services, but also in the way in which they are organised and
structured. As most employees with some experience will attest, different leadership styles can
also have an impact on management control.
BLAKE & MOUTON
Blake & Mouton published a well known model on the different management styles in organisations
(Blake & Mouton, 1964). The model, which debuted at the beginning of the Contingency Viewpoint [ii]
of management, noted that different management styles can be useful in certain situations. Blake
& Mouton's model has five leadership styles that can be plotted in a grid along two variables:
the concern for people, and the concern for production. Figure 1 shows the Blake & Mouton
Managerial Grid.
FIGURE 1: BLAKE AND MOUTON MANAGERIAL GRID
MCGREGOR
A third significant model is the behavioural model by Douglas McGregor (McGregor, 1960), in which
two distinctly different leadership styles are discussed. The leadership styles are based on the beliefs
of managers about their subordinates. The first of these leadership styles is labelled Theory X; it
holds that leaders tell subordinates exactly what is expected of them, as employees require as much
direction as possible. Furthermore, Theory X states that employees dislike work, and will avoid it if
possible. Managers should coerce employees to get them to work.
In contrast, the leadership style dubbed 'Theory Y' assumes that people like to work, and that
employees who are committed to the company's objectives will exercise self-direction and self-control.
Additionally, employees accept and even seek responsibility in the workplace, which allows
leaders to consult with their subordinates, allowing them to take part in the planning and decision
making process. With Theory Y, leaders believe people will work hard, cooperate and have positive
attitudes towards the organisation.
Figure 1 content (Blake and Mouton Managerial Grid; axes: Concern for Production, Concern for People):
- Authoritarian (High Production / Low People): Efficiency in operations results from arranging conditions of work in such a way that human elements interfere to a minimum degree.
- Team Leader (High Production / High People): Work accomplishment is from committed people; interdependence through a 'common stake' in organisation purpose leads to relationships of trust and respect.
- Country Club (High People / Low Production): Thoughtful attention to needs of people for satisfying relationships leads to a comfortable, friendly organisation atmosphere and work tempo.
- Impoverished (Low Production / Low People): Exertion of minimum effort to get required work done is appropriate to sustain organisation membership.
- Middle-of-the-Road (Medium Production / Medium People): Adequate organisation performance is possible through balancing the necessity to get out work with maintaining morale of people at a satisfactory level.
Theory X and Y impact the effectiveness of management control in an organisation. Depending on
the goals of an organisation, either Theory X or Y will be best suited to achieve these goals. On the
other hand, when this theory is taken too literally, X and Y seem to represent unrealistic extremes.
Theory X emphasises strict procedures to achieve business goals in a controlled manner. In contrast,
Theory Y favours managing people through empowerment. Most organisations require a leadership
style that falls somewhere in between these extremes.
The table below summarises McGregor's Theory X-Y.
Theory X:
- The average human being has an inherent dislike of work and will avoid it if he can.
- Because of their dislike for work, most people must be controlled and threatened before they will work hard enough.
- The average human prefers to be directed, dislikes responsibility, is unambitious, and desires security above everything else.
Theory Y:
- The expenditure of physical and mental effort in work is as natural as play or rest.
- Control and punishment are not the only ways to make people work; man will direct himself if he is committed to the aims of the organisation.
- If a job is satisfying, then the result will be commitment to the organisation.
- The average man learns, under proper conditions, not only to accept but to seek responsibility.
- Imagination, creativity, and ingenuity can be used to solve work problems by a large number of employees.
TABLE 2: MCGREGOR'S THEORY X-Y
FIEDLER
A synthetic model for leadership styles was proposed by Fred Fiedler (Fiedler, 1967). In the Fiedler
Contingency Model, it was argued that successful leadership depends on matching a leader’s style to
a situation’s demands. According to Fiedler, a manager has to understand his or her leadership style,
diagnose the particular situation, and then match style and situation. Fiedler also distinguishes
between task-oriented leaders (that just want to get the job done), and relationship-oriented
leaders (that place greater value on people than tasks).
Most leadership and organisational models discuss two ends of a spectrum. Leaders believe in
Theory X or Y, they are either more task-oriented or people-oriented, and organisations are loosely
organised in the form of an Adhocracy, or much more strictly organised in the form of Machine
Bureaucracies. We can relate to these extremes, as we are able to name numerous examples of
companies that appear to fit well with either end of the spectrum – whether it be the Theory X
Machine Bureaucracy in the form of a car manufacturer, or if it’s the Theory Y Adhocracy in the form
of an ad-agency. Similarly, most of us will be able to pinpoint where the organisation that we are
part of is located.
Simply put, some organisational aspects (such as leadership style or organisational structure) seem
to intuitively match well with one another. Figure 2 graphically displays these aspects.
FIGURE 2: ORGANISATIONAL THEORIES IN A TASK-PEOPLE MINDED SPECTRUM
1.2 OTHER INDICATORS
Given the organisational spectrum discussed above, we are able to add even more indicators to this
spectrum that affect management control.
INNOVATION AND CREATIVITY
Some organisations stimulate their employees to be creative, flexible and innovative. Organisations
that do so appear to fit well with the right-hand side of the spectrum. These types of organisations
often thrive when their employees are given 'carte blanche' to be successful. Using a
restrictive 'tough boss' leadership style and strict management control would be counter-productive
in such an environment. Similarly, a 'Theory X manager' will most likely clash with employees soon
after his or her arrival.
SIZE AND MATURITY
Small and young organisations will find themselves on the right side of the spectrum as well.
Employees at these organisations will most likely be empowered to do whatever it takes to grow and
survive in the earliest stages of organisational maturity. Managers at start-ups will most likely
encourage entrepreneurship and employee empowerment. Large diversified organisations are
harder to control and manage from the outset, simply due to their size and complexity. Therefore,
smaller organisations have an edge when it comes to management control – their structure is often
simple, and lines of communication are short and informal.
Philip Wickham argues that entrepreneurship can also be seen as a management style in which
there is a strong focus on change and opportunity (Wickham, 1998). This supports the notion that
we expect to see organisations that experience less change, and may be in a less dynamic market, on
the left side of the spectrum.
COMPETITION
Strong competition can also be a significant indicator for a specific organisational structure or
leadership style. In the highly competitive Technology, Media, and Telecommunications (TMT)
industry, even the former incumbents and ex-monopolists are facing tough battles for survival. This
shift in market conditions forces them to increase flexibility, foster entrepreneurship, and to strive
for innovation. In other words, these companies are required to move to the right of the spectrum
to gain competitive advantage against young and agile organisations.
Figure 2 content (Organisational theories in a task-people minded spectrum), from task minded to people minded: Theory X (McGregor); Concern for Production (Blake and Mouton); Machine Bureaucracy (Mintzberg); Divisionalised Bureaucracy (Mintzberg); Professional Bureaucracy (Mintzberg); Entrepreneurial Structure (Mintzberg); Adhocracy (Mintzberg); Concern for People (Blake and Mouton); Theory Y (McGregor).
When put together, all of these aspects can be plotted schematically, as shown in figure 3.
FIGURE 3: SCALE MODEL - THEORY AND ORGANISATIONAL FACTORS COMBINED
As discussed above, organisations can be managed in many different ways, with equally different
leadership styles. But how do these different organisational structures and management styles
influence the ways in which management can control its organization, and manage its risks? The
next paragraph looks at how risk management should be tailored to each individual organisation.
1.3 RISK MANAGEMENT, CONTROL AND THE ROLE OF THE CONTROL ENVIRONMENT
One of the aspects of management that has received much attention during the last decade has
been risk management and control. Besides the basic need for risk management felt by a company's
stakeholders, regulatory pressures have led to a surge in attention for compliance-driven risk
management efforts. Regardless of the type of organisation, it needs to manage risks from the shop
floor to the C-suite level. But there is no 'one-size-fits-all' method for managing risks.
Methodologies for the banking industry, for example, differ tremendously from those in other sectors,
due to specific compliance requirements such as Basel II [iii] and other sector-specific
requirements.
The reality, however, is that some compliance requirements, such as Sarbanes-Oxley [iv], do not
distinguish small and nimble media companies from large multinational car manufacturers. For every
company that meets certain criteria (in the case of Sarbanes-Oxley, the criterion is having an SEC
registration [v]), the regulations apply, and therefore the company must meet certain risk
management and control demands.
Similarly, in the financial statement auditing approach of ‘Big-Four’ accounting firms, there is hardly
any room for tailored approaches. Every company must meet certain pre-set general risk
management and control criteria, regardless of its size or organisational structure. In practice,
auditors will encounter firms that pass these general criteria with flying colours, and these tend to
be the companies that are mature, and that have strict and well documented management control
frameworks.
But auditors also encounter companies that fail to meet most of these pre-set criteria. This does not
mean that these companies are out of control, by any means. It does mean, however, that these
companies have other methods to ensure that their organisational objectives are met. These
methods often include short communication and reporting lines, frequent but unstructured
interaction between management and employees, and more principle-based control frameworks.
These companies require a different approach to risk management, compliance, and governance
auditing. The auditor should ideally take the various organisational structures and
leadership styles into account and amend his or her auditing approach accordingly. Unfortunately, only a few tools
and theories exist that enable auditors to tailor their audit approach to these 'misfit' companies.
COSO – INTERNAL CONTROL OVER FINANCIAL REPORTING GUIDANCE FOR SMALLER PUBLIC COMPANIES
One of the leads financial auditors use in Sarbanes-Oxley audits is the organisation's Control
Environment. The Control Environment, also known as the Internal Environment, is the basis of
COSO's [vi] Enterprise Risk Management framework. COSO defines the Internal Environment as:
"The internal environment encompasses the tone of an organization, influencing the risk
consciousness of its people, and is the basis for all other components of enterprise risk
management, providing discipline and structure." (COSO ERM, 2004)
COSO has also developed an internal control framework specifically designed for smaller
organisations [vii]. In this framework, COSO acknowledges that smaller entities may be less formally
organised along well established guidelines, and may have less formal procedures and processes.
This means that implementing the regular COSO ERM framework may lead to false negatives and
significant costs, and may therefore be counter-productive. As COSO states:
"The focus is on businesses that have many of the following characteristics:
- Fewer lines of business and fewer products within lines
- Concentration of marketing focus, by channel or geography
- Leadership by management with significant ownership interest or rights
- Fewer levels of management, with wider spans of control
- Less complex transaction processing systems and protocols
- Fewer personnel, many having a wider range of duties
- Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting and internal auditing."
COSO recognises that smaller companies face specific difficulties from a control point of view.
Specifically, it lists the following challenges for smaller organisations:
- Obtaining sufficient resources to achieve adequate segregation of duties
- Management's ability to dominate activities, with significant opportunities for management override of control
- Recruiting individuals with requisite financial reporting and other expertise to serve effectively on the board of directors and audit committee
- Recruiting and retaining personnel with sufficient experience and skill in accounting and financial reporting
- Taking management attention from running the business in order to provide sufficient focus on accounting and financial reporting
- Maintaining appropriate control over computer information systems with limited technical resources.
To overcome these challenges, COSO does not suggest going ahead with a full scale COSO ERM
implementation. Instead, COSO recognises the specific characteristics of smaller organisations. One
of the key differences between COSO ERM and COSO for Smaller Public Companies is the emphasis
placed on the organisation's Internal Environment. As COSO puts it:
A smaller company can have unique advantages in establishing a strong control
environment. Employees in many smaller businesses interact more closely with top
management and are directly influenced by management actions. Through day-to-day
practices and actions, management can effectively reinforce the company’s fundamental
values and directives. The close working relationship also enables senior management to
recognize quickly where employees’ actions need modification. (COSO for Smaller Public
Companies, 2006)
It is obvious that COSO for Smaller Public Companies relates to our indicators. On the one hand the
characteristics of these companies, according to COSO, correspond to organisational structures
“Entrepreneurial Structure” and “Adhocracies” from Mintzberg. Similarly, a high concern for people
and the characteristics of Theory Y can be relevant contributing factors to overcome the challenges
that COSO defines.
Others have pointed out the possibility of other means of control, besides the straightforward
transactional control methods. Robert Simons (Simons, 1994) argued that management could
leverage specific characteristics of their organisations, and control the organisation without
hampering the empowerment and entrepreneurial spirit of organisations at the right hand side of
our spectrum.
SIMONS' LEVERS OF CONTROL
More specifically, Simons shows how managers use innovative control systems to drive continuous
strategic renewal. The model describes controls ('the levers') that enable business leaders to retain control of
their organisations and capitalise on the autonomy and drive present at lower levels while
simultaneously responding to emerging opportunities. The model takes on the challenge of finding a
way to allow empowerment to flourish while encouraging accountability. It establishes a critical
bridge between the disciplines of strategy and of accounting and control, essentially combining top-down
direction and bottom-up creativity. Simons' model is shown in figure 4.
FIGURE 4: SIMONS' LEVERS OF CONTROL
The first of Simons’ Levers of Control systems is an organisation’s Belief System. In an empowered
environment people need to understand and be committed to the mission, objectives and strategy
of the organization. Belief systems explain how the organization creates value, the level of
performance the organization strives for and how individuals are expected to manage both internal
and external relationships.
"The fastest cars need the best brakes" [viii], and much like a fast car, every organisation needs its
Boundary Systems. The term Boundary Systems would imply that there are strict rules to comply
with. However, the boundaries only define what is not allowed. Telling people what to do in
procedures and rule books hampers the initiative and creativity unleashed by empowered and
entrepreneurial employees. Within these boundaries everything is possible, which in turn promotes
creativity and innovation, and empowers employees to do what is right.
To effectively and efficiently control their organisation, management needs Interactive Control
Systems. Interactive Control Systems are communication structures that managers use to involve
themselves regularly and personally in the decisions of subordinates. Through them senior managers
focus organisational attention and learning on key strategic issues. Interactive control systems track
the uncertainties that keep senior managers awake at night (Rijsewijk, 2007).
Finally, Simons points to the use of Diagnostic Control Systems. Diagnostic Control Systems act as a
dashboard for management, instantly showing signs of abnormal behaviour in the organisation.
Diagnostic Control Systems can take the form of KPIs, which are tracked on a day-to-day basis. The
monitoring of Diagnostic Control Systems can help an organisation to keep critical performance
variables within limits.
The levers of control allow, or even oblige, an organisation to implement traditional internal
controls, but they also encourage management to deploy other means of controlling their
organisation, such as monitoring or diagnostic controls.
Figure 4 content (Simons' Levers of Control): Business Strategy at the centre, surrounded by the Belief System (Core Values), the Boundary System (Risks to be Avoided), the Interactive Control System (Strategic Uncertainties) and the Diagnostic Control System (Critical Performance Variables).
COCO
An alternative to COSO is the CoCo control model from the Canadian Institute of Chartered
Accountants, which was issued in 1995. It acknowledges, as does COSO, that the control
environment is the foundation of internal control, but CoCo takes it one step further. The intent of
CoCo is to address what was felt to be an imbalance in COSO (which adopts a mechanistic
approach to governance and control) – its contribution is to emphasise the people and cultural
aspects of control.
CoCo states that effective internal control is not only enforced by segregation of duties and policies
and procedures; the model focuses on intangible things such as leadership, shared values, and mutual
trust, that is, entity-level controls. It acknowledges a fact that is obvious to management: that an
organisation consists not only of processes and systems, but also of people, and that people are
most often the key to success or the reason for failure. CoCo therefore focuses on the commitment,
capability and learning of people in the organisation. Figure 5 shows the CoCo Risk Management
model.
FIGURE 5: COCO: CRITERIA OF CONTROL RISK MANAGEMENT MODEL
CONCLUDING REMARKS
For some organisations it can be challenging to implement a full scale COSO ERM framework. For
these organisations it is necessary to find other frameworks in order to be in control. We have seen
that these frameworks emphasise the control environment, which is strongly influenced by the
structure of the organisation and the leadership style of management. From our point of view the
Levers of Control model by Simons is a very strong framework to build upon. It balances
empowerment and control without overlooking traditional controls.
Figure 5 content (CoCo: Criteria of Control Risk Management model), a cycle of Action through four process groups:
- Focus Processes (knowing what needs to be done): evaluate and set objectives; evaluate risks and reliability decisions.
- Capability Processes (having the resources to do it): equip with necessary skills; information; physical equipment; people; finances.
- Commitment Processes (wanting to do it): establish shared values; provide responsibility and authority; establish reward systems to create cohesion.
- Learning Processes (making adjustments for change): monitor results; monitor environment; apply systems thinking; perform self assessment.
Even though financial and operational auditors are used to dealing with the control environment (or
internal environment) in their audits, the role of the control environment is practically non-existent
in IT auditing. In chapter two we discuss COBIT, a framework for IT organisations. We noticed that
COBIT does briefly touch upon the concept of soft controls, but given the abundance of technical
details to feast on, IT auditors usually focus on the easier-to-audit hard controls. Management,
however, usually follows the path of least resistance and will implement the type of controls that are
both effective and efficient for their organisation.
The next chapter discusses soft controls and hard controls, and suggests the use of an organisational
model to evaluate to what extent both types of controls should be used by management, and where
IT auditors should look for assurance in their audits. Similarly, IT auditors or consultants that are
advising management with regards to the implementation of IT control measures can use the model
to determine which type of controls will function best at the organisation.
2. HARD CONTROLS AND SOFT CONTROLS IN IT AUDITING
This chapter discusses the de facto standard IT control framework COBIT and some alternative
thoughts on IT management and control. We argue that a combination of hard controls (e.g. COBIT)
and soft controls (the control environment, for example) should be used in IT auditing. An
application of this balanced approach is discussed in chapter 3.
2.1 COBIT AT A GLANCE
The COBIT framework is owned and maintained by ITGI, the IT Governance Institute. ITGI aims to
advance the development of IT governance for organisations. Its defining work is the COBIT
framework, which has been in development since 1996. The current version (4.1) was released
in 2007. COBIT is now the de facto standard in IT governance guidance, and is used in countless
enterprises globally.
One of the key drivers for its success is the basic premise of the link between organisation goals and
IT goals. IT governance serves only one purpose, and that is to help attain the business goals a
company has. From there on, COBIT breaks the IT goals into manageable key activities, performance
metrics, and control objectives. This approach allows organisations to align business goals with IT
governance goals. Figure 6 shows the basic COBIT principle.
FIGURE 6: BASIC COBIT PRINCIPLE
COBIT focuses heavily on controls to manage IT processes. These controls include the ubiquitous
change management and security management controls, and are grouped in IT processes that follow
the recognisable responsibility domains, as shown in the table below.
[Figure 6 labels, read as a cycle: Business Requirements drive the investments in IT Resources, which are used by IT Processes, to deliver Enterprise Information, which responds to Business Requirements; COBIT governs the cycle.]
Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS).
Acquire and Implement (AI): provides the solutions and passes them on to be turned into services.
Deliver and Support (DS): receives the solutions and makes them usable for end users.
Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed.
TABLE 3: COBIT DOMAINS
Unlike COSO, COBIT does not discuss the internal environment of an entity. COBIT controls are
transactional in nature, and the framework does not accommodate meta-process controls such as
Simons’ interactive or monitoring controls. The closest COBIT gets to capturing the relevance of the
organisation the controls should be embedded in, is in section PO4 (Plan and Organise), in which the
control objective is to define the IT Processes, Organisation, and Relationships. However, true to its
goal, the COBIT framework focuses on the governance of the IT organisation. In other words, PO4
discusses who is responsible for various tasks.
We can plot COBIT on our scale model, along with COSO, CoCo, and Simons discussed in chapter
one. The figure below shows the combination of all of the above models, leadership styles, and
organisational structures. The figure also shows when organisations can benefit most from soft
controls (shown on the right hand side of the scale).
FIGURE 7: COMPLETE SCALE MODEL
As discussed, the COBIT framework does not link culture, organisation, or other ‘soft building blocks’
of an entity to IT control. In financial and operational auditing, however, the starting point of most
audits is just that: the culture, the organisation, and the control environment. Why, then, does the
leading IT governance framework pay so little attention to these sometimes intangible, but
profoundly important aspects?
In the next paragraphs we will expand on how these ‘soft building blocks’ play an important part in
any organisation, and on how IT auditors and managers can use these soft controls to better
understand organisational IT control.
2.2 SOFT CONTROLS EXPLAINED
Management can use a variety of controls to manage their organisations and to meet business goals.
Most controls in the post-SOx era are transactional and procedural in nature. These controls can be
tested in a straightforward manner, and often allow for automation; consider for example the
username – password combination that a financial reporting application requires when logging in.
Soft controls, however, aim to direct human behaviour in organisations. Soft controls are mostly
intangible, and relate to communication and human interaction. The prime example of a soft control
is the ‘tone at the top’, the core of the internal environment. The tone at the top refers to the
message top management sends; not just through official communications, but also in the form of
‘leading by example’. Does management strongly believe in ethical business practices? Or, does
management want to meet their goals by any means necessary?
Soft controls follow from an organisation’s culture, its management style, and its structure.
Empowered employees in a small scale media company are trusted by management to make the
right decisions that are in the best interest of the company. Instead of limiting an employee’s
freedom, management encourages them to do what’s right for the company. Management may use
a combination of interactive controls (such as frequent verbal updates), and monitoring controls
(focusing on key performance indicators such as ROI) to manage and control the organisation.
COSO recognises the importance of soft controls, and it uses the internal environment as a base for
all other controls. In this sense, soft controls have a pervasive effect on all other control measures. A
flawed control environment is considered a significant deficiency or even a material weakness in an
organisation’s internal control framework in Sarbanes-Oxley audits. The reasoning is simple. In the
widely known Barings scandal, for example, management knew about significant control deficiencies
in their Singapore branch, but decided to do nothing (James Roth, 1998). At Enron, management
knew about rogue traders in their New York office, but decided to do nothing since the traders were
making money (by breaking the rules). In these examples, management wanted to make the
numbers, even if it meant unethical, irresponsible, or illegal behaviour. The best control framework
in the world will not yield the desired results if the control environment is flawed. This principle can
be translated to IT auditing and control. The next paragraph will discuss the use of soft controls in IT
auditing and control.
2.3 SOFT CONTROLS IN IT AUDITING: THE IT CONTROL ENVIRONMENT
As discussed in the previous paragraphs, we argue that organisations should combine soft controls
and conventional IT controls in order to improve management control over IT. This combined or
balanced approach should be tailored to each organisation. For this purpose, we use the scale (refer
to figure 7), with which the expected effectiveness and applicability of soft controls can be
established. The scale will aid management and IT auditors in their assessment of expected
applicability (in other words, which organisations will benefit most by using this approach). The next
step is implementing soft controls at IT departments. To do so, management and IT auditors should
focus on the IT Control Environment.
We define the IT Control Environment (ITCE) as the internal environment of an IT organisation,
influencing security and privacy awareness in its people. The ITCE provides discipline, structure,
ethical values and competence for all aspects of the IT organisation. The ITCE determines
management’s philosophy, operating style and the way in which management assigns authority and
responsibility.
Similar to how the COSO internal environment is the basis for all process controls, the ITCE is the
basis for all IT controls at the organisation. As with the COSO internal environment, regular controls
are either weaker or stronger as a result of the pervasive effect of the IT Control Environment. The
ITCE's effect and applicability are dependent on where the organisation is located on the spectrum,
given the scale model discussed in chapter one. Furthermore, the ITCE is directly related to the
organisation's overall control environment, and much of the organisation's overall control
environment will be applicable to the ITCE. However, the ITCE is specifically suited to IT
departments, an area that as yet has had little to do with soft controls in general, and with the
organisation's control environment in particular. We illustrate the use of the ITCE in a case study in
chapter 3.
3. CASE STUDY: APPLYING THE BALANCED APPROACH
In some companies, applying the COBIT framework by management or IT auditors will yield
tremendous results. In other companies, simply using the COBIT framework without taking into
account human factors will lead to unexpected disappointment. The balanced approach discussed in
chapter 2 is put to the test in a case study, which is outlined in this chapter.
3.1 XS4ALL INTERNET B.V.
The authors of this thesis were asked to assess the IT control framework as part of a Sarbanes-Oxley
readiness project. The project was initiated in February 2007 and finished during Q1 2008. The
organisation at which the project was executed is one of the premier internet service providers (ISPs)
in the Dutch marketplace: XS4ALL. Even though its installed base is relatively small compared to its
competitors, its brand value and image are excellent. The engagement was straightforward:
determine to what extent the organisation met the corporate IT control framework, which was
simply a number of COBIT controls.
Early on in the Sarbanes-Oxley readiness assessments, it
was clear that the organisation would not meet some of
the key COBIT control objectives. The organisation had quickly developed from grass-roots origins
into a 300 FTE innovator. In doing so, little attention was paid to formal job descriptions, reporting
lines, documented control measures, and so on – and this was especially true at its IT department,
the engine room of the company. Instead, all effort was focussed on delivering high-quality service
for its customers. Even though the organisation succeeded in doing so, it faced some significant
challenges as a result of the Sarbanes-Oxley compliance demands.
This raised the question, ‘are we then out-of-control?’ The answer was clearly no. In its 15 years of
existence, only a handful of security incidents occurred. The IT department as a whole, and the
security and privacy officers in particular, were (and still are) admired and respected throughout the
company, and even among the IT security community outside of the company. The company’s
reputation is unparalleled, as the company is still viewed as one of the leaders in information
technology security.
So how, then, did XS4ALL ensure that it maintained its leading position in information security and IT
management, if the standard COBIT controls were few and far between?
The answer lies in the organisation itself. There, in its DNA, lies the cause of this 'anomaly': its
people and its culture made sure that operations remained stable and robust, that security issues
were dealt with swiftly, and that customer satisfaction has remained the highest among its peers for
several years in a row [ix]. The developers and administrators are driven by a shared belief that they
must do the right thing, always. This belief is not forced onto them; rather, it is an intrinsic,
bottom-up motivation for operational excellence.
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Bruce Schneier, cryptographer and computer security expert
One of the major findings during the SOx-readiness effort was the lack of segregation of duties
within the IT department. This finding did not faze management or the IT department; they still
knew they were in control. Ultimately, the track record, and the small number of security and
operational issues experienced during its existence did not fit well with the standard COBIT controls.
A different approach was needed.
3.2 USING AN ALTERNATIVE APPROACH
The different approach was found after numerous discussions with IT administrators, management,
and the corporate audit department. It was obvious that the standard approach would not yield the
desired results, as it led to false negatives.
The break came after taking another look at COSO's control environment. This was the starting point
for the overall SOx risk assessment, but it did not extend to the IT department. In order to explain
the apparent control over IT in light of the lack of formally documented controls, the auditors turned
to a specific IT Control Environment. The ITCE has five different areas of control objectives, namely
Integrity and Ethical Values, Commitment to Competence, Human Resources, Authority and
Responsibility, and Management Philosophy and Operating Style. These control objectives were
subsequently detailed into organisation-specific control activities, as discussed in paragraph 3.4.
These control activities were presented to the IT department and to the management team. For
most control activities, both the administrators, developers and management recognised the
controls, and determined that they were indeed part of the control environment at the organisation.
Management and IT staff also suggested additional or revised control activities. The final list of
control activities was then assessed to determine if all controls were in place. For some, this was not
the case and remediation followed.
The new approach mimicked the approach operational and financial auditors use in their audits, in
that it looked at the organisational aspects besides regular hard controls. This is something that is
still not commonplace in IT auditing, and there were no studies, nor was there any experience with
this approach.
It is important to note that the ITCE served as a base for all other IT controls. The ITCE controls are in
place alongside numerous other IT controls, such as a range of security-, change-, and IT operations
management controls. However, the ITCE allowed the organisation to implement an IT control
framework that actually suited the organisation, and that was recognised and supported by the
administrators and developers themselves. The finished product, the XS4ALL IT control framework,
actually added value without weighing the organisation down with the burden of a standard,
COBIT-only framework. Hard controls were kept lean and efficient, thus allowing the organisation to
maintain its flexibility.
Looking at our scale model (figure 7), it is obvious that XS4ALL is located at the right hand side of the
model.
FIGURE 8: SCALE MODEL APPLIED TO XS4ALL
The company is relatively young, loosely organised, in a competitive and innovative market, and its
people are empowered to do the right thing. Given this information, in hindsight it makes sense to
focus on the right side of the scale, and utilise soft controls, instead of hard controls (i.e. COBIT).
3.3 ORGANISATIONAL PERSPECTIVES: THE BUSINESS CONTROLLER
The balanced approach was discussed with many stakeholders throughout the company, including
the Control department. To evaluate the balanced approach, we spoke at length with René
Maatkamp, head of the Control department. One of René's responsibilities is to ensure that all
financial reporting and forecasting is timely and accurate. Since most applications that provide this
information are managed by the internal IT department, gaining assurance on effective IT
management is vital. In one of the interviews held, René noted the following:
“We need insight into business processes as well as IT processes, to understand what drives
our business, and to know how information is gathered and processed. To make sure that
the data in the systems is correct we need some form of control over the management of IT
processes. Given our history and culture, combining hard controls and soft controls makes
sense. We have to balance flexibility and structure, and use whatever works best. For some
aspects of management control, hard controls work best. For others, relying on the culture
and control environment works better.”
Weighing flexibility and structure means that the best of both worlds is used. To understand which
soft controls are likely to operate effectively, René points towards the strategy of the organisation.
“You have to find the soft controls that are embedded within the organisation, using those
aspects that are understood and second nature to the firm. For us, this is straightforward:
both Security and Privacy are key strategic values for our company. Therefore, everything
we do is checked against these values. This is especially true for our IT department, which is
really the basis for the rest of the company. If anyone goes against these values, they will be
corrected by their peers.”
The IT control environment should therefore match the company's strategic values. As noted by
Simons (Simons, 1994), the levers of control all stem from the company's business strategy: a
company's belief systems and core values should be in line with its business strategy, as should its
risks to be avoided and its key performance variables.
3.4 ASSESSMENT OF SOFT CONTROLS
To actually assess the soft controls in place at the IT department, the auditors used a custom built
questionnaire. The use of (self-assessment) questionnaires has been argued to provide the best
result in control environment auditing (James Roth, 2004). The proposed ITCE is defined using a
specifically designed questionnaire, mimicking the COSO internal environment questionnaires. The
ITCE questionnaire is grouped into five focus areas. These areas are: Integrity and Ethical Values;
Commitment to Competence; Human Resources; Authority and Responsibility; and Management
Philosophy and Operating Style.
FIGURE 9: ITCE QUESTIONNAIRE FOCUS AREAS
The areas are subsequently detailed into multiple control objectives to assess to what extent the
organisation can rely on its ITCE, alongside its regular internal controls. For auditors, the
questionnaire can be used to assess to what extent they can include soft controls in the audit
approach. The control objectives for each area draw heavily upon existing COSO internal
environment questionnaires, but have been tailored to suit IT departments. The questionnaire is
shown in the table below.
Focus Area 1: Integrity and Ethical Values
1.1 Policies exist regarding acceptable IT practices, conflicts of interest or expected standards of ethical behaviour
1.2 IT employees understand what behaviour is acceptable or unacceptable, and know what to do when they encounter improper behaviour
1.3 IT management takes appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct
1.4 IT management avoids intervening in or overriding established controls
1.5 Situations involving pressure to meet unrealistic targets do not exist or are properly controlled, particularly for short-term results
1.6 Processes are in place to monitor the IT department's integrity and ethical values
Focus Area 2: Commitment to Competence
2.1 IT employees have the competence and training necessary for their assigned duties
2.2 IT managers have adequate knowledge and experience to fulfil their responsibilities
Focus Area 3: Management Philosophy and Operating Style
3.1 Turnover of IT department staff is low
3.2 Management provides personnel the opportunity to attend conferences and training programs on relevant topics
3.3 IT managers move carefully, proceeding only after analysing the risks and potential benefits of ventures
3.4 Key systems and data are assessed, their owners identified and areas of competence are developed
3.5 IT managers do not ignore signs of inappropriate practices
3.6 IT employees understand and accept their responsibility regarding IT security
Focus Area 4: Authority and Responsibility
4.1 IT employees are empowered, when appropriate, to correct problems or implement improvements
4.2 IT management has implemented a division of roles and responsibilities that reasonably prevents a single individual from subverting a critical process
4.3 Roles and responsibilities of the IT organisation are defined, documented and understood
Focus Area 5: Human Resources
5.1 IT management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behaviour
5.2 Screening procedures, including background checks, are employed for IT job applicants
5.3 The IT organisation has adopted and promoted the company's culture of integrity management, including ethics, business practices and human resources evaluations
5.4 Job performance is periodically evaluated and reviewed with each IT employee
TABLE 4: IT CONTROL ENVIRONMENT QUESTIONNAIRE
The ITCE draws attention to an area that has long been overlooked in traditional IT control. Whereas
the control environment and ethical behaviour have received widespread attention in operational and
financial auditing (Hubbard, 2002), they have yet to make an impression on IT auditing. Perhaps
because of this lack of interest from IT auditors, management has not focused its attention on applying
internal environment controls down to the boiler room level of its organisations. Authors have
pointed out the relevance of internal control evaluations and control self-assessments (CSAs) (Adil
Buhariwalla, 2006), and there is no reason to assume that the control environment stops at the door
of the IT department. Only a few have argued that culture can have a significant effect on IT change
management (Melançon, 2006) or information security (Chang & Lin, 2007).
The areas and control objectives in the ITCE Questionnaire can help management control their IT
departments just as they would all other departments in their organisations. IT auditors can use
the ITCE in their audit approach as a starting point for their audits. To do so, the ITCE Questionnaire
needs to be tailored to each organisation. The control objectives must be translated into control
activities that can be independently verified.
4. CONCLUSION
4.1 CONCLUSION
Companies can benefit by using a combination of hard controls and soft controls in their IT
departments, just as they would for the rest of their organisations. While management chooses
to lead its organisation in ways that work best with the particulars of that specific organisation,
IT auditors and consultants are often stuck with a 'best practice' framework.
The use of soft controls, evaluating the control environment, and assessing the organisation prior to
commencing an IT audit is as yet not part of the IT auditor’s standard approach. The case study at
XS4ALL provides strong indicators that IT auditors and control consultants should re-evaluate our
approach. By factoring in the organisational aspects we can provide actual value added audit and
advisory services.
4.2 FURTHER RESEARCH
As with any case study, this research has its limitations. As only one implementation was studied, it
is as yet unclear to what extent the model and questionnaire can be used at other organisations. The
single case study, however, does show promising results.
To adequately assess the validity of the balanced approach, the combination of soft and hard
controls in IT environments should be tested at other companies, ideally at both ends of the
spectrum, to test the validity of the scale model. This will yield valuable insight into the usability of
the scale model, and into the robustness of the IT Control Environment Questionnaire.
APPENDIX
ACKNOWLEDGEMENTS
The authors of this thesis would like to express their gratitude to all those that helped in the
development and implementation of the model. We are also very grateful to those that provided
valuable feedback on the concept of soft controls in IT auditing and control. Special thanks go to
XS4ALL, who have been bold enough to allow us to try a new form of IT assurance (and then allowed
us to tell everyone else about it).
Antoine Lucassen, Ard Niesen, Bart van Staveren, Jan Bouwsma, Jan Pieter Cornet, Jasper Dietz,
Kai Storbeck, Marcel Seunnenga, René Maatkamp, Roel van Rijsewijk, Scott McIntyre, Simon Hania,
Zing-Kyn Cheung.
BIBLIOGRAPHY
Adil Buhariwalla, C. F. (2006). The softer side of controls: a people-focused approach to controls
doesn't mean the organization is going easy on risks. Internal Auditor.
Blake, R. R., & Mouton, J. S. (1964). The Managerial Grid: Key Orientations for Achieving Production
Through People. Gulf.
Chang, S. E., & Lin, C.-S. (2007). Exploring organizational culture for information security
management. Industrial Management & Data Systems.
Edward Blunt, C. (2006). Delegating Root Authority and Auditing Activities on UNIX/Linux Systems.
Information Systems Control Journal.
Fiedler, F. E. (1967). Theory of Leadership Effectiveness. McGraw-Hill.
Friedman, T. L. (2006). The World Is Flat: A Brief History of the Twenty-First Century 2.0. Farrar, Straus
and Giroux.
Hubbard, L. D. (2002). The importance of ethics. Internal Auditor.
Huber, G. P., & Glick, W. H. (1993). Organizational Change and Redesign. Oxford University Press.
James Roth, P. C. (1998). A hard look at soft controls: Flexible, Dangerous, Essential: An Interview
with Jim Roth. Internal Auditor.
James Roth, P. C. (2004). Getting to the heart of the problem: meaningful evaluation of the control
environment is the real key to preventing financial reporting fraud. Internal Auditor.
Laudon, K. C., & Laudon, J. P. (1998). Management Information Systems. New Jersey: Prentice Hall
International Inc.
McGregor, D. (1960). The Human Side of the Enterprise. McGraw-Hill.
Melançon, D. (2006). Beyond checklists: A Socratic approach to building a sustainable change
auditing practice. Information Systems Control Journal.
Mintzberg, H. (1979). The Structuring of Organizations. Prentice Hall.
Rijsewijk, R. F. (2007). Creativity and Corporate Governance: Alternative Control Solutions for the
TMT Industry.
Simons, R. L. (1994). Levers of Control: How Managers Use Innovative Control Systems to Drive
Strategic Renewal. Harvard Business School Press.
Wickham, P. A. (1998). Strategic Entrepreneurship. Pearson Education Ltd.
TABLES AND FIGURES
Table 1: FIVE ORGANISATIONAL STRUCTURES BY MINTZBERG (p. 11)
Table 2: MCGREGOR'S THEORY X-Y (p. 13)
Table 3: COBIT DOMAINS (p. 22)
Table 4: IT CONTROL ENVIRONMENT QUESTIONNAIRE (p. 29)
Figure 1: BLAKE AND MOUTON MANAGERIAL GRID (p. 12)
Figure 2: ORGANISATIONAL THEORIES IN A TASK-PEOPLE MINDED SPECTRUM (p. 14)
Figure 3: SCALE MODEL - THEORY AND ORGANISATIONAL FACTORS COMBINED (p. 15)
Figure 4: SIMONS' LEVERS OF CONTROL (p. 18)
Figure 5: COCO: CRITERIA OF CONTROL RISK MANAGEMENT MODEL (p. 19)
Figure 6: BASIC COBIT PRINCIPLE (p. 21)
Figure 7: COMPLETE SCALE MODEL (p. 22)
Figure 8: SCALE MODEL APPLIED TO XS4ALL (p. 27)
Figure 9: ITCE QUESTIONNAIRE FOCUS AREAS (p. 28)
ENDNOTES
i Control Objectives for Information Technology, an IT governance framework developed and maintained by the
Information Technology Governance Institute (ITGI).
ii The Contingency Viewpoint originated in the early 1960s, and used a diagnostic approach to management
issues. No longer should there be 'one best way'; instead, managers were encouraged to analyse and
understand situational differences before choosing the best solution for any given problem. The solution
should be suited to the firm, the process, and the individual in each situation (Huber & Glick, 1993).
iii The BASEL II accord is a recommendation on banking laws, to be used by banking regulators. Basel II uses a
"three pillars" concept – (1) minimum capital requirements (addressing risk), (2) supervisory review and (3)
market discipline – to promote greater stability in the financial system.
iv The Sarbanes-Oxley Act of 2002 established new or enhanced standards for all U.S. public company boards,
management, and public accounting firms, in response to a number of major corporate and accounting
scandals.
v Any company listed on the New York Stock Exchange must comply with the SEC regulations, among which the
Sarbanes-Oxley legislation.
vi The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued several internal
control frameworks to help businesses and other entities assess and enhance their internal control systems.
The frameworks have since been incorporated into policy, rule, and regulation, and used by thousands of
enterprises to better control their activities in moving toward achievement of their established objectives.
vii Internal Control over Financial Reporting – Guidance for Smaller Public Companies was released in 2006 to
help smaller organizations improve their internal control systems, while taking into account their limited
possibilities to implement large scale (COSO ERM) internal control systems.
viii Quote adapted from Roel van Rijsewijk.
ix http://www.xs4all.nl/overxs4all/feiten/index.php
Cover art by Capgros, distributed through www.sxc.hu. The image portrays a scale to be used for small weights,
such as the depicted 5 Lire coin.