"Intelligent Internal Control and Risk Management", Matthew Leitch,
2008, 978-0-566-08799-8, U$144.95
%A Matthew Leitch
%C Gower House, Croft Rd, Aldershot, Hampshire, GU11 3HR, England
%G 978-0-566-08799-8 0-566-08799-5
%I Gower Publishing Limited
%O U$114.95 www.gowerpub.com
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 253 p.
%T "Intelligent Internal Control and Risk Management"

The introduction indicates that this book is written from the risk
management perspective of the financial services industry, with a
concentration on Sarbanes-Oxley, COSO, and related frameworks. There
is an implication that the emphasis is on designing new controls.

Part one, "The Bigger Picture," provides a history of risk management
and internal controls. Chapter one asks how much improvement is
possible through additional controls. The author's statement that
"[w]hen an auditor, especially an external auditor, recommends an
improvement control it is usually with little concern for the cost of
implementing or operating that control [or improved value]. The
auditor wants to feel 'covered' by having recommended something in the
face of a risk that exists, at least in theory" is one that is
familiar to anyone in the security field. Leitch goes on to note that
there is a disparity between providing real value and revenue
assurance, and the intent of this work is to increase the value of
business risk controls. The benefits of trying quality management
techniques, as well as those of quantitative risk management, are
promoted in chapter two. Chapter three appears to be a collection of
somewhat random thoughts on risk. Psychological factors in assessing
risk, and the fact that controls have to be stark enough to make
people aware of upcoming dangers, are discussed in chapter four.

Part two turns to a large set of controls, and examines when to use
them, and when not to. Chapter five introduces the list, arrangement,
and structure. Controls that generate other controls (frequently
management processes) are reviewed in chapter six. For each control
there is a title, example, statement of need, opening thesis,
discussion, closing recommendation, and summary relating to other
controls. Most are one to three pages in length. Audit and
monitoring controls are dealt with in chapter seven. Adaptation is
the topic of chapter eight. (There is a longer lead-in discussion to
these controls, since, inherently, they deal with change, to which
people, business, and control processes are highly resistant.)
Chapter nine notes issues of protection and reliability. The
corrective controls in chapter ten are conceptually related to those
in chapter seven.

Part three looks at change for improvement, rather than just for the
sake of change. Chapter eleven suggests means of promoting good
behaviours. A Risk and Uncertainty Management Assessment (RUMA) tool
is presented in chapter twelve, but, frankly, I can't see that it goes
beyond thinking out alternative courses of action. Barriers to
improvement are noted in chapter thirteen. Roles in the organization,
and their relation to risk management, are outlined in chapter
fourteen. Chapter fifteen examines the special needs for innovative
projects. Ways to address restrictive ideology are mentioned in
chapter sixteen. Seven areas that Leitch advises should be explored
conclude the book in chapter seventeen.

A number of interesting ideas are presented for consideration in
regard to the choice and design of controls. However, the text is not
a guidebook for producing actual control systems.

copyright, Robert M. Slade 2013 BKIICARM.RVW 20121210