REVIEW: “Intelligent Internal Control and Risk Management”, Matthew Leitch
“Intelligent Internal Control and Risk Management”, Matthew Leitch, 2008, 978-0-566-08799-8, U$144.95
%A Matthew Leitch
%C Gower House, Croft Rd, Aldershot, Hampshire, GU11 3HR, England
%G 978-0-566-08799-8 0-566-08799-5
%I Gower Publishing Limited
%O U$114.95 www.gowerpub.com
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 253 p.
%T “Intelligent Internal Control and Risk Management”
The introduction indicates that this book is written from the risk management perspective of the financial services industry, with a concentration on Sarbanes-Oxley, COSO, and related frameworks. There is an implication that the emphasis is on designing new controls.
Part one, “The Bigger Picture,” provides a history of risk management and internal controls. Chapter one asks how much improvement is possible through additional controls. The author’s statement that “[w]hen an auditor, especially an external auditor, recommends an improvement control it is usually with little concern for the cost of implementing or operating that control [or improved value]. The auditor wants to feel `covered’ by having recommended something in the face of a risk that exists, at least in theory” will be familiar to anyone in the security field. Leitch goes on to note the disparity between providing real value and revenue assurance, and the stated intent of this work is to increase the value of business risk controls. Chapter two promotes the benefits of trying quality management techniques, as well as those of quantitative risk management. Chapter three appears to be a collection of somewhat random thoughts on risk. Chapter four discusses psychological factors in assessing risk, and the fact that controls have to be stark enough to make people aware of upcoming dangers.
Part two turns to a large set of controls, and examines when to use them and when not to. Chapter five introduces the list, its arrangement, and its structure. Controls that generate other controls (frequently management processes) are reviewed in chapter six. Each control is presented with a title, an example, a statement of need, an opening thesis, discussion, a closing recommendation, and a summary relating it to other controls; most entries run one to three pages. Audit and monitoring controls are dealt with in chapter seven. Adaptation is the topic of chapter eight; there is a longer lead-in discussion to these controls, since they inherently deal with change, to which people, businesses, and control processes are highly resistant. Chapter nine notes issues of protection and reliability. The corrective controls in chapter ten are conceptually related to those in chapter seven.
Part three looks at change for improvement, rather than just for the sake of change. Chapter eleven suggests means of promoting good behaviours. A Risk and Uncertainty Management Assessment (RUMA) tool is presented in chapter twelve, but, frankly, I can’t see that it goes beyond thinking out alternative courses of action. Barriers to improvement are noted in chapter thirteen. Roles in the organization, and their relation to risk management, are outlined in chapter fourteen. Chapter fifteen examines the special needs for innovative projects. Ways to address restrictive ideology are mentioned in chapter sixteen. Seven areas that Leitch advises should be explored conclude the book in chapter seventeen.
A number of interesting ideas are presented for consideration in regard to the choice and design of controls. However, the text is not a guidebook for producing actual control systems.
copyright, Robert M. Slade 2013 BKIICARM.RVW 20121210