Internal Audit
Knowledge Elements
HOCK international books are licensed only for individual use and may not be
lent, copied, sold, or otherwise distributed without permission directly from
HOCK international.
If you did not download this book directly from HOCK international, it is not a
genuine HOCK book. Using genuine HOCK books assures that you have complete,
accurate and up-to-date materials. Books from unauthorized sources are likely outdated
and will not include access to our online study materials or access to HOCK teachers.
Part 3
Volume 1: Sections A-F
Internal Audit
Knowledge Elements
www.hockinternational.com
cia@hockinternational.com
Acknowledgements
The authors would like to thank the Institute of Certified Management Accountants for permission to use
questions and problems from past CMA Exams. The questions and unofficial answers are copyrighted by the
Institute of Certified Management Accountants and have been used here with their permission.
The authors also wish to thank the IT Governance Institute for permission to make use
of concepts from the publication Control Objectives for Information and related
Technology (COBIT) 3rd Edition, © 2000, IT Governance Institute, www.itgi.org.
Reproduction without permission is not permitted.
No part of this work may be used, transmitted, reproduced or sold in any form or by any
means without prior written permission from HOCK international, LLC.
ISBN: 978-1-934494-87-5
Thanks
The authors would like to thank the following people for their assistance in the
production of this material:
Editorial Notes
Table of Contents
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. i
Exam Introduction
The CIA Part 3 exam, Internal Audit Knowledge Elements, is 120 minutes (2 hours) long and consists of
100 multiple-choice questions. For more information about the exams, visit the IIA’s website
(www.theiia.org).
• Proficiency: Candidates must exhibit thorough understanding and ability to apply concepts.
In preparing for the exam, you need to read the textbook and use the ExamSuccess software with questions
from past exams. Many of the exam topics are very large and by studying past exam questions you can get a
feeling for the manner and depth to which a topic has been tested.
Note: All information in Part 3 is tested at the awareness level unless otherwise indicated.
Section A – Governance and Business Ethics
This section begins with a look at the principles behind good corporate governance and then discusses
what it means for corporations to be socially responsible.
Corporate Governance
The purpose of corporate governance is to facilitate effective, entrepreneurial, and prudent management
that can deliver long-term success to the company. “Long-term success” suggests that the company is able to
achieve its objectives in a manner that is acceptable to the cultural environment in which it operates. In this
respect, companies need to be responsible corporate entities.
This topic is tested at a proficiency level, which means students must know the basic principles of corporate
governance and be able to identify the situations where good corporate governance is not being practiced.
This section makes up only 5–15% of the exam, so it should not be a primary focus of study. Many questions
can be answered through common sense and from your own experience as an internal auditor. It is
recommended that you read through the material, understand the general concepts, and use ExamSuccess to
become familiar with what has been asked in the past.
Corporate Governance Principles
The internal audit activity must assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:
• Communicating risk and control information to appropriate areas of the organization, and
• Coordinating the activities of and communicating information among the board, external and internal
auditors and management.
Corporate governance has always been an important topic for shareholders, management, and the board. But
why is good governance necessary? It is not just necessary; it is an absolute necessity. If the spectacular
corporate failures of the past decades are any indication, the lack of appropriate, robust, ethical corporate
governance can have considerable, long-lasting, negative consequences. Indeed, governance decisions create
a ripple effect that begins in the boardroom and extends outward to management, employees, shareholders,
customers, and, in some dramatic instances, to the general health and well-being of a country’s economy.
Some governance decisions can even have global economic implications. It is important to remember that
governance does not exist merely as a set of distinct and separate processes and structures. Rather, it is
interconnected with the company’s internal control and risk management.
Defining Governance
The International Standards for the Professional Practice of Internal Auditing defines governance as “the
combination of processes and structures implemented by the board to inform, direct, manage, and monitor
the activities of the organization toward the achievement of its objectives.” Because governance is such an
important global issue, there have been many governance models published by legal and regulatory bodies.
For example, the Organization for Economic Cooperation and Development (OECD) defines governance as:
a set of relationships between a company’s management, its board, its shareholders, and other
stakeholders. Corporate governance provides the structure through which the objectives of the
company are set and the means of attaining those objectives and monitoring performance are
determined.
The UK Corporate Governance Code (formerly the Combined Code) has its own definition: “corporate
governance is the system by which companies are directed and controlled.” The Code goes on to say:
The boards of directors are responsible for the governance of their companies. The shareholders’ role
in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate
governance structure is in place. The responsibilities of the board include setting the company’s
strategic aims, providing the leadership to put them into effect, supervising the management of the
business and reporting to shareholders on their stewardship. The board’s actions are subject to laws,
regulations and the shareholders in general meeting.
1) Interaction. Sound governance requires effective interaction among the board, management, the
external auditor, and the internal auditor.
2) Board Purpose. The board of directors should understand that its purpose is to protect the interests
of the corporation’s stockholders, while considering the interests of other stakeholders (such as creditors
and employees).
3) Board Responsibilities. The board’s major areas of responsibility should be monitoring the CEO,
overseeing the corporation’s strategy, and monitoring risks and the corporation’s control system. Directors
should employ a healthy skepticism in meeting these responsibilities.
4) Independence. The major stock exchanges define an “independent” director as one who has no
professional or personal ties (either current or former) to the corporation or its management other
than service as a director. The majority of directors should be independent in both fact and appearance
to promote arm’s-length oversight.
5) Expertise. Directors should possess relevant industry, company, functional area, and governance
expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should
receive detailed orientation and continuing education to assure that they achieve and maintain the
necessary level of expertise.
6) Meetings and Information. The board should meet frequently, for extended periods of time, and
it should have access to the information and personnel it needs to perform its duties.
8) Disclosure. Proxy statements and other board communications should reflect board activities and
transactions (such as insider trades) in a transparent and timely manner.
9) Committees. The nominating, compensation, and audit committees of the board should be composed
only of independent directors.
10) Internal Audit. All public companies should maintain an effective, full-time internal audit function
that reports directly to the audit committee.
Because every organization is different, the amount of necessary governance oversight depends on:
• The type of organization. For example, is the organization for-profit or non-profit? Is it publicly
traded or private? Is it an association, government, or quasi-government entity? Is it an academic
institution, a private institution, or a stock exchange (such as the New York Stock Exchange or the London
Stock Exchange)?
• The size and complexity of the organization. For example, smaller companies may judge that
some of the provisions mentioned above are disproportionate and less relevant to their situation.
[Diagram: Effective Governance at the center, linked to the Board, Management, External Audit, and Internal Audit.]
In addition to these basic principles, companies have to make sure that inappropriate and unethical behavior
is not tolerated. Successful companies foster a culture of integrity, which is dependent on the so-called “tone
at the top,” and this environment is put in place by the board, top management, and the audit committee.
Based on this interconnectedness, internal auditing plays an important role in assessing and improving an
organization’s governance processes.
Based on the principles outlined in PA 2110-2, the chief audit executive (CAE) should consider these
relationships when planning an assessment of an organization’s governance processes. The following should
be considered:
• An audit should address those controls in governance processes that are designed to prevent or
detect events that could have a negative impact on the achievement of organizational strategies,
goals, and objectives; operational efficiency and effectiveness; financial reporting; or compliance
with applicable laws and regulations.
• Controls within governance processes are often significant in managing multiple risks across the
organization. For example, controls around the code of conduct may be relied upon to manage compliance
risks, fraud risks, and other related topics. This aggregation effect should be considered
when developing the scope of an audit of governance processes.
• If other audits assess controls in governance processes (such as audits of control over financial
reporting, risk management processes, or compliance), the auditor should consider relying on the
results of those audits.
Corporate Social Responsibility
Furthermore, CSR means that, in addition to being responsible to its shareholders, corporations are also
responsible to the general public and other stakeholder groups.
Note: Stakeholders are any group or persons that can affect or be affected by the achievement of an
organization’s objectives. It is a bi-directional relationship. Each stakeholder group has different expectations
about what it wants and different claims upon the organization.
5) A company should do what it can to sustain the environment for future generations. This could take
the form of:
• Developing a sustainable business whereby all the resources used by the company are replenished.
• Reducing reliance on non-renewable, polluting energy (such as fossil fuels) and increasing the
use of renewable energy (such as water or wind).
Archie B. Carroll writes that there are four ascending levels of social responsibility, diagrammed below:¹
[Diagram: Carroll’s pyramid of social responsibility, from the base upward]
• Economic responsibilities: Be profitable. The foundation upon which all others rest.
• Legal responsibilities: Obey the law. Law is society’s codification of right and wrong. Play by the rules of
the game.
• Ethical responsibilities: Be ethical. Obligation to do what is right, just, and fair. Avoid harm.
• Philanthropic responsibilities: Be a good corporate citizen. Contribute resources to the community;
improve quality of life.
• Ethical responsibilities: Apart from compliance with legal requirements, companies should act in a
fair and just way, even if the law does not compel them to do so.
• Legal responsibilities: Companies have an obligation to respect prevailing moral views as expressed
in legislative codes. Obeying these laws must be the foundation of an organization’s
compliance with social responsibilities.
Carroll clarifies that the lower levels should be generally addressed first, although true responsibility can only
be demonstrated with reference to all four.
1 Corporate Social Responsibility: Evolution of Definitional Construct (1999).
Corporate Citizenship
A term often connected with corporate social responsibility is corporate citizenship. As defined by the
Boston Center for Corporate Citizenship, corporate citizenship is:
a business strategy that shapes the values underpinning a company’s mission and the choices made
each day by its executives, managers and employees as they engage with society. Three core
principles define the essence of corporate citizenship, and every company should apply them in a
manner appropriate to its distinct needs: minimizing harm, maximizing benefit, and being accountable
and responsive to stakeholders.
On the other hand, supporters of corporate citizenship and corporate social responsibility highlight inequalities
of resource distribution in society and the limitations of traditional accounting methods as the reasons for
needing such altruistic behaviors. For example, advocates for corporate citizenship and CSR believe that
making organizations more transparent to shareholders and stakeholders (for example, through reporting) is
a pathway to maximum economic growth and maximum social welfare.
Section B – Risk Management
There are two primary topics covered in this section: risk management techniques and organizational
use of risk frameworks.
Note: The topic of risk management has been gaining importance in the past couple of decades as a result
of both individual company failings and larger market-wide failings in the economy. To some extent, recent
corporate failings were the result of organizations not properly managing their risks. As a result,
organizations ended up taking on more risk than they had thought they were, and when the financial
markets started to move against them the value of their assets plummeted.
This section makes up 10–20% of the exam, so it is an important topic to study thoroughly. However, as with
Section A, many questions can be answered through common sense and from your own experience as an
internal auditor. It is recommended that you read through the material, understand the general concepts, and
use ExamSuccess to become familiar with what has been asked in the past.
Risk Management Techniques
• Risk is the probability that some future event or action could adversely impact the organization. Risk
is measured in terms of both the impact (in dollars) and the likelihood (probability) of the event occurring.
• Risk Assessment is the systematic process of assessing and integrating professional judgment
about probable adverse conditions and/or events. The risk assessment process should provide a
means of organizing and integrating professional judgments in order to develop the audit work
schedule. The CAE should generally assign higher audit priorities to activities with higher risks.³
Every entity faces a variety of risks from external and internal sources that must be assessed.
A pre-condition to risk assessment is establishment of objectives, linked at different
levels and internally consistent. Risk Assessment is the identification and analysis of relevant
risks to achievement of objectives, forming a basis for determining how the risks
should be managed. Because economic, industry, regulatory and operating conditions will
continue to change, mechanisms are needed to identify and deal with the special risks associated
with change.⁴
The benefit an organization receives from implementing a risk management process will, to some extent,
depend on the industry the organization operates in. However, organizations can derive the following benefits
as a result of prudent risk management:
• Increased shareholder value (because risk management minimizes losses and maximizes opportunities)
• Fewer disruptions, shocks, and unwelcome surprises to the operations of the business
• Employees, stakeholders, and governing and regulatory bodies have increased confidence in the
organization
• More effective strategic planning
• Better cost control
• Quick assessment and grasp of new opportunities
• More complete contingency planning
• Improved ability to meet objectives and achieve opportunities
• Quicker response to opportunities
In order for an organization to implement a risk management process, it first has to determine the amount of
risk it is willing and able to take on. The level of willingness and ability to take on risk is referred to as risk
appetite.
2 IIA’s Standards Glossary, pg. 21.
3 SIAS No. 9 – Risk Assessment 520.04.10.
4 COSO, Internal Control-Integrated Framework, Executive Summary, pg. 3.
Risk Appetite
Risk appetite reflects the level of risk a company can optimally handle, given its capabilities and the
expectation of its various stakeholders (such as vendors and creditors).
Searching the Internet for the term “risk appetite” reveals a number of relevant definitions:
• COSO’s ERM framework: “The amount of risk an entity is willing to accept in pursuit of value.”
• The Institute of Internal Auditors (from January 2009): “The level of risk that an organization is willing to
accept.”
• ISO 31000:2009/ISO Guide 73:2009: “Amount of risk that an organization is willing to pursue or retain or
take.” ISO 31000:2009 does not actually use the term “risk appetite” but instead focuses on “risk attitude”
and “risk criteria.”
• Society of Actuaries ERM Symposium (from April 2010): “The level of risk that company management
deems to be acceptable in pursuit of overall financial and solvency goals.”
• HM Treasury’s Orange Book: “The amount of risk which is judged to be tolerable and justifiable.”
A company’s risk appetite reveals a great deal about its culture because the level of risk a company is willing
to take on is a corporate-level decision. The degree of risk that a company, department, or division should
take on is very much a matter of perspective. For example, equity investors seek a return on their equity
investment, so they would be willing to take on greater levels of risk than a rating agency scrutinizing a
company’s default risk.
Management must consider and balance the many different views and risk factors, with the final decisions
being made at the corporate-level (that is, incorporating a top-down approach). Balancing risk appetite and
control is not easy, but it is a process that companies need to perfect if they are to succeed. For example, if a
financial institution is actively involved with complex financial instruments (such as forward contracts, futures,
options, or swaps), all relevant stakeholders need to know whether or not the company’s directors understand
the function of these instruments and the reasons why the company is involved in them. Understanding a
company’s risk appetite is useful for ascertaining the goal congruence between the wishes of the board and
the actions of management.
[Diagram: Risk capacity (the limit of risk that can be taken by the organization) bounds the risk appetite,
which is broken down into risk categories tailored for each business unit: Business, Credit, Market,
Operational, Liquidity, Other.]
As this diagram indicates, a company must first determine its risk capacity in order to decide its risk appetite.
Simply put, risk capacity is the absolute limit a company is willing to lose without bankrupting itself. Once a
company gauges its risk capacity, it can ascertain how much it is willing and able to lose (that is, its risk
appetite). As the diagram indicates, risk appetite must be set within the limits of risk capacity. Once risk
capacity and appetite are established, risk tolerance represents the actual level of risk a company is able to
bear, given certain specific risk factors (see risk categories). For example, if a company extends credit to its
customers, then the company exposes itself to credit risk (that is, the risk that the customer will default).
Given such possibilities, the company has to be completely clear about the amount of debt it can tolerate.
The range of attitudes that businesses have towards risk can be shown in the Risk Continuum diagram
(shown below). The left-hand side indicates businesses that are averse to taking on risk and whose strategies
are therefore designed to avoid risk. On the right-hand side are businesses that actively seek out and accept
risks. The ends of the diagram represent two extreme conditions, and most companies situate their place on
the continuum somewhere in between these polar opposites.
[Diagram: Risk Continuum, from Risk averse (left) to Risk seeking (right).]
No matter where a business situates itself on this continuum, it should be concerned about reducing risk
without eliminating it completely. The function of risk appetite in this regard is to show the business where it
is on this continuum: either on the left (risk averse) or to the right (risk seeker). It is important to consider
risk appetite when business strategies are being formulated and developed;⁵ in fact, business strategy and
risk appetite are so intertwined that both must be considered together.
To illustrate the considerations relevant to the adoption of a high-risk-seeking strategy, consider the example
of a defense contractor dealing in computer software protection. This contractor decides to direct all corporate
resources to a single product: a new software program to protect highly classified defense information from
viruses and hackers. Through appropriate due diligence, it is determined that a successful bid will result in an
extremely profitable windfall for the company. In addition, however, the tremendous investment of time and
resources means that failure to secure the government contract will unavoidably result in bankruptcy. Clearly,
this strategy represents a high level of risk appetite. Therefore, before moving forward on this decision the
board must meet, consider all pertinent angles, and sign off on the plan, thus indicating their acknowledgement
and acceptance of the risk-seeking strategy. It is also possible that investors may approve this
approach by increasing the value of the company’s stock; conversely, they may punish the company by
selling off shares. Either way, the direction of investor activity greatly depends on their own assessment of
the company’s position on the risk continuum. From this example, it is clear that the choice of risk appetite
influences all levels of the company’s structure.
• The company’s position in the business-development life cycle. A company’s position in its life
cycle should exert a strong influence on its risk appetite. A company in the start-up phase will often
require a high risk appetite (indeed, 50% of US companies fail within their first five years). If a company
survives the start-up phase and moves into the growth stage, it will need tighter controls to
manage risk. Companies in this stage might establish an internal control function to oversee control
and risk processes. Once companies enter the maturity stage, sales generally level off, which
means that the focus switches to controlling cost, which can be done by taking advantage of increased
productivity gains (perhaps through expanding overseas or developing other types of
products).
• The viewpoints of the major stakeholders, including the company’s major shareholders, bondholders,
lenders, analysts, and many others. Each one of these stakeholders might have a different
opinion as to how much risk the company should be willing to take on. For example, shareholders
who are looking for higher returns might press a company to take greater risks; however, the bank
that lent the company money would probably prefer that the company limit its risk-taking.
5 COSO, Enterprise Risk Management – Integrated Framework, Understanding and Communicating Risk Appetite, pg. 4.
Whether a particular stakeholder’s viewpoint is taken into account will depend on how much influence
or power the stakeholder has over the company. For example, if a bank lends a company a
substantial amount of money, then the bank will have a strong interest in the company’s continued
existence. If the bank feels that the company is taking unnecessary risks, then it could be in a position
to voice its concerns to management and to the board; the level of concern the bank expresses
would be directly proportional to the amount it has invested (that is, more investment, greater
concern). In addition, the likelihood that the bank’s concerns will influence company policy also rises
in proportion to the bank’s level of investment (that is, more investment means more influence).
• Accounting factors, such as the volume of transactions, the complexity of the accounting system,
changing rules and regulations, and so forth.
• External factors, such as changing economic considerations, changes in the industry, changes in
technology, and so forth. For example, if an economy in which a company operates is going through
a recession, the company may decide that a larger bad-debt provision would be appropriate to take
into account the possibility of more consumer bad debt. Or if an industry comes under more scrutiny
because of environmental issues, the company might also decide that it needs a provision for
environmental contamination.
• Governmental restrictions. Depending on the industry, governments can dictate the level of risk a
company is able to take on. Industries such as insurance and banking are generally more regulated
and more restricted than other companies because they are responsible for and have a liability to
the public’s money.
• Entity-level factors, such as the quantity and quality of hired personnel, quantity and quality of
training courses, disruptions in information-system processing, changes in the organization’s
structure, and changes in key personnel.
Risk-taking, particularly in the business environment, is a subject that is closely connected to cultural
practices and beliefs, and therefore management should carefully study and understand the regional attitudes
about risk-taking before implementing a particular set of objectives and the methods for achieving these
objectives. By gaining an understanding of risk-taking attitudes in the overseas culture, a company has much
to gain. Foremost, a company can cultivate strong ties with employees and business associates. Second,
potential pitfalls (such as unintentional offense or misunderstandings) can be avoided. Third, a culture-
sensitive company can derive an advantage over its less-aware competitors by demonstrating a willingness
to take the local culture into account.
That said, it is not necessary for a company to remove all ties to the “home” culture, since doing so might
very well jeopardize the identity that makes a company distinct among its competitors (and risk-taking
strategies are certainly an important component of a company’s identity). Striking the right balance between
the organization’s “home” culture and other nations’ culture is a delicate but rewarding process. Toward this
goal, cross-cultural training (such as through consultants or retreats) is an effective means of creating
inter-cultural dialogue, communicating company goals, and addressing and bridging cultural differences.
Formalizing risk appetite means putting it in writing so that there is little confusion about the board and
management’s attitude toward risk. Indeed, formalizing risk appetite improves communication between all
those who oversee risk management. Generally speaking, the larger and more complex an organization is,
the more formalized its policies and procedures should be regarding risk appetite. For example, large financial
services companies (such as Citibank, Bank of America, BNP Paribas, ING, HSBC and others) can be expected
to have highly detailed risk-appetite statements, whereas a small or mid-sized company might have a risk-
appetite statement no more than a sentence or two. For example, a short risk-appetite statement may be “no
project investment should be greater than 20% of company’s net assets” or “IFRS earnings should not be
negatively affected by more than 50% of its forecasted earnings.”
Risk appetite can be expressed either quantitatively (numerically) or qualitatively. The following are
examples of quantitatively expressed risk appetite:
• Solvency. A company does not want to lose more than a defined amount of its capital, so that it can
remain a going concern following an extreme-loss event or a combination of extreme-loss events.
• Capital coverage. A company requires that its capital be sufficient to cover a multiple of the amount
of capital needed to absorb a loss of a certain magnitude (for example, a 1-in-100-year event).
• Earnings. A company does not want to lose more than a defined percentage or multiple of annual net
income.
• Company value. A company wants to assume the amount and kinds of risk that maximize company
value (that is, the risk-adjusted present value of future cash flows).
There may be aspects of risk that simply cannot be measured quantitatively, but regardless of the measurement
limitations, the risk still has to be identified. In such cases, "risk preferences" can be used to determine and
establish risk appetite. Risk preferences define certain risks that the company does not want to accept, such
as investing in subprime mortgages or taking out variable-annuity loans.
Once a company understands its risk appetite, it can start developing its risk management process.
Section B – Organizational Use of Risk Frameworks
One of the main ways of managing operational risk is through properly developed and implemented internal
controls. Additionally, monitoring business processes and a continuous review of both the processes and the
personnel in the company are a part of the process of managing operational risks.
The following is a list of ways that a company can manage its financial risk:
• Forward contracts and options hedge the risk of foreign currency value fluctuations or fair value fluctuations
• Specific investment policies can be used to invest in short-term and long-term investments
A risk map is a visual depiction of the relative risks. For the different events, the likelihood of the event
happening is on the horizontal or x-axis and the level of impact is on the vertical or y-axis. This visualization
identifies the risks that are more likely to occur and that have a greater monetary amount at risk should the
event occur.
Risk map: likelihood (%) runs along the horizontal axis from Remote to Likely, and impact runs along the
vertical axis from Minor to Critical, giving four zones:
• Remote likelihood, Minor impact – ACCEPT. Risks are considered not to be significant. The cost of dealing with the risks
• Likely, Minor impact – REDUCE. This is an area where management should take immediate action to reduce the frequency of losses.
• Remote likelihood, Critical impact – TRANSFER. Risks in this area should be transferred or minimized.
• Likely, Critical impact – AVOID. Need to take immediate action to reduce the impact or
Analyzing Results
The nearer a risk is to the bottom right-hand corner (the dark red zone), the more important the risk
is to the company. Thus, the company should spend most of its energy on analyzing, evaluating, and dealing
with these risks. On the other hand, the nearer a risk is to the upper left-hand corner (the yellow zone),
the less significant it is, and the company neither has to nor should take action to lessen it. In such
cases, the company is willing to take on the risk that an undesirable event could occur.
Responses to Risks
The above diagram identifies four different ways that companies can respond to risks:
1) Transfer the risk. To transfer risk, a company might purchase insurance against the possibility of a
natural disaster or theft. Another example of transferring risk is the use of derivatives to hedge
against possible changes in commodity prices, interest rates, or currency exchange rates. Transferring
risk may also be done without insurance, as it may be included in the contract between the involved
parties.
Note: Risk retention is connected to risk transfer. It is the portion of risk not covered by insurance
or by the hedge, such as a deductible amount that must be paid before any losses are reimbursed.
2) Accept the risk. If a company believes that the cost of dealing with a risk does not outweigh its
benefits, it might decide to accept the risk. However, when accepting a risk, a company still needs
to keep the risk under review in case it becomes more significant.
3) Reduce the risk. In this situation, the company believes that it can put in place the controls necessary
to lessen or mitigate the risk. Experience has shown that, through careful oversight, many risks can be
reduced. For example, if a company has a petty cash account and believes that the most at stake is
$200, it could lessen the risk of theft by having an independent verifier perform an occasional
inspection of the balance.
4) Avoid the risk. To avoid a risk is to eliminate it if it is judged too great for the company to bear.
For example, if the company produces a product that is highly controversial, it could decide to avoid
the risk by ceasing to produce the product.
Note: Use the acronym TARA (Transfer, Accept, Reduce, or Avoid) to remember the responses to risks.
Question 1: When the likelihood of loss is high and the amount of risk is high, the most appropriate risk
response would probably be
b) Reducing the risk by trying to minimize the loss that might occur.
d) Accepting the risk, since the cost of reducing the risk is greater than the potential benefits.
(HOCK)
Value at Risk
Value at Risk (VaR) measures the potential loss in value of a risky asset or event over a defined period for a
given confidence level. VaR is based on the assumption that the possible outcomes of the event are
represented by a normal distribution.
With a normal distribution, 95% of the results will lie within 1.96 standard deviations of the mean and 99% of
the results will lie within 2.57 standard deviations of the mean. However, VaR focuses on downside risk,
meaning that, with respect to a 95% confidence level, the main concern is the 5% risk that the loss will
exceed a given amount. For example, if the VaR on an asset is $100 million at a one-week, 95% confidence
level, there is only a 5% chance that the value of the asset will drop by more than $100 million over any given
week.
VaR = kσ√N
Where k is the number of standard deviations corresponding to the chosen confidence level, σ is the standard
deviation (for one period), and N is the number of periods over which the VaR is calculated.
Example: The annual cash flows from a project are expected to follow a normal distribution with a mean
of $50,000 and a standard deviation of $10,000. The project has a ten-year life. What is the project VaR (or
PVaR)?
The PVaR that takes into account the entire project life is:
Therefore, the project's value should fall by no more than $52,019 over the ten-year period, given a
confidence level of 95%.
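As an added illustration (the editor's code, not part of the HOCK text), the Python below computes VaR = kσ√N and reproduces the $52,019 figure. Note that $52,019 corresponds to k = 1.645, the one-tailed 95% z-value; the 1.96 quoted above bounds both tails of a 95% interval and would give about $61,981. Function names are my own, and `statistics.NormalDist` needs Python 3.8 or later.

```python
from math import sqrt
from statistics import NormalDist
from typing import Optional

_STD_NORMAL = NormalDist()  # standard normal: mean 0, standard deviation 1


def z_for_confidence(confidence: float, one_tailed: bool = True) -> float:
    """Return k, the number of standard deviations for a confidence level.

    VaR is a downside measure: a 95% VaR asks where losses are exceeded
    only 5% of the time, so the one-tailed quantile (about 1.645) applies.
    The two-tailed 95% figure (1.96) splits the 5% between both tails and
    would overstate the VaR.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    tail = 1.0 - confidence
    if not one_tailed:
        tail /= 2.0  # half of the excluded probability sits in each tail
    return _STD_NORMAL.inv_cdf(1.0 - tail)


def value_at_risk(sigma: float, periods: int, k: float) -> float:
    """VaR = k * sigma * sqrt(N): sigma is the one-period standard deviation,
    N the number of periods, k the z-value for the confidence level."""
    if sigma < 0:
        raise ValueError("sigma cannot be negative")
    if periods < 1:
        raise ValueError("periods must be at least 1")
    return k * sigma * sqrt(periods)


def project_var(annual_sigma: float, years: int, confidence: float = 0.95,
                k: Optional[float] = None) -> float:
    """Project VaR (PVaR) over the whole project life.

    k may be given explicitly (the text's result uses the rounded 1.645);
    otherwise it is derived from the confidence level, one-tailed.
    """
    if k is None:
        k = z_for_confidence(confidence)
    return value_at_risk(annual_sigma, years, k)


def prob_loss_exceeds(threshold: float, sigma: float, periods: int) -> float:
    """Probability that the loss exceeds `threshold` under the normal model.
    A sanity check: evaluated at the VaR itself this equals 1 - confidence."""
    scale = sigma * sqrt(periods)
    return 1.0 - _STD_NORMAL.cdf(threshold / scale)


if __name__ == "__main__":
    # The text's example: sigma = $10,000 per year, ten-year life, 95%.
    print(f"k (one-tailed 95%):  {z_for_confidence(0.95):.4f}")
    print(f"k (two-tailed 95%):  {z_for_confidence(0.95, one_tailed=False):.4f}")
    print(f"PVaR with k=1.645:   ${project_var(10_000, 10, k=1.645):,.0f}")
    print(f"PVaR with exact k:   ${project_var(10_000, 10):,.0f}")
    print(f"P(loss > PVaR):      {prob_loss_exceeds(52_019, 10_000, 10):.3f}")
```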
Earnings at Risk
This measures the confidence interval for the fall in earnings during a specific period.
Earnings Distributions
This is a graphical representation of the probability of a level of return and the level of return itself.
Question 2: The measure that provides a quantitative measure of the accuracy of the potential financial
loss is
a) Residual risk
b) Inherent risk
c) Risk ranking
d) Value at Risk
(HOCK)
Section C – Organizational Structure/Business Processes and Risk
• Business process analysis. Business process analysis is a system of analyzing a company's operational
plans and business strategies so that improvements can be achieved. The important analysis techniques
included in this section are workflow analysis, theory of constraints, variance analysis, and value
chain analysis.
• E-commerce. E-commerce has had a significant impact on the way companies do business. Two
applications associated with e-commerce are electronic data interchange (EDI) and electronic funds
transfer (EFT).
• International Organization for Standardization (ISO) framework. The ISO framework is a set of
standards that provides rules for evaluating the quality of a company's operations. The primary aim of
the ISO framework is to provide assurance to customers and suppliers that a company's products are
made, or its services are delivered, in a way that meets ISO's standards for quality.
• Outsourcing business processes. Businesses should concentrate their efforts on those activities that
are crucial to their competitive advantage. Activities that are not critical can be outsourced. It is
possible that through outsourcing the business can save money and thus be more competitive.
It is recommended that you read through the material, understand the general concepts, and use
ExamSuccess to become familiar with what has been asked in the past.
Control Implications of Different Organizational Structures
Besides the unity of objectives, the relationships between the individuals, groups, and departments need to
be considered as well. These relationships are to varying degrees based upon authority, responsibility, and
accountability.
• Authority is the right to direct the performance of others. This includes the right to describe the
means and methods by which the work will be performed.
• Responsibility is the obligation a person has to perform. Under the classical approach this comes
from the superior and is part of every job.
Note: Even when responsibility is delegated downward, the person who did the delegating is still
ultimately responsible for the task that has been delegated. This final responsibility cannot be delegated.
Listed below are some of the different types of organizations and different elements of the relationships within
an organization.
• Complexity
• Formalization
• Centralization
Complexity
The type of differentiation that exists within the organization determines complexity:
• Vertical differentiation – the more levels there are within an organization, the more complex it is
and also the slower and less effective it will be in adapting to changing conditions. These are tall
organizations.
• Horizontal differentiation – this relates to the extent to which special skills and knowledge are
required to complete the tasks. An organization is more complex when a greater diversity and depth of
skills are required. These are flat organizations because there are many different skills within the
organization, but there is not a lot of hierarchical differentiation between them.
• Spatial differentiation – this relates to the geographic separation of the organization's activities.
Formalization
This is the extent to which jobs are standardized and the clarity of the procedures and tasks that need to be
performed. The lower the level of formalization within a company, the more room there is for employee
decisions. A strong corporate culture reduces the need for the formal expression of all corporate standards
because these are disseminated and monitored naturally as part of the corporate culture.
Centralization
This is a larger concept, in that within centralization lies the debate between centralization and
decentralization. We will look at the differences between these two approaches here. Centralization is the
extent to which a company's authority and freedom of decision-making are concentrated in one location or
dispersed over many locations, departments or individuals.
Classical theorists do not like decentralization because they view it as dissolution (weakening) of the authority
of management. However, behavioralists see decentralization as a positive development because it is a good
way to motivate employees and keep morale as high as possible. The modern view is that neither form of
structure (centralization or decentralization) is necessarily good or bad in itself. Rather, the company needs to
select the method that best serves its needs.
Under this modern view, the amount of decentralization that takes place will depend upon a few factors
specific to that company.
• There must be necessary and proper information available to the people making the decisions.
This means that if the information is available only in the head office, there should not be any
decentralization.
• Decisions can only be decentralized if there are people in outside locations who have the necessary
skills and are able to make decisions.
• Decisions must be made in a timely manner. An outside location is often in a better position to
make a timely decision.
• If a company has large, interconnected operations, decentralization should not take place at a level
below which any coordination between locations needs to be maintained.
• Decisions that are critical to the company as a whole are generally made at the central location
and should not be decentralized.
In summary, there will be more decentralization when: lower levels of management make many of the
decisions, most functions and tasks are influenced by decisions made at lower levels of management, and the
review or approval of a decision is required before implementation.
Decentralization is most often and easily implemented in organizations that have departments that are based
upon clearly divisible units, functions or products.
Advantages of Decentralization
Among the many advantages that result from decentralization are:
• Identifies and trains good decision-making at lower levels; this builds a pool of managers.
• Frees top management from operations duties and enables them to focus on strategic goals.
Disadvantages of Decentralization
Though there are many advantages of decentralization, there are also some drawbacks:
• Tendency to focus on short-term local issues rather than the long-term success of the larger
organization.
• More difficulty in coordinating interdependent units – lower levels of management may make
conflicting decisions.
• Greater danger of satisficing ("this is good enough, so we will do it") decisions made by lower
management.
Delegation
One of the key parts of the decentralization process is the proper delegation of authority. Though this is
part of decentralization, delegation also occurs within an office or department. Delegation is the process of
passing power downward from one individual to his or her subordinate. Under the classical approach, this
process of delegation should be avoided because it is a reduction of the power of the manager. The behavioral
approach sees this as a useful step because no one has time to make every decision and subordinates like to
be involved in the process.
Delegation helps subordinates develop confidence and initiative in situations where there are some safeguards
and controls in place. This is part of the process of a person becoming a manager.
Note: It is very possible that a manager will hesitate to delegate because of the fear that she or he will be
held accountable for someone else's performance. This is a counterproductive fear, but if it is valid, the
organization needs to work to eliminate it.
• Follow-up on the process because ultimate authority still remains with the manager
Question 3: The most effective way to delegate a task to a subordinate would be to:
a) Define the desired outcome and the approach precisely, and in writing.
b) Define the desired outcome precisely, discuss possible approaches with the employee, and reach
agreement on the approach to be taken.
c) Let the employee try to perform the task for a defined period of time and then meet to critique the
approach and clarify the assignment as needed.
d) Give the assignment in very general terms, have the employee develop the desired outcome and
approach, and then review and critique the employee's decisions.
(CIA Adapted)
• A mechanistic structure is a very set and detailed system in which there are tight controls, extensive
division of labor and high formalization. This type of structure works well for mass production and any
time there is a strong need for operational efficiency.
• An organic structure, on the other hand, has low complexity, a low amount of formalization and a
highly participative decision-making structure. Organic structures are more flexible and adaptive to
change and are better in more dynamic (changing) and complex environments. An organic structure
is better for product development.
Question 4: A large company uses assembly line techniques to manufacture a single product. Its choice of
relatively mechanistic organizational design was more likely based on its:
(CIA Adapted)
Question 5: When an organization depends to a great extent on its environment, which of the following
statements best characterizes the relationship among an organization's environment, the level of
uncertainty it faces, and its structure? The more dynamic and complex the environment, the:
a) More uncertainty the organization will face and the more organic the structure should be.
b) More uncertainty the organization will face and the more mechanistic the structure should be.
c) Less uncertainty the organization will face and the more autocratic the structure should be.
d) Less uncertainty the organization will face and the more organic the structure should be.
(CIA Adapted)
• If the main strategy is one of innovation and development of new products, an organic structure
will work better.
• If the strategy is to imitate others and move into markets only after they are proven, a combination
of organic and mechanistic will work best.
• Organizational size – Though there is no direct relationship between the size of the company and
the structure that is required, larger companies tend to be more mechanistic because of the
need for formalization.
• Technology – An organic environment would work best with non-routine technology where
formalization is lower.
• Environment – Generally, the more stable the environment, the more mechanistic the company. A
mechanistic structure may also be more appropriate when the company has little opportunity for
growth. The environments suited to organic structures tend to be more dynamic and complex; such
environments generally require the flexibility and adaptability that an organic structure offers.
Question 6: Discount stores and sellers of generic grocery products keep prices low and innovate only
when there are low-risk, high-payback projects. They are pursuing a(n):
a) Innovation-minimization strategy.
b) Imitation strategy.
c) Cost-minimization strategy.
d) Initiation strategy.
(CIA Adapted)
a) Become more ambitious, and they often expand their activities within their industry.
b) Focus on vertical integration, and their structures consequently must become more centralized.
c) Change from a focus on a diverse set of products to a focus on a single product line.
(CIA Adapted)
Components of an Organization
According to Henry Mintzberg, an organization has five components. Depending upon which of the five
components dominates the organization, there will be one of five organizational structures.
Operating Core – The employees who perform the basic production tasks.
Strategic Apex – The top managers who ensure that the mission is followed and the needs of the owners
are met. They are in charge of overall strategic, long-term planning and control.
Middle Line – Managers who connect the strategic apex to the operating core.
Technostructure – The staff without direct line management responsibilities, but who seek to standardize
the way the organization works. They are the ones who produce procedures and systems manuals that
others are expected to follow.
Support Staff – The support staff provide ancillary services, e.g., secretarial staff, cleaning staff, public
relations, legal counsel, cafeteria, IT staff, etc.
Organizational Components (diagram): the Strategic Apex sits at the top, connected through the Middle
Line to the Operating Core at the bottom, with the Technostructure on one side of the Middle Line and the
Support Staff on the other; Ideology surrounds the whole.
According to Mintzberg, surrounding every organization is the organization’s ideology, which some argue is
the sixth component of an organization. Ideology is the traditions and beliefs that make each organization
unique.
Mintzberg identified six different types of organizations, each of which configures the five standard
components in a different way. He suggested that the most suitable configuration would depend on the type
and complexity of the work done by the organization. The six types of organizations, based on which
component is dominant, are:
Dominant component and resulting type of organization:
• Operating Core: Professional Bureaucracy – This is a complex and formal organization, but also one
that is decentralized, in which the specialists of production have great amounts of independence. Top
management gives up a lot of its control in this process, but there is low creativity and there may be
low performance because of inflexibility and an impersonal environment. Coordinating mechanism:
Standardized skills.
• Strategic Apex: Simple Structure – There is low complexity and authority is centralized. This is
usually seen in smaller (entrepreneurial) organizations where there is less formal planning or structure.
Coordinating mechanism: Direct supervision.
• Middle Line: Divisional Structure – In this structure, each division essentially operates as its own
company. This can lead to the duplication of many functions within each of the divisions. Coordinating
mechanism: Standardization of output.
• Support Staff: Adhocracy – This is an organization with low complexity and it is not very formal.
There is low vertical differentiation and high horizontal differentiation. The emphasis is on flexibility
and response (e.g., advertising agencies and consulting firms). Coordinating mechanism: Mutual
adjustments.
• Mission (Mintzberg identified this as another coordinating factor): Missionary Organization – In this
type of organization, the members share a common set of beliefs and values, which can mean that the
organization is usually unwilling to compromise or accept change (e.g., religious organizations).
Question 8: With the shift in some countries' economies toward service industries, a new form of
organization has developed, which is referred to as the professional bureaucracy. While this structure
resembles the machine bureaucracy (which relies on standardized work processes) in several respects, it
is different in one key aspect. This significant difference is that in a professional bureaucracy:
(CIA Adapted)
(CIA Adapted)
a) Simple structure
b) Divisional structure
c) Machine bureaucracy
d) Professional bureaucracy
(CIA Adapted)
Departmentation
Departmentation is the process of grouping related activities together into significant organizational
subsystems. This should promote coordination between the different divisions of labor that are created
when a company breaks its operations into separate tasks. There are a number of different ways to establish
the departments of an organization.
• Departmentation by function is the most common form of departmentation. The most common
departments are marketing, production, and finance (or accounting). The advantages of this system
are specialization by those performing the different tasks, simplified training because of the reduced
breadth of job duties, and the representation of the primary functions at the top level of management.
Disadvantages are the lack of profit centers and a potential lack of coordination between the different
functions.
• Departmentation by territory is when the company is divided along geographic lines. This is
characteristic of multinational and national companies. It gives the company a quicker reaction time
to local changes, greater familiarity with the local market and the issues facing it, and lower
distribution costs. On the other hand, there is a greater loss of control through delegation, and there
is duplication of service functions, because each department (geographic territory) will be performing
these tasks.
• Departmentation by customer allows the organization to provide better service to customers, but
there is a need to have a large customer base. Also, it may be difficult to coordinate the services
offered to customers with the departments that will actually be performing the services.
• Departmentation by project may be used for one-time projects (e.g., shipbuilding, military
contracts) and enables easy communication, but it requires reorganization at the end of each project,
which will lead to transitional difficulties from one project to another.
Matrix Organizations
A matrix organization occurs when any two of the above methods are combined in one company. This often
leads to one employee reporting to more than one manager. This potentially large issue needs to be resolved
by having a way of prioritizing between the different supervisors.
The flexibility that occurs in a matrix organization allows the best people to be assigned where they are most
needed, even if that is somewhere outside of their usual departments. This flexibility will enable the company
to eliminate, or at least reduce, the large changes in the number of people that are hired for various projects
and then fired afterward. The matrix system allows the organization to take people from other departments
temporarily for a larger project. The main disadvantage of the matrix system is that the unity of command
is broken because of the fact that a person has more than one boss at certain times.
Question 11: In what form of organization does an employee report to multiple managers?
a) Bureaucracy
b) Matrix
c) Departmental
d) Mechanistic
(CIA Adapted)
Span of Control
The span of control is the maximum number of subordinates that a manager can effectively supervise. The
classical view holds that this number is 5 or 6, while the behavioral school feels that it is better if this number
can be increased because of the benefits received by expanding the span of control.
Under the behavioral school, the more people a manager supervises, the less time is available to supervise
each individual subordinate. This leads to subordinates working under less close supervision, thereby
increasing their job satisfaction. Also, by having more subordinates for each manager, there will be fewer
levels in the organization, leading to more efficient communication throughout the organization.
The modern approach holds that the number of subordinates is based upon factors such as the supervisor’s
training, abilities, time available to supervise and the subordinates’ interest in working with less supervision,
commitment to the job, training and attitudes. Also, the job itself and the environment of the company will
influence the number of subordinates that can be supervised.
Note: The size of the organization does not affect the span of control.
The span of control will affect the number of levels that exist in an organization; one with a narrow span of
control will be a taller organization because each manager is managing fewer people. In a tall organization,
there is more room for advancement because there are more levels; on the other hand, because of the
additional levels, communication takes longer. If a company has a wide span of control, there will be
fewer levels and it will be a flat organization. A wide span of control is more appropriate when the tasks
performed are more standard and require little direct supervision by management. This is because there is a
greater risk that employees will perform complicated tasks incorrectly when there is less supervision, so in a
wide-span system the activities should not require a lot of direct supervision.
Question 12: Which of the following is least likely to affect a manager's direct span of control?
(CIA Adapted)
Question 13: The optimal span of control of a manager is contingent upon several situational variables.
For instance, a manager supervising workers within the same work area who are performing identical
tasks that are simple and repetitive would best be able to supervise:
(CIA Adapted)
Business Process Analysis
A system of analyzing the operation plans and business strategies so improvements can be made is called
Business Process Analysis (BPA). The elements of a successful BPA project are:
• Involve individuals most knowledgeable with the business process being analyzed
1) Workflow Analysis
Workflow analysis is the process by which organizations are able to identify and evaluate how well their
existing processes are achieving organizational goals. By understanding existing processes, internal auditors
are then in a position to recommend ways of streamlining and optimizing current processes.
Workflow analysis is accomplished by breaking down processes into their component parts. For
example, within the purchasing workflow there will be several components that include making the order,
approving the order, purchasing the actual goods, accepting the bill of goods, and finally receiving the goods.
These processes are mapped and evaluated.
Workflow analysis can be thought of as being similar to PERT/CPM. It can both map out a process and
calculate the cost associated with those processes. The primary difference between the two is that workflow
analysis is used to map current business processes, whereas PERT/CPM is used specifically in the
management of large projects.
Throughput time, or cycle time, is the time that elapses between the receipt of a customer order and the
shipment of the order. The theory of constraints (TOC) helps reduce cycle times and, therefore, operating
costs. TOC defines three measurements:
1) Throughput contribution is equal to revenues minus the (materials) costs of the goods sold.
2) Investment equals the sum of the costs of direct materials, work-in-process and finished goods
inventories, R&D, and equipment and buildings.
3) Operating costs are equal to all operating costs, other than direct materials, incurred to earn
throughput contribution. Operating costs include salaries and wages, rent, utilities and depreciation.
The following are the steps in managing bottleneck operations through the use of TOC analysis:
1) Recognize that the bottleneck operation determines the throughput contribution of the system
as a whole, and identify the bottleneck by determining where the total hours needed exceed the
number of available hours. To identify where slack (extra, unused) hours of capacity exist and where
they are negative, an analysis of the production process is prepared using hours required and hours
available for each procedure.
2) Calculate the best use of the bottleneck to maximize contribution. Determine the most
profitable product mix, given the available capacity at the existing constraint. This will be the
combination of products that maximizes total profits. Profitability for each product is determined by
using the throughput margin (product price less variable materials cost) per minute of the constraint.
(Note that the constraint may be something other than time. It could be, for example, a maximum
number of kilograms of an input material that are available. Whatever the constraint is, the throughput
per unit of that constraint must be calculated.) The product with the highest throughput margin per
minute will be the most profitable, even though it may have a lower throughput margin per unit.
3) Maximize the flow through the bottleneck by using the drum-buffer-rope (DBR) system, which
attempts to minimize the buildup of inventory at the bottleneck, but still keep the constraint produc-
ing at all times. Non-bottleneck operations are not permitted to produce more output than can be
processed by the bottleneck, as this would create excess inventory and doesn’t increase throughput
Section C Business Process Analysis
contribution. In DBR, the constrained process is the drum and the sequence of processes prior to
the constraint is the rope. The objective is to balance the flow of production through the rope by
timing and scheduling activity for all processes leading up to the drum. The buffer is a minimum
amount of work-in-process inventory waiting for completion by the constrained process, just enough
to ensure that the constrained process is busy at all times.
4) Increase the production capacity of the bottleneck by adding capacity. This may be a longer-term
project to consider, but the company must look at how to reduce the limitations of the constraint.
5) Analyze the system to see if there are improvements to make through redesigning or reordering
the processes. This is the most strategic response to the constraint.
A Theory of Constraints Report conveys throughput margin and selected operating data. It identifies each
product’s throughput margin per hour required for the binding constraint and the most profitable product(s).
It also enables monitoring to achieve maximum profitability given the existing constraints.
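The following is an added worked example, not part of the HOCK text, that carries out steps 1 and 2 above in code: it compares hours required with hours available for each process to find the constraint, then ranks products by throughput margin per minute of that constraint and fills its capacity in that order. The three products, their prices, material costs, demand, process times and the hours available are all constructed sample data.

```python
"""Theory of Constraints: find the bottleneck and the best product mix (added example)."""

# Constructed sample data, not from the book. "minutes" are minutes per unit on each process.
PRODUCTS = {
    "X": {"price": 100, "material": 40, "demand": 100,
          "minutes": {"cutting": 10, "assembly": 20, "finishing": 5}},
    "Y": {"price": 80, "material": 45, "demand": 200,
          "minutes": {"cutting": 5, "assembly": 10, "finishing": 5}},
    "Z": {"price": 60, "material": 20, "demand": 150,
          "minutes": {"cutting": 8, "assembly": 15, "finishing": 4}},
}
HOURS_AVAILABLE = {"cutting": 60, "assembly": 80, "finishing": 40}


def capacity_slack(products, hours_available):
    """Step 1: hours available minus hours required to meet full demand, per process.
    Negative slack means the process cannot meet demand and is a constraint."""
    slack = {}
    for process, available in hours_available.items():
        required_minutes = sum(p["demand"] * p["minutes"][process] for p in products.values())
        slack[process] = available - required_minutes / 60
    return slack


def find_bottleneck(products, hours_available):
    """The process with the most negative slack, or None if every process has spare hours."""
    slack = capacity_slack(products, hours_available)
    worst = min(slack, key=slack.get)
    return worst if slack[worst] < 0 else None


def throughput_per_constraint_minute(product, bottleneck):
    """Throughput margin (price less variable material cost) per minute of the constraint."""
    margin = product["price"] - product["material"]
    return margin / product["minutes"][bottleneck]


def best_product_mix(products, bottleneck, hours_available):
    """Step 2: rank products by throughput per constraint minute and fill the
    constraint's capacity in that order, never exceeding each product's demand."""
    minutes_left = hours_available[bottleneck] * 60
    ranked = sorted(products,
                    key=lambda n: throughput_per_constraint_minute(products[n], bottleneck),
                    reverse=True)
    mix, total_throughput = {}, 0
    for name in ranked:
        p = products[name]
        units = min(p["demand"], minutes_left // p["minutes"][bottleneck])
        mix[name] = units
        minutes_left -= units * p["minutes"][bottleneck]
        total_throughput += units * (p["price"] - p["material"])
    return mix, total_throughput


if __name__ == "__main__":
    bottleneck = find_bottleneck(PRODUCTS, HOURS_AVAILABLE)
    print("slack hours per process:", capacity_slack(PRODUCTS, HOURS_AVAILABLE))
    print("bottleneck:", bottleneck)
    print("mix and throughput contribution:", best_product_mix(PRODUCTS, bottleneck, HOURS_AVAILABLE))
```

In this data assembly is the only process with negative slack. Product X has the highest throughput margin per unit ($60 against $35 for Y), but Y earns $3.50 per assembly minute against $3.00 for X, so Y is scheduled first, exactly the point made in step 2 above; Z, the weakest per minute, gets only the minutes that remain.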
Question 14: Urban Blooms is a company that grows flowering plants and sells them in attractively
designed container arrangements to upscale hotels, restaurants and offices throughout the greater New
York City metropolitan area. When first established, the organization produced every aspect of its product
on site and handled all business functions from its facility, in either the greenhouses, production areas or
office. The only exception was importing expensive, large containers from Mexico. After five years in
business, Urban Blooms had become very profitable and increased its staff from 10 to 200 employees,
including horticulturalists, production/design workers, business managers and sales staff. However, the
owners found it increasingly difficult to keep up with the complexities and demands brought about by the
company’s continuing growth. Over time it became apparent that several areas of the business were
causing customer problems (caused by bottlenecks in the system) and were not performing to expectations.
Management noticed over the course of time that the rate of customer dissatisfaction increased
dramatically, and because of this some customers started to go elsewhere.
Which of the following would be the best method to analyze the system?
d) Lean production
(HOCK)
3) Variance Analysis
Variance analysis is the process of comparing the actual expenses and revenues during a certain period to the
budgeted amounts for that same period. Variance analysis allows the company to determine why the actual
results were different from the budgeted amounts.
Variance analysis enables internal auditors to focus their efforts on the areas of the operations that have been
operating less efficiently than planned.
An important concept of variance analysis is standard costs, and the role that standard costs play in the
accounting and costing system. A standard cost is an estimate of the cost the company expects to incur in
the production process. Standard costs are established during the budgeting process. Without a standard
cost, the analysis of actual activities and results is very difficult because there is no standard against which to
measure the performance.
This standard cost is calculated at the beginning of the year and it is based on the estimated costs and
the expected level of activity or production. The standard cost is determined through the use of accounting
and production estimates. It should not be simply created by management.
The comparison of actual costs to standard costs allows the company to analyze its actual costs and also
enables some forms of controls of the costs to be done. A large variance between the standard cost and the
actual cost is an alert to management that something is possibly wrong and needs attention.
Note: A standard cost system may be used with either a job-order costing system or a process costing
system. Standard costs are best used with a flexible budgeting system in order to provide the most
useful variance analysis. The flexible budget makes it possible to isolate the differences between actual and
budgeted amounts that were not caused by the actual level of production being different from the expected
level. Flexible budgets are covered in more depth in Section C.
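The following added example (not from the HOCK text) shows the comparison described above in code: each cost line has a standard cost per unit set at budgeting time, and the static-budget variance is split into the part explained by the production volume (the flexible budget) and the part that remains and deserves attention. The cost lines, amounts and the 5% alert threshold are constructed sample values.

```python
"""Standard-cost variance analysis with a flexible budget (added example)."""
from dataclasses import dataclass


@dataclass
class CostLine:
    name: str
    standard_cost_per_unit: float  # standard cost set during the budgeting process
    budgeted_units: int            # expected level of production
    actual_units: int              # actual level of production
    actual_cost: float             # actual cost incurred


def analyze(line: CostLine, alert_threshold: float = 0.05) -> dict:
    """Split the static-budget variance into a volume part and a flexible-budget
    part, and flag the line when the flexible-budget variance exceeds the
    threshold (a fraction of the flexible budget). Positive variances are
    unfavorable (actual cost above standard)."""
    static_budget = line.standard_cost_per_unit * line.budgeted_units
    flexible_budget = line.standard_cost_per_unit * line.actual_units
    static_variance = line.actual_cost - static_budget
    volume_variance = flexible_budget - static_budget      # caused only by the activity level
    flexible_variance = line.actual_cost - flexible_budget  # price/efficiency effects, the part to investigate
    ratio = flexible_variance / flexible_budget if flexible_budget else 0.0
    return {
        "name": line.name,
        "static_budget": static_budget,
        "flexible_budget": flexible_budget,
        "static_variance": static_variance,
        "volume_variance": volume_variance,
        "flexible_variance": flexible_variance,
        "favorable": flexible_variance < 0,
        "alert": abs(ratio) > alert_threshold,
    }


# Constructed sample data, not from the book.
SAMPLE_LINES = [
    CostLine("direct materials", 12.0, 10_000, 11_000, 135_000.0),
    CostLine("direct labor", 20.0, 10_000, 11_000, 245_000.0),
]


def variance_report(lines=SAMPLE_LINES) -> list:
    return [analyze(line) for line in lines]


if __name__ == "__main__":
    for row in variance_report():
        flag = " <-- investigate" if row["alert"] else ""
        print(f"{row['name']}: static variance {row['static_variance']:,.0f}, "
              f"volume {row['volume_variance']:,.0f}, "
              f"flexible-budget variance {row['flexible_variance']:,.0f}{flag}")
```

Both sample lines show a large static-budget variance, but once the budget is flexed to the 11,000 units actually produced, only the labor line is still out of tolerance; the materials variance was almost entirely a volume effect.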
Question 15: The process of establishing standard costs can involve different personnel from different
areas. Who of the following would be least likely to be involved in the process of establishing standard
costs?
a) Budgetary accountants
b) Industrial engineers
c) Senior management
(CMA adapted)
Figure: the value chain, with the support activities (corporate infrastructure, technology development, procurement and human resource management) shown spanning the primary activities; the figure itself is not reproduced here.
The primary activities create most, if not all, of the value within the value chain. The support activities
provide purchased inputs, human resources, technology and infrastructural functions to support the primary
activities. Even though this is an obvious point, you need to make sure not to overlook the importance of the
support activities. For example, the procurement department (support activity) has to purchase inputs of the
right quality, at the right time, and at the right price. If the department is unable to do this, the production
department might not be able to produce the quality of product required by customers, which could lead to
dissatisfied customers, in turn possibly leading to the company as a whole not achieving its profitability
objectives.
The margin is the excess that the customer is willing to pay over the cost to produce the product or service.
It represents the value created by the value activities themselves and by managing the linkages between
them, for example, the linkage between procurement and operations, etc.
Primary activities
• Inbound logistics. These are the activities that have to do with receiving and handling purchased
materials and components, and storing them until needed.
• Operations. These are the activities that are concerned with converting the purchased materials
and components into a product that customers will buy.
• Outbound logistics. These are the activities that are concerned with the storage of finished goods
before sale, and the distribution and delivery of goods (and services) to the customers.
• Marketing and Sales. These are the activities that help a company promote and sell its goods and
services (i.e., advertising, promotions, sales personnel).
• Service. These are the activities that occur after the point of sale (POS), such as installation,
warranties, repairs and maintenance, providing training to the employees of customers and after-sales
service.
Support Activities
• Corporate Infrastructure. This relates to the company’s structure and its management systems,
including planning and financial management, quality management and information systems
management.
• Technology development. These are the activities related to any development in the technological
systems of the company, such as product design (research and development) and IT systems. This
is an important activity for innovation.
• Procurement. These are the activities that are concerned with buying the resources for the
company, including materials, plant, equipment and other assets.
• Human resource management. These are the activities concerned with recruiting, training and
rewarding people in the company.
Value chain analysis can help an organization gain competitive advantage by identifying what does or does
not increase value to the customers. Once those areas are identified, the organization can increase the
related benefits, or reduce (even eliminate) non value-added activities. The increase in value to the customer
and/or the decrease in production costs will make the company more competitive. There are three steps in
value chain analysis:
1) Identify the activities that bring value to the end product. These activities depend upon the
industry and what the company does (manufacturing, resale, etc.).
3) Build competitive advantage by either increasing value to the customer or reducing the costs of
production.
dramatically change the process itself and the way that it is performed. In order to stay ahead of the
competition, an organization must be dynamic.
In applying the concept of process reengineering, management starts out with a clean sheet of paper and
then radically redesigns the processes used by the organization to accomplish its objectives. Operations that
have become obsolete are eliminated.
1) Fundamental. The redesign of a process should be fundamental and the “old assumptions” about
the process need to be questioned.
2) Dramatic. The improvements that are going to be made are not small. They are dramatic in terms
of lower cost, better quality, better service or improved speed of operations.
• The organization must identify what it does better than the competition. These are the organi-
zation’s distinctive competencies. By clearly identifying its competencies, the organization
understands what activities are vital to its success.
• Management needs to determine what processes it uses to convert materials, capital, information
and labor into products or services that have value. The organization is viewed as a series of
processes, enabling management to determine to what degree each process adds value. This can
uncover a lot of legacy processes that are no longer needed and are only done because the
procedure was put into place long ago for some extinct purpose.
• The organization needs to focus on processes, not on functions. Reorganization should take
place around horizontal processes. This will require cutting out unnecessary middle management
levels, thus flattening the organization, because an excess of managers does not add value.
Management is an indirect cost, and the necessary amount of management should be minimized.
Note: Reengineering is the process of starting over in the design and restructuring of a company’s
processes. This is different from the modification of an existing system in that, with reengineering, we start
again from a blank page.
It is possible that BPR could lead to the elimination of traditional control elements, such as segregation of
duties, accuracy of cross-checks, authorization, and verification. Because of this, internal auditing can assist
management by helping identify and evaluate significant risk exposures as a result of BPR and contribute to
the improvement of risk management and control systems that may have been compromised by the BPR
undertaking. However, the internal auditor must not draft, design, install, or operate the new system
connected with BPR, because this would impair objectivity.
Question 16: Business Process Reengineering (BPR) is the thorough analysis, fundamental rethinking, and
complete redesign of essential business processes. The intended result is a dramatic improvement in
service, quality, speed, and cost. An internal auditor’s involvement in BPR could include all of the
following except:
(CIA adapted)
6) Six Sigma
We mentioned Six Sigma earlier as an approach to quality that strives to virtually eliminate defects. To
achieve Six Sigma, a process must produce no more than 3.4 defects per million opportunities. Although
it was originally applied to manufacturing operations and defects in products, it can also be applied to any
product, process or transaction.
Six Sigma was developed at Motorola in the 1980s as a result of an effort to bring about a ten-fold reduction
in product failure levels. The Motorola team concluded that the best way to prevent product breakdowns was
to ensure that the processes used in producing the products prevented defects from occurring. The result
was a goal of splitting each process into smaller and smaller sequences in order to examine each sequence for
its potential for errors and then to change the process to eliminate that potential. Breaking down and studying
processes makes it possible to discover the root cause of defects.
The aim of Six Sigma is to improve customer satisfaction by reducing and eliminating defects, which will
lead to greater profitability. There is a five-step “chain reaction:”
1) When quality is improved, costs decrease because rework decreases, there are fewer mistakes to
correct, fewer delays, and better use of time and materials.
3) Better quality results in higher market share and gives the company the ability to raise its prices.
4) Higher prices coupled with lower costs increases the company’s profitability.
Six Sigma relies on the voice of the customer and objective data to improve business processes and uses a
hierarchy of people within the organization who are trained experts in the methodology. Each Six Sigma
project carried out follows a set of defined steps and has a quantifiable financial target such as cost reduction
or profit increase.
In Six Sigma, process improvement and customer satisfaction are based on the following premises:
• Everything is a process;
• Data is used to understand the variability and drive process improvement decisions.
This variability is the source of the name “Six Sigma.” The Greek letter sigma (σ) is used in
statistics to represent “standard deviation.” In statistics, the “mean” of a set of observations is its average or
its weighted average. The standard deviation of the set of observations is a measure of how far, on average,
the individual observations in the set lie from the mean of the set. It tells us something about how much the
various values are dispersed around the mean. If a group of observations is normally distributed, 68% of the
values are expected to lie within one standard deviation (plus or minus) from the mean, 95% within two
standard deviations of the mean, and 99.7% within three standard deviations of the mean. And
99.9999998% of the values will lie in the interval created by the mean plus or minus six standard deviations.
Therefore, only 0.0000002% of the observations will lie outside the interval of six standard deviations from
the mean. That is the error rate that a Six Sigma program strives for.
If you divide 3.4 by 1,000,000, however, you do not get 0.0000002%. You get 0.00034%, which is a little
higher than 0.0000002%. The reason for this is what Six Sigma calls “shift.” Over the long term, processes do
not generally perform as well as they do in the short term. In manufacturing, shift results from things such as
mechanical wear and tear over time. When short-term results are at the six sigma quality level, long-term
results can be expected to be at the 4.5 sigma quality level, which corresponds to the goal of 3.4 defects per
1,000,000 opportunities.
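The following is an added example, not from the HOCK text, that reproduces the figures in the two paragraphs above from the normal distribution alone: the 68%/95%/99.7% shares, the 0.0000002% outside plus or minus six standard deviations, and the way a 1.5 sigma long-term “shift” turns a six sigma process into a 4.5 sigma process with 3.4 defects per million opportunities. Only the Python standard library is used; the 1.5 sigma shift value is the conventional Six Sigma assumption rather than a figure stated on this page.

```python
"""Normal-distribution arithmetic behind the Six Sigma numbers (added example)."""
import math


def fraction_within(k: float) -> float:
    """Share of a normally distributed population lying within +/- k standard deviations."""
    return math.erf(k / math.sqrt(2))


def fraction_outside(k: float) -> float:
    """Two-sided share of the population lying outside +/- k standard deviations."""
    return math.erfc(k / math.sqrt(2))


def one_sided_dpmo(sigma_level: float) -> float:
    """Defects per million opportunities when the specification limit sits
    sigma_level standard deviations above the mean (one tail only), which is
    how Six Sigma quality levels are usually quoted."""
    return 0.5 * math.erfc(sigma_level / math.sqrt(2)) * 1_000_000


def long_term_dpmo(short_term_sigma: float, shift: float = 1.5) -> float:
    """Six Sigma's 'shift': long-term performance is assumed to drift by
    1.5 sigma (conventional assumption, not a figure from the page), so a
    short-term 6 sigma process is evaluated as a 4.5 sigma process."""
    return one_sided_dpmo(short_term_sigma - shift)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"within +/-{k} sigma: {fraction_within(k):.1%}")
    print(f"outside +/-6 sigma: {fraction_outside(6) * 100:.7f}%")
    print(f"6 sigma short term -> {long_term_dpmo(6):.1f} DPMO long term")
```

Running it prints the 68.3%, 95.4% and 99.7% shares, 0.0000002% outside six standard deviations, and 3.4 DPMO for a six sigma process after the 1.5 sigma shift, which is how 3.4 per million and 0.0000002% are both “six sigma” figures.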
Six Sigma has two methodologies, one for improving existing business processes and one for creating new
product or process designs. Each one consists of five steps.
The first one, which is used to improve an existing business process, is known by the mnemonic of
DMAIC — Define, Measure, Analyze, Improve and Control:
• Define process improvement goals: define the process output characteristics that customers see as
being critical to quality and that are consistent with the enterprise strategy; define how the process
output is not meeting requirements; define the project’s goal, based on improving critical-to-quality
requirements; define the process steps, inputs, outputs, customers and suppliers.
• Measure key aspects of the current process and collect relevant data: provide a clear definition of
defects and defect opportunity; collect process performance data and compare it to the project goal;
select, define and measure the factors that have the most influence on process performance.
• Analyze the data to verify cause-and-effect relationships: assemble a detailed process map and
analyze it for steps that can be eliminated, simplified, or standardized; list potential root causes;
analyze the process map and data gathered in the Measure phase for clues to confirm or refute the
root causes; narrow the list down to the most important root causes.
• Improve or optimize the process based upon data analysis: list possible solutions; narrow the list
down to the best and most feasible solutions; work out the bugs in a trial implementation.
• Control to ensure that deviations from target are corrected before they result in defects;
continuously monitor the process; standardize and document the improvements; develop a system to
monitor key output variables; minimize opportunities for error.
The second methodology, used for creating new product or process designs, has the mnemonic of
DMADV — Define, Measure, Analyze, Design and Verify:
• Define design goals that are consistent with customer demands and the enterprise strategy.
• Measure and identify characteristics that are critical to quality, product capabilities, production
process capability, and risks.
• Analyze to develop and design alternatives, create a high-level design and evaluate design
capability to select the best design.
• Design details, optimize the design, and plan for design verification. Simulations may be required.
• Verify the design, set up pilot runs, implement the production process and hand it over to the
process owners.
For Six Sigma to be successfully implemented, executive management’s support is an “absolute must.”
Executive leadership is responsible for casting the vision for Six Sigma and empowering other leaders to
explore new ideas for improvements. Management should have the attitude that mistakes, defects and poor
quality are not acceptable and need to be eliminated. Management should also create an environment where
employees are not afraid to report problems or recommend improvements. Achieving better quality requires
commitment from everyone in the company, and management must create that culture.
Martial arts terminology is used to define the key roles in Six Sigma implementation:
• Champions are members of upper management who are responsible for Six Sigma implementation
across the organization. They also act as mentors to Black Belts.
• Master Black Belts are coaches. They are devoted full-time to Six Sigma, assisting Champions and
guiding Black Belts and Green Belts. They ensure that Six Sigma is applied consistently in the
various functions and departments. Champions and Master Black Belts focus on identifying projects for
Six Sigma.
• Black Belts also serve full-time in their roles. They report to Master Black Belts and apply Six Sigma
methodology to specific projects.
• Green Belts are not full-time in their Six Sigma roles. They work on Six Sigma implementation
along with their other job responsibilities. They report to Black Belts and assist them.
• Yellow Belts are employees who have been trained in Six Sigma but have not yet completed a Six
Sigma project.
Section C Inventory Management Techniques & Concepts
A key part of Six Sigma is determining which process sub-steps contribute to the end result and which do not.
Not every process needs to attain Six Sigma performance in order to achieve the target defect rate in the
final product. The defect rate is going to be more sensitive to some factors than to others. Part of the work of
the measuring and analysis phases is identifying how much improvement is needed in each sub-step in
order to achieve the goal.
Six Sigma is not limited to manufacturing and it can be implemented throughout an organization. Companies
are applying it in areas such as purchasing, shipping/receiving, sales, administration, and finance.
Inventory Costs
In order to maximize profits, a firm should minimize its total inventory costs. There are a number of different
costs associated with inventory and these costs of inventory are divided into the following three main
categories (not including the cost of the raw material).
Ordering Costs
Ordering costs include:
• The costs of placing an order (choosing a vendor, negotiating the contract, decision-making, etc.)
• Setup costs
Carrying Costs
Carrying costs include:
• Inventory taxes
• Opportunity cost of inventory investment. This is the cost of the capital that is invested in the
inventory and represents the amount of interest that is lost by investing cash in inventory instead of
in some other longer-term asset that provides dividends or interest.
In looking at carrying and ordering costs, it is important to remember that carrying costs vary with the
amount of inventory that a company holds, but ordering costs decrease on a per unit basis when there is an
increase in the number of units that are ordered at one time. Thus, as we will see later, the economic size of
an order of inventory requires a balance between carrying costs and ordering costs.
Stockout Costs
These are the costs that are incurred through lost sales when a company does not have inventory available
for the customer when the customer wants to buy it. It includes both the cash and profit that is lost from
not being able to make that individual sale and also the cost of customer ill will. The cash cost of the lost
sale is probably a very small amount and not very crucial in the larger picture, but the cost of the customer ill
will is potentially very large. Unfortunately, this ill will is almost impossible to measure as it may cause the
customer not to return for future purchases, and may instigate the spread of negative information about the
company in the market place.
The cost of a stockout needs to be balanced against the cost of holding additional units.
The level of safety stock a company carries is one of its protections against stockouts. The safety stock is
the amount of inventory the company expects to still have on hand when the next shipment of inventory is
due to arrive. A high level of safety stock means that even if the next shipment is delayed, the company
should have sufficient levels of inventory to continue to operate while it waits for the shipment to arrive.
The amount of safety stock that needs to be held by a company is affected by:
• The variability of demand for the product.
• The variability of the lead time for replenishment.
The more variable either of these items is, the more safety stock the company will have to hold to guard
against stockouts in the case of an unusually high demand or an unusually long lead time. If these items are
more consistent and predictable, the amount of safety stock that the company holds can be reduced because
there is a smaller chance of needing a large number of units in stock because of an unusually long lead time
or unusually high demand.
The reorder point is the level of remaining inventory that indicates when the company needs to place the
order for inventory. It is calculated as follows:
The average inventory that the company holds is calculated as the number of units ordered each time an
order is placed divided by two, plus the safety stock.
Example: If the safety stock is 10 and 50 units are ordered each time that inventory is ordered, the
average level of inventory will be 35 units. This is calculated as (50 / 2) + 10.
Note: Each unit of the company’s safety stock will increase its average inventory by one unit. This is
because both the maximum and the minimum number of units that the company holds will increase by
one unit.
The figure below demonstrates how the level of inventory moves over time and the role of the reorder point
and the safety stock.
Figure: inventory level over time, showing the reorder point, the safety stock level and the lead time that elapses before each delivery arrives; the figure itself is not reproduced here.
Question 17: The carrying costs associated with inventory management include:
c) Purchasing costs, shipping costs, set-up costs and quantity discount lost.
(CMA adapted)
Question 18: The ordering costs associated with inventory management include:
c) Purchasing costs, shipping costs, setup costs and quantity discounts lost.
(CMA adapted)
Question 19: The optimal level of inventory is affected by all of the following except the:
(CMA adapted)
Question 20: In inventory management, the safety stock will tend to increase if the:
(CMA adapted)
• The cost to carry one unit of inventory for one year (this includes the interest on funds invested in
inventory).
For the EOQ calculation to work, the following assumptions are made:
• The unit carrying costs are assumed to be known and constant throughout the period.
• There are no stockout costs included in the EOQ model because it is assumed that demand can be
determined and planned for.
Obviously these assumptions limit the usefulness of EOQ because we know that they are not always true in
reality. However, the model can provide a useful starting point for a company.
EOQ = √(2aD / k)
Where: a = Variable cost of placing an order
D = Periodic demand
k = Carrying cost per unit per period
Example: Assume that Medina Co. makes footballs and is trying to determine the quantity of leather that it
should order every time an order is placed. The relevant information is as follows: over the course of the
year 12,000 sq.m. of leather will be needed, the cost of storing 1 sq.m. of leather is $3 and the cost of
placing an order is $450.
EOQ = √(2 × $450 × 12,000 / $3) = √3,600,000
All of this calculates to 1,897.3. This means that every time Medina orders inventory, it should order 1,898
sq.m. in order to minimize the costs of carrying and ordering inventory.
We can further use this number to determine the number of times that Medina will order inventory. Given
a demand of 12,000 units and an EOQ of 1,898, Medina will need to order inventory 7 times in order to
have enough leather for production.
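The following is an added example, not part of the HOCK text, that puts the inventory formulas from this section in one place: average inventory (the 50-unit order and 10-unit safety stock example), the reorder point, the EOQ for the Medina Co. figures above, and the total ordering-plus-carrying cost curve that the EOQ minimizes. The reorder point formula is not shown on the page; the one used here is the standard textbook form (demand during the lead time plus safety stock). The safety stock helper uses the common z-score approximation, which is likewise an addition and not from the page, and the daily demand and lead time values fed to it are constructed.

```python
"""Safety stock, reorder point, average inventory and EOQ (added example)."""
import math


def average_inventory(order_quantity: float, safety_stock: float) -> float:
    """Order quantity / 2 plus safety stock (book example: 50 units and 10 -> 35)."""
    return order_quantity / 2 + safety_stock


def reorder_point(daily_demand: float, lead_time_days: float, safety_stock: float) -> float:
    """Standard textbook formula (not shown on the page): expected demand during
    the lead time plus the safety stock."""
    return daily_demand * lead_time_days + safety_stock


def safety_stock_for_variability(z: float, demand_std_per_day: float, lead_time_days: float) -> float:
    """Common approximation (an addition, not from the page): safety stock grows with the
    variability of daily demand and with the length of the lead time, which is the
    relationship the text describes in words."""
    return z * demand_std_per_day * math.sqrt(lead_time_days)


def eoq(order_cost: float, periodic_demand: float, carrying_cost: float) -> float:
    """EOQ = sqrt(2aD / k) with a = cost per order, D = periodic demand, k = carrying cost per unit."""
    return math.sqrt(2 * order_cost * periodic_demand / carrying_cost)


def total_inventory_cost(order_quantity: float, order_cost: float,
                         periodic_demand: float, carrying_cost: float) -> float:
    """Ordering cost (orders per period x cost per order) plus carrying cost on the
    average cycle stock (Q/2 x carrying cost per unit). Safety stock is carried
    regardless of Q, so it is a constant and is left out of the comparison."""
    return (periodic_demand / order_quantity) * order_cost + (order_quantity / 2) * carrying_cost


def orders_per_period(periodic_demand: float, order_quantity: float) -> int:
    return math.ceil(periodic_demand / order_quantity)


def medina_example() -> dict:
    """The Medina Co. figures from the book: a = $450, D = 12,000 sq.m., k = $3 per sq.m."""
    q = eoq(450, 12_000, 3)
    return {
        "eoq": q,
        "order_size": math.ceil(q),
        "orders": orders_per_period(12_000, math.ceil(q)),
        "cost_at_eoq": round(total_inventory_cost(q, 450, 12_000, 3), 2),
        "cost_at_1800": round(total_inventory_cost(1800, 450, 12_000, 3), 2),
        "cost_at_2000": round(total_inventory_cost(2000, 450, 12_000, 3), 2),
    }


if __name__ == "__main__":
    print("average inventory:", average_inventory(50, 10))
    # Constructed inputs: 40 units/day, 5-day lead time, 10 units of safety stock.
    print("reorder point:", reorder_point(40, 5, 10))
    print("safety stock, stable vs variable demand:",
          safety_stock_for_variability(1.65, 2, 5), safety_stock_for_variability(1.65, 8, 5))
    print("Medina:", medina_example())
```

At the EOQ the ordering and carrying costs are equal (about $2,846 each), and the total of roughly $5,692 is below the $5,700 at either 1,800 or 2,000 square metres, which is the balance between the two costs that the text describes.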
EOQ questions are simply a matter of putting the information that is given in the question into the formula.
One of the main differences between JIT and traditional inventory systems is that JIT is a pull system rather
than a push system. The main idea of JIT is that nothing will be produced until the next process in the
assembly line needs it. This means essentially that nothing will be produced until a customer orders it.
However, we know that this is not actually possible so production is driven by the expected demand for the
product.
By contrast, in a push system, a department produces all that it can and sends those units to the next
department in the production process for further processing. This is repeated as each department produces as
much as it can and sends the units to the next department. Because the company is producing units without
knowing if those units will be sold, the company is taking the risk that it is producing useless units of
inventory that will need to be written off.
To implement JIT and to minimize inventory storage, the factory must be reorganized to permit what is
known as lean production. Under lean production, the plant layout is arranged by manufacturing cells
that each produce a product, or product type. Additionally, each worker is able to operate all machines, and
also perform supporting tasks within that manufacturing cell. This reduces the downtime resulting from
breakdowns or employee absences.
Because inventory levels are kept low in a JIT system, the company must have a very close relationship with
its suppliers to make certain that the supplier makes frequent deliveries of smaller amounts of inventory. It is
also critical that the inventory is of the required quality because there is no extra to use in place of any
defective units that are delivered.
Kanban
Kanban is a Japanese inventory system in which “cards” or “tickets” are used to keep track of inventory and
the movement of the inventory. Kanban is an integral part of a JIT system.
• Computer Integrated Manufacturing (CIM). CIM integrates all office and factory functions by a
computer-based information network that permits hour-by-hour manufacturing management.
• Computer-aided design and manufacturing (CAD). CAD is a system that utilizes computers in the
product development, analysis and design modification stages, which leads to improvements in
quality and performance.
• Materials Requirement Planning (MRP). MRP is an approach that uses computer software to help
manage a manufacturing process. Its purpose is to reduce the cash needed by the organization, which in
turn improves profitability and ROI. MRP creates the antithesis of the situation often found in old
manufacturing organizations, where large amounts of cash get tied up in inventory before products
can be assembled and sold. Instead, MRP aims to remedy this through careful planning and
management. MRP software helps a sales or marketing group to estimate future product sales by
backdating the approximated time to assemble a product; it then breaks out the product into
required parts, which can be ordered at times back-dated from the assembly dates. The planners then
develop cash flow for the ordering, assembly, shipping and payment process. This enables the
system to provide information regarding the parts needed to complete and ship an order, and to
request the parts quickly if the order is of high value.
• Manufacturing Resource Planning (MRP-II). MRP-II goes beyond MRP and integrates all facets
of a manufacturing business, including production, sales, inventories, schedules, and cash flows. Like
MRP, MRP-II is a “push through” system (unlike JIT, which is a demand “pull” system).
• Robots, which are primarily used in manufacturing, are programmable and better at manual tasks
than humans because they don’t tire and easily adapt to changing conditions. Furthermore, they are
useful in environments that are unfit for humans, such as radioactive areas. Robots can have visual
perception, touch capability, dexterity, locomotion and navigation.
ABC System
In an ABC system, the inventory is divided into three groups as follows:
• Group A – this group is about 10% of the total inventory, but includes high value items. Items in
this group may account for about 70% of total sales.
• Group B – this group is about 20% of the total inventory, and is made up of medium value items.
Items in this group may account for about 20% of total sales.
• Group C – this group is the remaining 70% of the inventory and is made up of low value items.
Items in this group would make up the remaining sales, or roughly 10% of total sales.
Because of the high value of Group A, Group A is reviewed regularly and more tightly controlled than the
other groups.
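The ABC split described above is a ranking exercise: items are sorted by annual usage value and the top slice of the item count becomes Group A. The following Python block is an added example, not HOCK's material; the SKUs, quantities and unit costs are constructed, and the 10% / 20% item-count cut-offs are taken from the text. It also reports what share of total value each group ends up holding, which is what justifies reviewing Group A more tightly.

```python
from dataclasses import dataclass


@dataclass
class Item:
    sku: str
    annual_units: int
    unit_cost: float

    @property
    def annual_value(self) -> float:
        # Annual usage value is the usual ranking key for ABC analysis.
        return self.annual_units * self.unit_cost


# Constructed sample inventory (hypothetical SKUs and figures, not from the page).
SAMPLE_INVENTORY = [
    Item("SKU-001", 1200, 250.0),  # 300,000
    Item("SKU-002", 800, 40.0),    # 32,000
    Item("SKU-003", 5000, 3.5),    # 17,500
    Item("SKU-004", 60, 900.0),    # 54,000
    Item("SKU-005", 300, 12.0),    # 3,600
    Item("SKU-006", 2500, 1.2),    # 3,000
    Item("SKU-007", 150, 30.0),    # 4,500
    Item("SKU-008", 90, 15.0),     # 1,350
    Item("SKU-009", 400, 2.0),     # 800
    Item("SKU-010", 1000, 0.5),    # 500
]


def classify_abc(items, a_share=0.10, b_share=0.20):
    """Rank items by annual value; the top a_share of the item count is Group A,
    the next b_share is Group B, everything else is Group C. Returns {sku: group}."""
    ranked = sorted(items, key=lambda it: it.annual_value, reverse=True)
    n = len(ranked)
    a_cut = max(1, round(n * a_share))            # at least one item in A
    b_cut = a_cut + max(1, round(n * b_share))
    groups = {}
    for idx, it in enumerate(ranked):
        groups[it.sku] = "A" if idx < a_cut else "B" if idx < b_cut else "C"
    return groups


def value_share_by_group(items, groups):
    """Fraction of total annual value held by each group (sums to 1.0)."""
    total = sum(it.annual_value for it in items)
    shares = {"A": 0.0, "B": 0.0, "C": 0.0}
    for it in items:
        shares[groups[it.sku]] += it.annual_value / total
    return shares


def review_items(items, groups, group="A"):
    """SKUs that fall in the group that warrants regular review and tight control."""
    return sorted(it.sku for it in items if groups[it.sku] == group)


if __name__ == "__main__":
    g = classify_abc(SAMPLE_INVENTORY)
    print(g)
    print(value_share_by_group(SAMPLE_INVENTORY, g))
    print("tightly controlled:", review_items(SAMPLE_INVENTORY, g))
```

On the constructed data the single Group A item holds roughly 72% of annual value, the two Group B items about 21% and the seven Group C items about 7%, which matches the 70/20/10 pattern the text describes.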
Electronic Commerce
Electronic commerce (e-commerce) is more than just buying and selling online. Broadly, it includes the entire
process of developing a product, marketing and selling it, delivering the product, servicing customers, paying
for products and services purchased, and receiving payment for products and services sold. All of this can be
transacted in the global marketplace by using the Internet, intranets, extranets and other technologies.
Business-To-Business (B2B)
Business-to-business (B2B) commerce refers to the connection of vendors, distributors and other businesses
through extranet e-commerce sites, and more recently the Internet. Before Internet B2B commerce, only the
largest companies were able to afford direct B2B commerce due to the high cost of creating the connections
between businesses. The Internet has played a critical role in the evolution of B2B commerce because
business information can be transferred instantly between businesses of almost any size. This means that
smaller businesses can compete more effectively with larger competitors. For example, because purchasing
can be done automatically through B2B Internet connections, purchasing costs can be reduced, regardless of
whether you are a large retailer or a small-town store.
In addition to direct links between businesses, there are e-commerce portals that provide auction, reverse
auction, and virtual marketplaces for multiple businesses. Buyers are able to seek bids on manufacturing
inputs and operating supplies (reverse auction). Likewise, sellers are able to reduce their selling and
advertising costs because the customers are brought together in one location.
Originally, B2B hubs were of two basic types: vertical and horizontal.
• Vertical B2B hubs provided products or services specific to the sellers, buyers and complementary
operations within a single industry or market. Their focus was primarily on the buying and selling of
manufacturing inputs.
• Horizontal B2B hubs provided business processes across different industries. Their focus was more
on the buying and selling of operating supplies.
These B2B hubs originally earned their revenues from transaction fees, subscription fees and advertising.
After the dot-com bubble burst in 2000, many of these e-marketplaces went out of business. Those that
remain have become less oriented toward either the vertical or horizontal models. Some have become service
exchanges, concentrating on helping businesses collaborate with one another. Others have focused on just
one business process. Still others have changed their focus from transactions to solutions, while some provide
value by creating and disseminating information that helps the members improve their businesses processes.
Revenue for these B2B hubs comes not only from transaction fees, subscription fees and advertising, but also
from consulting, product maintenance, software licensing, application hosting and other related services.
Note: E-commerce can bring together groups of vendors and purchasers, enabling purchasers to have
vendors compete by bidding online for their orders.
EDI has increasingly moved to the Internet instead of using dedicated lines. Transmission over the Internet
may be done by means of a secure virtual private network, or through use of a third-party service bureau.
For a fee, the EDI service bureau can provide smaller suppliers with the translation software capability so that
they do not have to make an investment in software and/or hardware of their own.
A value-added network (VAN) service may also be used by a large company to connect with its suppliers.
A VAN service acts as an EDI message center. Any member can connect to the VAN and leave or pick up
messages from other members. In addition to routing messages, a VAN also provides translation software,
encrypts and authenticates messages, and checks for message completeness and authorization.
• Survival: many smaller organizations have been forced to implement EDI in order to continue doing
business with larger organizations. This is possible for small businesses because of the Internet and
third-party processors.
• Conflicts have been reduced between trading partners and communication has been improved.
Suppliers may be given access to information about what is selling and what is not, which can enable
the supplier to forecast customer demand and thus be more responsive to the needs of its customer.
• Data is timely and accurate and thus forecasting, analysis, and cash management are improved.
• Processes are streamlined, reducing costs of entering data manually and preparing and then faxing
or mailing purchase orders and other documents.
• Accuracy is increased because data does not have to be entered manually.
• Time spent to negotiate contracts between the parties and/or VAN providers.
• Employee training in the use of the system.
• Reengineering the affected applications.
• Hardware and software required for the system to work.
• Added costs for security and control procedures.
• Proper authorization of transactions is required. Since signatures are not utilized for authorization,
there has to be some other way of authenticating that a message is authorized by a person who has
the proper level of authority. Digital signatures may be used.
• Making sure that the message is actually sent to the party that is intended to receive it.
• Controls must be in place to ensure that a clerical error in incoming data is not replicated in the
input to the receiver’s system.
• Program change controls and physical security of the computer system are more important, because
the computer will be initiating and authenticating the messages.
• If a third party or value-added network is used as an intermediary between the two parties, controls
must be in place to ensure correct translating and routing of messages, and security procedures
must prevent compromise of confidential data.
• Data encryption (cryptography) may be required to protect the data during transmission.
• An EDI system eliminates much of the paperwork that used to exist for orders, so there are
additional issues for an auditor in performing an audit. Because the record of transactions may not exist
for a long period of time, the auditor may need to perform auditing procedures more often and need
to seek other sources to confirm the transactions and the validity of the transactions.
• The auditor will need to test the controls that are in place to ensure that only authorized transactions
are performed.
• Continuous auditing may be built into the system through embedded audit modules that trigger
an alert to the auditor whenever suspect data is transmitted or if there is an attempt to access the
system without authorization.
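The control points listed above (authenticating that a message came from an authorized sender, confirming it reached the intended party, checking completeness, and catching clerical errors before they replicate into the receiver's system) can be exercised on a small scale. The Python block below is an added example and is not HOCK's material or any EDI vendor's code. It stands in an HMAC for the digital signature the text mentions: an HMAC authenticates with a key shared by the two trading partners, whereas a true digital signature uses the sender's private key and also gives non-repudiation. The envelope format, partner identifiers, control numbers and segment fields are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed shared secret for one trading-partner pair (hypothetical value).
# A real deployment would hold per-partner keys in a key management system.
PARTNER_KEY = b"constructed-demo-key-not-for-production"

# Fields every line-item segment must carry in this constructed format.
REQUIRED_SEGMENT_FIELDS = ("line", "part", "qty")


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so sender and receiver authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_message(sender, receiver, control_number, segments, key=PARTNER_KEY):
    """Sender side: wrap order segments in an envelope and attach an authentication tag."""
    body = {
        "sender": sender,
        "receiver": receiver,
        "control_number": control_number,      # unique per message, detects replays
        "segment_count": len(segments),        # lets the receiver check completeness
        "segments": segments,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_message(msg, my_id, seen_control_numbers, key=PARTNER_KEY):
    """Receiver side. Returns (accepted, reason) and records accepted control numbers."""
    body = msg.get("body")
    tag = msg.get("tag", "")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed envelope"
    # 1. Authorization: only a holder of the partner key can produce a valid tag.
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "authentication failed"
    # 2. Routing: the message must be addressed to us.
    if body.get("receiver") != my_id:
        return False, "misrouted: addressed to another party"
    # 3. Completeness: declared segment count must match what arrived.
    segments = body.get("segments", [])
    if body.get("segment_count") != len(segments):
        return False, "incomplete: segment count mismatch"
    # 4. Replay / duplicate detection by control number.
    cn = body.get("control_number")
    if cn in seen_control_numbers:
        return False, "duplicate control number"
    # 5. Edit checks so a clerical error is not replicated into our system.
    for seg in segments:
        if any(f not in seg for f in REQUIRED_SEGMENT_FIELDS):
            return False, f"segment missing field: {seg}"
        if isinstance(seg["qty"], bool) or not isinstance(seg["qty"], int) or seg["qty"] <= 0:
            return False, f"implausible quantity in line {seg.get('line')}"
    seen_control_numbers.add(cn)
    return True, "accepted"


def run_demo():
    """Exercise each control with constructed messages; returns the outcome per scenario."""
    seen = set()
    po = [{"line": 1, "part": "P-100", "qty": 25}, {"line": 2, "part": "P-200", "qty": 4}]
    results = {}
    good = build_message("SUPPLIER-A", "RETAILER-B", 1001, po)
    results["valid"] = verify_message(good, "RETAILER-B", seen)
    results["replay"] = verify_message(good, "RETAILER-B", seen)       # same control number again
    tampered = copy.deepcopy(good)
    tampered["body"]["segments"][0]["qty"] = 2500                       # altered in transit
    results["tampered"] = verify_message(tampered, "RETAILER-B", seen)
    misrouted = build_message("SUPPLIER-A", "RETAILER-C", 1002, po)
    results["misrouted"] = verify_message(misrouted, "RETAILER-B", seen)
    clerical = build_message("SUPPLIER-A", "RETAILER-B", 1003,
                             [{"line": 1, "part": "P-100", "qty": -25}])
    results["clerical"] = verify_message(clerical, "RETAILER-B", seen)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:10s} -> {outcome}")
```

The order of the checks matters: authentication runs first so that nothing in an unauthenticated body is trusted, and the control number is only recorded once every other check has passed, so a rejected message does not block a later legitimate retransmission with the same number.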
Question 21: E-commerce portals create marketplaces that facilitate all of the following activities except:
a) Data storage.
(CMA Adapted)
Business-To-Consumer (B2C)
The retail sector of e-commerce is growing steadily, and many retailers have expanded into e-commerce in
addition to their traditional marketing methods. Online catalogs feature multimedia, virtual models, online
chat with customer service representatives and secure electronic payment systems. Amazon.com is perhaps
the best example of a large, highly successful online B2C store.
When an order is placed via the Internet, the consumer is provided with entry boxes to complete. As the
consumer fills out the form, the data is captured and transmitted to the seller. Fulfillment of orders placed on
the Internet may be done by means of shipping merchandise, or it may be in electronic format, forwarded
over the Internet to the consumer, or downloaded by the consumer from the seller’s website.
Consumer-To-Consumer (C2C)
Consumers can even sell to one another through online auctions such as eBay. Both B2B and B2C
e-commerce participants may participate in consumer or business auctions online.
Online transaction processing can also refer to a real-time system that performs processing activities at data
entry terminals. An automated teller machine (ATM) or a computerized reservation system is an online
transaction processing system.
• Less paperwork is generated when transactions are performed online and there are fewer errors
made from re-entry of transaction data.
• Timely updating of accounts allows for faster business decisions. For example, inventory levels can
be automatically adjusted with each purchase, eliminating the need to perform an inventory count.
• OLTP systems are generally available 24/7 and can run without direct human interaction. For
example, most online stores are available any time of the day, without the need for a 24-hour sales staff.
• Because an OLTP system is accessible via the Internet, security is a constant concern. Online
stores must maintain careful controls to prevent hackers from stealing customer information.
• Potential for lost revenue due to disruptions in service. When an online store is down, sales stop and
some customers may buy from a competitor. In addition to equipment failure, a Denial of Service
(DoS) attack, which floods servers with bogus requests and slows them down, can also disrupt online sales.
Question 22: Companies now can use electronic transfers to conduct regular business transactions. Which
of the following terms best describes a system in which an agreement is made between two or more
parties to electronically transfer purchase orders, sales orders, invoices and/or other financial
documents?
(CIA adapted)
Question 23: Which of the following are essential elements of the audit trail in an electronic data
interchange (EDI) system?
(CIA adapted)
Unfortunately, by the time decline is recognized, the company is probably already in trouble. In these cases,
good leadership is vital to get the business back on course.
The figure below shows the different stages of the business development life cycle.
[Figure: business development life cycle, with revenues on the vertical axis and time on the horizontal axis]
1. Start-up Stage
This stage covers the early period of the company and it lasts from when the company’s existence begins
through to the legal registration of the company. In this stage the company starts producing a product or
offering a service. Generally in this stage the company is operating in the red (losing money) because of
heavy costs in advertising and marketing and low revenues as the business is starting.
• Challenge for the company – To survive with what funds it has and to focus on effectively
managing its cash flows.
• Market focus – To get the product or service to market as quickly as possible, without delay. The
company then needs to concentrate on establishing its customer base.
• Control focus – In this phase, controls tend to be very lax. The company is developing a control
framework, but management is more interested in making sales than in controls.
• Internal auditing – In this phase, companies are not likely to have an in-house internal auditing
function. However, it is possible that the function could be outsourced.
2. Growth Stage
During this stage, revenues are rising, the number of customers is growing, and there are many new
opportunities and issues. It is in this stage that the company starts to generate significant profits, but the
profits may not be enough to meet its financing needs that arise from the need to support the growth. In this
case, the company may seek external financing in the form of venture capital, or if the company is
extremely successful, it may be able to issue publicly traded securities. Securities markets generally
provide financing that is lower cost than venture capital. However, companies in this stage do need to be
careful because strong competition may begin putting pressure on the company to control costs.
• Challenge for the company – During the start-up stage it was the entrepreneurs who made the
decisions for the company. During the growth stage, it becomes necessary for the entrepreneurs to
hire professional managers to run and grow the company. This means that the owners (entrepreneurs)
have to give up a great deal of authority and responsibility. The challenge for management is
to make sure the right people are in the right positions.
• Market focus – Markets are growing rapidly during this stage. The focus of the company is to make
sure that it is able to keep up with customer demand, because if it cannot then it is possible the
company could lose ground to the competition.
• Control focus – Better accounting and management systems have to be set up. New employees will
have to be hired and trained to deal with increased sales. Companies need to make sure they have
the controls in place so that they hire the right personnel. During this phase, internal control
systems become much more formal, as does the planning process. The company starts to develop
comprehensive strategic plans.
• Internal auditing – The primary function of internal auditing is to make sure control systems have
integrity and work properly.
3. Maturity Stage
By this stage, the company has matured into a thriving company with market position and loyal customers.
However, sales growth starts to slow down. Life within the company has become much more routine. The
majority of companies are in this stage.
• Challenge for the company – To maintain its market position and profit margins through the
introduction of new products or services.
• Market focus – The company needs to be focused on maintaining its market share. It can do this
by expanding into new markets, or expanding its product line in its existing markets. The company
may have to lower prices to retain customers.
• Control focus – The focus is on increasing productivity, profitability and cash flows, which means
that there need to be tight controls over processes. In order to compete in the marketplace,
management should be looking at automating its business processes, which could include some
outsourcing of non-vital support services, such as payroll, IT, etc.
• Internal auditing – Internal auditing is concerned with maintaining the integrity of controls.
Internal auditors need to be aware that in order to maintain profit margins, management may try to cut
costs, which could endanger the segregation of duties.
4. Decline Stage
The decline stage is marked by declining sales and an erosion of profit margins. Decline in demand can be the
result of product obsolescence, stiffer competition, economic conditions, or even organizational atrophy.
Atrophy happens in companies that are large in size and where management becomes complacent with the
way things are. This can cause employees to lose trust in leadership. The company slowly ceases to grow or
develop and does not properly respond to the challenges facing the company.
• Challenge for the company – To decide how long it is able to sustain declining sales and profits, or
possibly even negative cash flows. At this point, management may consider substantial layoffs, or
even finding an exit strategy.
• Market focus – A company could reduce its product line so that it can concentrate only on those
products that are profitable. The company could also try to rejuvenate surviving products by adding
some new features or changing the outside of the product to make it look new. However,
rejuvenating products would take additional capital investment.
• Control focus – Management needs to find new ways of streamlining control processes so that they
become more effective and efficient. If layoffs do happen, then management needs to make sure
that there is still proper segregation of duties.
• Internal auditing – By the decline phase, internal auditing should be well entrenched in the
company. At this point, internal auditing should be concentrating on operational efficiency by trying to
eliminate waste. With eroding profitability, internal auditors need to be aware that management
might try to manipulate financial information in order to hide losses.
Question 24: During which stage of the business life cycle is it most likely for there to be a change in
leadership?
a) Start-up stage
b) Growth stage
c) Maturity stage
d) Decline stage
(HOCK)
Question 25: In which stage of an entity’s development is it most likely to seek and obtain external equity
financing in the form of venture capital?
a) Start-up stage
b) Growth stage
c) Maturity stage
d) Decline stage
(CIA adapted)
These standards are not set to assure the quality of an individual product, but to assure that the
quality is the same throughout the company’s entire product line.
Note: At least 610,000 organizations in 160 countries currently implement ISO 9000.
ISO 9000 comprises five individual but related standards on quality management. In addition, there are two
standards that relate to auditing and measuring (ISO 10000). These standards state only what should be
achieved, but do not state how to achieve quality. They are a target rather than specific instructions. The
seven standards are:
• ISO 9000 describes fundamental quality concepts and provides guidelines as to which standard is
appropriate for a particular company.
• ISO 9001 provides a model for quality assurance in design and development, production,
installation and servicing.
• ISO 9002 provides a model for quality assurance in production and installation. It also addresses the
prevention, detection, and correction of problems in industries in which work is based on
designs and specifications supplied by customers.
• ISO 9003 provides a model for quality assurance in final inspection and testing.
• ISO 9004 helps a company develop and implement an internal quality system or evaluate an
existing system.
• ISO 10012 contains quality assurance requirements for measurement processes and measuring
equipment.
The ISO has also published a set of environmental standards known as ISO 14000. These standards are
similar to the ISO 9000 standards but concern environmental quality systems.
ISO 19011 was issued in 2002 as guidance for auditors of ISO 9000 and ISO 14000 compliance.
An important ISO 9000 compliance requirement is the establishment of an internal audit system. Participating
corporations must hire an external auditor to ensure that they are meeting all the ISO 9000 standards.
There is no legal requirement for companies to adopt the ISO standards, but many companies have done so
in order to be able to compete internationally.
A potentially serious problem with outsourcing is that when a company outsources, it loses control of the
function. It is then more difficult to correct problems, or possibly to bring the function back in-house since
management may not have the expertise in the field.
Section D – Communication
The Importance of Communications
For management to be successful, it must clearly and effectively communicate its objectives and deadlines.
Without effective communication, an organization endangers productivity, compromises its ability to
efficiently implement management decisions, and risks causing confusion. Since every function and activity in
the organization involves some form of communication, whether in planning, organizing, directing or leading,
no management decision can succeed unless it is fully understood by those responsible for implementing
it.
As you study for this section, remember that it makes up only 5–10% of the exam, so it should not be the
main focus of your attention. Many questions can be answered by common sense and from your own
experience working as an internal auditor. We recommend that you read through the material, make sure you
understand the general concepts, and use ExamSuccess to become familiar with what has been asked in the
past.
Communication
The Communication Process
Communication is a process in which two or more people share information and meaning. We know that this
process is not always simple or clear-cut. In some cases, communication is fraught with miscommunication.
We will look at the basic elements of the communication process shown in the diagram below.
[Diagram: the communication process. The source encodes a message and transmits it on a medium; the receiver decodes it. The receiver's response is encoded and transmitted back on a medium and decoded by the source, forming a feedback loop.]
• The sender can be any entity – an individual, a group, an organization or an individual acting as the
representative of a group or organization – that has something to communicate to another entity.
• Encoding is the process by which the message is put into symbols that can be transmitted. These
symbols can be words, numbers, sounds, body language and facial expression. Emotions may be a
part of the message, affecting the encoding process. Tone of voice can be used to convey urgency,
for example.
• Transmission is the process by which the symbols carrying the message are sent to the entity that
is intended to receive the message.
• The medium is the path that the transmission follows. If two people are talking, the medium is
sound waves. Other media are the telephone, email or voicemail. Mass media includes printed
media, broadcast media and the Internet. The medium can affect the message. For instance, a
telephone call is more personal than a letter and is likely to receive a different response. It is
important that the sender select a medium that is compatible with the message.
• Decoding the message occurs when the receiver interprets the meaning of the message. In the
decoding phase, the receiver is active. The receiver attaches meaning to the symbols transmitted
from the sender. If the meaning the receiver attaches to the message is different from the meaning
the sender attached to it, a communication breakdown has occurred.
• The receiver, like the source, can be any entity: an individual, a group, an organization or an
individual acting as the representative of a group or organization. The receiver decides whether to
make an effort to decode the message and whether to respond. Emotions can affect the receiver’s
receipt of the message. For example, when a manager asks an employee to perform a task, the
employee may not want to understand a manager’s meaning and thus will not receive the message.
• Feedback is the way the receiver responds to the message. Feedback tells the source whether the
message was received and understood. In the example above, the employee could respond verbally
by letting the manager know that he has not understood the message. The employee could also give
nonverbal feedback by simply not complying with the manager’s request.
• Noise is anything that interferes with communication. We are all familiar with radio static and
“snow” and “ghost images” on television. This is channel noise. In personal communication,
emotions can be a type of noise, because they can interfere with the encoding or decoding process.
Complete communication must include a response from the receiver. Without a response, the sender cannot
know whether the message has been communicated. An example of no response is a voicemail message left
or an email sent. Without a response back, the sender has no idea whether the message has been received.
This entire process works best when the sender and the receiver share the same points of reference and
background. When they have different backgrounds, the sender needs to make sure that the message is sent
in a way that the receiver can receive and understand it. This means that the sender needs to take into
account any cultural, educational or other differences that may distort their message, creating noise.
Because so much of what a manager does involves communication in one form or another, the ability to
communicate effectively is critical to success as a manager. A manager who is a poor communicator will
have difficulty being an effective manager because it is this communication that ties the individuals of the
organization together into a cohesive unit.
Interpersonal Communication
Interpersonal communication may be oral (spoken), written or nonverbal.
• Oral communication includes one-on-one conversations, speeches, group discussions and the
informal rumor mill, or grapevine. Oral communication is less formal, less accurate and also much less
permanent than written communication. This is also the method that managers use to communicate
most often. An advantage to oral communication is that it enables immediate feedback.
• Written communication includes memos, letters, email, faxes, employee newsletters, bulletin board
notices or any other means of communicating in writing. Written communications have the
advantage of being tangible. The sender and the receiver both have a written record of what was
communicated. If there are any questions, the written record can be referred to. Although written
communications are more precise than oral communications, they have the disadvantage of being
time-consuming to create. Another disadvantage is that there is no immediate feedback.
• Nonverbal communication is transmitted along with every verbal message we give. The nonverbal
message may be even stronger than the verbal message. Nonverbal communication includes body
language, the emphasis or inflection we give to words and the tone of our voice, our facial
expression, and the physical distance between the sender and the receiver. We usually transmit nonverbal
messages unconsciously. Nonverbal messages can convey the relative status between sender and
receiver, and whether one of the individuals likes the other and is interested in the other’s opinions.
The receiver needs to be alert to nonverbal communication as well as the verbal message, especially
when the nonverbal message contradicts the verbal message.
Communication within a company may be upward, downward or horizontal (from one peer to another
within the same level).
• Downward communication usually flows along reporting lines from superior to subordinate and
provides directions such as job descriptions, official memos, and procedures manuals.
• Upward communication is vertical communication that provides feedback to management such as
surveys, suggestion systems, informal meetings, exit interviews, and conferences.
• Horizontal communication crosses traditional reporting lines and involves employees getting the
information they need to perform their jobs. Horizontal communication is faster than either upward
or downward communication, because it does not follow any organizational “chain of command.”
Formal Communications
Formal communication is the communication that occurs within the formal structure of the company.
Communications networks form spontaneously as part of the interactions among workers.
1) A wheel network has one person who is central to the group, and communications flow back and
forth between that person and every other person in the group. If a team has a strong leader, this is
the type of network you would expect to find, although participants may have a low level of
satisfaction. A wheel network is fast and accurate.
2) A chain network relies on the chain of command to relay messages. Each member communicates
only with the person above and below him.
3) In a circle network, each person in the network communicates only with the people on either side.
4) In a Y network, the information is highly centralized, with a central supervisor through whom most
of the information is communicated. The network is in the shape of a Y, and the central supervisor is
positioned at the junction. Satisfaction among participants is low. As in a wheel network, the
network is fast and accurate and facilitates emergence of a leader.
5) In an all-channel network, all members communicate with all the other members. Formal,
all-channel networks are most often used by self-managed teams when all the members contribute
equally and no one person is the leader. Member satisfaction is relatively high.
Informal Communications
Informal communication takes place outside the formal communication structures of an organization. The
grapevine is the informal communication network, and it operates like an all-channel network. The
grapevine is an important source of information for employees.
Studies have shown that only a small subset of grapevine members (about 10%) actually pass on information
that they receive from the grapevine.
Because the grapevine can identify issues that employees consider important and that cause them anxiety,
managers are well advised to pay attention to it.
• A gatekeeper controls information moving through the channels by virtue of the strategic position
that he or she holds. If a manager wants to make sure the CEO receives some information, the
gatekeeper is the one to approach.
• A liaison serves as a bridge between groups. The liaison facilitates communication flow in order to
integrate group activities.
• The cosmopolite links the group to the outside, perhaps by attending meetings and trade shows and
generally keeping up with developments in the field. This person often functions as the opinion
leader in the group.
• The isolate is a person who tends to work alone and has little contact with others. The isolated
dyad consists of two employees who have contact with each other but little contact with any others.
If an employee who is an isolate has technical information that is needed for a project, a manager
may need to make a special effort to integrate that person into the communication network for the
duration of the project.
Question 26: A company is rumored to be considering downsizing. Because a manager stops the use of all
temporary employees, the staff concludes that some jobs will be lost. Which of the following is true about
the manager's communication about job losses?
a) The staff decoded the formal communication sent by the manager correctly.
d) The channel through which the message was sent was appropriate.
(CIA adapted)
Question 27: Communication plays a major role in the successful operation of all organizations. Which of
the following statements concerning organizational communications is false?
b) Communication is what the sender says, not what the receiver understands.
d) Management spends the majority of its time communicating with other members of the organization.
(CIA adapted)
(CIA adapted)
Question 29: Which of the following is least appropriate with regard to management's approach to
informal group or grapevine communication? Management should:
d) Make use of it as a means of transmitting information not appropriate for formal communication
channels.
(CIA adapted)
Question 30: A purchasing agent placed a rush telephone order with a supplier. The clerk in the supplier's
office repeated the order specifications back to the purchasing agent. No written confirmations were
exchanged. When the shipment arrived, it was late and of the wrong quantity. However, the purchasing
agent was unable to prove that the shipment was unsatisfactory. What link of the communication chain
has failed in this scenario?
a) Encoding
b) Decoding
c) Medium
d) Feedback
(CIA adapted)
Question 31: The supervisor of purchasing reviewed a memorandum prepared for a buyer in the
department. The memo read, "Effective September 30, the corporation has determined that your
functions will be absorbed into our parent company's small-unit purchasing function. This will reduce
operating costs, improve communications, and facilitate production-engineering changes. You will be
provided with outplacement support." "That should cover the situation," thought the supervisor. "It's too
bad that I am leaving on vacation before the buyer returns from vacation, but this memo will give the
buyer the general idea."
d) The supervisor did not account for the noise in the communication chain.
(CIA adapted)
Problems in Communication
There are a number of things that can cause communication to break down. Some of them are discussed
below.
• Filtering means putting a “spin” on a message. The sender purposely presents the information so it will be received favorably. This may mean telling only part of the information or telling only what the receiver wants to hear. Some filtering is expected when the sender is of lower status than the receiver, due to the sender’s desire to please the boss and fear of being the bearer of bad news.
• Selective perception refers to the receiver being selective in what he or she hears due to needs, motivations, bias or other personal matters. Receivers decode messages according to their own interests and expectations.
• Information overload occurs when information comes in at a rate that exceeds our ability to process it. When people have more information than they can use, they may stop processing until the overload situation is over, or they pass over some of the information. The result is lost information.
• Language varies among cultural backgrounds, age groups and educational levels. People interpret words differently, and the way the message is interpreted may be quite different from what the sender intended. Semantic problems can occur when people attribute different meanings to the same word.
• Jargon, which is the specialized language of a given trade or profession, can aid communication among members of that trade or profession. However, sometimes people use jargon that others are not comfortable with, and as a result communication breaks down.
• Communication apprehension affects many people. It refers to the anxiety they feel at communicating, either orally or in writing, or both.
• Status barriers can impede communication if, for example, the CEO pays no attention to communications from employees far down in the hierarchy, and employees disregard communications from the CEO.
• Gender barriers can create communication problems between men and women. In general, men and women have different conversational styles. Research has indicated that men use talk to emphasize status, whereas women use talk to create connections. Men are more direct than women and tend to be more boastful. These differences can lead to misunderstandings.
• Poor channel selection results if the sender uses the wrong medium of communication. For instance, if you were trying to convey something to someone over the telephone, a gesture would not be communicated.
• Noise in the communication channel is any disturbance that prevents the receiver from receiving the message, or it may be confusion created by the sender as a result of communicating something at an inappropriate time or in an inappropriate setting. Emotions that affect the receipt of a communication because of the way the receiver is feeling are a type of noise. The grapevine is also a form of noise, because the grapevine can distort communication.
Question 32: In some organizations, first-line supervisors withhold or alter unfavorable information that
they do not want higher management to know. This selective withholding of information is widely known
as:
a) Selective reception
b) Filtering
d) Perceptual defense
(CIA adapted)
(CIA adapted)
• Reduce noise by eliminating distractions. If the grapevine is causing noise because of inaccurate
information, management can reduce the distortion by using the grapevine to disseminate accurate
information and by monitoring it for accuracy.
• Encourage informal communication, which is more open than formal communications. Open
communication fosters trust and sometimes permits information to be communicated in a timelier
manner than does the formal information system.
• Feedback is a very important part of communication. Feedback verifies to the source of the message that the message has been received and verifies to the recipient that he or she has interpreted the message correctly. Without feedback, if the source needs to send another message that depends upon receipt of the first, the source will not send the second message or may re-send the first message. And if the receiver of the message acts on the message without first verifying that he or she has received it correctly, the action taken may be inappropriate. The source must ask for feedback, and the receiver must supply the feedback.
• Trying to understand each other’s perspective will help the source and the receiver overcome perception problems, because we may be able to eliminate some of the problems by knowing how the other person is approaching the exchange.
Listening
Having proper listening skills plays an important role for employees involved in sales, customer service, or management because these people have to listen to others. Based on surveys, the typical manager spends about 9% of a working day reading, 16% writing, 30% talking, and 45% listening. But listening is not just about hearing a message; it also involves the process of decoding and interpreting the message.
Typically a problem with listening has to do with the fact that people generally can process information at a much faster rate than most people talk. Researchers have found that the average person speaks about 125 words per minute but is able to comprehend about 500 words per minute. The difference between the rate of communication and the rate of comprehension is called an information-processing gap. A poor listener will use this information-processing gap to daydream and think about other things, thereby not comprehending what is being said.
Keys to Effective Listening (The Good Listener versus The Bad Listener)

1. Capitalize on thought speed
   The good listener: stays with the speaker, mentally summarizing the speaker, weighing evidence, and listening between the lines.
   The bad listener: tends to daydream.

2. Listen for ideas
   The good listener: listens for central or overall ideas.
   The bad listener: listens for facts.

3. Find an area of interest
   The good listener: listens for any useful information.
   The bad listener: tunes out dry speakers or subjects.

4. Judge content, not delivery
   The good listener: assesses content by listening to the entire message before making judgments.
   The bad listener: tunes out dry or monotone speakers.

5. Hold your fire
   The good listener: withholds judgment until comprehension is complete.
   The bad listener: gets too emotional or worked up by something said by the speaker and enters into an argument.

6. Work at listening
   The good listener: gives the speaker full attention.
   The bad listener: does not expend energy on listening.

8. Hear what is said
   The good listener: listens to both favorable and unfavorable information.
   The bad listener: shuts out or denies unfavorable information.

10. Use handouts, overheads, or other visual aids
   The good listener: takes notes as required and uses visual aids to enhance understanding of the presentation.
   The bad listener: does not take notes or pay attention to visual aids.
Question 34: Which of the following is the best indicator of the effectiveness of a communication on a
receiver?
b) Clarity of message
(CIA adapted)
Question 35: An advisable strategy for a participant in a meeting of employees would be to:
a) Read the agenda and supporting materials for the meeting during the early part of the meeting to
prepare for later discussion.
d) Consider the opinions and information needs of other participants before speaking.
(CIA adapted)
Question 36: Studies have shown that the typical manager spends about 9% of a working day reading,
16% writing, 30% talking, and 45% listening. Listening effectiveness is best increased by
c) Tuning out messages that do not seem to fit the meeting purpose.
(CIA adapted)
Electronic Communications
Electronic communications have changed the way individuals, managers, and businesses receive, process and send information. This change gives businesses the opportunity to use “IT as a lever to improve productivity and customer and employee satisfaction.” 6 Ultimately, these changes have meant that managers at all levels of the organization are able to stay on top of their jobs.
The five key components of IT that impact communication patterns within the workplace are:
1) The Internet is a global computer networking system that, in essence, is able to connect everything together from supercomputers to personal computers. Included within the Internet system are Intranets and Extranets.
2) E-mail is a method of composing, sending, storing, and receiving messages over electronic communication systems. The term email applies both to the Internet email system and to Intranet systems allowing users within one company or organization to send messages to each other. Some of the primary benefits of email are:
• Its ability to reduce the cost of having to distribute information to a large number of employees.
• Its ability to increase teamwork by enabling employees to quickly send out messages to colleagues, whether they are in the same building or in another country.
• Its ability to be flexible. This is particularly true for employees with laptop computers.
Despite the potential benefits from using emails, there are some disadvantages, including:
• The potential to waste time and effort. Using email can distract employees from more important
work.
• The potential for information overload. The problem used to be a lack of information, but today the problem is with junk mail, bad jokes, and useless memos. Companies today need to have a concerted effort to control the use of email, so employees can stay more focused on the achievement of company goals and objectives.
• The potential to reduce communication effectiveness. With the advent of email, there is less
face-to-face communication, which can lead to employees feeling less connected.
3) Videoconferencing allows two or more locations to interact via two-way video and audio transmissions
simultaneously. Videoconferencing enables people at different locations to conduct a meeting without
having to travel, reducing travel costs and time required to travel.
4) Cell phones are another means by which people can communicate at a reasonable cost. Cell phones allow for timely, flexible and convenient communications.
6 Kreitner R. & Kinicki A., Organizational Behavior, 5th edition, pg. 501.
7 Ibid., 503.
5) Telecommuting is a work arrangement in which employees enjoy limited flexibility in working location
and hours. Therefore, the daily commute to the office is replaced by telecommunication links.
• Reduction of costs by not having to pay for office space and other support costs, and
• Increased flexibility and autonomy for workers, which eases the working parent’s burden, increases
employee productivity, and reduces absenteeism.
• Telecommuting employees have a tendency to fall behind in their fields of specialization, and thus,
further job advancement may be more difficult to achieve.
• Intranet access for the telecommuter may be slower due to telephone or modem connections and
may be blocked for security reasons.
• Work hours at home can either be not enough or too much, and there may be too many distractions
at home.
• Employers risk the potential loss of data confidentiality and integrity because of the lack of access
control in the home office.
• Certain office functions such as corporate culture, loyalty, communication, access to people, and
managerial control have yet to be replaced by the virtual office.
I. Information overload.
a) I and II only
b) II and IV only
(IIA adapted)
Stakeholder Relationships
A stakeholder is an individual or entity who has a material interest in a company’s achievements, validated through some form of investment, and who thereby expects a benefit in return. The specific benefit that a stakeholder aims to receive varies depending on the nature of the interest and investment. That said, any significant investment confers a certain degree of power or influence upon the stakeholder, and that leverage can be used to exert pressure on decisions that a company might make. Generally speaking, stakeholders can be divided into two categories: internal stakeholders and external stakeholders.
Internal stakeholders are those people who are employed by the company, directly invest capital, or are otherwise connected to its daily operations:
• Directors invest time and talents and expect personal advancement, remuneration, and status.
• Senior management invests time and talent and expects personal advancement, remuneration,
and status.
• Employees invest labor and talents and expect pay and, where applicable, benefits.
• Trade unions or staff associations invest time and resources and expect to negotiate benefits
and concessions from the company on behalf of organization members.
External stakeholders, although not directly employed by or investing in the company, nevertheless have
significant interests in the company’s performance:
• Customers “invest” money by way of purchasing goods and services; they expect to have use and
satisfactory enjoyment from the products and services they acquire.
• Suppliers invest their goods and services and expect to be paid and, in certain circumstances, to develop a working relationship with the company to which they provide supplies.
• Contractors and subcontractors invest resources to create specialized services and expect to be
compensated by companies who work with them.
• Distribution networks invest money in transportation infrastructure or other delivery systems and
expect to be compensated by the company for the use of their resources.
• Communities invest their social, economic, and environmental interests and expect employment
and economic prosperity from the company that operates in their locations.
• The general public and government invest public resources and, in certain instances, create laws, regulations, and incentives (such as tax abatements or special rezoning) in exchange for employment and economic prosperity.
In the course of exercising prudent corporate governance, management must oversee the varying and
sometimes incongruous expectations of internal and external stakeholders. For instance, there are occasions
where the desires of company directors may openly conflict with the desires of shareholders, and such
opposing objectives must be mediated if the company is to succeed. One way of managing these competing
expectations is the enlightened shareholder view (or stakeholder theory), which is a corporate governance strategy whereby the board of directors governs the company in the interest of shareholders while at the same time recognizing the interests of the other stakeholder groups.
Managing Stakeholders
An organization’s stakeholder relationships must be managed in accordance with the stakeholders’ bargaining strength, influence, power and degree of interest. Mendelow summarizes the possibilities in his stakeholder map, which can be used to understand who has power and influence over the organization. Business organizations should manage their stakeholders, particularly those with the greatest influence.
Mendelow classifies stakeholders on a matrix by showing the level of interest and the amount of power
stakeholders have in the organization’s activities. These factors will help define the type of relationship the
organization should seek with its stakeholders. Mendelow’s power/interest matrix is shown below.
Interest is horizontal, and power is vertical. The four quadrants are: Ignore, Keep informed, Keep
satisfied, and Key players.
[Figure: Mendelow’s power/interest matrix. Horizontal axis: Level of Interest (Low, High). Vertical axis: Power. Quadrants: Ignore, Keep informed, Keep satisfied, Key players.]
• Ignore quadrant – Stakeholders who are in this category can be ignored by the company. In this quadrant might be the government, some smaller shareholders, or employees who really don’t have any power or interest. However, this strategy does not take into account any moral or ethical considerations in respect to the stakeholders. It is simply the stance to take with some stakeholders if strategic positioning is the most important objective.
• Keep Informed – Most shareholders would fall into this quadrant. You need to keep shareholders
informed of what’s going on (e.g., annual report), but they don’t exert much power. However,
stakeholders in this quadrant can increase their overall influence by forming coalitions with other
stakeholders in order to exert a greater pressure and thereby make themselves more powerful.
• Keep Satisfied – In this quadrant the stakeholder doesn’t have much interest but does have strong
power over the company. All these stakeholders need to do to become influential is to re-awaken
their interest. This will move them across to the right and into the high influence sector, and so the
management strategy for these stakeholders is to ‘keep satisfied.’
• Key players – Key players are those who have the greatest influence on the company. The question
here is how many competing stakeholders reside in this quadrant of the map. If there is only one
(e.g., management) then there is unlikely to be any conflict in any given decision-making situation.
If there are several, then there are likely to be difficulties in decision-making and ambiguity over
strategic direction.
Stakeholder mapping is used to assess the significance of stakeholder groups. This in turn has implications for the organization.
• The framework of corporate governance should recognize stakeholders’ levels of interest and
power.
• It may be appropriate to seek to reposition certain stakeholders and discourage others from repositioning themselves, depending on their attitudes.
Section E – Management and Leadership Principles
1) Strategic Management
Strategic management differs from operational planning in that it takes a longer-term planning view. This
means that it focuses more on where the company wants to go and less on how it will get there.
2) Organizational Behavior
There are two primary topics discussed in organizational behavior:
• Organizational theory. In this part we look at the organizing function of management. Of particular interest is the contingency approach to organizational design, which assumes that no design will fit all organizations. The greater the amount of environmental uncertainty the organization faces, the more adaptive the organization needs to be.
4) Conflict Management
There are two topics here – conflicts and negotiations. Every organization at some point has conflict. So, how
can the organization manage the conflict? Also, every organization has to negotiate. Negotiation involves
examining the facts of the situation and then bargaining to resolve issues, if possible.
• Change management. Every company at some point has to go through change. The change may
be the result of growing the business, or it may be the result of declining sales so the organization
has to reorganize itself in order to survive.
Section E makes up 10 – 20% of the exam, so you do need to spend adequate time on this section. We
recommend you read through the material, make sure you understand the general concepts, and use
ExamSuccess to become familiar with what has been asked in the past.
Strategic Management
Strategic management takes a long-term planning view, covering periods longer than one year. Strategic
management is the process of specifying the organization’s objectives, developing policies and plans to
achieve the objectives and allocating resources so the plans can be implemented.
A characteristic of strategic planning is that it is done at the highest level of management, usually involving
the Chief Executive Officer (CEO) and other members of the executive team. The strategic plan is what
provides overall direction to the entire company. It does this by matching the company’s overall strategic
advantages to the business environment the firm faces. A good strategy is able to integrate the firm’s goals,
policies, and action sequences into a cohesive whole, and must be based on business realities.
Note: Strategic planning is directional, rather than operational. This means it focuses on where the
organization wants to go instead of specifically how it will get there. On the other hand, operational
plans are short-term plans that are usually quantitative (numerical) and often revolve around production,
expenditures, inventory and other common activities in the company.
Whether we talk about strategic planning or operational planning, the ultimate goal of any company is to
achieve superior performance in comparison with its competitors. It is expected that when superior
performance is achieved, company profitability will increase, thereby increasing shareholder wealth.
The result of attaining superior performance will be competitive advantage. A company is said to have
competitive advantage when it is more profitable than the average company in its industry.
Shareholders want profitable growth, looking for both high profitability as well as sustained profit growth.
The general rule is that a company with profits, but whose profits are not growing, will not be valued as
highly by shareholders as a company with profitability and profit growth. Attaining these two objectives is one
of the greatest challenges facing managers.
Profitability can be measured by means of the return earned on invested capital. Return on Invested Capital
(ROIC) is Net After-Tax Profit ÷ Capital Invested. Thus, profitability is the measure of how efficiently and
effectively the company’s management has used the capital that they have in producing goods and/or
services that satisfy the needs of customers.
Profit growth can be measured by the increase in Net After-Tax Profit over a period of time. Profit growth
comes from sales made in markets that are growing rapidly; from taking market share from competitors;
from increasing the sales made to existing customers; or from expansion into new markets or diversification
into new lines of business.
Strategic leaders are responsible for effectively managing the company’s strategy-making process to increase
company performance and maximize shareholder value. The strategies that a company’s management follows
will determine the company’s performance in relation to the performance of its competitors.
In order to increase profitability and sustain growth, managers need to formulate strategies that will give
their company a competitive advantage. This is where strategic planning comes into play. The strategies
that managers pursue create the activities that together can set the company apart from its competitors and
cause it to consistently outperform them.
However, remember that even under the best of circumstances, it is not unusual for a business to fail despite having “excellent” strategies, because there are external influences that the company failed to take into account. Strategy must connect with vision, purpose and likely future trends.
• Strategy implementation involves successfully acting upon the strategy to achieve the desired results. 9 In other words, it means putting the strategy into action.
The diagram below outlines these two strategy-making processes. As we can see, strategy formulation and strategy implementation are not static; together they form an “on-going, never-ending, integrated process requiring continuous reassessment and reformation.”
Strategic Control
Note: There are two parts to strategic control: monitoring the effectiveness of the strategies and actions,
and taking corrective action when required.
As we see, for strategy to work it must be closely aligned with purpose. Purpose is what gives
management direction, which drives performance, which drives the bottom line. But, as Dr. Patrick Dixon 10 so
famously said about strategy: “What is the point [of strategy] if no one cares?”
• Corporate level
A good way to understand these strategic levels is to think of corporate level strategy as being “responsible
for market definition, business-unit level strategy as being responsible for market navigation, and
functional level strategy as the foundation that supports both of these.”
8 Patrick Montana & Bruce Charnov (2000), Management, 3rd Edition, pg. 137.
9 Ibid., pg. 137.
10 Dr. Patrick Dixon was ranked in 2005 as one of the 20 most influential business thinkers alive today (Thinkers 50 2005) and is often described in the media as Europe’s leading Futurist (www.globalchange.com).
Corporate Level
It is at the corporate level that the overall corporate strategic plan is developed. This is the highest level of
strategic management where decisions are made on resource allocation for each division as well as which
businesses to start or terminate. This gives top management the “big picture” view of the organization.
Thus, the critical questions answered at this level would include:
• What level of diversification should the company pursue, i.e., which businesses represent the future?
• Where should the boundaries of the company be drawn and how will these boundaries affect relationships across businesses, with suppliers, customers and other constituents?
• Do the organizational components such as research and development, finance, marketing, and customer service fit together?
• Are the responsibilities of each business unit clearly identified and is accountability established?
• Should the company enter into strategic alliances – cooperative, mutually beneficial relationships with other companies? If so, for what reasons? If not, what impact might this have on future profitability?
As these questions indicate, corporate strategies put in place the long-term direction of the business, but
these strategies have to have the flexibility to change as conditions within the company or industry change.
Top management is directly responsible for the development of corporate strategy and reports to the board of
directors. It is then the board’s responsibility to make sure that management is actually representing the
shareholders’ interest when making these strategic decisions.
• Anticipating changes in demand and technologies and adjusting the strategy to accommodate them.
• Influencing the nature of competition through strategic actions such as vertical integration and
through political actions such as lobbying.
These strategies are limited to the domain of each department’s functional responsibility, but each functional
department attempts to do its part in meeting the overall corporate objectives.
Example: Advertising for a new product could be expected to begin sixty days prior to the shipment of the
first product. Production could then start thirty days before shipping begins. Raw materials, for instance,
may require that orders are placed at least two weeks before production is to start. These are all functional
questions and thus, functional strategies have a shorter time orientation than either business-level or
corporate-level strategies.
Through business portfolio analysis, management identifies the company’s key businesses, which are called strategic business units (SBUs). Each SBU is treated as though it were a separate, independent business with its own mission and objectives (i.e., a marketing plan to support its products or services). It is critical that the company understands how to best use its strengths to take advantage of lucrative opportunities in the marketplace. Therefore, most portfolio analysis methods evaluate SBUs on:
Synergy
Strategic management within different parts of an organization is enhanced when managers are able to think synergistically. Synergy refers to the “phenomenon in which two or more discrete influences or agents acting together create an effect greater than the sum of the effects each is able to create independently.” This positive synergy is referred to as the 2 + 2 = 5 effect.
• Market synergy occurs when products or services can positively complement each other. Shopping
malls would be an example of market synergy where different stores generate sales for each other.
• Cost synergy occurs when combined entities are able to reduce or eliminate expenses. For
example, costs could be reduced by the joint production, delivery or marketing of different products.
• Technological synergy has to do with the transfer of technology from one application to another.
An example of very high-level technological synergy is the transfer of technology that is developed
for the space program to civilian uses.
• Management synergy has to do with the transfer of knowledge between parts of the organization.
For example, if a department lacks specific managerial skills it may be able to access skills in other
departments to fill its needs.
Strategic Management CIA Part 3
On the other hand, combining organizations can sometimes cause negative synergy. In these cases the
combination of the organization’s efforts results in less output than what they would have achieved if they
had each worked alone. This negative synergy can be called the 2 + 2 = 3 effect. Negative synergy can be
caused by inefficient committees, business units that lack strategic fit, or poorly functioning joint efforts.
(IIA adapted)
Question 39: The alignment of strategic initiatives is a corporate-wide effort. Which of the following
strategies best addresses the entire scope of the organization?
c) Business-unit strategy.
(HOCK)
Figure: the three levels of strategy, with the Corporate Level (HQ) at the top, the business (SBU) level below it, and the functional (departmental) level at the base.
• The highest level is the corporate strategy. It is at this level that the scope and direction for the
whole company is decided.
• The next level is the business strategy. If a company has more than one independent business
unit, then these are referred to as Strategic Business Units (SBUs). Each of these SBUs helps the
company achieve its corporate strategy.
• The last level is the functional or departmental strategies. The purpose of strategies at this level
is to support the business strategies and corporate strategies.
Another method of classifying an industry is based on its competitive structure, which is the nature of the
market in which the businesses operate.
4) Pure and Natural Monopoly (government-regulated power monopolies) – 100% control of the
market.
All companies want to earn the highest possible profits. One way to accomplish this is to increase the price for
their product. However, depending on the competitive structure of their industry, they may have very little
influence over prices, and if they were to raise their prices, they may lose their customers to other
businesses. The more market control firms have, the more they are able to change the price that they
charge. However, even in a situation where there is only one provider (meaning that competition will not limit
the price that they charge), consumers will provide the final control by reducing demand as prices increase.
You need to be familiar with the characteristics of the different market structures and how they affect the
ability of the organization to control prices.
Perfect Competition
A perfectly competitive market (an example is kiosks) will exist if the following assumptions are true:
• There are no barriers restricting organizations from entering or exiting the market.
Additionally, the assumptions above imply that competitive organizations are price-takers. This means
that an individual can’t set prices higher or lower than the market equilibrium price.
Note: In perfect competition, every organization sells their output at the same price – the market price. As
a single competitive organization expands output, the extra, or marginal, revenue received from producing
each additional unit is equal to the market price. Since organizations expand production as long as the
marginal revenue of making another unit is at least as high as the marginal cost, perfectly competitive
organizations will stop producing at the point where the cost of producing one more unit (the marginal
cost) is equal to the revenue from producing one more unit (the marginal revenue).
Monopolistic Competition
The assumptions for monopolistic competition (example is restaurants in a city) are:
• There are many non-collusive organizations operating within the market (non-collusive means
that they operate independently of each other).
• The market is for a product or products that can be differentiated (a differentiated product is one
that is similar to, but not exactly like, other products – it is a close substitute, but not a perfect sub-
stitute).
• There are only minimal barriers restricting organizations from entering or exiting the market.
• The organizations only have “limited” control over price, because of the presence of so many
other organizations producing a similar product. They do have “some” control, because the product
they produce is unique, so they can charge a different price from what other organizations are
charging; there is not a single price that will prevail in this market, unlike perfect competition.
• There is a considerable amount of non-price competition such as advertising, service after the
sale, and emphasis on trademark quality.
• There is a highly elastic demand curve (if an organization raises its price a little, the quantity
demanded falls by a proportionally larger amount than the price increase).
Oligopoly
The oligopoly structure (examples are the car, steel or oil industries) is not as clearly defined as the other
market structures, but generally it will exist under the following conditions:
• There are only a few organizations operating in the market, but each is affected by the decisions
of the others (it is like a club, with a limited number of members).
• Prices may be rigid (meaning that they do not change) due to the organizations’ mutual interde-
pendence. This price rigidity causes something called a “Kinked Demand Curve.” This kink is
caused by the fact that in an oligopolistic market an individual organization will not raise the price of
its product because the other organizations will not follow suit. Thus, the company that raises its
price will lose customers to its now cheaper competitors. Similarly, an individual organization will
not reduce its price, because if it does, the other organizations will follow: no market share
will be gained, and all of them will simply receive a lower price from their customers.
• Demand is static in the short term, or has limited growth opportunities. This means that a
new organization is unable to obtain customers as a result of the market simply getting bigger. In
order for a new organization to attract customers, it would need to take them from an existing or-
ganization. This is also true in respect to the few companies in the oligopoly – the only way to
increase their customer base is to take customers from another organization.
Entry is difficult because an oligopolistic industry usually has substantial economies of scale. In addition,
because of the small number of organizations, collusion is possible; organizations may attempt to
cooperate, or collaborate and manipulate price so as to make it unprofitable for new organizations to enter.
Additionally, economies of scale may make it difficult for new organizations to enter, since they would have to
enter producing at a large scale in order to have average costs comparable to the existing organizations.
Other barriers, such as existing organizations’ control of technology or raw materials, the need for substantial
advertising, or costly licensing requirements can also make entry difficult.
Note: A natural barrier to entry usually equates to an absolute cost advantage, while created entry
barriers are ongoing advertising, patent rights or some other external factor that the already existing
companies have that a new organization would not share.
Natural Monopoly
A natural monopoly exists because economic and technical conditions are present in the industry or economy
that permit only one efficient supplier in a location. A common example of a natural monopoly is an
electric company. It is simply not efficient for more than one electrical grid to be built in a specific area. These
electric companies may be local or regional monopolies, rather than national, but they are monopolies within
their geographic area of business.
A natural monopoly exists when economies of scale are very great. This means that only large-scale
operations can achieve a low enough unit cost to profitably supply the product. In a natural monopoly, the
unit cost (the long-term average cost) of meeting the entire market demand is minimized when the industry
consists of only one organization.
Thus, competition would be undesirable in this market, because the presence of two or more organizations
would prevent the realization of the necessary economies of scale. Multiple organizations, each taking a
portion of the market demand, would each be producing at a higher average cost than a single organization
servicing the entire market; therefore, the presence of multiple organizations might result in a higher price in
the market to cover these higher average costs.
• A single organization and the market is for a unique product, or products, that have no close
substitutes,
• There are barriers to entry that restrict organizations from entering (or exiting) the market (exam-
ples are a patented item or extremely high initial capital costs), and
• The first two conditions above suggest that the monopoly will have “control over price” in the sense
that it will be able to select a price that maximizes profit, as opposed to competitive companies that
have no control over price, but must sell their output at the “prevailing market price.”
Note: Organizations that are not in perfect competition are not bound to sell their output at one
competitively determined market price. As a result, relative to competitive organizations, non-competitive
organizations will tend to restrict output in order to maintain higher levels of prices. This lower level of
output creates a shortage in the market relative to what would be observed under competition. In these
non-competitive situations consumers have fewer goods to choose from and the price that they pay for
those goods is more than in a perfectly competitive environment.
Porter’s theory is still widely used by business analysts, whether they are examining a whole industry or a
single, individual company. These forces determine the attractiveness of a market. Porter referred to these
forces (buyers, suppliers, competitors, new entrants) as the microenvironment, contrasting it with the more
general term macroenvironment. These forces affect the ability of all players within an industry to set prices
and make a profit. But, a change in any one of these forces requires the organizations to re-assess the
marketplace.
Figure: Porter’s Five Forces, with Intensity of Competitive Rivalry in the center, surrounded by Threat from New Entrants, Suppliers’ Power, Buyers’ Power, Threat from Substitutes, and the proposed sixth force, Power of Other Stakeholders.
On the next page is a discussion of each of the forces. For the most part, the stronger the individual force,
the more it limits the industry’s organizations’ ability to set price and make profits. Stronger forces are
threats because they are likely to reduce profits. Weaker forces are opportunities because they allow
organizations the chance to earn greater profits.
11 Michael E. Porter is a University Professor at Harvard Business School. Porter is considered the leading authority on
Strategic Management.
• Economies of scale. Economies of scale are reductions in average costs that are achieved by
producing and selling an item in large quantities. If the economies of scale in a particular industry are
large, and the biggest organizations can achieve substantially lower costs than smaller producers,
then it is much more difficult for a new organization to enter the market.
• Capital investment requirements. If the new entrant is going to have to make a sizable capital
investment, this will deter organizations from entering the market.
• Switching costs. Switching costs are costs that a buyer has to incur in switching from one supplier
to another. Depending on the industry, these switching costs might be high, thus, it might be difficult
for new entrants to break into the market.
• Access to distribution channels. Some markets might have only a limited number of distribution
channels, thus, it might be more difficult for a new entrant to gain access to these distribution chan-
nels. In this case, the barriers to entry will be high.
• Government regulations. The principal role of the government is to preserve competition through
anti-trust actions, but government also restricts competition through the granting of monopolies and
through regulation, e.g., utilities are considered to be natural monopolies because it is more efficient
to have one electric company provide power to the locality than to permit many electric companies to
compete in a local market.
Factors that can determine the intensity of the rivalry include the following:
• The structure of the competition. The rivalry will be more intense if there are lots of small and
equally sized competitors. The rivalry will be less intense if the industry has a clear market leader.
• The structure of industry costs. High fixed cost relative to variable cost indicates that the rivalry
will be more intense. This cost structure encourages companies to produce at full capacity by cutting
prices, if needed.
• The degree of product differentiation. Industries where there is little product differentiation tend
to have greater rivalry.
• Switching costs. Industries that have high switching cost will have less rivalry.
• Stage of industry lifecycle. If competitors pursue more aggressive growth strategies, rivalry will be
more intense. If competitors are merely “milking” profits in a mature industry, the degree of rivalry
will be less.
• Exit barriers. When barriers to leaving the industry are high, competitors tend to exhibit greater
rivalry.
Factors that can determine the threat of substitutes include the following:
• Quality of substitute.
• Buyers’ willingness to substitute. The more easily buyers are able to substitute products (or services),
the more likely it is that demand is elastic and the greater the threat of substitution.
Factors that can determine the buyer’s bargaining power include the following:
• Concentration of buyers. When a few dominant buyers account for a large share of purchases, their
bargaining power is greater.
• Switching costs. Bargaining power is increased (decreased) when there are high (low) switching
costs.
• Threat of backward integration into the industry. Buyers’ bargaining power is increased when
they can acquire their own supply capacity rather than buy from the industry.
• Profitability of buyers. Bargaining power is likely to be greater when buyers’ own profits are low,
forcing them to bargain hard on price.
• Role of quality and service. Bargaining power is likely to be greater (less) when the supplier’s
product is less (more) important to the quality of the buyer’s own product or service.
Factors that can determine the suppliers’ bargaining power include the following:
• Concentration of suppliers. When there are few suppliers, their bargaining power is increased.
• Threat of forward integration into the industry. Bargaining power is increased when suppliers
vertically integrate their operations, e.g., brand manufacturer sets up their own retail outlets.
• Prices of substitutes. Bargaining power is greater when prices of substitutes are high.
• Switching costs. Suppliers’ bargaining power is increased the easier it is for them to find new
customers, and the harder it is for customers to switch to another supplier.
Question 40: Factors that can increase the intensity of a competitive rivalry include all of the following
except
a) Price cutting
d) Inelastic demand
(HOCK)
Question 41: Which of the following factors can influence the buyer’s bargaining power?
I. Concentration of buyers.
a) I only
b) II only
c) I and III
(HOCK)
There are some that would argue that a sixth force should be added to Porter’s list to include a variety of
stakeholder groups from the task environment. This sixth force is referred to as Power of the other
Stakeholders. Examples of these other stakeholders are government, local communities, creditors, and
shareholders.
Strategic Groups
The development of a successful marketing strategy requires that the company not only study its own
customers and prospects, but it must also study and understand its competition. After identifying its primary
competitors, a company needs to understand their strategies, goals and objectives, strengths and
weaknesses and behavior or reaction patterns.
Porter’s Five Forces determines the attractiveness of a market in broad industry-wide terms. It is possible to
refine this by considering strategic groups. A strategic group is a group of companies that follows a similar
strategy in the same target market. A strategic group will have one or more competitive characteristics in
common:
Example: It might be possible to classify market position in terms of price and quality. Some organiza-
tions will offer lower-priced products, but their quality is probably not as good. Other organizations might
offer higher-quality products for a higher price.
The strategic groups in a market might be mapped according to price and quality in the following way:
Figure: strategic group map with Price on the vertical axis and Quality on the horizontal axis; Groups 1 through 4 are plotted in order along the diagonal from the low-price, low-quality corner (Group 1) to the high-price, high-quality corner (Group 4).
This map indicates that there are four strategic groups, each in a different market position in relation to price
and quality. The largest group (Group 2) sells products in the middle of the price and quality range.
The closer the strategic groups are on the map, the stronger the competitive rivalry among member
organizations tends to be, e.g., Group 3 could be a rival for Group 4 and Group 2, but it is highly unlikely that
Group 2 and Group 4 would be rivals, or Group 1 and Group 3 or 4.
Question 42: Which of the following would not be a characteristic of a strategic group?
(HOCK)
Analysis of Competitors
Successful strategists make a large investment into scouting competitors. They do this by:
– Examining the competitor’s public pronouncements about its own position.
– Gathering information from the grapevine about current activities and potential changes.
– Determining who has flexibility to make major changes and who is locked into same strategy.
Note: Strategic groups are not to be confused with Porter’s generic strategies which are internal strategies
and do not reflect the diversity of strategic styles within an industry.
SWOT Analysis
Another commonly used model for strategic management and planning process is SWOT analysis. A SWOT
analysis is an evaluation of the company’s:
• Strengths
• Weaknesses
• Opportunities
• Threats
This analysis takes place after the business unit has clearly defined its mission in the marketplace, and the
SWOT analysis process must consider and complement the larger mission of the organization.
If a company does not have a certain strength, that would be considered a weakness. In other words, if it
does not have any patents, does not have brand equity, has high costs or limited access to capital because of
previous poor performance, etc., those are weaknesses.
Strengths and weaknesses generally exist in the company’s internal environment and impact the company’s
ability to pursue opportunities. SWOT analysis helps the company determine whether to limit its opportunities
based on whether it has the required strengths, or whether it needs to acquire and develop new strengths
(therefore overcoming some of its weaknesses) in order to pursue emerging market opportunities. Another
example of an internal strength or weakness is the company’s overall ability or lack of ability to work together
as a team, leveraging interdepartmental working relationships to pursue new opportunities. The same is true
for analyzing whether the company has the competencies and capabilities to create a new product or service.
Marketing opportunities include new areas where customer wants or needs or interests exist, and the
company needs to continually identify these areas. Opportunities may arise in many areas such as fulfilling
informational needs, enhancing the buying process for customers, offering products or services to customers
at a lower price, delivering products more quickly, etc.
Marketing threats exist in the external environment and usually require some type of defensive marketing
action to ward off an adverse trend or development that could lead to deterioration in sales or erode
profitability. Threats pose various levels of severity and probability of occurrence. Therefore, they are best
detected in advance through SWOT analysis so that the organization can determine whether they are major
or minor threats, and then deal with them appropriately before damage occurs to the company. Typical
threats include changes brought about by new legislation, prolonged economic depression, development of a
superior product by a competitor, etc.
Consideration and monitoring of both the macro-environmental and micro-environmental factors that can
introduce opportunities and threats will influence the company’s ability to gain and sustain profitability.
Once the company has analyzed its strengths, weaknesses, opportunities and threats, it can:
• Create a plan that has a low level of threats but a high level of opportunities (this is the ideal situa-
tion), or
• Create a plan that is low in both opportunities and threats because this is an already mature business
that wants to maintain its position, or
• Move toward a plan that is low in major opportunities but high in threats because it is a troubled
business that may require drastic change, or
• Even consider a speculative business plan that is high in major opportunities, yet may also have a
high level of threats.
Section E Competitive Strategies
Competitive Strategies
There are two competitive strategies that we want to examine. The first, the generic strategy model, was
developed by Michael Porter. The second is referred to as market-based strategies.
Figure: Porter’s generic strategies, arranged by market scope. Narrow market scope: Segmentation (focus) Strategy. Broad market scope: Differentiation Strategy and Cost Leadership Strategy.
In order for the cost leadership strategy to be successful, it usually requires a considerable market share
advantage or preferential access to raw materials, components, labor, or some other important input. Without
one or more of these advantages, competitors can copy the strategy simply by reducing their own costs
as well.
Differentiation Strategy
This strategy entails producing a unique product or service. Porter believes that the “unique features or
benefits should provide superior value for the customer if this strategy is to be successful.” Differentiation can
allow organizations to earn higher profits because customers see the product as unrivaled and unequaled.
Thus, the price elasticity of demand tends to be reduced and customers tend to be more brand loyal. This can
give the company some insulation from the competition. However, there are generally some additional costs
associated with differentiating product features and this could require a premium pricing strategy.
Organizations that succeed with a differentiation strategy typically have the following strengths:
• Strong marketing skills, with the ability to communicate the importance of the differentiating product
characteristics.
Segmentation Strategy
Segmentation strategy is simply where the organization concentrates on a selected few target markets. This
is also called a focus strategy or niche market. By focusing its marketing efforts on one or two narrow
market segments and tailoring its marketing mix to these specialized markets, the organization believes that
it is better able to meet the needs of that target market.
Organizations that have this type of strategy look to gain competitive advantage through effectiveness rather
than efficiency (lower cost). Although this strategy is most suitable for smaller organizations, companies of
any size can use it. Companies use this strategy in markets that are less vulnerable to substitutes, or
where competition is weakest.
In Porter’s opinion, a company that does try to follow multiple strategies will be more successful if it creates
SBUs to implement each strategy.
However, there are those that question Porter’s notion of being “caught in the middle.” These critics claim
that there can be a middle ground between strategies. There are examples of companies that have entered a
market as a niche player, and gradually expanded.
Question 43: A manufacturing company produces plastic utensils for a particular segment at the lowest
possible costs. The company is pursuing a cost
b) Focus strategy
c) Differentiation strategy
d) Containment strategy
(IIA adapted)
Question 44: Which basic force(s) drive(s) industry competition and the ultimate profit potential of the
industry?
a) I only
b) I and II only
(IIA adapted)
Question 45: Which of the following is a favorable condition for a company competing in a profitable,
expanding industry?
d) The company has high costs relative to other companies in the industry.
(IIA adapted)
2. Marketing-Based Strategies
Having discussed Porter’s generic strategies, which assessed strategy on the dimension of strategic scope and
strategic strength, we want to turn our attention now to marketing-based strategies, which are marketing
strategies based on market dominance, or market share.
Market dominance is how strong the company’s brand, product and service is relative to the competition.
However, in measuring market dominance, keep in mind that there is also a geographical element to the
competitive landscape. Therefore, you must consider the extent to which the product controls a given
geographical area or region.
For the most part, there are several ways of calculating market dominance, but the most common method is
to measure its market share. Market share is simply the percentage of the total market that is serviced by
the organization. For example, the organization may have a 50% share, the next largest may have a 25%
share, the next a 12% share, the next a 7% share, and all of the remaining organizations combined may
have the remaining 6%.
Note: Historically, the top three brands in a product category occupy market share in the ratio of 4:2:1.
This means that the number 1 brand has twice the market share of number 2, which has twice the market
share of number 3.
An organization has to be careful when using market share to determine its market dominance, because
market share alone may not describe dominance perfectly. Companies also need to take into account the
influence that customers, suppliers, competitors in related industries, and government regulations have on
that market share. This second consideration is a measure of how easily the market share could be lost, or
how loyal the customers are to the company’s brand or product.
Although, there are no absolute rules governing the relationship between market share and market
dominance, the following are general criteria:
• A company has market power and market dominance when its brand, product, or service has a
market share exceeding 60%.
• A company has market strength, but not necessarily dominance when its brand, product, or service
has market share over 35%, but less than 60%.
• A company has neither market strength nor dominance when its brand, product, or service has
market share less than 35%. But, we need to mention that companies that meet this last criterion
are not apt to raise anti-monopoly concerns of government regulators, whereas the first two might.
Typically, there are four types of market dominance strategies that a company will consider: market leader,
market challenger, market follower, and market nicher. In the following pages we will discuss these
strategies in more detail.
Market Leader
Quite simply, the market leader is the dominant player in the industry. A market leader exhibits the following
characteristics:
• It has a dominant market share and often extensive distribution arrangements with retailers.
• It is the industry leader in developing innovative new business models and new products.
• It tends to be on the cutting edge of new technologies and new production processes.
However, being the market leader is not always the absolute best position for the company to be in. It is
possible that the company could be the target of competitive threats and government anti-monopoly actions
if the market share is too strong or too dominant. These actions may cause the company to lose market share
or spend so much money defending their business that they would actually have been better off occupying a
slightly smaller position in the market and avoiding the legal issues that arose from being too dominant.
Most managers used to believe that market leadership was the only way to go and that it was the most
profitable strategy for the company to undertake. It used to be that if you could not get enough market share
to be a major player, then you should not be in the business; you would be better off to concentrate your
resources where you can take advantage of economies of scale and increased bargaining power to gain
dominant market share in another market. This is a business philosophy that was, and still is, emphasized by
some companies. Jack Welch, former head of GE, was convinced this was the only way to go and wanted GE
to exit from businesses where it was not a market leader or major player in the market. But, today’s
managers realize that it may be better to be less dominating, but be more profitable. For example, overall
profits may decline if market share is gained by increasing promotional expenditures or by decreasing price.
• More overall usage of the product or service. For example, this can be done by planned obsolescence, which means that the company causes the product to become obsolete and forces consumers to buy the new product.
Offensive actions are intended to strengthen the company's position, thereby making it harder for others to take its existing market share. Common offensive strategies are:
• Reducing costs.
Defensive actions are intended to protect the market share that a company already has by preserving the status quo. Commonly used defense strategies are:
• Position defense generally involves building fortifications around your markets, such as barriers to entry around a product, brand, or product line. Methods of achieving this include exclusive distribution contracts and patent protection.
• Mobile defense generally involves the leader proactively and aggressively defending its market while at the same time exploring new market opportunities. This can be done by introducing new products or services, modifying existing products, changing market segments, repositioning products, or changing the promotional focus. To accomplish this, the company has to be very flexible, with strong marketing, product development, and marketing research skills.
• Flanking defense involves the company watching its weaker flank (areas of its business that are not as strong). The company strengthens its competitive position by introducing new products in areas that may provide an entry into a more beneficial market.
• Counteroffensive defense involves countering an attack with an offense of your own. For example, the company might respond to a competitor's price cut in one market with a price cut of its own in another market that is of equal, if not greater, importance to the competitor.
• Pre-emptive defense involves striking the competitor before it can move against the company. Product or brand proliferation (the introduction of new products or brands) is a form of pre-emptive defense.
• Contraction defense involves the company giving up weaker positions so that it can concentrate its resources on stronger ones.
3) Expand market share even if market size remains the same. A company does this by:
• Winning customers away from competitors through expensive and innovative initiatives.
• Targeting the competitors, but without drawing the attention of government regulators.
• Winning the loyalty of new customers through loyalty programs that reward the customer for continued use of the company's products and services.
Market Challenger
A market challenger is strong, but not the dominant player in the market; it is typically the company that is number 2, or possibly number 3, in the market. In these cases, an offensive marketing strategy is appropriate for trying to improve that position.
Note: Offensive marketing warfare strategies are a type of strategy that uses military metaphors to craft a
business strategy. Al Ries and Jack Trout popularized the terms in their book Marketing Warfare.
• The challenger’s concern should be to assess the strength of the leader’s position, not the
challenger’s own strengths and weaknesses.
• The challenger should find a weakness in the leader’s strength, not simply a weakness in the
leader’s position.
• Launch an attack on as narrow a front as possible. The challenger should avoid a broad attack.
There are five general attack strategies that can be used against competitors:
1) Frontal attack involves a head-on attack, such as price-cutting. Frontal assaults are generally expensive and thus rare. This strategy can work if there is no price retaliation by the targeted company.
2) Flanking attack involves the company not attacking head-on, but seeking to identify and attack the competitor's weak points. This strategy typically works when:
• The target competitor has relatively strong resources and is well able to withstand a head-on attack.
• The challenger has fairly strong resources, enough to successfully defend several niches.
3) Encirclement attack involves the challenger attacking from all sides. This strategy typically works when:
4) Bypass attack involves the challenger bypassing the competitor and targeting easier markets. This often involves diversifying into unrelated products or new geographic markets.
Pepsi used a bypass strategy against Coke in China when it located its bottling plants in the interior provinces rather than in the larger cities where Coke was already established.
5) Guerrilla attack is typically better suited to smaller organizations. The guerrilla marketer must be flexible enough to change tactics very quickly. This may mean abandoning a market segment, product, product line, brand, business model, or objective. A common trait of guerrilla marketers is that they are not ashamed to change direction or make a strategic withdrawal. This strategy typically works well when:
• The target competitor has relatively strong resources and is well able to withstand a head-on attack.
Which strategy should the challenger choose? The challenger should use a combination of several
strategies to improve market share over time. These strategies might include:
• Price discounting is more effective when buyers are price sensitive, the products or services are
similar to the leader’s, and the discounts are not matched. When implementing price discounting or
price-cutting strategies, the company has to be conscious of the legal aspects of its actions.
• Line extensions can be used to extend an existing line rather than starting a completely new one.
• Producing high quality prestige goods that can be sold at high prices.
• Other specific strategies can include changing or developing new distribution channels, intensifying
promotional activity, or reducing costs.
Market Follower
Companies that do not wish to challenge the leader adopt a follower strategy. The follower may also be a major player, but it has made the conscious decision not to attack the leader directly because it knows that doing so could lead to a costly price war that it cannot win. Instead, it maintains its position by following the market leader. If the leader raises its prices, the follower does the same. If the leader develops a new product, so does the follower. Over the long term, the relative market shares of the two companies tend to remain constant. This "play it safe" strategy is how Burger King retains its position behind McDonald's.
Followers tend to be imitators, not innovators. For example, Sony is a product innovator and market leader, whereas Panasonic is a product imitator and thus a market follower. Theodore Levitt argued in his article "Innovative Imitation" that a product imitation strategy might be just as profitable as a product innovation strategy.
3) Imitator copies some things from the leader, but differentiates itself with packaging, advertising, pricing and service. Car manufacturers imitate the style of one another.
4) Adapter builds upon the leader's products and marketing programs, often improving upon them. Japanese organizations are excellent adapters initially before developing into challengers and eventually leaders.
Market Nicher
A market nicher does not compete directly with the market leader. Instead, the organization focuses its marketing efforts where the standard products and services of the market leader cannot satisfy the needs of the customer. It has identified its position of relative strength and concentrates its efforts in that area.
A company must spend considerable time developing its niche strategy. It should consider alternatives and determine how each would affect its market share and profitability. Only when it has completed this work should it move on to develop a marketing plan.
• They tend to market high-end products or services, and thus are able to have a premium pricing
strategy.
• They tend to keep expenses down by spending less on R&D, advertising, and selling.
The essence of niching is specialization, however, Dr. Philip Kotler believes that “a company should ‘stick to
its niching’ but not necessarily to its niche. This is why multiple niching is preferable to single niching. By
developing strength in two or more niches the company increases its chances for survival.”
The major risk faced by nichers is that larger companies may attack them once they notice the nichers are
becoming successful.
Question 46: When businesses compete in different geographical locations or have multiple product lines
that do not necessarily overlap, the most effective way of responding to an aggressive move by a
competitor without directly triggering destructive moves and countermoves is to
(IIA adapted)
Question 47: A market leader is defined as the dominant player in an industry. Leaders tend to take a more defensive strategy than market challengers. Which of the following best describes an action taken by a company that is using a flanking defense?
(HOCK)
Question 48: The market challenger’s strategic objective is to gain market share and eventually become
the leader. It does this using a variety of attack strategies. A characteristic of a flank attack is that
a) The company attacks the leader head-on. It can do this by having sufficient fire and staying power.
b) The company attacks the leader at many fronts at the same time. It can do this if it has superior
resources.
c) The company diversifies into unrelated products or markets neglected by the leader.
(HOCK)
Question 49: A business that is trying to increase its market share to become a market leader is often
referred to as a
a) Market challenger
b) Market follower
c) Market nicher
d) Market leader
(HOCK)
Competitor Analysis
A part of strategic management is assessing the strengths and weaknesses of current and potential competitors. This is called competitor analysis (or competitive analysis). Competitor analysis is important because managers who fail to study competitors risk being blindsided by "surprise" actions on the part of a competitor.
Competitive Intelligence
A term that is often viewed as synonymous with competitive analysis is competitive intelligence. Ian
Gordon in 1989 published “Beat the Competition,” which was one of the first books on competitive
intelligence. Gordon described competitive intelligence as the “process of obtaining and analyzing competitive
information to help achieve the objectives of the organization.”
Competitive intelligence (CI) differs from industrial espionage because CI entails collecting, analyzing and disseminating information ethically, in accordance with legal guidelines. Today, many large companies have CI functions, and in some cases the CI staff are members of professional organizations, such as the Society of Competitive Intelligence Professionals.
• Planning and directing the system involves working with the decision-makers to discover and hone their intelligence needs.
• Collecting information should be done ethically and legally. Information can be collected from a variety of sources, including:
– Published sources, such as Dun & Bradstreet, Moody's, and Standard & Poor's.
– The Internet, which is probably the most frequently used source in the CI process. For example, a business Web site generally contains a vast amount of information, usually including company history, business vision, product overviews, financial data, sales figures, annual reports, press releases, biographies of top executives, office locations, and hiring ads.
• Feedback is the final step in establishing a CI program, and it entails taking into account the response of the decision-makers and their need for continuous intelligence.
A CI program will allow a company to develop a competitive strategy that targets the appropriate markets
and appropriate competitors.
This CVA methodology can be explained by examining the relationship between the perceived benefits
customers identify with a product or service and their willingness to pay for those benefits. Benefits and
associated costs are grouped and analyzed to develop a single “value” measure that is both relative to
competition and empirically linked to business performance.
Thus,
The benefits that a customer receives from a product or service, i.e., the satisfaction gained from it, determine the value that the customer places on the product or service. Thus, benefit is not the same thing as the price of the good or service.
Regardless of the pricing a company chooses, the price it charges has to be equal to or less than the benefit that its customers place on the good or service.
If a company is able to lower its costs, then it can create more value for its customers. Or, alternatively, if the
company makes a product or service more valuable through superior design, performance, quality and
service, the company is also creating more value for its customers. When customers assign more value to a
product or service, they are willing to pay a higher price. Thus, a company has a competitive advantage if it
can create more value for its customers than its competitors.
[Figure: customer value. Benefits (including image benefits) are set against total cost (including the buy price) to arrive at customer value.]
Based on the results of the CVA, the company can target a class of competitors. For example:
• A company may decide that the best and cheapest way to gain market share is by targeting weaker competitors. Alternatively, the same company may decide that targeting stronger competitors would force it to improve its own product or service, making that the more appropriate strategy.
• Direct competitors are the most often targeted, e.g., the Ford Taurus and Toyota Camry are direct competitors, but indirect competitors can also be threats, e.g., coffee and mineral water are indirect competitors.
Question 50: What is the proper order of steps in the establishment of a competitive intelligence system?
I. Data collection
IV. Feedback
V. Data Analysis
a) III, I, V, II and IV
(HOCK)
Question 51: A company may decide that it is best for it to target a strong competitor. A viable reason
that a company may implement this type of strategy is because
(HOCK)
There are a number of portfolio models used for strategic management, but we will cover only two:
2) GE multifactor analysis
This model has two variables: the market growth rate (MGR) on the vertical axis, and the company's relative market share (RMS) on the horizontal axis.
The growth-share matrix has four quadrants: Stars, Question Marks, Cash Cows and Dogs.
The firm's SBUs are commonly plotted on the matrix as circles. The size of each circle is directly proportional to the SBU's sales volume. Thus, a large circle represents an SBU with large annual sales.
Resources are allocated to SBUs according to where they are situated on the grid.
• Cash Cows are business units that have a large market share in a mature, slow-growth industry. Cash cows, as the name indicates, generate good cash flow. This cash can then be invested in other business units.
• Stars are business units that have a large market share in a fast-growing industry. Stars generate good cash flow, but because the market is growing fast, these units require high investment in order to maintain their lead. If successful, a star becomes a cash cow when the industry matures. If it fails to hold market share, it becomes a dog.
• Question Marks are business units that have a small market share in a high-growth market. Question marks can become cash traps and gambles. They have high cash needs because of their growth, but their cash flow is low because their market share is low.
• Dogs are business units that have a small market share in a mature market. A dog may not require much cash to sustain it, but it ties up capital that could be better spent on other higher-growth projects.
• Hold strategy. This strategy is used to defend and maintain market share. It is typically used for cash cows.
• Build strategy. This strategy is used when there is a chance that a question mark can become a star. It requires a great deal of investment to increase market share.
• Harvest strategy. This strategy is typical for business units whose owners hope to maximize short-term cash flows. It generally means cutting out all unnecessary cash disbursements, such as cutting marketing expenses, reducing R&D, not replacing needed facilities, etc.
• Divest strategy. This strategy is typically used for business units that are question marks or dogs. The purpose of divesting is to take the proceeds of the sale or liquidation and invest them in more favorable business units.
The SBUs are shown on the matrix as circles. The size of the circles is proportional to the size of the related
market and the circles may have a shaded portion that represents the SBU’s market share.
[Figure: GE multifactor matrix. Vertical axis: Industry Attractiveness, with ticks shown at 3.67 and 1.00 and a Medium band. Cell labels shown: Invest/Grow, Build Selectively, Selectivity/Earnings, Limited, Refocus earnings, Harvest/Divest.]
The GE matrix is particularly useful when developing 3-5 year forecasts. These forecasts can be made to estimate each SBU's position given the current strategy, the stage of the product life cycle, competitor actions, and other events.
Question 52: An SBU has a relative market share of 2.5x and a market growth rate of 15%. Based on BCG's growth-share matrix, the SBU would be in which quadrant?
a) Cash cow
b) Star
c) Question mark
d) Dog
(HOCK)
Question 53: An SBU has an industry attractiveness score of 3.80 and a business strength score of 3.15. Based on the GE/McKinsey multifactor matrix, the SBU would be in which cell?
a) Invest to build
b) Protect position
c) Build selectively
(HOCK)
Question 54: Which of the following would best describe a cash cow?
(HOCK)
Market Signals
According to Michael Porter, a market signal is “any action by a competitor that provides a direct or indirect
indication of its intentions, motives, goals or internal situation.”
Thus, market signals are a means of communicating to the marketplace and are an essential input to competitive analysis and to the development of competitive strategies.
Example: A smaller company would signal that it does not intend to build market share if it decided to reduce its capacity, which would limit the amount of a larger company's demand that it could take.
Companies need to keep in mind that not all signals are accurate; in fact, some signals may be misleading. Therefore, it is imperative for companies to have some understanding of their competitors, so as not to be deceived by their signals, or to ignore them.
• When the competitor carries through with its stated intent, this is referred to as a true signal.
• A bluff, on the other hand, is intended to mislead or deceive the competition. For example, a company may issue a threat to a competitor in order to stop its actions even though following through with the threat would not benefit the company. But a company has to be careful about playing the bluff game, because there is always a chance that it will lose credibility for future announcements.
• Prior announcements of moves. These are formal communications made by a competitor indicating that it will, or will not, take some action, such as building a plant or changing its price. These prior formal communications can serve many functions:
– They can be attempts to preempt other competitors by getting buyers to commit to waiting for the announcing company's new product instead.
– They may be announcements of possible threats of action if the competitor chooses to follow through with a planned move.
– They can test the competitor's sentiment by taking advantage of the fact that they do not necessarily need to be carried out.
– They can be a means of communicating pleasure or displeasure with the competitor's actions.
– They can help to avoid costly simultaneous moves, such as capacity expansion, where the addition of new plants might cause overcapacity in the industry.
– They can be communicated to the financial community, for example, to boost the stock price or improve the reputation of the company.
– Or they may sometimes be used to gain internal support for a move. For example, a company may announce something publicly as a means of cutting off internal debate.
When announcements are made far in advance, they tend to be conciliatory. This has to do with the timing of the announcement.
On the other hand, the form of media can play a big part in how the announcement is perceived. For example, an announcement in a specialized trade journal is likely to be noticed only by competitors or other industry participants. This may carry a different connotation from an announcement made, say, to a group of security analysts or to the national press corps.
• Public discussion of the industry by competitors. It is not unusual for competitors to discuss their views on the condition of the industry, i.e., forecasts of demand and prices, forecasts of future capacity, material cost increases, etc. These discussions may be an attempt by the company making the comments to interpret industry conditions in a way that improves its own competitive position.
• Competitors' discussions of their own moves. Competitors who discuss their own moves may be trying to signal that a move is appropriate and not provocative. This kind of signal is conciliatory.
• Divergence from industry precedent. These signals are usually aggressive and could alert the competition to a change in strategy or direction. For example, if a company were to start offering discounts or other promotional schemes that are not the industry norm, this could alert the competition to its intent to take a more aggressive marketing position.
• Cross-parry. This is a situation in which a company initiates a move into one area and a competitor responds in a different area that affects the initiating company. By responding indirectly, the defending company may well be trying not to trigger a set of destructive moves and countermoves in the encroached-upon market, while still clearly signaling displeasure and raising the threat of serious retaliation later.
• Fighting brand. A company introduces a fighting brand when it feels threatened by a competitor. In these cases, the threatened company introduces a brand that has the effect of punishing, or threatening to punish, the source of the threat. For example, Coca-Cola introduced a new soft drink called Mr. Pibb in the mid-1970s, which tasted somewhat like Dr. Pepper. Dr. Pepper was gaining market share and Coca-Cola wanted to slow or reduce Dr. Pepper's gains.
• Private antitrust suits. Governmental antitrust suits are, of course, more serious than private suits. In a private suit, the plaintiff can dismiss the suit at any time, and the suit may be an indication of displeasure with a competitor's price cut. But a suit filed by a large company against a small company can have a negative impact on the small company regardless of the outcome. For example, the legal costs of the suit might be a long-term distraction for the small company.
An aspect of competitive analysis is the use of history as a basis to improve one’s ability to read signals
accurately. This can be done by studying the historical relationship between the company’s announcements
and its moves. But, the danger is that this relationship may not always hold true.
Question 55: A marketing scheme that is not generally seen in the industry is an example of a
c) Bluff.
(HOCK)
Industry Evolution
As we discussed earlier, the five forces model designed by Porter is a business strategy tool used to analyze the attractiveness (value) of an industry structure. The main fundamental forces that affect structure and influence the attractiveness of the market are:
• Entry of competitors. How easy or difficult it is for new entrants to start competing, and what the existing barriers to entry are.
• Threat of substitutes. How easily a product or service can be substituted for another product.
• Bargaining power of suppliers. How strong the position of the sellers is. For example, does a supplier enjoy monopolistic power?
• Rivalry among the existing players. What is the strength of the competition between the existing companies? Is one company more dominant than the others, or are they all about the same strength and size?
However, Porter recognized that industry structure, and with it a company's competitive advantage, evolves over time. Therefore, in order for a company to maintain its competitive advantage, it is essential that it recognize changes early and make prompt adjustments to its strategies. The sooner these adjustments can be made, the lower the cost of the adjustment and the greater the benefit to the company.
Evolutionary Processes
In his book, Competitive Strategy, Porter talks about evolutionary processes as being the “incentives and
pressures” that cause an industry to change over time. The rapid change of today’s technology has only
added to the speed at which these changes are occurring, thus making sound strategic management even
more crucial for company success.
The major types of evolutionary processes described by Porter are listed below. Although these evolutionary processes tend to be common to all industries, the speed and direction of change may vary.
• Long-run changes in growth rate. This factor has perhaps the greatest effect on the evolution of an industry. The greater (or lesser) the perceived growth potential of an industry, the greater (or lesser) the effect it will have on competition, expansion, and supply. The following factors explain why long-run industry growth changes:
– Trends in needs – Changes in lifestyle, tastes, philosophies, and social conditions of the buyer population.
– Changes in the relative position of substitutes – A company must identify all the substitute products that can meet the needs of the product's consumers.
– Changes in the position of complementary products – For example, mobile homes to mobile parks, credit at prevailing interest rates to purchases of durable goods, mining engineers to coal miners.
– Sales to new customers (market penetration) – Eventually an industry reaches essentially complete penetration. The industry's growth rate is then determined by its replacement demand.
– Product change – Product innovation allows the industry to serve new needs and improve its position against substitutes, and it can eliminate or reduce the need for scarce or costly complementary products.
• Changes in buyer segments served. This occurs when new segments are created or old segments are dissolved. Industry structure evolves to meet the needs of new customers. For example, light aircraft were initially sold to the military and later to private and commercial users.
• Learning by buyers. As buyers become better informed and more sophisticated about the products they buy, product differentiation tends to decrease, because buyers increasingly demand products with similar quality and service. To overcome this effect, a company can change the product or its marketing, or market to less informed and sophisticated buyers.
• Reduction of uncertainty. A reduction in uncertainty and risk can attract new and larger competitors, particularly if the market potential is large.
• Accumulation of experience. The learning curve describes how manufacturing cost per unit decreases as personnel become more experienced and efficient in producing the goods. However, the effect of the learning curve may be less significant if proprietary knowledge diffuses to competitors.
• Expansion (or contraction) of industry scale. Expanding industries tend to experience greater economies of scale, but capital needs are greater as well, making market entry harder. Also, in these circumstances, suppliers and customers tend to gain bargaining power. A contracting industry has the opposite effect.
• Changes in input costs, quality and exchange rates. Changes in input costs have a great impact on consumer demand by affecting the cost and price of the product. They also affect economies of scale and may encourage the substitution of inputs. Changes in quality and exchange rates can have similar effects on competition.
• Product innovation. This involves the introduction of goods or services that are new or substantially improved. Product innovation can come from external or internal sources. Many innovations flow vertically, originating with customers and suppliers for whom the industry is an important customer or source of inputs.
• Marketing innovation. Marketing innovation is the development of new marketing methods involving improvements in product design or packaging, product promotion or pricing. This can lead to increased sales by appealing to new buyers, or to lower costs.
• Process innovation. This involves the implementation of a new or significantly improved production or delivery method.
• Structural change in adjacent industries (buyers and suppliers). Structural changes in these industries have a direct impact on their bargaining power. For example, when there are a number of dominant buyers, their bargaining power is greater. On the other hand, when there are many small suppliers, their bargaining power is likely to be less.
• Government policy change. The government can have a profound effect on industry evolution by regulating entry, competitive practices, licensing, and pricing. Government policies also affect global competition through tariffs, import quotas, and embargoes.
• Entry and exit. Changes in either of these factors affect the ability of companies to enter or exit an industry, which in turn affects competition. Firms enter an industry when they believe the growth potential and profits justify the costs of entry. On the other hand, firms exit an industry because of diminishing returns on investment. The exit of firms improves the strategic position of the remaining firms, but exit barriers may sometimes prevent a firm from leaving a market.
The tendency is for industries to consolidate over time, but this may not always be the case. Whether
an industry consolidates or not can depend on the following factors:
• Industry concentration and mobility barriers move together. Therefore, it is possible to predict
increases in industry concentration if mobility barriers are high, or are increasing.
• Exit barriers deter concentration by keeping less successful firms in the industry.
Question 57: Porter described several evolutionary processes. Which one has the effect of lowering
manufacturing cost, as personnel become more experienced and efficient in performing their jobs?
d) Government policies.
(HOCK)
[Figure: Product life cycle chart. Vertical axis: Sales (starting at $0); horizontal axis: Time. Stages shown
left to right: Development, Introduction, Growth, Maturity, Decline.]
Development Stage
In essence, this is the incubation stage of the product life cycle. As indicated by the chart, there are no sales
and the firm is preparing to introduce the product. It is in this stage that R&D, market research and product
testing are conducted.
Introduction Stage
The introduction stage of the product life cycle occurs when the product first enters the market. In this
stage, sales grow slowly, and profit is generally negative. This negative profit is the result of additional
costs associated with the initial distribution of the product. In addition, advertising costs are higher in
order to increase customer awareness of the product.
Growth Stage
The growth stage is the third stage of the product life cycle. Growth is characterized by dramatic increases in
sales, and it is generally in this stage that new competition appears. In addition, cost per customer decreases,
new product models and features are introduced, and promotion spending declines or remains stable.
The pricing strategy during the growth stage is to maintain prices as the company is enjoying little
competition, with high demand.
Maturity Stage
Maturity is characterized by a leveling off of sales. During this stage competition has appeared with similar
products. The primary objective of the company is to maintain market share while maximizing profit.
The pricing strategy during this stage is to defend market share. This may mean lowering prices in order to
retain the customer base. Today, the majority of products are in the maturity stage.
Decline Stage
The decline stage is really the beginning of the end of the product. During this stage, sales and profits
steadily decline. In some cases, the product enters this stage not so much because of a wrong strategy, but
because of environmental changes. New technology plays a huge role in the decline of many products. For
example, the introduction of CD players led to the decline of record players, and new video cameras led to the
discontinuation of 8 mm movie cameras.
To handle the declining product, management will follow one of three strategies:
• Harvesting the product. This is when the company retains the product but reduces support costs.
The purpose of this option is to maintain the ability to meet customer needs.
• Maintain the product. The company may be able to rejuvenate the product by adding new features
and finding new uses.
The decline stage is often the most difficult for a company to address. Products in decline, however, often
consume a disproportionate share of management time and financial resources relative to their worth.
Question 58: Brands, products and technologies have life cycles with product life-cycle stages, each
requiring different strategies. Which of the following is false?
a) Introduction stage: slow growth, low profits, but if successful, the product enters the growth stage.
The majority of products today are in this stage.
c) Maturity stage: sales growth levels off or slows down, profits stabilize.
(HOCK)
Question 59: In the product life cycle, the first symptom of the decline stage is a decline in the
b) Product sales
d) Product’s prices
(IIA adapted)
Question 60: At the introduction stage of an innovative product, profit growth is normally slow due to
b) High competition
c) A mass market
d) Available alternatives
(IIA adapted)
d) The quality of the products becomes more variable and products are less differentiated.
(IIA adapted)
Question 62: While auditing a marketing department, the internal auditor discovered that the product life
cycle model was used to structure the marketing mix. Under such a philosophy, the price charged on a
consistent basis for a specific product would probably be lowest during which life cycle stage?
a) Introduction stage
b) Growth stage
c) Maturity stage
d) Decline stage
(IIA adapted)
Question 63: While auditing a marketing department, the internal auditor discovered that the product life
cycle model was used to structure the marketing mix. The manager has asked the auditor for advice
about increasing advertising of various products. During which stage of the life cycle would it be
appropriate to advertise that the company product is the lowest price and best quality of all competitors?
a) Introduction stage
b) Growth stage
c) Maturity stage
d) Decline stage
(IIA adapted)
Question 64: While auditing a marketing department, the internal auditor discovered that the product life
cycle model was used to structure the marketing mix. Under such a philosophy, the opportunity for cost
reductions would be greatest in which stage of the life cycle?
a) Introduction stage
b) Growth stage
c) Maturity stage
d) Decline stage
(IIA adapted)
Industry Environment
In the previous section on Industry Evolution, we discussed a product’s life cycle. Now, we will cover
competitive strategies related to fragmented industries, emerging industries and declining industries.
Fragmented Industries
According to Michael Porter, in his book Competitive Strategy, fragmented industries have many small
competitors and have structural factors that inhibit concentration.
Note: As a rule of thumb, an industry is considered to be concentrated if five or fewer firms control 60%
or more of market share. If the two largest firms have market shares within 10% of each other, then the
industry is balanced.
Examples of fragmented industries include the book publishing industry, restaurant industry, clothing
retailers, barbers, furniture, agriculture, computer components/hardware retail, and construction. It is these
industries that most closely approximate what economists call pure competition.
• Low barriers to entry need to exist in order for competition to remain strong.
• Economies of scale and the effect of the learning curve are generally not present in fragmented
industries. This is because operations tend to be simpler or less labor intensive.
• High transportation costs may offset the effects of economies of scale, thus giving smaller firms an
equal chance to compete.
• High inventory costs, like high transportation costs, may also offset the effects of economies of
scale.
• Bargaining power of suppliers and buyers may be so strong that the size of the firm may not
provide any additional advantage.
• Lack of standardization, or lack of need for it, usually favors fragmentation by keeping entry
barriers low.
• Local regulatory requirements make each geographic area unique. These can act as an impediment
to concentration.
• Newness of industry means that firms have not yet had the ability to concentrate.
Overcoming Fragmentation
The payoff of overcoming fragmentation can be high, given that the costs of entry are, by definition, low
and the competitors tend to be small and relatively weak, offering little threat of retaliation.
If the factors that prevent consolidation of the industry can be overcome, the industry structure will change.
The factors that can overcome fragmentation are:
• Standardizing diverse market needs may come about through the creation of a new product that coalesces
buyers’ tastes. Another possibility is that a design change dramatically lowers the cost of the
standardized variety, leading buyers to judge the standardized product a better value than the
expensive, custom variety.
• Neutralize, or split off, the aspects most responsible for fragmentation. A good example of this is the
fast food industry, which relies on tight local control to maintain good service. These needs were
isolated or neutralized by franchising to local owners. The franchisor is responsible for national
marketing, centralized purchasing, and other services that can provide significant economies of scale,
leading to industry consolidation.
• Another approach, when there are numerous buyer segments or extreme product differentiation, is for the
firm to use multiple brand names to appeal to the tastes of different customers.
• Acquisitions can allow firms to expand even where they would find it difficult to compete against local
firms because of the local firms’ contacts and image.
• Recognize industry trends early. As industries mature they tend to naturally consolidate, particularly
if the primary source of fragmentation is due to the newness of the industry. Exogenous factors,
such as technology changes, can lead to consolidation by altering the causes of fragmentation.
• Industries that are “stuck” for reasons other than underlying economic factors.
o Existing firms lack the resources, skills, or other factors that are needed for consolidation.
o Outside firms do not recognize the opportunity offered by the industry because the firms thought
to be “stuck” in a fragmented state are new, small or obscure.
• Formula facilities are a matter of standardizing products in order to reduce costs and improve
operating revenue.
• If products or services cannot be significantly differentiated, then the best way to increase value
added may be to provide more service with the sale, such as assembly of components before they
are sold to the customer.
• Specialization by product type or product segment is a focus strategy. A focus strategy can enhance
bargaining power with suppliers, but the downside of this strategy is that it does not offer many growth
opportunities. Other focus strategies might include specialization by customer type, type of order, or
geographic area.
• Bare bones, no frills cost strategy is characterized by low overhead, tight cost control, and low
payroll.
• Lack of strategic discipline can cause a firm to stray from an appropriate strategy.
• Overcentralization can often be a problem in an intensely fragmented industry where local management,
tight control and personal service are critical success factors. A centralized structure is
counterproductive in most cases because it slows response time, lowers the incentives of those at the
local level, and can drive away skilled individuals necessary to perform many personal services.
• Assumptions that are wrong can cause the wrong strategy to be implemented, e.g., an assumption might
be that competitors have the same overhead and objectives. Small, privately owned firms may have
noneconomic reasons for being in business, so assuming that these competitors will have the overhead
structure or objectives of a corporation may be a serious error.
Formulating Strategy
Porter developed the following steps for formulating competitive strategy in fragmented industries.
• Determine the industry’s structure and understand who the industry’s primary competitors are.
• Conduct analysis to determine whether fragmentation can be overcome, and how it can be overcome.
• If fragmentation can be overcome by developing a new structure, analyze whether the new structure can
provide acceptable results, i.e., profit and market share.
• If fragmentation is inevitable, then the firm needs to select the best strategy to operate in the
fragmented industry.
Question 65: In which of the following industry environments would an internal auditor be most likely to
recommend strategies such as franchising and horizontal mergers?
a) Emerging industries
b) Declining industries
c) Fragmented industries
d) Mature industries
(IIA adapted)
Question 66: The opportunity for franchising comes from the ability to
a) Develop products
b) Differentiate products
c) Standardize products
d) Diversify products
(IIA adapted)
a) I, II and III
b) I, III and IV
(HOCK)
Emerging Industries
An emerging industry is a “newly recognized group of firms selling similar products or services to an
identifiable set of customers.” An emerging industry is either evolving from:
• An established industry, or
Porter observed that “no rules of the game” exist for an emerging industry, a condition that creates risks,
as well as opportunities. Features of an emerging industry are:
• There is strategic uncertainty about how fast demand for the product will grow and how big the
market will get.
• There is technology uncertainty in the products and production method, but there is an opportunity to
gain from technological know-how. Also, there can be rapid improvement in the first-generation products.
• The market of an emerging industry is generally new and unproven (embryonic companies).
• The learning curve effect allows for significant cost reductions as volume builds.
• The customers, by definition, are first-time users. The marketing task involves inducing initial
purchase and overcoming customer concerns.
• Government subsidy. In cases where the technology is radically different there might be subsidies
for new entrants. But, subsidies based on political factors can cause instability by interfering in the
market.
• Inability to secure raw materials and components. Raw materials may be scarce because new
suppliers must be found or they may have to modify or expand their existing production output.
• Period of rapid escalation of raw material prices. Suppliers may increase prices to keep up with
demand.
• Perceived likelihood of obsolescence. Sales may slow if buyers have the perception that rapid
obsolescence in the industry will occur.
• Customers’ confusion. Customer confusion can result from uncertainty in the technology and from
conflicting claims and counterclaims by competitors. Confusion can cause buyers to postpone purchases.
• Lack of consistent product quality. Quality problems could be from the lack of agreed-upon
technical standards, or because there are a number of new firms.
• Image and credibility with financial community. If the industry is suffering an image and
credibility problem, financial institutions may be unwilling to provide capital at reasonable rates, and
customers may also have trouble getting credit.
• Regulatory approval. Approval may be difficult to obtain, thus, stunting growth. On the other
hand, a favorable government policy may help to get the industry off the ground, for example, when
the use of safety products becomes mandatory.
• Firms often run short of funds for R&D and start-up. Firms may underestimate the initial start-up
costs, thus creating risk for the industry.
• Response of threatened entities. Entities may respond if they feel threatened. For example,
construction unions fought bitterly against modular housing.
• The nature of the benefits for buyers. Benefits to the buyer may be in the form of a performance
advantage not found in other methods, or the benefit may be purely a cost advantage. Early market
purchases are generally made because of performance advantages.
• Cost of product failure. The higher the cost of product failure, the later the buyers will adopt.
• Switching costs. Switching costs will vary among buyers, e.g., purchase and disposal of equipment,
service support requirements, etc.
• Cost of obsolescence. The cost of obsolescence is less if buyers can be convinced that their needs
can be met with initial purchases.
• Governmental, regulatory, or labor barriers. Each buyer will face different constraints, or barriers.
• Perception of technological change. The perception of change will depend on the sophistication
of the buyer. For example, some may perceive change as a threat, whereas others might see change
as an opportunity.
• Personal risk to the decision maker. The greater the risk to the decision maker, the less likely early
adoption is.
Strategic Choices
• The firm should try to win the race for industry leadership by employing a bold, creative strategy on
such matters as pricing and marketing.
• To appeal to first-time buyers, the firm should develop the ability to:
o Improve the production process and product quality.
o Develop attractive performance features that will attract new customers.
o Shape the rules of competition.
• Be aware of, and try to take advantage of, the changing role of suppliers and distribution channels.
They may become more accommodating as the industry grows.
• Shift advertising focus from building product awareness to increasing frequency of use and creating
brand loyalty. The firm may want to use price-cuts to attract price-sensitive buyers.
• Move quickly when the firm’s technological advantage disappears. The firm may not be able to rely
on proprietary technology as an advantage. Thus, it may be necessary to respond by making large
capital investments.
Businesses that develop a successful strategy in an emerging industry have the following common
characteristics:
• They employ the concept of Bold Entrepreneurship. As mentioned above, the firm employs a bold,
creative strategy.
• They have an intuitive feel for what buyers will like and how they will use the product.
Question 68: Features of an emerging industry might include all of the following except
b) Few producers
c) Underdeveloped markets
(HOCK)
a) I only
b) II only.
c) II and III
d) I, II and III
(HOCK)
Declining Industries
A declining industry is one that experiences an absolute decline in demand for its products over the long run.
As competition intensifies over time, the number of competitors usually declines and the larger companies in
the industry often increase their market share.
Note: The railroad industry is a good example of a declining industry. This industry experienced decreased
demand, largely due to newer and faster means of transporting goods, primarily air transport and trucking,
and it also failed to remain competitive in pricing, compared to the benefits of faster and more efficient
transport provided by airlines and trucking services.
Michael Porter takes the view that industries in decline do not correspond exactly to the decline stage in the
product life cycle. The general prescription for decline is the harvest strategy, but Porter suggests that the
nature of the competition, as well as the range of strategic choices available to companies during the decline
phase, is widely diverse and varies from industry to industry. It may be possible for some industries to
deal with the decline without intense rivalry, long-term excess capacity, and large operating losses. While
some firms might be inclined to exit the industry, some might not harvest at all. The more common
characteristics of a declining industry might include:
1) Conditions of demand. Competition for remaining sales will be heavily influenced by the conditions of
demand and the nature of the market segments.
• Uncertainty about demand will influence whether a firm will try to hold onto its position and remain
in the industry, or get out. For example, if a firm believes that industry demand will continue to decline,
this will facilitate the process of withdrawing capacity from the market.
• Structure of remaining demand pockets has a major influence in determining whether the
remaining competitors can be profitable.
• Causes of decline of industry demand will depend on a number of different factors. These factors
include:
o Technological substitution. This is where the source of decline is created through technological
substitution, e.g., electronic calculators for slide rules.
o Demographics. This is where there is a decline in the size of the customer base.
o Shifts in needs. This is where there is a decline in demand for reasons that change the buyers’
needs or tastes.
2) Exit barriers. These barriers are an important factor in determining how much capacity leaves the
market. High exit barriers can keep companies competing in declining industries even though these
companies might be earning below normal returns on investment. Exit barriers might be due to a number
of fundamental sources, including:
• Durable and specialized assets. If the assets to be sold (fixed or working capital) are highly
specialized, then the liquidation value of the company’s investment is diminished.
• Fixed costs of exit. If the fixed costs of exiting are substantial, they reduce the effective
liquidation value of the business.
• Strategic exit barriers. A company that is highly diversified may face barriers if the part that is to
be liquidated is important to the firm, e.g., important to the company’s image, relationship with
distributors, etc.
• Information barriers. This would be applicable if the business to be liquidated shares assets or has
buyer-seller relationships that make it difficult to get clear information about the true performance
of the business.
• Managerial or emotional barriers. Sometimes the factors that go into making the decision to exit
a business go beyond just economic considerations. There might be a managerial or emotional attachment
to the business that keeps it from liquidating.
• Governmental and social barriers. In some situations there might be governmental and social
barriers that keep a company from exiting a business. For example, it might be impossible for a
company to exit a business because the government is concerned about the potential for lost jobs
and impact on the local community.
• Mechanism for asset disposition. The method by which assets are disposed of can greatly influence
the profitability of a declining business. For example, if a business is sold at a discount, the lower
investment base might allow the new managers to make decisions on pricing and other aspects of
strategy that are rational to them, but would be ruinous to the remaining companies.
3) Volatility of Rivalry. Rivalry can be much fiercer in a declining industry. This rivalry is more intense in
the following situations:
• Companies are equally balanced so no one firm is able to win the competitive battle.
• Companies are tempted to take ill-advised efforts when they are uncertain about their competitive
positions.
• Pursue a focus strategy by exploiting growth segments within the industry. This could include
going after a niche segment.
• Pursue a harvest strategy that allows the business to have a controlled, gradual liquidation. Taking
on this type of strategy can let the business maximize cash flow by minimizing costs on such items
as advertising, R&D, maintenance, etc.
• Have a quick divestment strategy that allows the business to have the highest net recovery. But
businesses do need to be careful about divesting too soon. Businesses could be wrong in their assessment
as to the onset of the decline stage.
[Figure: Strategic alternatives for declining industries. Rows: Industry Structure for Decline (Favorable /
Unfavorable). Columns: Firm’s Strategic Needs to Remain in the Business. Favorable industry structure:
“Leadership or Niche” and “Harvest or Divest Quickly”. Unfavorable industry structure: “Niche or Harvest”
and “Divest Quickly”.]
Question 70: Which of the following is not a characteristic of a mature industry environment?
a) Consolidation
b) Competitive interdependence
c) Declining demand
(IIA adapted)
Competition in Global Industries
Today, people around the globe are becoming connected to each other as never before. Now, you can send an
email anywhere, instantly, or be part of the 3.0 billion viewers watching World Cup games. Being connected
means that information and money flow more quickly. It also means that goods and services produced in one
part of the world are available in all parts of the world. For example, tuna caught in the North Atlantic can
be served the next day at a sushi bar in Japan. We refer to this phenomenon as “globalization.”
The International Monetary Fund (IMF) defines globalization as “the growing economic interdependence
of countries worldwide through increasing volume and variety of cross-border transactions in goods and
services, free international capital flows, and more rapid and widespread diffusion of technology.”
What this globalization means for businesses is that their competitive analysis must often address
the issues of global competition, whether the company is global or domestic.
• A true global industry is considered to be one in which companies have to sell internationally. If
non-multinationals are able to compete in the local or national market, then the industry is not
considered to be global. A good example of a true global industry is the automobile industry, where all
businesses within the industry compete internationally.
• Even though there are differences between global and domestic competition (e.g., government policies
vary from country to country, as well as cost structure, availability of resources, market conditions
and other factors), Porter’s five forces model is still a workable model that can effectively address
foreign competition.
• The issue for companies is to decide whether to compete globally and the extent of the threat from
global competition.
There are several methods individual companies use to enter a foreign market. These methods are
discussed in more detail in Section H (Global Business Environment), but in brief they include licensing,
indirect and direct exporting, foreign direct investment (FDI), local component assembly and joint
ventures. Which participation method a company chooses will depend on its willingness to commit financial,
physical, and managerial resources.
Sources of global competitive advantage are discussed first, and then the impediments to global competition.
Both these factors affect how, and how fast, an industry will evolve.
• Logistical economies of scale can be realized if businesses are able to improve their logistical
systems, e.g., Wal-Mart.
• Marketing economies of scale can be realized if businesses are able to market products in multiple
national markets without having to customize advertising, enlarge the sales department, etc.
• Purchasing economies of scale can be realized if a global business is able to exert bargaining
power over suppliers.
• Global experience. As a business gains experience in the global marketplace, it can obtain the maximum
cost benefit, which helps it gain a cost advantage when similar products are sold in multiple markets.
• Product differentiation incorporates differentiating features that cause buyers to prefer a company’s
product or service to rivals’ brands. It is possible that selling globally can enhance the company’s
national brand.
• Proprietary technology may be applicable in several national markets, thereby giving the business
a competitive advantage. Also, by marketing globally, the firm has a better chance of staying in touch
with changing technology.
• Mobility of production lets a firm achieve economies of scale by being able to move production to
nations where input costs are lower.
• High storage and transportation costs could offset other cost advantages that the company enjoys. To
counter these higher costs, the company might have to build in-country facilities, thus increasing costs
and eroding profitability.
• Low worker productivity might offset the company’s lower wage rates.
• Customization of product might entail having to redesign the product based on different needs,
values, customs, and languages. Customization increases cost, eroding the company’s competitive
advantage.
• Limitations to established distribution channels could act as a market entry barrier. These
barriers might be resolved only if substantial concessions are made in order to induce the channel to
substitute the product for that of a domestic producer. These concessions might cause diseconomies of
scale.
• Government impediments are designed to protect local jobs and businesses. Impediments might
include quotas, tariffs, and country content rules. Higher government taxes on foreign operations
would benefit local businesses as well.
• Financial resource limitations might mean that the company has to commit financial resources,
e.g., to build a plant, that were not otherwise part of the firm’s financing plan.
• Complexity of global competition might cause the company to think twice about entering the
global arena.
The next step in the evolution is for companies to start exporting. Exporting a product requires placing the
product in the distribution system of another country. Exporting can be either indirect or direct.
• Indirect exporting, or marketing through an intermediary, involves the least amount of commit-
ment and risk, but will probably return the least profit.
• Direct exporting is when a company handles its own exports directly, without an intermediary.
Direct exporting is riskier than indirect exporting, but it also opens the door to increased profits.
The second stage is generally the establishment of a specific export department within the company.
The last step in the evolution is for the company to become truly a transnational corporation, or a company
that is globally oriented to marketing its products. A transnational corporation runs its business and makes its
decisions based on all the possible choices in the world, not simply favoring domestic operations because they
seem to be convenient.
[Figure: the stages of evolution, from exporting to transnational operation]
Strategic alternatives
There are three main types of international strategy: multi-domestic, global and glocal.
1) Multi-domestic strategies refer to those companies that address competition in each country or
region on an individual basis.
2) Global strategy refers to addressing competition in an integrated and holistic manner across
country and regional boundaries.
3) Glocal strategy refers to companies that are willing and able to “think globally and act locally.”
For example, the Internet is a global phenomenon, but it allows people to make websites in their native
language.
• Increased influence of emerging markets. The emerging economies are gaining economic
strength and influence. These emerging economies include countries like China, Russia, India, Malaysia,
countries in Eastern Europe, and parts of Africa and Latin America. The trend is to narrow the
economic differences between developed and emerging countries.
• New large-scale markets are emerging, such as Brazil, Russia, India and China (the BRIC coun-
tries).
• Freer flow of technology allows even less developed countries the opportunity to invest and
develop in world-class facilities.
• More aggressive industrial policies are being implemented by some countries in order to gain
world status, e.g., Russia, Venezuela, Iran, etc.
Question 71: Which of the following would be a source of global competitive advantage?
(IIA adapted)
a) I and IV only
Strategic Decisions
Strategic decisions are those choices that impact future operations, such as expanding into a new market or
launching a new product line. This section discusses various strategic decisions management can make to
ensure the long-term survival and profitability of the company.
Horizontal Integration
Horizontal integration is a type of ownership and control whereby a firm acquires additional business activities
at the same level of the value chain. Horizontal growth can be achieved by internal expansion or by external
expansion through mergers and acquisitions of firms offering similar products and services. A firm may also
grow horizontally by diversifying into unrelated businesses.
Example: The GAP Inc. retail clothing corporation is a good example of a business that practices
horizontal integration. GAP Inc. controls three distinct companies, Banana Republic, Old Navy, and the GAP
brand itself. Each company has stores that market clothes tailored to the needs of a different group. For
example, Banana Republic sells more expensive clothes with a more “upscale” image, whereas the GAP
sells “moderately” priced clothes that appeal to middle-aged men and women. On the other hand, Old
Navy sells “inexpensive” clothes geared towards children and teenagers. Thus, by using these three
different companies, GAP Inc. controls a large segment of the retail clothing industry.
• Synergy is achieved when “two or more discrete influences or agents acting together create an
effect greater than the sum of the effects each is able to create independently.” For example, synergy
can be achieved by using the same brand to promote multiple products.
• The possibility that the anticipated economic gains will not materialize. Before expanding by
horizontal integration, management should make sure that the potential benefits are real. For example, it
had been assumed that computer hardware manufacturers that entered the software business would
experience synergies between hardware and software. But the connection between these groups of
products does not necessarily imply realizable synergy.
• The possibility that, even if the benefits exist, they will not materialize spontaneously. A specific
horizontal strategy should therefore be in place to capture them.
Vertical Integration
Vertical integration involves companies at different stages of production. In these cases, the buyer expands
back toward the source of raw materials, called backward integration, or forward in the direction of the
consumer, called forward integration.
Example: One of the earliest, largest and most famous examples of vertical integration was the Carnegie
Steel Company. Carnegie Steel controlled not only the mills where the steel was manufactured, but the
mines where the iron ore was extracted, the coal mines that supplied the coal, the ships that transported
the iron ore and the railroads that transported the coal to the factory, the coke ovens where the coal was
coked, etc.
[Figure: two parallel value chains, each running Intermediate Manufacturing, Assembly, Distribution]
The decision of whether to vertically integrate or not should consider two issues: cost and control. The cost
aspect depends on the cost of the market transactions between firms versus the cost of administering the
same activities internally within a single firm. The control issue has to do with the impact of asset control,
which can impact barriers to entry and which can assure cooperation of key value-adding players.
• The potential to have greater control over inputs. This is one of the main reasons why Apple
decided to make its computer hardware, accessories, operating systems, and much of the software
itself. Today, Apple is one of the few vertically integrated businesses in the IT industry.
• The potential to increase entry barriers to competitors. This would be true, for example, if the
firm could gain sole access to a scarce resource.
• The potential for reduced flexibility because of previous upstream or downstream investments. On
the other hand, the flexibility to coordinate vertically related activities might be increased.
• The potential for capacity problems. For example, the firm may have to build excess upstream
capacity to ensure that downstream operations have sufficient supply under all demand conditions.
Question 73: A milk producer company acquires its own dairy farms to supply milk. The growth strategy
adopted by the company can be identified as
a) Horizontal integration
b) Vertical integration
c) Concentric diversification
d) Conglomerate diversification
(IIA adapted)
Capacity Expansion
The decision whether or not to expand capacity is a major strategic decision for management and the firm.
Before making this decision, management has to have a clear understanding of the costs and benefits of
expansion. For example, any expansion requires additional capital investment. Investment could be in the
form of new equipment, additional personnel, construction of new facilities, etc. Management simply needs to
know that these additional costs will be covered by the expected increase in sales. It is for this reason that
capacity expansion is also referred to as market penetration.
In the long term, the company will need to make certain that its capacity will be able to meet the expected
demand as well as decide how to obtain this capacity. The firm may either purchase or lease the necessary
fixed assets, but a plan is required to determine how the company will obtain the necessary financing for
whatever option it chooses. This is the process of capital budgeting.
Undercapacity, on the other hand, tends to be a short-term issue in profitable industries. In these
situations, investors would be lured to making investments to increase the firm’s capacity capability, thereby
increasing the firm’s profits.
Michael Porter, in his book, Competitive Strategy: Techniques for Analyzing Industries and Competitors,
describes the strategic decision process to expand capacity. These are the interrelated steps in his process:
1) The first step is for the firm to identify all of the options open to it. The firm would also have to
consider responses by competitors.
2) The second step is to forecast demand, input costs, and technology developments.
• Depending on the industry, there can be a lot of uncertainty about future demand. This is probably
the most crucial variable in determining the nature of the industry’s expansion.
• In regards to technology, the firm has to be aware that any new technology can quickly become
obsolete, or future design changes might not be practical.
• The firm also needs to consider the possibility that expansion could put upward pressure on input
costs.
3) The third step is to analyze the competitors. The difficulty of analyzing competitors is that this
requires the ability of the firm to forecast their behavior, which requires knowing their expectations.
This is difficult even under the best of circumstances.
4) The fourth step is for the firm to develop a detailed model that predicts prices and cash flows. This
model could also possibly have information on the firm’s expected market share and total industry
capacity.
A critical variable that helps to determine the nature of the industry expansion is the extent of uncertainty
about future demand.
• If there is high uncertainty about demand then firms who have the available financial resources
and are willing to take on greater risk will act first.
• On the other hand, if there is low uncertainty about demand, and market signals tend to be
strong, firms will tend to take on a strategy of preemption to forestall competitors’ expansion
plans. This strategy tends to lead to excess industry capacity because firms overestimate their competitive
strengths, don’t understand the market signals, or fail to accurately assess competitors’
intentions.
Capacity Overbuilding
Overbuilding is most frequently associated with firms in cyclical industries. The cyclical buildup of
production capability is due to the uneven inflow of fixed capital. When the investment climate and
expected future demand are favorable, firms invest in fixed capital, and thereby in production capacity. The
resulting surplus of production and the competition between firms reduce profits and eventually lead to
capital devaluation.
Note: The general thought is that overbuilding is bad, but in fact, overbuilding may be good for society
as a whole. For example, when railroads were overbuilt and the price of transportation plunged below what
was needed for recovery of invested capital, that was bad for the investors in railroads, but it was good for
the transportation-dependent industries, many of which could not have existed without the eventual lower
costs of transportation. In fact, the lower prices created non-secular elasticity: greater demand because
new industries became possible. These new industries resulted in new volumes of traffic, which eventually
made the lower prices bearable for the railroads, although not for the original investors. What happened
with the railroads also happened with Internet companies as well.
1) Technological factors
• Economies of scale are present, and there is a steep learning curve that encourages preemption.
• The industry has long lead times, which increase the risk that the industry will experience
overbuilding.
2) Structural factors
• Exit barriers are high. This keeps firms in the industry and producing when they would otherwise
leave.
• Suppliers of capital, input supplies, etc. may have favorable terms that promote expansion.
• The extent of competitors’ integration may act as a promoter of expansion. A firm may feel
pressure to build capacity even in the face of uncertainty in demand.
3) Competitive factors
• Firms with capacity capability may seek to improve market share.
• Lack of true market leader(s). The lack of a true market leader may give firms an incentive to
gain market share through expansion. On the other hand, expansion tends to be more orderly in industries
with true market leaders since they are able to retaliate against inappropriate expansion by
other firms.
• Low entry barriers and other favorable economic conditions may encourage new entrants to
the market, thus, causing overcapacity.
5) Managerial factors
• A firm that is more production-oriented is more likely to overbuild than a firm that is market-
oriented. Production-oriented firms are primarily concerned with production, manufacturing, and efficiency
issues. Market-oriented firms allow the wants and needs of customers and potential
customers to drive all the firm’s strategic decisions.
6) Governmental factors
• Promotion of indigenous industries may cause inefficient domestic producers to stay in business,
thereby contributing to excess global capacity.
Question 74: What is a key issue for management when considering capacity expansion?
a) Avoiding overcapacity
c) Analyzing competitors
d) Capital budgeting
(HOCK)
Question 75: Which of the following is a market-oriented definition of a business versus a product-
oriented definition of a business?
b) We supply energy
c) We make movies
d) We sell clothing
(IIA adapted)
Barriers to entry include the following:
• Economies of scale. Large firms can generally produce goods at a lower cost than smaller firms.
But these cost advantages can quickly evaporate with changing technology. For example, the
common use of PCs allowed small companies the opportunity to make use of database and communication
technology that was once extremely expensive and only available to large corporations.
• Customer loyalty can be very strong with some brands. This customer loyalty can impede market
entry.
• Advertising can make a difference for those firms seeking to enter the market. Established firms
are able to spend more on advertising than new brands can afford.
• Research & Development can be a huge entry barrier, particularly if the product requires massive
upfront investment in technology that will deter potential new entrants.
• Sunk costs are those costs that cannot be recovered if a firm decides to leave the market. Therefore,
these costs increase the risk and deter entry.
• Distributor agreements: exclusive agreements with key distributors or retailers can make it more
difficult for other businesses to enter the industry.
• Supplier agreements: exclusive agreements with key suppliers can make it more difficult for other
businesses to enter the industry.
• Patents give a firm the sole legal right to produce a product for a certain number of years. Patents
are intended to encourage innovation by offering this financial incentive.
• Government regulations can make entry more difficult by having requirements for licenses and
permits. These requirements can raise the investment needed to enter the market.
Potential new entrants should conduct structural analysis in order to determine the feasibility of actually
entering into a new business and market. Porter’s Five Forces Model is still widely used for identifying
industries to target.
Question 76: After a firm conducted extensive structural analysis, it decided to create a whole new
business entity. The analysis helped the firm choose the most appropriate industry in which to target. The
most likely target is an industry in which the new entity
c) Will not have to compete with a dominant firm that seeks to protect the industry.
d) Calculates that the costs of retaliation to existing firms are less than the benefits.
(HOCK)
Forecasting
Forecasting is a critical part of any business, and it involves looking into the future and attempting to
determine what future conditions and/or results will be. A budget is a form of forecasting. Examples of
forecasting are projecting sales, determining inventory demand, estimating cash flows, determining future
capital needs, and estimating costs.
Forecasting methods can be either qualitative or quantitative. Which method is used will depend on the
specific objectives of the forecast and the amount of information available to the company.
Qualitative forecasting
Qualitative forecasting is generally used when historical data is not available, or when the information cannot
be quantified. Qualitative forecasting entails the use of expert opinions, such as predicting the cost of oil over
the next six months, or the impact that rising oil prices might have on the global economy. If qualitative
forecasting uses opinions, then what are the methods used to obtain the opinions?
1) Delphi technique. This is probably the best-known method for generating forecasts based on the
use of “experts.” A survey or questionnaire is sent to a group of independent, unbiased experts,
who fill out the survey without reference to the other contributors. The replies to the survey are
summarized, analyzed and then returned back to the experts so they can reconsider and revise their
earlier responses based on the views of the group. This process continues until the facilitator determines
that a group consensus (or narrower range of opinions) has been reached.
2) Jury of executive opinion. This approach involves bringing senior managers together so that they
can draw upon their collective wisdom to come up with a forecast. This differs from the Delphi technique
in that the senior managers actually get together in an open meeting to discuss their opinions.
A drawback to this method is that the meeting may be subject to groupthink and personality
dominance.
Note: Groupthink is a term coined by Irving Janis that refers to faulty group decision-making.
Groups experiencing groupthink do not consider all alternatives and they desire unanimity at the
expense of quality decisions.
3) Scenario planning. This approach develops a set of well-defined assumptions and then applies
these assumptions to a series of scenarios. For example, a transportation company concerned about
rising oil prices might develop a series of scenarios indicating what would happen to its business
model if oil prices go from $100 per barrel to $150 per barrel to $200 per barrel. Scenario planning
is not about producing a consensus but rather about identifying likely or possible outcomes and
then coming up with a plan for how the business would respond to the least desirable scenario.
Quantitative forecasting
Mathematical models are used in quantitative forecasting. A mathematical model is an equation that
attempts to represent an actual situation. For example, if a company has a product that it sells for $1,000
each, and if we use R to represent total revenue, the total revenue that the company will earn by selling x
units can be represented by the following equation, or mathematical model:
R = 1,000x
For a model to be useful, it must be a good representation of the real situation. Therefore, it is important to
carefully construct the equations.
Quantitative forecasting methods fall into two groups:
1) Time series methods, which look only at the historical pattern of one variable and generate a
forecast by extrapolating the pattern using one or more of the components of the time series, and
2) Causal forecasting methods, which look for a cause-and-effect relationship between the variable
we are trying to forecast (the dependent variable) and one or more other variables (the independent
variables).
A time series may have one or more of four patterns (also called components) that influence its behavior
over time:
1) Trend
2) Cyclical
3) Seasonal
4) Irregular
In addition to these patterns of behavior, time series data can also be affected by inflation. The presence of
inflation can distort the analysis, and it may be necessary to adjust the time series or the resulting forecast to
remove this distortion.
1) Trend Pattern
Over a long period of time, the historical data may exhibit a trend, which is a gradual shifting to a higher or
lower level. If a long-term trend exists, there will probably also be short-term fluctuations within that trend;
however, the long-term trend will be apparent. For example, sales from year to year may fluctuate but
overall, they may be going up, as is the case in the graph below.
[Graph: annual sales, 2003 to 2013, vertical axis $1,500,000 to $3,500,000, showing an upward trend with short-term dips]
The long-term sales trend has been upward from 2003 to 2012, despite the dips in 2005 and 2009. According
to this trend, a reasonable sales forecast for 2013 would be $3,250,000.
Trends in a time series analysis are not always upward and linear like the above graph. Time series data can
exhibit an upward linear trend, a downward linear trend, a nonlinear (curved) trend, or no trend at all. A
scattering of points that have no relationship to one another would represent no trend.
2) Cyclical Pattern
A long-term trend line can still be established even if the sequential data fluctuates greatly from year to year
due to cyclical factors. Any recurring fluctuation that lasts longer than one year is attributable to the cyclical
component of the time series. The cyclical component is usually due to the cyclical nature of the economy.
In the next graph, we see an example of the cyclical components of a time series. The fluctuations from year
to year are greater than they were for the first graph. However, we can still discern a long-term trend
upward.
[Graph: annual sales, 2003 to 2013, vertical axis $1,500,000 to $3,500,000, with larger year-to-year cyclical swings around an upward trend]
3) Seasonal Pattern
In order to identify trend and cyclical components of a time series, we track the annual historical movements
of the data over several years. That is, we look only at results for full years, such as total sales for the years
2003 through 2012.
However, a time series can fluctuate within the year due to seasonality in the business. Seasonal variations
are common in many businesses. For example, a flower company’s sales would be highest during the warm
summer months, whereas a retailer of skis would experience its peak sales in the wintertime. Variability in
the time series due to seasonal influences is called the seasonal component.
“Seasonal” behavior can take place within any time period that is less than a year in length. A business that
has its busiest time of day at the same time every day is said to have a within-the-day seasonal
component. As long as the pattern repeats regularly, it is a seasonal component.
4) Irregular Pattern
A time series can also vary in a random pattern, not repeating itself in any regular pattern. This is called the
irregular pattern. It is caused by short-term, nonrecurring factors, and its impact on the time series cannot
be predicted.
1) Smoothing
Just as the name implies, smoothing methods attempt to “smooth out” random fluctuations caused by the
irregular component of a time series. Smoothing methods work with a time series that has no significant
trend, cyclical or seasonal effects. They do not work well when there is a long-term upward or downward
trend or when there is cyclical variation or seasonal variation. However, when nothing affects the values
except random variations, smoothing methods can provide highly accurate, short-range forecasts such as a
forecast for the next time period.
Moving averages use the average of the most recent data in the time series. Whenever a new value
becomes available for the time series, it replaces the oldest value. For example, when using a four-week
moving average to forecast sales, to forecast sales for week five, we would average the sales for weeks one
through four. The forecast of sales for week ten would use the average sales for weeks six through nine.
A weighted moving average is a variation of the moving average method. When utilizing this method, we
use different weights for each value and compute a weighted moving average, using the most recent data in
the time series. For example, we might give more recent historical values weights that are greater than those
given to the older values. If we have four months of data, to forecast the fifth month’s value using a weighted
moving average, we would approach it in the manner outlined in the following example.
Example: ABC Corporation wants to use a four-month weighted moving average method to forecast sales
for the month of May. Actual sales for ABC for the months of January, February, March and April are as
follows:
January $21,000,000
February 23,000,000
March 25,000,000
April 20,000,000
ABC has assigned a descending weight to each month’s values, starting with the most recent month. Each
of the month’s results is multiplied by the weight, and then these individual monthly values are added
together to determine the May forecast. The weights ABC has assigned to the four previous months are
40%, 30%, 20% and 10%. This means that the results in the most recent month (April) will have four
times the impact on the May forecast as the oldest month (January).
Weight
April $20,000,000 * 4/10 = $ 8,000,000
March 25,000,000 * 3/10 = 7,500,000
February 23,000,000 * 2/10 = 4,600,000
January 21,000,000 * 1/10 = 2,100,000
$22,200,000
Note that the total of all the weights equals 10/10, or 1.
The weighted moving average is the total, $22,200,000, and this is the expected result for the month of
May.
Exponential smoothing is a special type of weighted moving average. With exponential smoothing, we
forecast a value for the next period by calculating a weighted average of two numbers only: the actual
value for the current period and the forecast that was made for the current period.
Exponential smoothing takes the forecast developed for the current period and adjusts it up or down based on
what actually occurred in that period. The actual value is multiplied by the weight put on it and this is added
to the forecasted value multiplied by its weight. This becomes the forecast for the next period.
The amount of weight put on the actual value is called alpha (α), or the smoothing constant. It will always
be between 0 and 1. The amount of weight put on the forecasted value will be (1 - α). The total weight put on
both values will always equal 1.
The value used for the smoothing constant will influence the accuracy of the forecast. If alpha is set to 1,
the forecast for the next period will be based completely upon the actual value from the current period, with
no weight given to the forecasted value from the current period. If alpha is set to 0, the actual value from the
current period will be completely ignored and all the weight will be put on the forecasted value. Neither of
these will provide much information for the future. That is why alpha will always be between 0 and 1. Usually
alpha will be between 0 and .4.
We will discuss how alpha is determined and why its value is between 0 and .4, but first we will look at the
calculation of a forecasted value for the coming month, using the current month’s actual and forecasted
values. We are using the same actual data used to calculate a forecast based on a weighted moving average
in the previous example. However, forecasted amounts that have been calculated using exponential
smoothing are added to the table.
Example: In January, ABC Corporation began using exponential smoothing to forecast sales for each
month. Actual and forecasted sales, in millions, for ABC for the months of January, February, March and
April are as follows. Forecasted sales for January through April have been calculated using exponential
smoothing and an alpha of .1.
Actual (Y) Forecasted* (F)
January $21.0 N/A
February 23.0 $21.0
March 25.0 21.2
April 20.0 21.6
*Forecasted by means of exponential smoothing.
To calculate a sales forecast for the month of May using exponential smoothing, use only the actual sales
for the month of April and the forecasted sales (forecasted using exponential smoothing) for the
month of April.
As you may have noticed, not just any forecast can be used in this calculation. For exponential smoothing
to work, the forecasted value used can only be one that was calculated using exponential smoothing.
When exponential smoothing to calculate the next period’s forecast is first instituted, more weight is
automatically given to the very earliest period’s results. This heavy weighting will decrease period by period
as several periods pass and more history builds up. Ultimately, the greatest weight will be on the most
current period’s results with the weight descending as the results go back in time. (This can be proven
mathematically but is outside the scope of the exam and so is not presented.) At all times, the sum of the
weights for all the periods will be 1.0.
One of the advantages of exponential smoothing is that it does not require a lot of historical data. Therefore,
it is an inexpensive method to use when multiple forecasts need to be made every period. If using a moving
average or a weighted moving average method, we would have to apply several different historical values,
but exponential smoothing requires only the current period’s actual and forecasted values. Thus, data storage
requirements are minimized.
Exponential smoothing is a simple concept, yet it is quite powerful because of its weighting process.
On the other hand, a disadvantage of exponential smoothing is that its forecast will lag behind as the trend
increases or decreases over time. And it does not account for dynamic changes that occur in reality. Its
forecasts will require constant updating in order to respond to new information.
Furthermore, in exponential smoothing, the choice of α is important, because it influences the accuracy of the
resulting forecast. A desirable value for α is one that minimizes the forecasting error over time. The
forecasting error is calculated by taking the historical difference between the actual and the forecasted values
using exponential smoothing. That difference, or error, for each period is then squared to eliminate negative
amounts, and the squared error amounts for each period are averaged. This average is called the Mean
Squared Error or MSE. Our goal is to find a value for α that will minimize the MSE.
Note: Detailed information about the calculation of MSE is outside the scope of the exam and is therefore
not included here. You only need to know that the MSE is the measure of the error in the exponential
smoothing, and that it should be minimized.
Generally, as alpha increases, the forecasting error decreases, up to an alpha of .4. Beyond an alpha of .4,
not much improvement usually results. For that reason, alpha is usually between 0 and .4.
However, if the actual values fluctuate substantially and randomly, we prefer a lower value for α,
because we do not want to adjust forecasts too much in response to random variations. In this case a larger
alpha will create a greater MSE and a less accurate forecast because a larger alpha will cause more weight
to be put on the random variations.
For this reason, exponential smoothing as a forecasting technique is most useful when the time series is
stable, without many fluctuations.
As additional time series data is collected, the smoothing constant α can be adjusted for future forecasts at
any time.
Note: Smoothing methods are useful for a stable time series that has no significant trend, cyclical, or
seasonal effects.
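An added example (not code from the HOCK text) of the procedure described above: it rolls the exponential-smoothing forecast forward using only the latest actual and forecast, squares and averages each period's error to get the MSE, and picks the α with the lowest MSE. The monthly figures, the seeding of the first forecast with the first actual, and the helper names are this example's own assumptions.

```python
"""Exponential smoothing with the smoothing constant alpha chosen to minimise MSE.

Added example for the exponential-smoothing discussion; it is not code from the
HOCK text. The monthly figures and the seeding rule are this example's own
assumptions.
"""


def smooth(actuals, alpha):
    """Return the forecast that was made for each period in `actuals`.

    Only the latest actual and the latest forecast are carried forward:
        F(t+1) = alpha * A(t) + (1 - alpha) * F(t)
    The first forecast is seeded with the first actual (an assumption here).
    """
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie between 0 and 1")
    forecast = float(actuals[0])
    forecasts = []
    for actual in actuals:
        forecasts.append(forecast)
        forecast = alpha * actual + (1.0 - alpha) * forecast
    return forecasts


def mean_squared_error(actuals, forecasts):
    """Square each period's (actual - forecast) error and average the squares."""
    squared = [(a - f) ** 2 for a, f in zip(actuals, forecasts)]
    return sum(squared) / len(squared)


def best_alpha(actuals, candidates):
    """Return (alpha with the lowest MSE over the history, {alpha: MSE})."""
    scored = {alpha: mean_squared_error(actuals, smooth(actuals, alpha))
              for alpha in candidates}
    return min(scored, key=scored.get), scored


def next_forecast(actuals, alpha):
    """Forecast for the period after the last actual."""
    latest_forecast = smooth(actuals, alpha)[-1]
    return alpha * actuals[-1] + (1.0 - alpha) * latest_forecast


# Constructed monthly sales (thousands): a stable level with random fluctuation,
# the kind of series for which the text says a lower alpha is preferable.
ACTUALS = [100, 104, 98, 103, 101, 106, 99, 104, 102, 105]

if __name__ == "__main__":
    alpha, scores = best_alpha(ACTUALS, [0.1, 0.2, 0.3, 0.4, 0.5, 0.9])
    for a, mse in sorted(scores.items()):
        print(f"alpha={a:.1f}  MSE={mse:.2f}")
    print(f"best alpha={alpha}, next forecast={next_forecast(ACTUALS, alpha):.2f}")
```

On this fluctuating series the low α wins, and the MSE grows as α moves toward 1 because the forecast chases every random swing.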
Trend projection can be done by using the high-low point method. However, this method is not very
accurate, because it uses only two points (the highest and lowest results during the time period) to develop a
trend line for forecasting. A more accurate method of forecasting using trend projection is simple regression
analysis, which forecasts values using information from all available observations.
Both the high-low points method and simple linear regression analysis rely on two assumptions:
• Variations in the dependent variable (i.e., what we are forecasting) are explained by variations in
one single independent variable (i.e., time, if a time series is what we are forecasting).
• The relationship between the independent variable (time or something else) and the dependent
variable (sales or whatever we are forecasting based on the value of the independent variable) is
linear. A linear relationship is one that will graph as a straight line.
The line of best fit, as determined by simple linear regression, is a formalization of the way we would fit a
line just by looking at it. We use a ruler to move it until we think we have minimized the differences
between the points and the line. Similar to fitting a line visually, the goal is to take each of the differences
between the individual values and the point on the regression (trend) line for that time period – called a
deviation – square each deviation, then calculate the total of all the squares of the deviations, and have the
result be as low as it can get. When this is the case, the total of the squares of the deviations is “minimized,”
and the trend line is the “line of best fit.” That line can then be used for forecasting using extrapolation.
To use regression analysis, first graph the values of the time series and review the results. If the long-term
trend appears to be linear, use simple regression analysis to determine the trend value.
Before performing regression analysis, we should perform correlation analysis to determine the strength
of the linear relationship between the value of x and the value of y in order to determine whether trend
projection would be meaningful. Correlation analysis measures the relationship between two or more
variables. This measurement shows how closely connected the variables are and the extent to which a change
in one variable will result in a change in the other.
The coefficient of correlation, represented by the letter R or r, is a numerical measure that measures both
the direction (positive or negative) and the strength of the linear association.
The coefficient of correlation, r, can be used to determine whether trend projection would be meaningful.
• A high correlation coefficient, r, (i.e., a number close to either +1 or −1) would indicate that simple
linear regression analysis would be useful as a way of making a projection using a trend line.
• A low correlation coefficient, r, (close to 0) would indicate that a forecast made using a trend line
would not be very meaningful.
The coefficient of correlation, r, can be calculated in Excel by entering the X values in one column (say
Column A, rows 1-10), the Y values in another column (say Column B, Rows 1-10), and entering the following
formula in a blank cell:
=CORREL(A1:A10,B1:B10)
If we call the predicted value of y obtained from the fitted line “ŷ,” then the prediction equation, or the
equation of a linear regression line, is:
ŷ = a + b(x)
Where:
ŷ= the predicted value of y on the regression line corresponding to each value of x
a= the y intercept, or the value of y when x is 0
b= the slope of the line
x= the value of x on the x axis that corresponds to the value of y on the trend line.
Note: This formula may be written in different ways (e.g., ŷ = ax + b), but x will always represent the
independent variable and y is the constant. The coefficient of the independent variable, or the
variable coefficient, is whatever term is next to the x in the formula. That term represents the amount
of increase in y for each unit of increase in x, or the slope of the line.
The constant coefficient is a and it represents the y intercept because this is the value of y when x is
zero.
The symbol over “y” is called a “hat”, and thus, it is read as “y-hat”, which means that we are looking at
the predicted value, not the actual value.
Here is the chart again, illustrating a regression analysis. We have made a couple of changes so that the
trend line, the equation of the trend line, and the coefficient of determination, R² or r², (more on that later)
can be calculated on the computer. We have expressed sales in thousands and changed the years along the
X-axis to Year 1, Year 2, etc., to enable computer calculation.
The numbers below are the historical sales amounts that have been graphed on the graph that follows (000
omitted). These were input into Excel, and Excel calculated the regression equation and the other values for
the regression.
[Chart: historical sales (000 omitted) for Year 1 through Year 10 with the Excel trend line; y-axis from $1,500 to $3,500, x-axis from 0 to 11]
y = 94.976x + 2203.5
R² = 0.8984
The coefficient of correlation, r, as calculated in Excel, is .94786. It is a positive number because the trend
line is upward sloping. If the trend line were downward sloping, the coefficient of correlation, r, would be a
negative number. A value close to 1 (or −1), as .94786 is, indicates that there is a close correlation between
the values of x and the values of y on this graph, and you can see this when you look at the graph. Thus, in
this case, regression analysis would be a good method of forecasting sales for coming years.
The equation of the trend line, as calculated on the graph above, is:
y = 94.976x + 2,203.5
This means that the trend line starts at 2,203.5, and each value on the trend line increases 94.976 over the
previous year’s trend line value. Thus for each year, the trend of sales has increased by $94,976.00.
Forecasted sales for 2013, according to the regression equation, are predicted to be:
y = 94.976x + 2,203.5
This is consistent with the point on the y axis where we see the extension of the trend line when it is lined up
with 11 on the x axis.
Question 77: As part of a risk analysis, an auditor wants to forecast the percentage growth in next
month’s sales for a particular plant using the past 30 months’ sales results. Significant changes in the
organization affecting sales volumes were made within the last 9 months. The most effective analysis
technique to use would be:
b) Exponential smoothing
c) Queuing theory
(CIA adapted)
Question 78: A division uses a regression in which monthly advertising expenditures are used to predict
monthly product sales (both in millions of dollars). The results show a regression coefficient for the
independent variable equal to 0.8. This coefficient value indicates that
b) When monthly advertising is at its average level, product sales will be $800,000.
c) On average, for every additional dollar in advertising, you get $0.80 in additional sales.
(CIA adapted)
Question 79: What coefficient of correlation results from the following data?
X Y
1 10
2 8
3 6
4 4
5 2
a) 0
b) -1
c) +1
(CIA Adapted)
• The standard error of the estimate (SE) represents a confidence range that gives us a range
around the forecasted value within which we can be approximately 68% confident that the actual
value of the unknown variable will fall. The size of the standard error of the estimate must be
interpreted in relationship to the average size of the dependent variable. If the standard error of the
estimate is around 5-10% or less of the average size of the dependent variable, we can be confident
that the regression analysis is fairly precise.
R² is expressed as a number between 0 and 1. In a regression with a high r², the data points will all
lie close to the trend line. In a regression with a low r², the data points will be scattered above and
below the trend line. An r² above .50 would indicate that the forecast yielded by simple linear
regression analysis should be meaningful.
In our example, r² is .94786², or .8984. Note that if the trend line were downsloping and the
coefficient of correlation were -.94786, for example, the coefficient of determination would still be .8984,
since squaring eliminates the negative value.
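An added example (not code from the HOCK text) covering the trend-projection material above: it fits the line ŷ = a + b(x) by least squares, computes r, r² and the standard error of the estimate, applies the text's r² > .50 rule of thumb, reproduces the Question 79 data (a perfect downward-sloping line, so r = −1), and extends the page's trend-line equation y = 94.976x + 2,203.5 to x = 11 (Year 11). The SALES series and the helper names are this example's own assumptions.

```python
"""Simple linear regression, correlation, r-squared and standard error of the estimate.

Added example for the trend-projection material; it is not code from the HOCK text.
"""
from math import sqrt


def fit_line(xs, ys):
    """Least-squares fit of y-hat = a + b*x.

    Returns the intercept a, slope b, correlation coefficient r, coefficient of
    determination r2, the standard error of the estimate se (n - 2 degrees of
    freedom) and se as a fraction of the mean of y (the 5-10% yardstick).
    """
    n = len(xs)
    if n != len(ys) or n < 3:
        raise ValueError("need at least three paired observations")
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        raise ValueError("one variable shows no variation; no line can be fitted")
    b = sxy / sxx                      # slope: increase in y per unit increase in x
    a = mean_y - b * mean_x            # intercept: value of y when x is 0
    r = sxy / sqrt(sxx * syy)          # sign follows the slope of the line
    residuals = [y - (a + b * x) for x, y in zip(xs, ys)]   # the deviations
    se = sqrt(sum(e * e for e in residuals) / (n - 2))
    return {"a": a, "b": b, "r": r, "r2": r * r, "se": se,
            "se_ratio": se / mean_y if mean_y else float("nan")}


def predict(a, b, x):
    """y-hat for a given x, i.e. extrapolation along the trend line."""
    return a + b * x


def trend_projection_meaningful(r2, threshold=0.5):
    """The text's rule of thumb: an r-squared above .50 makes the projection meaningful."""
    return r2 > threshold


# Data from Question 79 above.
Q79_X = [1, 2, 3, 4, 5]
Q79_Y = [10, 8, 6, 4, 2]

# Trend-line coefficients reported for the sales chart (sales in thousands).
PAGE_A, PAGE_B = 2203.5, 94.976

# Constructed ten-year sales series (thousands); not the chart's actual figures.
YEARS = list(range(1, 11))
SALES = [2300, 2350, 2480, 2450, 2600, 2700, 2650, 2850, 2950, 3100]

if __name__ == "__main__":
    q79 = fit_line(Q79_X, Q79_Y)
    print(f"Question 79: b={q79['b']:.1f}, a={q79['a']:.1f}, r={q79['r']:.1f}")
    print(f"Page equation at x=11: {predict(PAGE_A, PAGE_B, 11):.3f} (thousands)")
    fit = fit_line(YEARS, SALES)
    print(f"Constructed series: r={fit['r']:.4f}, r2={fit['r2']:.4f}, "
          f"SE/mean={fit['se_ratio']:.3%}, meaningful={trend_projection_meaningful(fit['r2'])}")
```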
Causal Forecasting
Note: This is the second of two basic forecasting methods.
Causal forecasting methods are used when the value that we are forecasting can be determined to be affected
by some other value. If we can identify a cause and effect relationship between what we are forecasting
and the other value, and if that relationship is a linear one, we can use a projection of the other value to
forecast the sought-after value.
1) Changes in the value of the dependent variable can be explained by changes in the level of the
independent variable.
2) The relationship between the dependent variable and the independent variable is linear. That is, a
graph of the two variables, with the independent variable on the x-axis and the dependent variable
on the y-axis, will result in a straight line within the relevant range.
If there is only one independent variable and one dependent variable and the relationship between them is
linear, regression analysis is called simple linear regression, just as it was called in the section above.
However, it is also possible for one dependent variable (for example, sales) to be affected by more than one
independent variable (for example, advertising expenditures, size of the sales staff, competition, the economy
and any number of other possible causes). When there is more than one independent variable, the regression
analysis is called multiple regression analysis.
When we use one or more values to forecast another value that is influenced or explained by the first
value(s), this is causal forecasting. When doing causal forecasting, we can use time series data, such as
advertising expenditures over time. However, time series data is not always available. When time series data
is not available, regression analysis can still be employed to develop a causal forecast.
For example, demographic data may be used to forecast sales for a newly planned retail store. If there are
previously opened new outlets in other areas, we can use this demographic data and relate it to sales results
in the new retail store. The size of the population, the population’s socio-economic level, age breakdown, and
other factors can be tried as independent variables. If there is a causal linear relationship, we can then use
demographic information for the new area to forecast its sales levels.
Note: In order to use regression analysis, there must be a reasonable basis to expect the dependent
variable to be caused by the independent variable. If there is no reason for a connection, any connection
found through the use of regression analysis is accidental. So we must be careful not to assume that a
linear relationship means there is a cause and effect relationship.
Note: Remember in doing correlation analysis that correlation does not prove causation. There must be a
logical cause and effect relationship in addition to a high correlation in the data.
If the coefficient of determination, or r2, is low, it may mean that we are using the wrong independent
variable in our analysis.
Thus, regression analysis is an important tool for use in budgeting and cost accounting. In budgeting, it is
virtually the only way to compute fixed and variable portions of costs that contain both fixed and variable
components (mixed costs).
• Historical data is required for the variable that we are forecasting or for the variables that are causal
to this variable. If historical data is not available, regression analysis cannot be used.
• Even when historical data is available, if there has been a significant change in the conditions
surrounding that data, its use is questionable for predicting the future.
• In causal forecasting, the usefulness of the data generated by regression analysis depends upon the
choice of independent variable(s). If the choice of independent variable(s) is inappropriate, the
results can be misleading.
• The statistical relationships that can be developed using regression analysis are valid only for the
range of data in the sample.
Question 80: In regression analysis, which of the following correlation coefficients represents the
strongest relationship between the independent and dependent variables?
a) 1.03
b) -.02
c) -.89
d) .75
(CIA adapted)
Quality Management
Quality is the measure of whether a company’s product or service satisfies the customer’s expectation given
the price that was paid. The key to understanding quality is to first understand the customer’s expectations. A
product that seeks to differentiate itself through a lower price must still satisfy the customer expectations of
performance (quality), or the customer will not purchase the product again.
This, however, is not the case. In fact, as a company’s commitment to quality increases, productivity also
increases. There are a number of reasons for this, including:
• A reduction in the number of defective units. This in turn reduces the amount of time, material
and effort wasted on unusable output as well as time spent fixing salvageable defective units. (There
is a term called the hidden factory that refers to the time and effort spent on reworking and
repairing damaged units.)
• A more efficient manufacturing process. By looking at the process from a quality production
standpoint, the company may remove or change inefficient, unproductive or non-value adding
activities.
• A commitment to doing it right the first time. As the culture in the company focuses on doing it
right the first time, the employees of the company can take a more conscientious approach to their
work, and this may lead to greater productivity.
No matter the cause, the relationship between quality and productivity is a positive one – the more attention
paid to quality, the higher the levels of production.
At the root of TQM is the definition of what quality is. Quality can mean different things to different people.
For a customer it is a product that meets expectations and performs as it is supposed to for a reasonable
price. For a production manager it is a product that is within the required specification. When a company is
considering quality, it must be certain to include all of these different perspectives of quality from all of the
involved parties.
Certain core principles, or critical factors, are common to all TQM systems:
TQM is an organizational action. For it to be successful, the entire organization must strive to this end. This
leads to the continued pursuit of excellence throughout the organization.
Part of this pursuit of excellence is a focus on continuing education. Employees at all levels participate
regularly in continuing education and training in order to promote and maintain a culture of quality.
One of the unique perspectives of TQM relates to customers. In a TQM system, it is important to remember
that people within the organization are also customers. Every department, process or person is at some
point a customer and at some point a supplier.
Another feature of TQM is quality control circles. A quality control circle is a small group of employees (or
teams) who work together and meet regularly to discuss and resolve work-related problems and monitor
solutions to the problems. This form of communication is vital to a successful TQM program.
In TQM, the role of quality manager is not limited to a special department; instead every person in the
organization is responsible for finding errors and correcting any problems as soon as possible.
Question 81: The management and employees of a large household goods moving company decided to
adopt total quality management (TQM) and continuous improvement (CI). They believed that if their
company became nationally known as adhering to TQM and CI, it would result in increased profits and
market share.
(CIA adapted)
b) Management by objectives
(CIA adapted)
Cost of Quality
There are four different costs of quality, which can be classified into two larger categories: the costs of
conformance and the costs of nonconformance. There are two categories of costs within each of these two
larger categories. These are shown below.
Cost of Conformance
The costs of conformance are those that the company incurs to assess internal quality with the purpose of
ensuring that no defective products reach the consumer.
1) Prevention Costs are the costs that are incurred in order to prevent a defect from occurring in the
first place. Prevention costs include:
• Quality training and planning costs
• Equipment maintenance costs
• Supplier training and confirmation costs
• Information systems cost
2) Appraisal Costs are the costs that are incurred in order to determine if an individual unit is
defective. These are the costs of:
• Testing and inspection (including the costs of the testing equipment)
• Quality audits
• Internal quality programs
Costs of Nonconformance
Nonconformance costs are those costs that are incurred after a defective product has already been produced.
The costs of nonconformance can be broken down into two types:
1) Internal failure occurs when we detect the problem before shipment to the customer. The costs
associated with this are:
• Rework
• Scrap
• Tooling and downtime
• Expediting costs - The cost of rushing to reperform and complete an order in time because of a
failure to complete it correctly the first time.
2) External failure happens when we do not detect the defect until the product is already with the
consumer. The costs of this are:
• Warranty costs
• Product liability costs
• The loss of customer goodwill (including customer complaints)
• Environmental costs
These costs can be summarized in a cost-of-quality report. An example is shown below:
Note: For the exam, you need to make certain that you know what the four subcategories of the costs of
quality are and what individual items go into these four types of costs.
Measuring Quality
There are a number of ways to measure the costs of quality.
We can use quality cost indices to measure the cost of maintaining a certain level of quality. We can
calculate our index in the following manner, using direct labor costs as the base because it is people who
are ultimately responsible for quality:
Quality cost index = (Total quality costs ÷ Direct labor costs) × 100
Based on the equation above, if total quality costs were $38,000 and direct labor costs were $120,000, the
quality cost index would be 31.67 [($38,000 ÷ $120,000) × 100].
In order to understand whether the number is favorable or unfavorable, it would be necessary to compare it
with something, such as a prior period or the industry average.
The manufacturing cycle efficiency ratio measures the amount of the manufacturing time that is actually
spent in value-adding production. It is calculated as:
Manufacturing cycle efficiency = Value-adding (processing) time ÷ Total manufacturing cycle time
We can also calculate the ratio of good output to total output, the percentage of defective goods shipped,
customer satisfaction, customer complaints, on-time deliveries and so on.
The customer-response time, or cycle time, is the measurement of the length of time between the order
by the customer and the receipt of the product by the customer. The components of cycle time are:
• Order receipt time - From receipt of order until we are ready to produce it.
• Order delivery time - From receipt of the order until delivery of the order.
Monitoring Quality
If a company is to achieve total quality management, it must be able to identify significant quality problems
when they occur. Several methods are used to analyze quality problems.
These are: 1) control charts, 2) histograms, 3) Pareto diagrams, 4) cause-and-effect diagrams, and 5) Six
Sigma.
1) A control chart records observations of an operation taken at regular intervals. Quite simply, this is
sampling. It is used to determine whether all the observations fall within the specified range for the
operation. This can be applicable to anything: a machine, a workstation, an individual or a part or
process. The intervals can be measured in time, batches, production runs or any other method
attributable to an operation.
A process is said to be in statistical control if no sample observation falls outside the specified
limits, if all samples are randomly distributed with no apparent patterns, and if the number of
observations that are above and below the center of the specified range are about equal. In addition,
most of the measurements should be close to the center of the range.
If there are trends, clusters, or many measurements near the limits, the process may be out of
control.
Source: Unknown
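An added example (not code from the HOCK text) that applies the statistical-control criteria just listed to a set of sampled observations: it flags points outside the limits, an imbalance of points above and below the center, a trend (a run of consecutively rising or falling points), a cluster (a run of points all on one side of the center) and crowding near the limits. The sample values, the run lengths and the "near the limits" band are this example's own assumptions, not figures from the text.

```python
"""Control-chart check against the statistical-control criteria in the text.

Added example, not code from the HOCK text. The run lengths and the
'near the limits' band used to flag problems are this example's own assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ControlCheck:
    in_control: bool
    signals: list = field(default_factory=list)


def _longest_monotone_run(samples):
    """Longest run of consecutively rising (or consecutively falling) points."""
    best = run = 1
    direction = 0
    for prev, cur in zip(samples, samples[1:]):
        step = (cur > prev) - (cur < prev)      # +1 rising, -1 falling, 0 flat
        if step != 0 and step == direction:
            run += 1
        else:
            run = 2 if step != 0 else 1
            direction = step
        best = max(best, run)
    return best


def _longest_one_side_run(samples, center):
    """Longest run of consecutive points all above (or all below) the center."""
    best = run = 0
    side = 0
    for s in samples:
        cur = (s > center) - (s < center)
        if cur != 0 and cur == side:
            run += 1
        else:
            run = 1 if cur != 0 else 0
            side = cur
        best = max(best, run)
    return best


def check_control(samples, center, lower, upper,
                  trend_len=6, side_len=8, near_band=0.8, near_frac=0.25):
    """Apply the text's criteria; the threshold values are assumptions."""
    if not samples or not lower < center < upper:
        raise ValueError("need observations and lower < center < upper")
    signals = []
    outside = sum(1 for s in samples if s < lower or s > upper)
    if outside:
        signals.append(f"{outside} observation(s) outside the specified limits")
    above = sum(1 for s in samples if s > center)
    below = sum(1 for s in samples if s < center)
    if abs(above - below) > max(2, len(samples) // 4):
        signals.append(f"unbalanced: {above} above vs {below} below the center")
    if _longest_monotone_run(samples) >= trend_len:
        signals.append(f"trend: {trend_len}+ consecutive rising or falling points")
    if _longest_one_side_run(samples, center) >= side_len:
        signals.append(f"cluster: {side_len}+ consecutive points on one side of center")
    half_width = min(upper - center, center - lower)
    near = sum(1 for s in samples if abs(s - center) > near_band * half_width)
    if near / len(samples) > near_frac:
        signals.append(f"{near} of {len(samples)} measurements near the limits")
    return ControlCheck(in_control=not signals, signals=signals)


# Constructed samples of a machined dimension (mm): center 10.0, limits 9.0 and 11.0.
STABLE = [10.1, 9.8, 10.2, 9.9, 10.0, 10.3, 9.7, 10.1, 9.9, 10.0]
DRIFTING = [9.5, 9.6, 9.7, 9.8, 9.9, 10.0, 10.1, 10.2]

if __name__ == "__main__":
    for name, data in (("stable", STABLE), ("drifting", DRIFTING)):
        result = check_control(data, 10.0, 9.0, 11.0)
        print(name, "in control" if result.in_control else "out of control", result.signals)
```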
2) A histogram is a bar graph that represents the frequency of events in a set of data. Patterns that
may not be apparent when just looking at a set of numbers become clear in a histogram. A
histogram can pinpoint most of the problem areas as well as those that are experiencing fewer problems.
If one particular production line is experiencing most of the difficulty, a histogram detailing the types
of problems and their frequency can help determine what is most often causing the problems.
3) A Pareto diagram is a specific type of histogram. A Pareto diagram takes all the factors identified
by the histogram as causing the problem and ranks them from the highest frequency to the lowest
frequency. Usually only a few causes account for most of the quality problems.
The name “Pareto” comes from Vilfredo Pareto, a nineteenth-century Italian economist, who came
up with the now well-known 80-20 observation. We know it as “20% of the population causes 80%
of the problems”; or “20% of the population is doing 80% of all the good things.” The 80-20
proposition can work both ways, but it usually seems to hold true.
After management understands what 20% of the causes account for 80% of the problems, it can
focus efforts on improving the areas that are likely to have the greatest overall impact.
4) A cause-and-effect, or Ishikawa, diagram organizes causes and effects visually to sort out root
causes and identify relationships between causes. This idea was identified by Kaoru Ishikawa, who
discovered that it was often difficult to trace the many causes leading to a single problem, and as a
result developed a way of diagramming them. An Ishikawa diagram, which consists of a spine, ribs
and bones, looks like a fishbone, so it is also called a fishbone diagram. At the end of the horizontal
spine (circle) is the quality problem. The spine itself connects the main causes, the ribs, to the
effect, or the quality problem. Bones pointing to each rib are contributing factors to that cause.
In manufacturing, typical main causes for quality problems are the “4 Ms”: machines, materials,
methods and manpower. An Ishikawa diagram would look like this:
[Ishikawa diagram: the quality problem at the end of the spine, the main causes as ribs, and the contributing factors as bones pointing to each rib]
5) Six Sigma is an approach to quality that strives to virtually eliminate defects. To achieve Six Sigma,
a process must produce no more than 3.4 defects per million opportunities. “Opportunities” refers to
the number of opportunities for nonconformance or not meeting the required specifications. It is the
total number of parts, components and designs in a product, any of which could be defective. If a
product has 10,000 parts, components and designs, for example, 3.4 defects per million would
amount to 34 products out of every 1,000 that would have some defect. The goal of Six Sigma is to
improve customer satisfaction by reducing and eliminating defects, which will lead to greater
profitability.
Organizational Behavior
There are several topics we need to cover for organizational behavior, including: motivation theories, group
dynamics, human resource processes, the implications of different leadership styles, performance, and
organizational theory.
Motivation Theories
Motivation is what drives people to do or accomplish something. People can be motivated to reach for a
long-term goal, such as becoming a Chief Audit Executive (CAE) of a major international corporation, or a
more short-term goal like becoming certified as an internal auditor (CIA).
The level of motivation that people have is determined by the opportunity to satisfy their needs. Therefore,
the things that the organization offers to the employees as motivation should match the benefits that the
organization will receive from the work of those employees. It is the task of the manager to make sure that
the motivators that are available to the employees are those required to achieve the necessary level of
production and motivation.
The five levels in Maslow’s hierarchy of needs (from the lowest to the highest) are:
Maslow’s hierarchy of needs was the earliest motivational theory to become popular and is still one of the best
known. But more recent research has shown that people’s need structures are not so invariable and people do
not always move from one level to the next one quite as smoothly as the theory claims.
Furthermore, this need hierarchy is not applicable to all countries and cultures. Different things motivate
people from different countries and cultures.
Question 83: Clear Connections Inc., the largest provider of mental health services in its tri-county area,
was encountering personnel problems. Their 25 residences housed many vulnerable clients, but funding
never seemed adequate to hire quality, live-in staff. A new administrator, Deborah Romano, is
determined to facilitate long-term employment of the best possible care-giving staff. Besides paying better
wages, she feels it is important that the staff be strongly motivated by the work itself. According to
Maslow's need hierarchy, the best employees would have a need for:
a) Esteem
b) Belongingness
c) Self-actualization
(CMA Adapted)
Some people have the need for achievement, the need to do things better than they have ever done them
before. They strive for personal achievement. High achievers thrive when a job calls for personal
responsibility, because they seek feedback on their performance so they can determine whether they are improving.
They may find it difficult to delegate. These people frequently go into sales, because they can get immediate
feedback in the form of sales results. High achievers avoid goals that are too easy, but they also avoid goals
that are too difficult. They do better with moderately difficult tasks. High-need achievers are also preoccupied
with their work, and they hate to stop in the middle of a job. These individuals do well as entrepreneurs, but
less well as senior executives, because an executive must be able to delegate and seldom receives immediate
feedback.
The need for power is the desire to be able to control one’s environment. This includes influencing other
people as well as one’s financial, material and information resources. Good managers have a high need for
power. As managers, they also must have a low need for affiliation, because their power may alienate them
from others. And further, managers’ need for power must be combined with self-control so their need for
power will not interfere with effective interpersonal relationships.
The need for affiliation is the need for human companionship and close interpersonal relationships. People
with a high need for affiliation desire approval from others and are concerned about the feelings of others.
They strongly identify with other people and tend to think and act the way they think other people want them
to. People with a high need for affiliation go into jobs that provide them with much interpersonal contact, such
as sales and teaching.
ERG Theory
According to Clayton Alderfer, a Yale psychologist who developed the ERG theory, people’s core needs are
existence (E), relatedness (R) and growth (G).
• Existence needs are those necessary for survival, and they are similar to Maslow’s physiological and
safety needs.
• Relatedness needs are similar to Maslow’s social and external esteem needs. They include the
desire for interpersonal relationships.
• Growth needs include Maslow’s internal need for self-esteem as well as his self-actualization needs.
Alderfer sees this as a need for personal development.
Like Maslow, Alderfer says that satisfaction of lower-order needs leads to the desire to satisfy high-order
needs.
However, ERG theory differs from Maslow’s approach in that Maslow says only one need is dominant at a
time, but Alderfer claims that more than one kind of need can motivate a person at the same time.
Furthermore, Alderfer says that if a higher-level need is not gratified, the desire to satisfy a lower-level need
increases.
ERG theory also contrasts with Maslow’s hierarchy of needs, because while Maslow assumes a step-like
progression up the hierarchy, ERG theory says a person can be working on growth even though the other
needs for existence and relatedness have not been satisfied.
ERG theory seems to be more adaptable to cultural differences, because people in different cultures rank their
needs differently. ERG theory is widely considered to be a more valid system of the need hierarchy.
Question 84: A manager has a small team of employees, but each individual is self-motivated and could
be termed a “high achiever.” The manager has been given a particularly difficult assignment. Even for a
high achiever, the probability that one individual can complete this job by the required deadline is low.
Select the best course for the audit manager.
(CIA adapted)
Equity Theory
Equity theory says the amount of motivation employees receive from rewards is affected by their perception
of the equity, or fairness, of the rewards. Employees compare the ratio of what they have received
(outcomes) with what they perceive they have given in effort (inputs), and compare that to similar ratios for
other jobs they have had or to those of other people who work either inside or outside the same organization.
For most employees, their motivation is influenced by relative rewards as much as by absolute rewards.
If an employee perceives inequity, he or she will be motivated to reduce the inequity. This may manifest as
reduced effort on the job or a request for a raise, in order to adjust the ratio of outcomes to inputs. Or the
employee may adjust their perceptions of either their own outcomes or inputs, or of the outcomes or inputs of
the person with whom they are comparing themselves. Alternatively, they may seek additional avenues for
growth and development, or some may even resort to stealing from the employer. Finally, the employee
may simply look for another position and leave.
Most research on equity theory has focused only on the ratio between pay and worker input. Research has
confirmed the theory, at least where piecework and hourly workers are concerned. Workers who are paid on a
piecework basis who perceive inequity will decrease the quality of their work in order to increase their
outcomes (pay) by producing more units of work. Workers who are paid by the hour who perceive inequity
will decrease the quality and quantity of their work.
Expectancy Theory
Although Victor Vroom (1960s) did not develop the expectancy theory, he is credited with applying the
theory to workplace motivation. The basic premise of the theory is that people’s motivation depends on how
much they want something and how likely they think it is that they will get it. Employees will put in maximum
effort if they expect that their effort will lead to rewards that will satisfy their personal goals.
Expectancy theory says that the objectives need to be clear and there needs to be specific criteria for
measuring the employee’s progress toward the objectives. Furthermore, employees need to have confidence
that their efforts will result in a satisfactory reward if their objectives are achieved. Expectancy theory
recognizes that people are different and different things satisfy different people.
Most research has failed to support the general premise of the theory. Critics feel it has limited use because
few people perceive any real relationship between their performance and rewards in their jobs. Instead of
rewarding employees for their performance, most organizations actually reward their employees for seniority,
effort, skill level and job difficulty. However, this could actually be viewed as a confirmation of the theory,
because it explains why so many people perform at low levels in their jobs.
Goal-Setting Theory
In the late 1960s, Edwin Locke proposed goal-setting theory, suggesting that goals tell an employee what
needs to be done and can be a major source of motivation for the employee. The goals need to be specific,
however. A generalized goal such as “do your best” does not work as well. Locke said that specific goals
increase performance, and challenging goals (if accepted by the employee) result in higher performance than
easy goals.
Feedback as to how the employee is doing at reaching the goal is effective. Feedback where the employee can
monitor his or her own progress is the most effective type of feedback.
Four other factors make a difference in the effect that goals have on performance:
1) How much the employee is committed to the goal and determined not to abandon it.
2) How much the employee believes in his or her own ability to meet the goal (self-efficacy).
3) Whether the goal is achievable (simple and well-known tasks have a more positive effect than
difficult tasks) and individual (independent goals have a more positive effect than group goals).
4) The culture and the country (people in different countries respond differently to goals).
Although goals can be a potent motivating force and lead to higher performance, the goal-setting theory has
not proved to create increased job satisfaction among employees.
Reinforcement Theory
The premise of reinforcement theory is that reinforcement, or consequences, control people’s behavior.
Consequences are the actions that occur after a behavior takes place. They take the form of positive
reinforcement (rewards), negative reinforcement (the removal of an unpleasant condition as a reward),
extinction (ignoring a bad behavior) and punishment.
Reinforcement theory disregards any internal motivation but says the only thing that affects what people will
do tomorrow is the external reinforcer(s) that they experienced after their actions today. Reinforcement
theory ignores all the feelings, expectations, needs, attitudes and all the other things that are known to affect
behavior.
Positive reinforcement is most effective when the rewards are given according to a variable schedule (this
means that the reward is not given every time that the behavior occurs, but only after some of the
occurrences) and are connected to the behavior that is being encouraged. Reinforcement can have a potent
influence on behavior; however, it is not the only influence.
Characteristics common to flow experiences are: a task that is challenging, requiring much skill; a task that
requires total concentration and creativity; and a task that is so consuming that the person has no thought
for anything else.
Ken Thomas developed a motivational model that extends the flow concept and relates it to intrinsic
motivation. He describes intrinsically motivated employees as those who care deeply about their work, are
always looking for ways to do it better, and are fulfilled by it. The rewards the employee receives from
intrinsic motivation come from the work itself, not external factors such as raises, praise or other rewards.
Thomas suggests that intrinsic motivation is what leads people to experience feelings of choice, competence,
meaningfulness and progress in their work. These components are all interrelated with the flow
experience.
However, Thomas’s studies were all done with professional and managerial employees. It is unclear whether
lower-level employees would have the same reactions.
In his book The Human Side of Enterprise, McGregor identified two different perspectives, and said all
managers fall into one or the other classification. In his theory, every manager subscribes either to Theory X
or to Theory Y, and the classification is determined by how the manager relates to subordinates. Theory X
assumes a negative view of human behavior, while Theory Y assumes a positive view.
According to McGregor, the Theory X manager assumes that people don’t like to work and seek to avoid it,
and they therefore must be coerced and threatened with punishment to get them to work. The Theory X
manager assumes that employees have little ambition and desire formal direction because they want to avoid
responsibility, and their overriding goal is security.
On the other hand, according to McGregor, the Theory Y manager assumes that people see work as a
natural part of their lives. This manager believes people can seek and accept responsibility, and are internally
motivated to strive for objectives and commitments. Furthermore, employees are perceived as bright and
innovative in solving organizational problems.
Viewing McGregor’s Theory X and Theory Y in the framework of Maslow’s hierarchy of needs, Theory X
assumes that workers are dominated by the lower-level physiological and safety needs, while Theory Y
assumes that the higher-order social, esteem, and self-actualization needs dominate. McGregor favored the
Theory Y position and proposed ideas such as participative decision-making and responsible, challenging job
assignments to improve employee motivation.
We know that people react differently to different things and look for different things from their work, so the
correct management style is largely dependent upon the company’s unique situation and the individuals who
work for it. Even the most dedicated Theory Y managers may need to be Theory X managers at times with
certain employees.
Theory Z
William G. Ouchi developed another theory called Theory Z. Ouchi analyzed organizational cultures of three
types of firms: typical U.S. firms, typical Japanese firms, and U.S. Type Z firms. Ouchi found the following:
• The cultures of typical Japanese firms and U.S. Type Z firms had similarities and they were both very
different from typical U.S. firms.
• Typical Japanese and U.S. Type Z firms try to keep their employees and lay them off only as a last
resort. Typical U.S. firms do not have the same commitment to their people and will let their managers
and employees go if there is a downturn, change of ownership, or merger.
• In Japanese and U.S. Type Z companies, promotion is relatively slow, because evaluation of managers
and employees is thought to take a very long time and require qualitative as well as quantitative
information. In typical U.S. firms, evaluation is done quickly and emphasizes quantitative measures,
which encourages short-term thinking on the part of managers and employees.
• Career paths in Japanese and U.S. Type Z firms are broad, spanning varied functions. Thus, people
are more like generalists. Career paths in typical U.S. firms are narrower because of the value placed
on specialization.
• Control in Japanese and U.S. Type Z firms is exercised through informal mechanisms such as an
organization’s culture, which is based on shared norms and values. Typical U.S. firms exert control
through job descriptions, delegation of authority, and policies and procedures.
• In Japanese and Type Z firms, much decision-making takes place in groups, whereas in typical U.S.
firms, individuals make the decisions.
• Japanese and Type Z firms have a concern for the personal lives of their workers and managers,
whereas in typical U.S. firms, concern for the people focuses only on the workplace.
• On the subject of group versus individual responsibility, U.S. Type Z firms were more like typical U.S.
firms. In both types, individuals take responsibility. However, in Japanese firms, the group as a whole
is responsible for decisions that the group makes.
Ouchi found that the Japanese and U.S. Type Z firms outperformed typical U.S. firms, and he argued it was
due to the differences in their cultures.
Question 85: As a manager, you should be striving for a high level of job satisfaction for your staff for all
the following reasons except:
(CIA adapted)
Question 86: Which of the following is not an example of positive reinforcement of behavior?
a) Paying a bonus to employees who had no absences for any four-week period.
d) Having a lottery every month where 10% of the employees with no absences receive a $200 bonus.
(CIA adapted)
Question 87: When supervising employees, the behavior most likely to attain long-term positive results
for a manager would be to:
a) Discipline employees immediately for undesirable behaviors, using oral reprimands, written
warnings and temporary suspensions.
b) Hold weekly meetings during which employees are reminded of work procedures and are praised for
the week's accomplishments.
d) Tell employees that working overtime now will result in a better performance review in 6 months.
(CIA adapted)
Job specialization was responsible for the gains in productivity that were achieved when assembly-line
manufacturing was developed. Highly specialized jobs can result in high productivity. However, jobs that are
too highly specialized can create worker boredom and other dissatisfactions because of their extreme
monotony.
Job rotation was an early means devised to deal with worker dissatisfaction with production work that was
too specialized. Workers were systematically moved from one job to another (cross-training) in order to
lessen the boredom and keep them interested and motivated. With job rotation, there was no change in the
tasks that were to be completed by any one person in any one specific job. However, workers were
systematically rotated among the various jobs. Rotation proved to have an advantage in that the workers
each had more job skills, enabling increased flexibility in work assignments. However, job rotation did not
solve the basic problem of job boredom. Instead of working on just one boring job, the workers were working
on several boring jobs. In addition, some of the efficiencies resulting from specialization were lost. Job
rotation is now used mainly for its benefits in having a more highly trained workforce but not for motivating
workers.
Job enlargement was another method developed to decrease the specialization in hopes of increasing job
satisfaction. Job enlargement involves expanding a job’s responsibilities horizontally. Instead of attaching one
piece to the item being manufactured, each employee was charged with doing a “larger” job, perhaps
attaching four pieces. The expectation was that boredom would be decreased, because each job entailed
a greater variety of specific tasks. However, experiments with job enlargement have also been disappointing. As
long as all the tasks were simple and easy to master, simply doing more of them did very little to decrease
the monotony.
Job enrichment developed as an alternative to job rotation and job enlargement. Job enrichment is based
on Frederick Herzberg’s theory of motivation called the Dual-Structure Theory, or Two-Factor Theory.
During the late 1950s and early 1960s, Herzberg interviewed several accountants and engineers to find out
what made them feel satisfied and motivated by their jobs versus what made them feel dissatisfied and
unmotivated. Based on his interviews, Herzberg proposed that there are certain factors that can make a
person feel dissatisfied, such as low pay; but when those same factors are improved, the most that can be
said is that the person no longer feels dissatisfied. Improved pay did not move a person all the way from
dissatisfaction to satisfaction. Different factors such as achievement and recognition were required for the
person to feel satisfied.
Thus, Herzberg developed his Dual-Structure Theory. He suggested that salary, job security, relationships with
supervisors and working conditions, if inadequate, lead to job dissatisfaction. Herzberg called these
“dissatisfiers” hygiene factors. On the other hand, factors such as achievement and recognition, if present, lead to
job satisfaction. When they are not adequate, their absence can lead to a lack of satisfaction but not
necessarily to dissatisfaction. Herzberg called these “satisfiers” motivation factors.
Herzberg developed what he called job enrichment as a technique for structuring jobs to make use of his
concepts. Job enrichment attempts to create motivation in employees not only by adding more tasks to their
jobs, but also by giving them more control over those tasks, allowing them to make more decisions as well as
do more tasks.
Many companies have used job enrichment, sometimes with positive results, and sometimes with less than
positive results. Some of the criticisms have paralleled criticism of Herzberg’s dual-structure theory. They
include criticisms of the method used by Herzberg in his research, because other studies using different
methods have gotten very different results. Other criticisms are that Herzberg’s use of accountants and
engineers in his study did not create a very representative sample of the population, and that his theory does
not take into consideration individual differences caused by factors such as age.
Question 88: If you were designing a new position in an organization, which of the following design
techniques would you use to increase the motivation of the person filling the position by adding responsibility
and authority?
a) Job enlargement
b) Job rotation
c) Job enrichment
d) Job significance
(CIA adapted)
Question 89: Frederick Herzberg postulated a two-factor theory of human behavior that included satisfiers
and dissatisfiers. Which of the following is a dissatisfier?
b) Salary
c) Challenging work
d) Responsibility
(CIA adapted)
Group Dynamics
A group is defined as several individuals who come together to accomplish a specific task or goal. Group
dynamics is the study of the nature of these groups within the organization. It has become an
important area of study because the interaction of these groups within the organization goes a long way in
explaining the organization’s apparent success or failure.
Formal Groups
Formal groups have the sanction of the organization. This means that these groups (e.g., a committee, quality
circle, or task force) that exist within the organization have legitimate power, having been formed to help the
organization accomplish a goal or task. Formal groups contribute to the success of the organization.
One of the characteristics of a formal group is that there is an explicitly designated leader of the group
who has the authority and responsibility to direct the other members of the group. The leader of the group
operates according to the hierarchical principle of the organization; power flows downward from the top.
Informal Groups
Informal groups differ from formal groups in that they arise within an organization for reasons other than
achieving some specific goal or task. Often these groups come about in a
spontaneous manner and may be created around a workplace issue (interest group) or an activity outside the
workplace (friendship group).
The leader of an informal group is not designated but emerges because of some personal characteristic that
the person possesses. It might be because the person is the most knowledgeable, or the most outspoken, or
for some other reason.
• They arise as a result of proximity, personality, and the needs of the individual.
• Virtually all employees (including managers) belong to some kind of informal group.
• They are often small and complex. People tend to be more satisfied in smaller groups.
Even though informal groups are not officially sanctioned by organizations, they do provide some benefit to
the organization. These benefits may include:
• Providing another channel of communication via the grapevine. A grapevine is an informal means of
communication that is found in all organizations.
• Aiding in training, perpetuating cultural values, and providing social satisfaction on and off the job.
But, these informal groups also may cause problems for the organization, such as:
• Pressuring other group members into accepting something that may go against company objectives.
Attraction to Groups
The degree to which members of the group desire to remain in the group(s) will depend on the attractiveness
and cohesiveness of the group(s).
• An attractive group is one that is viewed favorably from the outside.
• A cohesive group is one in which the members adhere to the group norms and resist
outside pressure.
A group is considered to be attractive and cohesive when it has the ability to recruit and maintain its
membership.
On the other hand, elements that diminish the group’s attractiveness and cohesiveness are:
Roles
Roles are the expectations regarding the behavior of a group member in a specific position. Roles determine
what a person must, must not, or may do in a position. In discussing roles, keep in mind
that the role a person is expected to play or assume will depend on the situation, but people in the same
position should behave similarly.
Role conflict can occur when there is inconsistency between the perceived role and role behavior. For
example, a conflict arises when an individual must handle conflicting demands from different sources while
performing the tasks associated with the same role.
• Decreased commitment.
Norms
Norms tend to be more generalized than roles. Norms are the standards (degrees of acceptability or
unacceptability) for conduct that help individuals judge what is good or bad in a given social setting. Norms
are culturally derived and vary from one culture to another. In addition, norms are usually unwritten, yet
have a strong influence on individual behavior. Norms go above and beyond formal rules and written policies.
In order for behavior to be accepted, a majority of the group must support the norms. However, there could
be instances where members might violate group norms. If a majority of the members do not adhere to the
norms, then these norms will eventually change and will no longer serve as a standard for evaluating
behavior. But, members who do not conform to the norms are punished by being excluded, ignored, or
possibly ostracized from the group. Ostracism is the ultimate sanction by the group as the group
terminates all contact with that person.
There are both benefits and costs to conformity. The primary benefit is that it provides a basis for
predicting behavior and for standardizing the performance of assigned tasks.
On the other hand, the cost of conformity, in extreme cases, can lead to tolerating illegal or unethical
conduct. For example, failure to question unscrupulous business practices (e.g., Enron, WorldCom, Tyco, etc.)
led to many people in the US losing their jobs and/or pensions.
A mode of thinking (blind conformity) that people engage in when they are deeply involved in a
cohesive in-group, when the members’ strivings for unanimity override their motivation to realistically
appraise alternative courses of action.
• Excessive optimism.
• Unquestioned belief in the inherent morality of the group.
• Collective rationalization of group’s decisions.
• Shared stereotypes of those outside the group, particularly opponents.
• Self-censorship where members withhold criticism.
• Illusion of unanimity.
• Intolerance to dissent.
• Self-appointed “mindguards” protect the group from negative information.
• Avoid using groups as rubberstamps for decisions already made by senior management.
• Urge group members to think independently.
• Bring in outside experts, and invite the group to meet off-site so that changes in settings and surroundings
are a stimulant.
• Consider the ramifications of different actions (devil’s advocate).
• Take time to consider possible effects and consequences of alternative courses of action.
Question 90: Which of the following can be a limiting factor associated with group decision-making?
(IIA adapted)
a) There is a tendency to conform to the majority’s will and to ignore relevant individual input that is
at variance with group opinion.
(IIA adapted)
Question 92: An audit manager allowed a work group to make a decision about whether to adopt a new
work procedure. In allowing the group to make the decision, the manager should be aware that groups
tend to make
b) Faster decisions than do individuals because groups have more expertise than any one person.
d) Riskier decisions than individuals, and individual responsibility for the group’s decision is lessened.
(IIA adapted)
As expected, the end of the group development stage is referred to as the mature group. This group is the
most effective and productive of the stages.
According to L.N. Jewell and H.J. Reitz, the characteristics of a mature group are:
• Group decisions are made through rational discussion with no attempt to force unanimity.
There have been several models describing the stages of group development, but we will discuss the theory
developed by Jewell and Reitz. They described six stages of group development:
1) Orientation Stage. This is the least effective, least mature and least efficient stage. Uncertainty about
almost everything is high.
2) Conflict and change stage. In this stage, subgroups struggle for control, and often, roles are
undefined. If these conflicts cannot be resolved, this might be the final stage.
3) Cohesion stage. During this stage, a consensus on leadership, structure, and procedures is
reached.
4) Delusion stage. During this stage, the members might gain a false sense that all issues have been
resolved and that the group has reached maturity.
5) Disillusion stage. This stage is marked by a decrease in the group’s cohesiveness and commitment.
Members start to realize that their expectations are not being met.
6) Acceptance stage. Groups that start to evolve into this stage tend to be more effective and efficient.
In some cases, a trusted and influential group member steps forward and moves the group
from conflict to cohesion, making the group more effective and efficient.
Question 93: According to Jewell and Reitz, a mature group would have all of the following characteristics
except:
b) Group decisions are made through rational discussion with no attempt to force unanimity.
(HOCK)
Organizational Politics
Andrew Dubrin defined organizational politics as “the pursuit of self-interest at work in the face of real or
imagined opposition.” The emphasis on self-interest is what distinguishes this form from social influence.
Similar to organizational politics is impression management, which is “the process by which people attempt
to control or manipulate the reactions of others to images of themselves or their ideas.” Both organizational
politics and impression management try to get others to see us in a certain manner.
Politics is a fact of life in organizations, so managers have to accept that power relations exist and are a part of
organizational life. The function of the manager is to find a workable balance between the employees’ self-
interest and the organization’s interest. If a balance can be found, then the pursuit of self-interest may serve
the organization’s interest. On the other hand, if a balance is not found, then this self-interest can erode or
defeat the organization’s interest.
An example of organizational politics (politicking) is when employees intentionally filter or distort information
flowing up to top management, thereby putting themselves in the best possible light.
Organizational culture plays a big part in determining the amount of politicking that occurs in the organization.
The effects of politicking can:
• Be an irritant to employees.
• The higher the level of management, the greater the amount of politics.
• Marketing people tend to be the most political. Production people are considered the least political.
Anyone who has worked in an organization understands what blatant politicking is. Dubrin identified six
common political tactics. These include:
1) Posturing is when an employee tries to make a good impression by staying one step ahead of the
competition (one-upmanship) or taking credit for others’ work.
3) Making the boss look good is an attempt to get recognized by the manager and by those who
control the manager’s career path.
4) Collecting and using social IOUs is exchanging reciprocal political favors by making someone look
good or covering up their mistake.
5) Creating power and loyalty cliques is based on the belief that it is better to face superiors as a
cohesive group rather than as an individual.
6) Engaging in destructive competition is where an individual will sabotage the work of others
through character assassination.
Top management knows that it cannot eliminate politicking, but it should try to manage it to keep it
constructive and within reasonable bounds. To manage organizational politicking, Dubrin suggested the
following:
• Strive to integrate individual and organizational goals through meaningful work and career planning.
• Practice job rotation to encourage broader perspectives and understanding others’ problems.
Question 94: In which situations would organizational politics most likely have a significant impact?
b) When the budget allows for generous salary increases for all employees.
(IIA adapted)
• Developing charts showing planned succession of personnel for all levels in the organization.
• Preparing an inventory of the skills and abilities needed by people in order to move within the organization.
• Developing plans, assessing needs, and implementing plans so that the organization can meet its
objectives.
A human resource plan needs to be flexible enough to meet the organization’s short-term staffing
needs, while at the same time being able to adapt to changing conditions in the business and environment
over the longer term. In other words, human resource planning is a never-ending, continuous process.
Employee Recruitment
For new positions, employees can be recruited either from within the organization, or from outside the
organization.
If the employee is to be recruited from within, there are several ways this can be done.
• Job posting – This is where the job is posted within the company and employees have an opportunity
to apply. Job postings are usually posted in an area that has a lot of traffic, such as the
cafeteria, or posted in some kind of company publication (e.g. newsletter). It is also possible that
employees may refer someone else for the position, such as a friend, colleague, etc.
• Review of database – Organizations generally have a database of the skills and qualifications of their
employees. It is possible that this database could reveal a highly qualified employee who is well suited
for the position.
If the employee is recruited from outside, the most common methods to recruit are:
• Use of employment agencies – There are both public and private employment agencies.
• Referrals from current employees – As mentioned above, current employees may refer someone
else for the position, such as a friend, relative, colleague, etc.
• Other organizations – These might include colleges, universities, and professional organizations.
• Other – Might include Internet job references/resume services, temporary job agencies, etc.
Both inside and outside recruiting have advantages and disadvantages. Promoting from within can have a
positive motivational effect on the employees, is generally less expensive, and it is usually easier to identify
proven performers.
On the other hand, the main reason for recruiting outside is that an external candidate could bring new ideas
to the organization and may have more up-to-date training or education.
Employee Selection
The goal of employee selection is to match the abilities and experience of an individual with the requirements
of the job.
Job Analysis
The first step in the process of employee selection is to perform job analysis. Job analysis includes assessing
the requirements for the job, determining how the job relates to other jobs, and determining what
knowledge, abilities and experience are necessary for someone to be able to perform the job effectively.
Job analysis can be carried out in several ways:
• By observing employees working, either by watching them in person or reviewing videos of them
working on the job,
• By interviewing selected incumbents of the job and combining the results of the interviews into the
job analysis,
• By asking incumbents to log their activities each day, recording the amount of time spent on each
activity, and
• By having incumbents complete questionnaires, selecting items from a list of possible tasks that they
perform in their jobs.
160 © 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section E Human Resource Processes
Information gathered by means of one or more of these methods is then used to develop a job description.
The job description is a formal, written statement of what a person in this position does, and how and why it
is done. The job description gives content to the job, its environment, and the conditions of employment.
A job specification is also developed by means of the job analysis. The job specification states the minimum
acceptable qualifications that an employee in that position must possess to perform the job successfully. It
identifies the education, knowledge, abilities and experience requirements.
Note: Job descriptions identify characteristics of the job itself. Job specifications identify characteristics
of the successful job incumbent.
The job description and job specification are used to guide the selection process. The job description can
be used to describe the job to candidates, and the job specification focuses those who are doing the selection
on the qualifications to look for in candidates.
Selection Devices
Devices used in employee selection have the goal of obtaining information about the job applicant in order to
determine whether a candidate’s skills, knowledge, abilities and experience fit the requirements for the job.
Interviews are most useful for assessing an applicant’s applied mental skills, interpersonal skills and
personal characteristics, such as conscientiousness. If these qualities are related to job performance, as they
are for an executive position, an interview is a valid selection device. For other types of positions, interviews
are less helpful, but that has not prevented the interview from becoming very widely used. However, the fact
is that interviews generally lead the interviewer to select the person who has the most polished job-seeking
techniques, even though that person may not be the best candidate for the position.
An interview may also be used to assess whether an applicant would fit into the organization’s culture, in
addition to seeking information on the candidate’s job-specific qualifications.
Sawyer’s Internal Auditing (5th edition, pp. 883-884) lays out some of the questions that would be
appropriate to ask experienced and inexperienced internal auditing candidates.
Questions for experienced candidates:
• What were some of the assignments you carried out?
• How did you approach them?
• What kind of reports did you write?
• How have you kept up with your education?
• Why do you want to make a change?
Questions for inexperienced candidates:
• What kinds of assignments would you like best?
• Why do you think you’d like this position?
• How did you hear about this position?
• What are your outside interests?
• What are your personal goals?
Written tests may be used to test intelligence, aptitude, ability, interest and integrity. Ability tests have
proved to be helpful in predicting good employees for semi-skilled and unskilled jobs. When cognitive ability is
required, intelligence tests are good predictors. Integrity tests are also used to evaluate traits such as
honesty, dependability and conscientiousness.
Performance-simulation tests are ways of finding out whether an applicant can do a job successfully by
having the person perform the job in a simulated environment.
Work sampling tests are hands-on simulations. Work sampling tests are well suited to routine jobs, such as
assembly-line jobs. Some companies have a simulated assembly line that they have their candidates work on.
Assessment centers are used for testing of managerial personnel. In assessment centers, candidates go
through several exercises simulating real problems they could face in the position. Executives, supervisors
and psychologists evaluate the candidates’ performance. Assessment centers have been very effective at
predicting job performance in managerial positions.
If testing is done, the same test must be given to all applicants for a position and must have no racial,
religious, gender or national origin bias.
For other employers, a significant part of the workforce is made up of “long-term temporary” employees who
may never be offered regular full-time employee status. The advantage to this arrangement for an employer
is the ability to end the arrangement at any time without having any repercussions such as increased
unemployment taxes. Also, such workers may be paid a lower salary and do not receive the full package of
benefits. The downside of temporary and part-time workers is that they have less loyalty to the company, and
the company receives fewer long-term benefits from training provided to them.
Professional Employer Organizations (PEOs) provide employee leasing services to companies that
contract to use their services. A PEO serves as the actual employer of record for all the company’s employees,
both managerial and staff.
The PEO writes the paychecks to pay the employees, provides all of the employee benefits, and pays all the
employer’s payroll taxes for employees who work on site at the contracting company. The contracting
company makes the hiring decisions and supervises the employees, just as if the employees were their own
employees. However, instead of paying salaries and providing benefits to the employees, the contracting
company pays the PEO for all the costs, plus the PEO’s fee.
The primary market served by PEOs is that of smaller employers, who may not have the in-house expertise to
manage the human resources function. The PEO serves as the company’s human resources department,
ensuring that all labor laws and other regulations are followed. Unlike temporary employees, employees who
are leased under a contract with a PEO are regular employees, although they are employees of the PEO, not
of the contracting company.
However, the services of a PEO can be quite expensive. In some cases, an employer may find that it could
form and staff a small human resources department for the fee that a PEO would charge.
Employee Training
In addition to an orientation, an employee will need initial and ongoing training. Training is how the
organization prepares its staff to accomplish the tasks set before them. Ongoing training is important because
technology is always changing, the organization’s needs are always changing, and employees’ skills can
quickly become obsolete.
Training methods are classified as formal/informal and on-the-job/off-the-job. The majority of training is
informal, and consists of employees helping each other learn the job.
On-the-job training may involve apprenticeships, understudy arrangements, formal mentoring, and job
rotation. To avoid disruption in the workplace caused by these training programs, however, many organizations
pay for off-the-job training for their employees. Off-the-job training consists of classroom lectures,
seminars, and self-study and Internet courses.
Training courses may involve leadership or interpersonal relations courses, training in the use of equipment or
software programs, business ethics, problem-solving skills and other related skills. As the use of teams
expands, team members need increased knowledge regarding how the organization operates, and training
can provide that. In addition, organizations are increasingly finding that they need to provide basic literacy
and math training to their employees.
Large companies have formal training departments. A smaller company that contracts with a PEO will have
access to ongoing training opportunities for its leased employees through the PEO. There are also multiple
training companies available that will offer programs to companies and their employees, either on-site or off-site.
Career Development
Organizations increasingly regard employee development as an obligation to help employees maintain their
marketability through learning opportunities. They accomplish this by:
• Communicating the organization’s goals and long-term strategies. If employees understand the
organization’s plans, they are better able to develop their own personal plan to be a part of that
long-term strategy,
• Offering tuition reimbursement to help employees keep their knowledge up to date, and
Employees have a responsibility to manage their own careers, as well. It is important to keep skills and
knowledge up-to-date and remain flexible.
Note: Employee development is not undertaken to provide lifetime employment at the company or regular
promotions to employees in this company.
Performance Evaluation
The employee evaluation process is an important part of the manager’s job, and these evaluations are
important to the manager, the employee and the employer. When performed properly, the evaluation process
is an instrument that promotes the growth of a person. The documentation of an evaluation must be
complete, accurate and consistent, and it is important that employees be given notice of evaluations and also
an opportunity to discuss them with the person who has done the evaluation, and to respond.
Management uses performance evaluations, as well, for human resource decisions such as merit pay
increases, promotions, transfers and terminations. New employees who are performing poorly can be
identified. Performance evaluations can be used to identify training and development needs because they can
identify inadequate job skills that might be improved. If an employee participates in a training or development
program, the effectiveness of that program can be measured from that employee’s performance
evaluation. Evaluations also provide feedback to employees, so that they can understand how superiors view
their performance. The evaluation process should be used to help employees direct their activities towards
efforts that will help the organization and aid their personal growth.
In the expectancy theory of motivation, people need to believe that if they exert effort, it will lead to a
favorable performance evaluation that will result in a reward, such as a merit increase. Using the expectancy
theory, we would say that for employees to be motivated, they need clear objectives with specific criteria for
measuring their progress toward the objectives. Furthermore, the employees must have confidence that their
efforts will result in a satisfactory reward once their objectives have been achieved. If these conditions are
met, employees will perform well. If they are not met, employees will likely perform below their potential.
Performance evaluations may be based on several kinds of criteria:
• Behavior-oriented - Some jobs do not really offer the opportunity to achieve outcomes. This could
be the case where an employee is in a support position or for a person whose efforts are part of a
group effort. These employees can be evaluated on their behaviors, such as meeting deadlines, helping
other employees, or volunteering for extra work. These are subjective factors, but if they
contribute to the overall goals of the organization, they are appropriate criteria.
• Trait-oriented - Some organizations evaluate their employees according to their traits, or characteristics,
even though this is not the only, or even the best, criterion for hiring employees. Examples of
traits that are often used are: “good attitude,” “self-confidence” or “dependability.”
• Goal-oriented – This approach measures how the employee attains the objectives and goals set by
management.
• Employee-oriented – The employee-oriented approach would focus on who did the job.
Sometimes an employee is asked to evaluate his or her own performance. Self-evaluation tends to decrease
an employee’s defensive attitude toward a performance appraisal, although it usually results in an inflated
appraisal. For that reason, self-evaluations are better suited for developmental purposes than for evaluative
purposes.
Another source for an evaluation of an employee’s performance is his or her subordinates. Subordinates can
provide accurate information about a manager’s behavior, because they see it all the time. The downside of
this is that the subordinates may have a fear of reprisal from a boss who has been given an unfavorable
evaluation.
The most recent approach to performance evaluation is called a 360-degree evaluation. This type of
evaluation asks for feedback from all the people the employee may interact with during a day’s (or longer)
time. Most organizations collect 5 to 10 appraisals per employee to be evaluated. This type of appraisal works
well in organizations that have teams with high employee involvement.
Several rating errors can distort a performance evaluation:
• The halo effect occurs when the manager draws an evaluation of a person on the basis of one
characteristic, such as personality or communication skills. If an employee is very competent but is
not strong on the one trait the manager values, that manager would not evaluate that employee
very highly. Alternatively, an employee who is highly skilled in that one area would be evaluated
highly, even though he or she might actually not be performing the job very well.
• A central tendency error occurs when the manager rates all employees about the same.
• If the evaluator allows the employee’s most recent performance to outweigh the overall performance
over the whole period to be evaluated, this creates the recency effect.
• Employee evaluations are not equitable across an organization if some managers apply different
(lower or higher) standards to their employees than other managers apply to their employees. Differing
standards among managers may become a problem when employees are unfairly rated
lower or higher simply because the evaluator has standards that differ vastly from those of other
evaluators in the same organization.
• Rater bias is the process of evaluating a person’s on-the-job performance according to how much
the manager likes the person.
• Contrast error can creep in if the evaluator allows the employee’s evaluation to be influenced by
evaluations done recently for other employees. Another employee’s evaluation may be a “tough act
to follow,” resulting in a lower evaluation than is deserved, or vice-versa.
• If a manager judges all the people he or she evaluates on the basis of their traits on a scale from
“most” to “least,” it can lead to a forced normal distribution. This is where the manager puts
most of the people in the middle of the scale and a few at the extremes. When this occurs, the employees
are not being fairly evaluated on the basis of their individual performances but rather in
comparison with the others, and forced into a “normal distribution.” This is like grading on a curve.
It is important that employee compensation is in line with market rates in the area so that employees will feel
fairly compensated. The components of a compensation package may include:
• Base pay. Base pay can be tied to performance evaluation, so that merit increases reflect good
performance.
• Incentive pay. This can include:
o Piecework programs.
o Gain-sharing programs, which reward employees for cost reduction ideas.
o Bonus systems based on financial performance of the organization or one unit.
o Long-term compensation, which provides additional income for managers based on factors such
as stock price or earnings per share.
o Merit pay systems, which base increases on performance.
o Profit-sharing plans, which distribute a portion of the firm’s profits to employees.
o Employee stock option plans that permit employees to purchase company stock at a below-market
price.
o Incentive pay can be based on either individual performance or group performance.
• Benefits. Typical benefits are payment for time off such as vacation, sick leave, holidays and personal
days, employer’s portion of social security contributions, unemployment compensation,
disability insurance, workers’ compensation benefits, life insurance, medical insurance and pension
plans. Benefits developed originally as a way to increase employees’ pay during times when wage
controls were in effect. Benefits have grown in importance and now can amount to 30 - 40% of a
company’s payroll expense. Since employees do not see the cost of their benefits to the company
when they see their paychecks, it is important that they realize how much their total compensation
package is worth. This can be communicated in individual, annual letters from management, outlining
for each employee what his or her total compensation has been for the past year.
• Flexible benefits, or “cafeteria plans.” This is a flexible reward system that lets employees
choose the combination of benefits that is most appropriate for them. A set amount is designated
per employee, and the employee can choose how to allocate it. Younger workers might prefer a tuition
reimbursement plan, workers with children might choose child care, and older workers might
choose additional retirement program contributions.
• Perquisites or “Perks.” These are special privileges, usually limited to top managers. They include
things like use of a company car, company apartment, a country club membership or a cell phone.
Perquisites add to their recipients’ status and may increase job satisfaction. At one time, these perks
were paid for by the company but were not included as taxable income to the manager, which increased
their value. However, the IRS has changed the rules and made some perks taxable.
• Awards. Examples of awards include an “Employee of the Month” award with not only recognition but
also perhaps a special parking space reserved for that employee for the month, or awards for perfect
attendance, for quality work (“zero defects”), or extra effort on a special project. Award programs
can improve performance, if they are structured so that employees receive special recognition for
good performance.
• Expatriate compensation. When employees are transferred to overseas locations, the cost of
living may be significantly different from that of their former location. The employer will design the
employee’s compensation package so that the employee’s lifestyle in the new location will be comparable
to that of their old location.
Section E Management Skills and Leadership Styles
A manager may be a leader as well as a manager, but not all managers are leaders. In fact, a person may
even be a leader without having any managerial authority, if that person is respected by peers and relied on
for direction. So leadership can be formal or informal.
• Formal leadership is the process of influencing others to pursue the organization’s objectives.
• Informal leadership is the process of influencing others to pursue unofficial objectives that may or
may not serve the organization.
Leadership is important for creating and directing change and for helping an organization get through difficult
times. Management is important for creating the coordinated effort and systematic results required during
stable times.
Both leaders and managers are required to achieve planned, orderly change. Furthermore, both leaders and
managers are required to establish the culture of the organization in terms of its ethical and moral climate.
Studies on Leadership
There are three main theoretical frameworks that have dominated leadership research since the 1930s. These
include the trait approach (1930s and 40s), the behavioral approach (1940s and 50s), and the
contingency approach (1960s and 70s). There is also a fourth theoretical framework called a transformational
leader that we will review as well.
1) Intelligence
2) Scholarship
5) Socioeconomic status
Another modern trait profile is based on leaders with emotional intelligence (EI). EI is the ability to
monitor and control one’s emotions and behavior in complex social settings. Daniel Goleman¹² believes the
following leadership traits are associated with EI:
• Self-awareness is to know oneself. Only when someone is aware of their strengths and weaknesses
can they maximize their potential.
• Self-management refers to methods, skills, and strategies by which individuals can effectively
direct their own activities toward the achievement of objectives.
• Social awareness is being able to understand the actions and emotions of others.
• Relationship management is an ability to use one's own emotions and the emotions of others to
manage relationships to a successful outcome.
Other researchers have been exploring gender, ethnic and cultural differences in leadership styles. For
instance, there is evidence that there are differences between the way women lead and the way men lead.
Culture may also determine whether emphasis is placed on sales growth and profits, or on group cohesiveness.
Kurt Lewin and others at the University of Iowa did one of the earliest known behavioral studies. They
identified three leadership behaviors, and these are still quoted today as the basic leadership styles:
1) Autocratic, a leadership style where the leader relies on his or her legitimate power or position
authority. The leader gives detailed instructions for attainment of goals and provides praise and criticism.
This leads to the subordinates being dependent upon the leader’s presence if they are to be
productive, and to potentially negative reactions from the group when they feel under constant pressure
to produce. When the leader is absent, production slacks off.
2) Democratic, in which the leader gives an overview of the task to be accomplished and encourages
the group to participate in developing procedures to get it done. The leader provides feedback and
consultation but still makes the final decisions. Members grow in self-confidence and in their respect
for other members of the group. There is more emphasis on team effort and cooperation among
group members, resulting in a higher level of satisfaction among the members. Productivity continues
even in the leader’s absence.
3) Laissez-faire, a French term meaning noninterference, in which the leader provides information to
the group but no feedback unless asked, and gives the group members complete freedom. The group
members experience a lack of clear goals and a lack of clarity on how to achieve their goals. They do
not know what is expected of them, there is no sense of unity in the group, and production lags because
of the lack of direction.
The assumption in this research was that these three basic leadership styles are fixed for an individual, and a
particular leader will always relate to all of his or her followers according to one of the styles.
Another study by the University of Michigan in the late 1940s came up with two types of leadership behavior:
a leader is either task or job-centered, or employee-centered. The job-centered leader supervises the work
of subordinates closely and explains work procedures carefully. He or she is primarily concerned with their job
performance.
¹² Daniel Goleman is the best-selling author of several books that describe Emotional Intelligence.
On the other hand, the employee-centered leader concentrates on emphasizing interpersonal relations and
on building effective work groups. The leader’s primary concern is with performance, but he or she
accomplishes that by attending to the human aspects of the group.
The University of Michigan researchers presumed that a leader was one or the other at any given time and
could not be both job-centered and employee-centered at the same time. Their findings suggested that
employee-centered behavior was more likely to result in higher performance of the group and higher job
satisfaction among its members.
Contingency theories of leadership concern transactional leaders. Transactional leaders motivate followers
by clarifying their tasks and roles for them.
Fiedler’s system asked a leader to complete a questionnaire describing the person – from among all the
people ever encountered – that he or she had least enjoyed working with. Fiedler believed that the results
reflected differences in the leader’s personality traits and dictated the person’s leadership style. If the leader
described the least-preferred coworker in relatively favorable terms, then the leader was relationship-oriented.
If the leader described the least-preferred coworker in relatively unfavorable terms, then the
leader was task-oriented.
Like researchers before him, Fiedler assumed that leadership styles are fixed, and proposed that there are
particular situations where a task-oriented leader is needed and others where a relationship-oriented leader is
required. Accordingly, task-oriented leaders would perform better in situations of either high or low control,
while relationship-oriented leaders would perform better in moderate control situations.
Fiedler suggested that if the leader’s style did not match what the situation called for, either the situation
would have to be changed or the leader would have to be replaced in order for good performance to be
achieved.
There is evidence to support at least parts of Fiedler’s model. However, his findings with respect to the
least-preferred coworker (LPC) theory and the practical use of the model are problematic and controversial.
1) A directive leader lets subordinates know what is expected of them, gives specific guidance on
accomplishing tasks, schedules the work, and sets standards of performance.
3) A participative leader consults with subordinates and considers their suggestions in making a
decision.
4) An achievement-oriented leader sets challenging goals for subordinates and expects them to
perform at their maximum level.
The Path-Goal Theory says that the appropriate leadership style depends upon the situation. This sets
Path-Goal Theory apart from earlier theories. It assumes that the leader can be flexible and need not behave
in the same manner at all times, but may behave differently in different situations.
The two situations that the Path-Goal Theory recognizes as influencing how the leader’s behavior affects
subordinate satisfaction are:
1) The personal characteristics of the subordinate, such as locus of control, experience and perceived
ability.
Locus of control refers to whether people believe they have control over what happens to them, or
whether they believe that what happens to them is outside their control. People who attribute things
that happen to their own behavior are considered to be happier with a participative leader, because
that leader makes them feel that their actions can make a difference. If people attribute things to
factors outside their control, they will be more satisfied with a directive leader, since they consider
their actions to be of no consequence anyway.
And if employees perceive their own abilities to be high, they will feel less need for a directive leader;
whereas if they perceive their own ability to be low, they will prefer a directive leader who will
show them how to do the job.
2) The characteristics of the environment, which are outside the subordinate’s control, such as the
task structure, the authority system and the work group.
The Path-Goal Theory says that the leader’s behavior will motivate subordinates if it helps them deal
with the uncertainties related to the things that are outside their control.
However, if the task structure is high, directive leadership is not necessary and is less effective. And
if the work group itself gives each employee plenty of social support, a supportive leader will not
have much to offer.
The researchers who developed the path-goal theory did not see it as a final answer, but only a framework for
understanding how a leader’s behavior and situations can influence subordinates’ performance. In general,
evidence has supported the proposition that employee performance and satisfaction are improved if their
leader compensates for things that are lacking in either the employee or the work setting. If a leader over-manages
an employee who can handle his or her tasks without interference, that leader will probably be
ineffective because the employee will consider the directive behavior inappropriate and insulting.
Vroom’s Decision-Tree Approach, like Path-Goal Theory, attempts to determine an appropriate leadership
style for various situations and assumes a leader may use different leadership styles. However, it limits itself
to the question of subordinate participation in decision-making, and how much participation is appropriate
under various circumstances. For each decision, the leader evaluates several characteristics of the decision
and determines the decision style that reflects the proper amount of subordinate participation.
Vroom proposes two different decision trees for use: one to use when the primary consideration is to make an
effective decision as quickly as possible, and the other to use when the primary focus of the effort is
developing the decision-making capabilities of others. After choosing which decision tree to use, the leader
evaluates a series of eight factors (the factors themselves are outside the scope of the exam) to determine
how much participative decision-making is appropriate and decides among five alternatives:
2) Autocratic II – The leader obtains additional information from group members, and then makes the
decision alone.
3) Consultative I – The leader shares the problem with group members individually, and asks for information
and evaluation. Group members do not meet collectively, and the leader makes the decision
alone.
4) Consultative II – The leader shares the problem with group members collectively, but makes the decision
alone, which may or may not reflect the group’s opinion.
5) Group – The leader meets with the group to discuss the situation. The leader focuses and directs the discussion,
but does not impose his or her will. The group makes the final decision.
Not surprisingly, Vroom’s approach is quite complex. Therefore, Vroom has developed expert software to
guide managers in assessing the situation and making a decision regarding the appropriate level of employee
participation in the decision.
Transformational Leadership
The contingency theories of leadership reviewed above concern transactional leadership, which is focused
on guiding subordinates in the direction of a goal by clarifying task requirements and roles.
Another type of leader is called a transformational leader. These leaders inspire people to follow them –
even if doing so goes against their own interests – for the good of the organization. These leaders are able to
inspire their followers to put forth extra effort to achieve group goals.
• Charisma. The transformational leader instills a sense of mission and pride in followers while gain-
ing their respect and trust.
• Inspiration. The transformational leader communicates high expectations and important purposes.
• Intellectual stimulation. The transformational leader promotes intellect and rationality for problem
solving.
Transformational leaders are overwhelmingly considered to be more effective than transactional leaders.
Transformational leadership generally results in lower turnover rates among employees, higher productivity,
and greater employee satisfaction.
Mentoring
Mentoring refers to someone who develops another person (protégé) through tutoring, coaching, and
guidance. Usually, but not necessarily, the mentor/protégé pair will be of the same sex.
A mentor has knowledge and experience in an area and shares it with the person being mentored. For
example, a senior internal auditor might mentor a student intern or a new internal audit employee.
According to Kathy Kram,[13] mentors provide two primary types of behaviors or roles:
1) Mentors serve a career enhancement function, which involves coaching, sponsoring advancement, providing challenging tasks, protecting the protégé from adverse forces, and fostering positive visibility.
2) Mentors provide psychological support, which may involve personal support, friendship, counsel-
ing, acceptance, and role modeling.
Mentoring has many positive effects on organizational and career outcomes. Research indicates that mentored individuals have a higher level of mobility on the job, recognition, promotion, and financial compensation. With regard to benefits to the organization, mentoring can be a tool for socializing new employees, for increasing organizational commitment, and for reducing unwanted turnover.
Question 95: If a supervisor uses a supportive management approach, evidenced by positive feelings and
concern for subordinates, a problem might result because:
c) This approach depends on people who want to work, grow and achieve.
(CIA adapted)
Question 96: Some behavioral models stress employee participation as a key to motivation. A limitation
of the participative approach is:
d) Irresolvable conflicts arise when a mature, capable, creative person joins a structured, demanding
and limiting organization.
(CIA adapted)
[13] Kathy E. Kram is professor of Organizational Behavior at the Boston University School of Management.
Team Building
Team building is the process of establishing and developing a greater sense of trust and collaboration
between team members. The need for team building increases as modern societies become more fluid and
dynamic. Some of the factors that contribute to this increased need are advances in communication, the
global market, and the ever-increasing specialization and division of labor.
Joining a new group and expecting to get along immediately can be somewhat difficult. Thus, it becomes
important for organizations to establish team-building methods so employees can better adapt to the new
requirements.
Participative Management
One of the more common means of motivating individuals is through participative management. Participative
management gives employees greater involvement and control in the workplace. Employees are able to
participate in the decision-making process by participating in activities such as setting goals, determining
work schedules, and making suggestions. These methods are intended to treat the ideas and suggestions of
the employees with respect and consideration.
The primary forms of participative management are quality circles, self-managed teams, and open-book
management.
1) Quality circles are small groups of employees who work together and meet regularly to discuss
problems they are having and recommend solutions. Quality circles focus on problems relating to
quality, such as how to reduce rework and defective products. Quality circles are limited in their
scope. They do not make decisions about how the work should be done; they can only make recom-
mendations. Quality circles are relatively permanent teams.
2) Self-managed work teams are teams that are charged with doing the daily work. They tend to be
permanent. A team has the authority to decide how its work will be done in terms of planning,
scheduling and assigning tasks to members. It takes action on any problems that develop, makes
operating decisions, and works directly with suppliers and customers. Some self-managed teams
even select their own members, and the members evaluate one another’s performance and discipline
those who cause problems. The entire team is responsible for the results of their work. The efforts of
all the team members can result in a level of performance that is greater than the sum of their indi-
vidual efforts. Though self-managed work teams can be successful in some situations, they do not
work very well in cultures with strong respect for hierarchical authority.
3) Open-book management (OBM) gives employees all relevant financial information about the company so that they feel more empowered. This information can include, but is not limited to, revenue, expenses, profit, cost of goods sold, and cash flow.
Raj Aggarwal and Betty Simkins developed an OBM model referred to as STEP (share, teach, em-
power and pay).
• Step Three - Empower the employees so they are responsible for the numbers under their con-
trol.
• Step Four - Pay the employees a fair amount based on performance. Methods of compensation
might include bonuses, stock options, and/or profit-sharing.
Teams and Work Groups
The difference between a work group and a work team (also referred to simply as a team) is that a team
consists of work group members who are working together toward a common goal. The members of a team
are chosen for the complementary skills that they bring to the team. Their performance as a team may be
greater than the sum of their individual work, and they are accountable both individually and as a team for
their performance. This accountability is to one another, not merely to a manager. A mature team is autonomous, self-directing and self-managing. The team comes together to pursue a goal, and that goal becomes the team’s focus.
• A team can outperform an individual when the task facing it requires multiple skills, diversity of
experience and good judgment.
• Reduced errors, reduced absenteeism and reduced on-the-job injuries can result in significant cost
reductions.
• Teams facilitate employee participation and increase employee motivation because they provide a
sense of self-worth and self-fulfillment.
• Teams give employees the opportunity to grow and gain respect by making their own decisions
about their work, which ultimately provides a feeling of making a difference in the organization.
• Use of teams can eliminate layers of middle management, flattening the organization, reducing
managerial costs and bringing employees more in touch with top management.
Costs of teams are usually related to the costs of changing the business to a team-based organization.
• Managers accustomed to traditional hierarchical management may feel threatened by the fact that
the team is taking over their duties of directing the work.
• Some staff personnel may also feel threatened as more of the work formerly done by them is turned
over to the teams. This can be addressed by assigning technical staff personnel to one or more
teams.
• It takes time for a team to become mature and effective. If management becomes impatient with
the process, the teams may be disbanded and the organization returned to its original form, often
with significant losses for all concerned. All the hard work of the team members is lost, and employ-
ee confidence in management will suffer.
Types of Teams
Some teams are formal, created by management. Some teams are informal, evolving naturally in organiza-
tions that permit participative management. The major types of teams are:
• Problem-solving teams are temporary teams formed to work on a specific problem in the work-
place. After the problem is solved, the team is disbanded and the team members return to their
regular jobs. Problem-solving teams are often cross-functional, i.e., they consist of members from
different functional areas of the organization and are selected for their expertise. Problem-solving
teams do not make decisions but only make recommendations.
• Cross-functional teams are formed of employees from different work areas who may work togeth-
er on a single client’s account, and may be permanent. A team working together for one client can
improve communications and tracking of jobs for that client, leading to more satisfied clients.
• Management teams are made up of managers from several areas that work together to support
and coordinate the activities of work teams. These are relatively permanent teams. Their primary job
is to coach and counsel the work teams in order to support them in their task of being self-managing
and making their own decisions. Management teams also coordinate the activities of work teams
that are dependent upon each other.
• Product development teams are a combination of work teams and problem-solving teams. They
are formed to create new products or services to meet customers’ needs. They are similar to prob-
lem-solving teams in that the team may be disbanded when the product has been developed and is
in production. Use of a team to develop a new product can cut product development times, which is
an important edge in a competitive economy.
• Virtual teams are made up of members who may be located all over the world. They share files via
the Internet and email and may meet via teleconferencing and videoconferencing. Virtual teams may
be used as product development teams, with a team on one side of the world working on the re-
search and at the end of their day updating the team on the other side of the world that is just
starting its day. The result is that research goes on around the clock, dramatically cutting the time
necessary to bring a new product to market.
Team Effectiveness
What makes teams effective? Teams are considered effective when they accomplish goals, have innovative
ideas, have the ability to adapt to change, have a high level of team commitment, and are highly rated by
senior management. Accordingly, team effectiveness is determined by the following interdependent factors.
These factors need to be addressed on a continuous basis.
• Leadership. Teams must be able to agree on who will do what, how decisions will be made, how
conflicts will be resolved, how schedules will be set, and various other organizational matters. Team
leadership is necessary in order to accomplish this. Team members may fulfill the leadership roles,
or management may provide the leadership.
• Abilities of members. A team needs people with technical expertise, people with problem-solving
and decision-making skills, and people with good interpersonal skills who can take the lead in con-
sensus-building. These skills in the right mix are essential. However, it is possible for a team to
develop these skills in its members, if all of the skills are not present when the team is formed.
• Team performance. Team start-up can take several months to a year, or more. During that time,
performance often declines due to initial confusion and lack of direction. However, as time passes,
internal leaders arise and the work becomes focused. Team members become more competent and
more deeply committed to each other and to the success of the team, and performance levels usual-
ly recover and rise above the previous level of performance.
• Top management support. The change to a team approach must start at the top of the organiza-
tion and must have top management’s full support. Top management must make the decision to
institute a team-based organization because they recognize it as a good business decision. This is a
major cultural shift, and it cannot be made quickly. Top management must take the lead in com-
municating the reasons for the change and enlist the support of the entire organization. Top
management must then support the effort during the difficult start-up period. Organizational support
systems for the teams must be in place if the teams are to have any chance of succeeding. Support
systems for teams include efficient inventory ordering and scheduling, better hiring and selection
systems, improved information systems and appropriate compensation systems. Management sup-
port includes assistance with decision-making when needed and coordination of teams that are
interdependent upon one another.
Trust is another key element to team effectiveness. Trust is defined as “reciprocal faith in others’ intentions and behavior.”[14] The primary responsibility of creating a climate of trust in the organization lies with
management. Trust is the key to establishing productive interpersonal relationships and encourages self-
control, reduces the need for direct supervision, and expands managerial control.
Question 97: Which of the following is key to any plan to empower teams?
(IIA adapted)
Question 98: Which of the following is not an appropriate approach to team building?
d) Selecting team members based on how they are likely to relate to each other.
(IIA adapted)
[14] Kreitner R. & Kinicki A., Organizational Behavior, 5th edition, pg. 422.
Question 99: Which one of the following statements about quality circles is false?
b) Part of the quality circle concept includes teaching participants communication skills, quality
strategies, and problem analysis techniques.
d) The quality circle has the final control over implementation of recommended solutions.
(IIA adapted)
Conflict Management
Conflict is “a process in which one party perceives that its interests are being opposed or negatively affected by another party.”[15] The word perceives reminds us that the source of conflict is not always real; sometimes it exists only in the mind of one of the parties. Therefore, managers need to be aware of the dynamics of conflict and know how to handle it effectively.
There are two broad types of conflict: cooperative and competitive.
1) Competitive conflict occurs when parties are pursuing directly opposite (win-lose) goals. Competi-
tive conflict is considered destructive, and ultimately the parties part ways. If this type of conflict
occurs within a company, it is particularly damaging to the company and must be handled quickly
and completely.
Conflict Triggers
A conflict trigger is simply any situation or factor that increases the likelihood of conflict. But, as we
mentioned above, conflict should be allowed to exist if it is cooperative conflict, and eliminated if competitive.
Conflict may be triggered by the following situations: 16
• Management imposes unreasonable standards, rules, policies, or procedures that employees consider unfair.
• There is a power and status differential that gives one individual questionable influence over another.
[15] Ibid., pg. 447.
[16] Kreitner, Robert, Management, 8th edition.
Resolving Conflicts
Conflicts may be resolved in a number of different ways:
• Problem solving is a process that confronts the problem and removes its causes. This is a very
good method, but takes longer to perform than some of the other methods.
• Smoothing is a short-term avoidance process whereby the parties are asked by management to
forget about their differences for the short term. However, this does not solve the problem.
• Forcing occurs when the party in the superior position uses that position to settle the conflict. This is sometimes necessary in the short term, but the underlying problem needs better treatment in the long run.
• Superordinate goals are those goals that are above the goals of the individual or the department.
In the short term, management may appeal for the “common good” and ask the parties in the con-
flict to forget about the conflict for the greater benefit of the entire company.
• In a compromise, both parties make concessions. The parties both gain something and lose some-
thing, but the source of the conflict may not have been dealt with.
• Expanding resources is a possible solution only when there is a conflict as a result of insufficient
resources and it is possible to expand the resources available in the situation.
• Avoidance (withdrawing) involves either withdrawing from the problem or suppressing the issue.
This does not address the problem and, at best, will provide only a short-term solution. This ap-
proach might be appropriate when the manager perceives the problem to be minor. It might also be
appropriate if there is no chance of solving the problem, or disruption would be too costly.
• Changing the human element attempts to change the behavior of the individuals involved. This
may take too long to accomplish and is usually not a short-term option.
• Diffusion is the process of trying to solve the smaller, less critical issues first in order to build a
feeling of success and cooperation before dealing with the larger issues.
• The public media unfortunately at times becomes the venue in which the conflict is played out.
Sometimes this happens because one of the parties makes the issue public. This is a risky option be-
cause public opinion may not always be as expected, but the pressure of the media attention may
force people to solve their differences.
The interactionist theory views conflict as possibly beneficial. Conflict is good if it improves performance
and helps the organization achieve its objectives. Occasionally conflict serves to “clear the air” and to help
people get rid of frustrations and anger that they have not voiced. Afterwards, people feel better and more
ready to work. Given this, sometimes the intentional stimulation of conflict may be desirable.
Question 100: One division of a large manufacturing company has traditionally performed much better
than any of the other divisions. The management team of this division has risen through the ranks
together and exhibits no signs of conflict. Recently, earnings of the division have begun to decline, and
market share has eroded. Senior management of the parent company has asked the director of internal
audit whether the introduction of conflict by bringing in outside managers might help resolve the
deteriorating situation. The most appropriate response would be that:
b) All conflict can be beneficially controlled and should be encouraged in this situation.
c) The management team has been together for a long time and should be allowed to work through its
problems.
d) Varying the management team could introduce new ideas and be beneficial to the division, and
some conflict is not a problem.
(IIA Adapted)
Question 101: Upon completing an audit of a major operation of the company, the auditor is certain that
a proposed recommendation should be made in the audit report. However, the auditor also understands
that the recommendation will result in conflict between the auditee department and the accounting
department. The organization is not bureaucratic and encourages the development of informal relation-
ships across departments. Which of the following statements is correct regarding the nature of conflict in
organizations?
a) Conflict is more likely to be functional in a bureaucratic organization than in a less formal (organic-
type) organization.
b) Conflict reduces the likelihood that an acceptable solution can be implemented in highly structured
organizations; thus, the auditor should consider revising the recommendation in order to avoid con-
flict.
c) Conflict should be viewed as a healthy way to facilitate growth in an organization; thus, the auditor
should accept conflict that may result from normal audit recommendations.
d) Conflict is healthy unless it clearly points out differences in the goals and objectives of the
organization's operating units.
(IIA Adapted)
Question 102: The behavioral science literature identifies diffusion as an effective approach to resolving
conflict. An auditor effectively using diffusion in working with a confrontational auditee would:
a) Set aside critical issues temporarily and try to reach agreement on less controversial issues first.
(IIA Adapted)
Question 103: Two managers have been informed that their units will be relocated to a new site. The
units are to share space at the new office location. The managers have been arguing for several weeks
over the allocation of space and the location of offices. This disagreement is threatening the relocation
schedule and disrupting other projects. The managers' supervisor has now become involved in the conflict
and must try to minimize the potential for hurt feelings while resolving the problem quickly. Identify the
supervisor's best approach for this situation.
b) Design a floor plan and tell the managers who occupies what space.
c) Remind the managers that the company needs their cooperation in this effort so that costs can be
reduced.
d) Tell the managers not to worry, and that problems like this have a way of working themselves out.
(IIA Adapted)
Question 104: To effectively market the internal auditing function to management, auditors must
recognize that their roles may result in varying degrees of conflict. Conflict triggers must be understood
and managed so that a dysfunctional situation does not develop. Select the answer that is not a conflict
trigger.
a) Communication breakdowns
b) Superordinate goals
c) Personality clashes
d) Status differentials
(IIA Adapted)
Question 105: Two managers have been arguing about the distribution of money for capital investment
projects affecting their respective production units. All of the projects are worthwhile and significantly
exceed the organization's required rate of return. The approach that would create a win-win solution for
the managers under these circumstances would be to:
a) Smooth the differences of the two managers by emphasizing their common interests.
b) Alter the attitudes and behaviors of the managers so that agreement can be reached.
d) Expand the resources available so that both managers’ projects can be funded.
(IIA Adapted)
Negotiation
Robert Kreitner defines negotiation as “a decision-making process among interdependent parties with different preferences.” In other words, it involves examining the facts of the situation and then bargaining to resolve issues, if possible.
Negotiation is something that takes place every day and touches on every facet of life, occurring in private
(between spouses or other family members), business, non-profit organizations, government branches, legal
proceedings, and among nations.
Approaches to Negotiations
The two main approaches to negotiating are distributive bargaining and integrative bargaining.
1) Distributive bargaining occurs when there is a zero-sum situation. This means that there is a fixed amount to be divided: what one party gets, the other party does not. It is very unlikely that a true win-win situation will come out of a zero-sum situation. Each party will set a desired result and a minimum acceptable result. If these two ranges overlap, then there is a chance of a successful negotiation. If the minimum that one party will accept is more than the other party will give up, it will be very difficult to come to an agreement.
2) Integrative bargaining occurs when there is a possibility for both sides to win. This is the classic
win-win situation and occurs when the parties have shared interests, there is not a limit on re-
sources and the parties have, or are hoping to develop, a long-term relationship. This is the
preferred type of bargaining within organizations.
• Two-party negotiations occur when there is a buyer and a seller. An example is when a person
buys a new car, or a person sells his or her car to a used car dealer.
• Three-party negotiations are more complicated and involve an agent, or broker. For example, a
person buys or sells stock through a stockbroker.
Effective Negotiations
It seems to make sense that the point of negotiations is to reach an agreement with the other party rather than to achieve victory. If the other side plays “hard” or “bullies,” then this will probably cause resentment in future bargaining. Instead, the idea should be for the parties to meet their needs and establish trust.
• Adopting a win-win attitude. This is considered to be a cooperative attitude in which both parties are seeking mutual benefit and satisfaction. Adopting a win-win attitude means understanding that a mutually beneficial agreement addresses both parties’ interests.
The other side of this win-win attitude is a win-lose attitude. This attitude is based on the assumption that one person’s gain is another person’s loss. This approach is competitive and is prevalent in some cultures. It is what is known as a zero-sum game.
Thus, in its simplest terms, if the terms of the agreement are better than your BATNA, then you
should accept the offer. If the agreement is not better than your BATNA, then you should renegoti-
ate.
• Identifying the Bargaining Zone. Any negotiation will be useless if both parties involved have no
common ground on which to maneuver during bargaining. BATNA is useful in helping to identify the
bargaining zone.
Example: Suppose you had a written offer from Broncos Used Cars to buy your car (a 2005 PT Cruiser, fully loaded) for $10,250. Your BATNA when dealing with other potential purchasers would be $10,250, since you can get $10,250 for your car even without reaching an agreement with any such alternative purchaser.
Now suppose you think you can get more than $10,250 by advertising over the Internet. The car is considered a classic and is fully loaded with features that are not typically found on Cruisers. You ask $13,000, or best offer.
A buyer wishes to purchase your car for $10,000, with a BATNA of $12,000.
Thus, negotiation is feasible because a bargaining zone exists (between the buyer’s BATNA of $12,000 and your BATNA of $10,250). But if your BATNA were $12,500, then negotiations would not be feasible.
Overcoming Resistance
Encountering resistance during negotiations is not unusual, and in some cases, should be expected. If there is
resistance then there are certain steps that can be taken to overcome the situation. These steps include:
• Stop the negotiations and try to address each other’s concerns in private.
• Do a background check to get a better idea of the other party’s views on the issue.
1) Clarify interests. Before you can begin you must know what you want and what the other party
may want out of the negotiation. Thus, you are seeking common ground.
[17] BATNA is a term coined by Roger Fisher and William Ury in their 1981 bestseller, Getting to Yes: Negotiating Without Giving In.
2) Identify options and their marketplace values. Every negotiation has elements of value that can
be traded off to arrive at a satisfactory deal. These elements can be either tangible or intangible,
e.g., property, money, behavior, rights, risks.
3) Create two or more “deal packages.” The use of multiple deal opportunities is what
differentiates AVN from other negotiating methods. Instead of creating only one offer and then trying
to get the other side to accept (as in win-lose negotiating), you create two or three possible deals.
Each deal should have its own special appeal. After these special deals are created, they then have
to be analyzed.
4) Sell the deals and ask the other side to select one. This is probably the most critical step to a
successful AVN process. You may understand the deal packages that you have created, but the other
party may not. In this case, it may be necessary for you to describe the range of possibilities and in-
clude the reasons why the deals are structured differently. You may have to discuss each of the deal
packages separately to get the other side to feel more comfortable. When this has been done and
you both agree that there is at least one mutually acceptable deal, it is time to move on to the next
step.
5) Perfect the chosen deal. This is the final step in the process. This step entails more than just
dotting the “i’s” and crossing the “t’s.” This is a chance to make sure that “all of the bases” are cov-
ered and you have a written agreement that all parties can live with.
AVN is based on openness, flexibility, and a mutual search for the successful exchange of value. It allows you to build stronger relationships that will be beneficial in future negotiations.
Principled Negotiation
Principled Negotiation is another win-win approach described by Fisher and Ury in their book, Getting to Yes. This approach focuses on basic interests, mutually satisfying options, and fair standards. Its goal is a lasting agreement, in contrast to traditional positional (win-lose) bargaining.
• Separating the people from the problem. People tend to become personally involved with the
issues and can lose objectivity. Thus, it’s necessary to separate the people from the issues allowing
the parties to address the issues without damaging their relationship. Doing this may also help them
get a clearer view of the problems.
• Focusing on interests rather than positions. Good agreements focus on the parties’ interests
rather than their positions. It’s been found that when a problem is defined in terms of the parties’
underlying interests, it is often possible to find a solution that satisfies all parties’ interest.
• Generating options for mutual gain. A distinct failing is when parties decide prematurely on an
option and fail to consider alternatives. In these cases, Fisher and Ury suggest getting together in an
informal atmosphere and brainstorming for all possible solutions to the problem. Only after a variety of options have been generated should the group turn to evaluating the ideas. Evaluation would start with the most promising idea.
• Insisting on using objective criteria. Objective criteria should be used to resolve differences when interests are directly opposed. If such differences are left to a contest of wills, the battle can destroy the relationship; it is also inefficient and unlikely to produce a wise agreement. Decisions based on reasonable standards make it easier for the parties to agree and preserve the relationship. Therefore, the first step is developing objective criteria. These criteria should be legitimate and practical; scientific findings, professional standards, and legal precedent are possible sources of objective criteria.
• Mediation is an intervention between the parties by a neutral party with the intent of facilitating an
agreement. The mediator will offer solutions, assist in communications, and present the arguments
to each side.
• Arbitration is a situation in which a third party (either chosen by the parties or appointed under
some authority) decides the situation. This decision is binding to the parties.
• Consultation occurs when an expert in conflict resolution is engaged in an attempt to improve the
communications between the parties.
Question 106: A construction manager is using a distributive-bargaining approach in negotiating the price
of lumber with a supplier. The construction manager will:
a) Concede to the supplier’s asking price in order to maintain a positive working relationship.
c) Attempt to get agreement on a price within the settlement range (that is, within both the manager’s and supplier’s aspiration ranges).
d) State the resistance point (that is, the highest price acceptable) and ask the supplier to concede.
(IIA Adapted)
Question 107: Two internal auditors have been assigned projects of equal priority and the same due date.
Unfortunately, support services are limited. The auditors have been directed to negotiate between
themselves for the available services. This type of negotiation is called:
a) Distributive
b) Integrative
c) Attitudinal structuring
d) Intraorganizational
(IIA Adapted)
Question 108: What is a primary disadvantage of forcing another party to accept terms in a negotiation?
(IIA Adapted)
Question 109: The method of principled negotiation is based on which of the following principles?
a) I and II only.
(IIA Adapted)
Question 110: There are many types of third-party negotiations available to parties facing disagreement.
If the goal is to be certain that settlement is reached, a negotiator with authority to make a decision
should be selected. The best negotiator to select, given this goal, would be a(n)
a) Mediator
b) Arbitrator
c) Consultant
d) Conciliator
(IIA Adapted)
Change Management
As desirable as it may be for a company to exist in a static business environment, all organizations will at some point go through some kind of change. Whether minuscule or dramatic, expected or unexpected, change in the corporate world has an impact on a company’s bottom line, and therefore companies must be prepared to handle the stressors that will most certainly come when change occurs.
Nadler and Tushman developed a model of the different types of change that a company might undertake.
Two pairs of binaries (anticipatory/reactive and incremental/strategic) are aligned to form four quadrants, and
each quadrant expresses a specific combination of factors that describe corporate change:
[Figure: Nadler and Tushman change matrix; columns Anticipatory and Reactive, rows Incremental and Strategic.]
Note: Companies can also be organized as a network corporation, which is a long-term, strategic relationship among companies that have no specific legal ties to each other. A strategic partnership is an association of companies formed to accomplish a specific goal, such as an alliance between two auto companies to produce a new vehicle.
In order for management to implement change with minimal disruptions, any resistance to change needs to
be acknowledged and appropriately addressed. The following is a basic list of proactive and participative
methods to address concerns about change:
• Communicate to all affected parties the nature, extent, and reasons for the changes.
• Anticipate and address the perceived impact of the change on the economic, social, and psychological needs of employees (since employees tend to react to the perceived rather than the real impact of change).
Lewin’s force field analysis is a more detailed model for understanding change, resistance to change, and
ways to address that resistance:
Driving forces (for change)                Resisting forces
Internationalization and global markets    Pay reductions
Social transformations                     Loss of power and/or status
Increased competition                      Breaking up of existing teams
Lewin suggests that, instead of taking on the resisting forces head-on, management should aim to weaken
resistance to change.
Lewin offers a three-step process to describe the method that companies might employ to manage change
and resistance to change:
• Unfreeze. Management “unfreezes” the current situation by explaining to affected parties the reasons for the change, preparing them for the transition.
• Move. Management makes the change or changes, which can involve a relatively long period of
retraining and restructuring.
• Refreeze. Management allows a period of calm in which things “refreeze” or become more stable in the new environment (during the “refreeze,” care should be taken to prevent conditions from reverting to pre-change conditions).
Project Management
Project management entails the process of planning, managing and controlling large projects that are
composed of many different jobs performed by many different departments and people. When projects are
very large and complex, the manager needs a system for keeping track of all the information and coordinating the various activities in order to complete the entire project on time.
Many activities in a project are dependent upon the completion of other activities, and they cannot begin until
the other activities have been completed. Some activities are critical because they must be completed exactly
as scheduled to avoid slowing down the whole project, whereas other activities are non-critical and may be
delayed for a while before they will cause a slowing of the entire project.
Proper scheduling can make the difference between completing the project on time and within budget, or
missing deadlines and having cost over-runs. In addition, proper scheduling can help foresee and avoid
potential difficulties in the completion of a project, thus reducing total time required and related costs. Thus,
in order for organizations to be competitive, they must reduce project time.
A project is a temporary endeavor undertaken to achieve some specified aim or objective, such as
creating some unique product or service. It is important to understand that even though projects are
temporary, they help organizations achieve longer-term objectives. The planning, execution and monitoring of
major projects sometimes involves setting up a special temporary organization, consisting of project teams
and one or more work teams.
• Planning is organizing facilities and equipment, personnel and task assignments, and scheduling.
• Termination is when the project is released to the end user and project resources are redistributed.
• Products are schedule-driven and results-oriented. These are more important than adhering to a
process.
• Achieving overall objectives (the big picture) and adhering to the little details are of equal
importance.
• Project managers know very well the motivational power of having a deadline. Deadlines shape
individual and team objectives.
In the following we discuss some of the more common project management techniques, including Gantt
Charts, flowcharting and PERT/CPM.
Gantt Charts
In a Gantt chart, a project is divided into parts that are called activities or tasks. These tasks are then plotted
on a chart that has tasks listed on the left side and time across the bottom. The tasks are then placed into the
time frame during which they need to be completed.
[Figure: Gantt chart example]
As you can see, the Gantt chart does an excellent job of showing when different steps need to be completed,
and they may be color coded in order to show who is to do something or when they are completed (as shown
here). Gantt charts are easy to complete and also provide a quick way to see whether or not the project is on
schedule.
In the example above, the evaluation stage is ahead of schedule. The report writing stage, however, is behind
schedule because it should have been completed by the current report date, but is not.
• They do not show the interconnection between the different steps of the project.
Flowcharting
Flowcharting is a schematic representation of a process. This schematic representation helps users better visualize the content of the process or find faults in it. Flowcharts are useful for a variety of purposes. For example, flowcharting can be used in computer programming for determining program logic, in TQM for simplifying work processes, or for helping internal auditors better understand an organization’s internal controls.
Flowcharting is also a method for sequencing activities and decisions. It arranges events in the order of their
actual or desired occurrence. This can help eliminate wasted steps and activities.
There are a variety of symbols used in flowcharting. The more common symbols are:
PERT/CPM
Program Evaluation and Review Technique (PERT) and Critical Path Method (CPM) have the same general
purpose, in that they both address the same issues. The two techniques were developed independently in the
late 1950s. PERT was developed by the U.S. Navy primarily to handle projects where the time required for
each activity was uncertain.
CPM was developed for use in industrial projects where the time requirements for each activity were known.
CPM was developed in 1957 for use by DuPont and was first applied in 1958 to the construction of a new
chemical plant. When it was developed, the focus of CPM was on providing managers with options to reduce
activity times by adding more resources at greater cost. In 1959, the method was applied to a maintenance
shutdown at the DuPont works in Louisville, Kentucky, and as a result, unproductive time was reduced from
125 hours to 93 hours. CPM introduces the concept of trade-offs between time and cost for the various
project activities.
Computer applications for PERT and CPM have combined the two approaches, using the best features of both.
Therefore, a distinction between the two techniques is no longer needed, and they are referred to as
PERT/CPM.
PERT/CPM involves graphical representations of the project, called the project network. The project’s
beginning, end and each activity are represented by nodes on the network. Lines, or arcs, connect the
nodes and show the relationships between and among them. The project network helps the manager visualize
the activity relationships and assists in carrying out the PERT/CPM computations.
Once we have the form of the project network, we can estimate the time required by each activity, the set of
critical activities, and the time required for the whole project. Each activity, represented by a node, is
assigned a time that will be required for its completion.
After acquiring the expected times for each activity, we can determine which path is the critical path. A path
through the network is a series of connected nodes that go all the way from the beginning to the end of the
project. A network may have many paths, and all of the paths must be completed in order to complete the
project. The critical path is the path that requires the most time because if activities on that path are
delayed for any reason, the entire project will be delayed. Activities on the critical path are called critical
activities for the project.
Some activities may have slack time. Slack is the amount of time that an activity can be delayed without
putting the whole project behind schedule. Paths that are not designated as critical paths are paths with slack
time. Slack represents unused resources that can be diverted to the critical path.
The expected time to complete the entire project is the sum of the expected times for each of the activities on
the critical path.
Let’s start with an example. This is a very brief PERT/CPM diagram, but it will demonstrate the issues related
to PERT/CPM.
[Figure: PERT/CPM network diagram with nodes S, A, B, C, D, E and F; the activity times on the arcs are those listed in the table below.]

Activity   Time (Days)   Immediate Predecessor
SA         2
AB         4             SA
AC         3             SA
BE         8             AB
CD         2             AC
CE         5             AC
DF         6             CD
EF         2             CE
In the chart above, the critical path is SABEF because this has the longest completion time – 16 hours.
Activity CE is not part of the critical path and therefore has slack time. Path SACEF takes only 12 hours. This
means that activity CE (or any other activity in this path) could be increased in time by 4 hours and the
project as a whole could still be completed on time.
The company can use this information and may be able to reallocate resources from one of the paths with
slack to the critical path, reducing the time for the critical path. However, it is important to remember that
there will always be a critical path. If the company reduces the time for activity BE to 4 hours, the time for
path SABEF becomes only 12 hours, and path SACDF then becomes the critical path with a time of 13 hours.
Start Times, Finish Times, Slack Times and the Critical Path
An important part of determining the critical path is determining start times, finish times and slack time for
each individual activity in a project. This appears difficult, but it is really just common sense. It is beneficial to
put in the effort to understand how it works.
In determining start times, we need to know the earliest and latest possible start times for each activity.
We determine the earliest start time by counting from the left side of the diagram. We determine the latest
start time by counting from the right side.
For finish times, we need the same thing: the earliest and latest possible finish times for each activity.
Once these are known, we will know where there is slack time and we will know the critical path(s).
In the example, the earliest possible start time for activity CE is 5 hours. This is because it takes at least 5
hours to get to this point in the process. The latest start time for CE is 9 hours, because once CE is started it
will take 7 hours to complete. Since the whole project can be done in 16 hours, we need to start CE at hour 9
at the latest in order to be able to finish in 16 hours. This gives a 4-hour window in which to start activity CE,
meaning that the workers on this activity can be used elsewhere until the 9th hour, when they must be ready
to start activity CE.
To determine an expected time for an activity when its time is uncertain, we need three time estimates: its
optimistic time, most probable time, and pessimistic time. To calculate the expected completion time
for an individual activity using these three time estimates, we use the following formula:
Network planning using three time estimates for each activity is called a probabilistic technique, or
stochastic technique, because it allows for uncertainty. This is in contrast to deterministic techniques, or
techniques that use only one time estimate for each activity.
Large differences between the pessimistic and the optimistic times indicate a high degree of uncertainty about
the time required for an activity. Using the assumption that one standard deviation is approximately 1/6th of
the difference between the most extreme values of a probability distribution, we can determine the standard
deviation (σ) of an individual activity as follows:
The variance of an individual activity is the square of the standard deviation, or σ².
When activity times are uncertain, the manager must remember that the calculation of the critical path will
determine only the expected time to complete the project. The actual time required to complete the
project may be quite different. Activities with larger variances have a greater degree of uncertainty.
Therefore, the progress of any activity with a large variance should be closely monitored even if, based on its
expected time, the activity does not appear to be a critical activity on the critical path.
The standard deviation of the completion time of the critical path is calculated by taking the square
root of the sum of the variances of all of the individual activities in the path. Remember that the variance of
an activity is the square of the standard deviation of the activity.
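The following worked example is added here to show the three-estimate calculations described above in running code; it is not part of the HOCK text. It applies the standard PERT formulas, expected time = (optimistic + 4 × most probable + pessimistic) / 6 and σ = (pessimistic − optimistic) / 6, which is the one-sixth assumption the text describes, and then combines activity variances into the standard deviation of a path. The three activities in CRITICAL are constructed sample data, and the probability function assumes the path total is approximately normally distributed.

```python
"""PERT three-point estimates: expected activity time, standard deviation and
variance of an activity, and the standard deviation of a whole path.

Added example, not code from the HOCK text. It applies the standard PERT
formulas: expected time = (optimistic + 4 x most probable + pessimistic) / 6
and sigma = (pessimistic - optimistic) / 6, the one-sixth assumption the text
describes. The three activities in CRITICAL are constructed sample data.
"""
from math import sqrt
from statistics import NormalDist


def expected_time(optimistic, most_probable, pessimistic):
    """Weighted average of the three estimates (most probable weighted 4x)."""
    return (optimistic + 4 * most_probable + pessimistic) / 6


def activity_sd(optimistic, pessimistic):
    """One standard deviation taken as one sixth of the optimistic-to-pessimistic spread."""
    return (pessimistic - optimistic) / 6


def activity_variance(optimistic, pessimistic):
    """Variance is the square of the standard deviation."""
    return activity_sd(optimistic, pessimistic) ** 2


def path_sd(sds):
    """Standard deviation of a path: square root of the SUM OF VARIANCES.
    Adding the standard deviations themselves (6 + 8 = 14) is the classic error."""
    return sqrt(sum(s * s for s in sds))


def path_summary(activities):
    """activities: {name: (optimistic, most probable, pessimistic)} along one path.
    Returns (expected path length, standard deviation of the path length)."""
    expected = sum(expected_time(*est) for est in activities.values())
    sd = path_sd(activity_sd(o, p) for o, _, p in activities.values())
    return expected, sd


def probability_on_time(expected, sd, deadline):
    """P(path finishes by the deadline), treating the path total as approximately normal."""
    if sd == 0:
        return 1.0 if deadline >= expected else 0.0
    return NormalDist(expected, sd).cdf(deadline)


# Constructed critical path: (optimistic, most probable, pessimistic) in days.
CRITICAL = {"X": (3, 9, 21), "Y": (4, 13, 28), "Z": (5, 5, 5)}

if __name__ == "__main__":
    for name, (o, m, p) in CRITICAL.items():
        print(f"{name}: expected {expected_time(o, m, p):.2f}, sd {activity_sd(o, p):.2f}, "
              f"variance {activity_variance(o, p):.2f}")
    expected, sd = path_summary(CRITICAL)
    print(f"path: expected {expected:.1f} days, sd {sd:.1f}")
    for deadline in (expected, expected + sd, expected + 2 * sd):
        print(f"P(done by day {deadline:.0f}) = {probability_on_time(expected, sd, deadline):.3f}")
```

Run as a script it prints the per-activity figures and the probability of finishing by the expected length, one and two standard deviations later. Activity Z, with identical estimates, contributes no variance, which is why a large spread between optimistic and pessimistic times (activity Y here) is what deserves monitoring.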
If a project needs to be completed in less time, the critical path must be shortened. This can be done either
by using the existing resources in the company in a different manner (moving them from jobs with slack time
to the critical path) or bringing in additional resources. Which choice a company makes will depend upon the
skills of the resources in the company and whether or not they will be able to perform the needed tasks in the
critical path.
Putting additional resources to work on specific activities to shorten the time to complete a project is called
crashing. In order to decide where to crash, we need to know the least amount of crashing that is needed to
get the project completed within the timeframe. We then determine what activities will cost the least to crash
per unit of shortened project time.
The activities on the critical path are prime candidates for crashing. However, if we crash those activities too
much, then they might be shortened too much, making another path critical and wasting some of the
additional resources for which we are paying extra. So the entire network needs to be examined and the
crashing needs to be carefully planned.
In the earlier example, it is clear that activity BE could be shortened by as much as 3 hours without causing
another path to become critical. So if we have 2 people assigned to the job now, and those people can do the
job in 8 hours, how many people would we need to do the job in 5 hours?
Logic tells us that we would need almost twice as many people to do job BE in only 5 hours.
If it would cost an additional $450 to hire those people, and if that would shorten our overall project by 3
hours, we can then calculate the cost per day to shorten the project.
We will go through the network like this and determine the most cost-effective place or places to crash the
project to gain the maximum possible shortening of the overall project with the minimum cost.
For a small network, a trial-and-error approach can be used to determine this. However, with a large,
complex project, linear programming with a computer is used.
Other ways of shortening a total project’s length include: moving an activity that is on the critical path to a
parallel path instead, transferring resources from activities with slack to the activities on the critical path, if
possible, or eliminating or substituting less time-consuming activities for activities that are not essential.
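The following worked example is added here to show, in running code, both the start-time, finish-time and slack computations described under “Start Times, Finish Times, Slack Times and the Critical Path” and the crashing decisions discussed in this passage. It is not part of the HOCK text. It uses the text’s eight activities and times; the crash limits and costs per hour are constructed for illustration, except BE, which the text prices at $450 for 3 hours. It also treats both BE and CE as predecessors of EF, since both enter node E, although the text’s table lists only CE.

```python
"""PERT/CPM schedule: earliest/latest start and finish times, slack, the
critical path, and the cost and effect of crashing.

Added example, not code from the HOCK text. The network is the one in the
text (SA, AB, AC, BE, CD, CE, DF, EF with their times). The crash limits and
per-hour costs are constructed, except BE, which the text prices at $450 to
cut from 8 hours to 5 ($150 per hour).
"""

# Activity -> (duration in hours, immediate predecessors). The text's table
# names only CE before EF, but EF leaves node E, which both BE and CE enter,
# so both are treated as predecessors of EF here (an assumption made explicit).
NETWORK = {
    "SA": (2, []),
    "AB": (4, ["SA"]),
    "AC": (3, ["SA"]),
    "BE": (8, ["AB"]),
    "CD": (2, ["AC"]),
    "CE": (5, ["AC"]),
    "DF": (6, ["CD"]),
    "EF": (2, ["BE", "CE"]),
}

# Constructed crash data: activity -> (max hours it can be cut, extra cost per hour).
CRASH = {"SA": (1, 400), "AB": (1, 200), "BE": (3, 150), "EF": (1, 300)}


def topological_order(network):
    """Predecessors before successors, so each pass can run in one sweep."""
    order, seen = [], set()

    def visit(a):
        if a not in seen:
            seen.add(a)
            for p in network[a][1]:
                visit(p)
            order.append(a)

    for a in network:
        visit(a)
    return order


def schedule(network):
    """Forward pass (count from the left) then backward pass (count from the right).
    Returns ({activity: (ES, EF, LS, LF, slack)}, project duration)."""
    order = topological_order(network)
    es, ef = {}, {}
    for a in order:
        dur, preds = network[a]
        es[a] = max((ef[p] for p in preds), default=0)   # earliest start = latest predecessor finish
        ef[a] = es[a] + dur
    duration = max(ef.values())

    succs = {a: [] for a in network}
    for a, (_, preds) in network.items():
        for p in preds:
            succs[p].append(a)
    ls, lf = {}, {}
    for a in reversed(order):
        lf[a] = min((ls[s] for s in succs[a]), default=duration)  # latest finish = earliest successor start
        ls[a] = lf[a] - network[a][0]
    return {a: (es[a], ef[a], ls[a], lf[a], ls[a] - es[a]) for a in network}, duration


def critical_path(network):
    """Activities with zero slack, in the network's listing order."""
    table, _ = schedule(network)
    return [a for a in network if table[a][4] == 0]


def cheapest_critical(network):
    """Critical activities that still have crash capacity, cheapest per hour first."""
    cands = [(CRASH[a][1], a) for a in critical_path(network) if CRASH.get(a, (0, 0))[0] > 0]
    return [a for _, a in sorted(cands)]


def crash(network, plan):
    """Apply plan {activity: hours cut} within CRASH limits.
    Returns (new project duration, extra cost); the caller judges whether
    the hours bought actually shortened the project."""
    crashed, cost = dict(network), 0
    for a, hours in plan.items():
        limit, per_hour = CRASH[a]
        if hours > limit:
            raise ValueError(f"{a} can be cut by at most {limit} h")
        dur, preds = crashed[a]
        crashed[a] = (dur - hours, preds)
        cost += hours * per_hour
    return schedule(crashed)[1], cost


if __name__ == "__main__":
    table, duration = schedule(NETWORK)
    print(f"project: {duration} h, critical path {' '.join(critical_path(NETWORK))}")
    for a, (s, f, ls_, lf_, slack) in table.items():
        print(f"{a}: ES {s:2} EF {f:2} LS {ls_:2} LF {lf_:2} slack {slack}")
    print("crash first:", cheapest_critical(NETWORK)[0])
    for plan in ({"BE": 3}, {"BE": 3, "AB": 1}):
        new, extra = crash(NETWORK, plan)
        print(f"{plan}: {new} h for ${extra} = ${extra / (duration - new):.0f} per hour saved")
```

The script reproduces the figures in the text: a 16-hour project, critical path SA-AB-BE-EF, earliest start 5 and latest start 9 for CE (slack 4). Cutting BE by 3 hours brings the project to 13 hours for $450, at which point path SACDF is also critical; cutting AB by a further hour then costs $200 more but leaves the project at 13 hours, which is the waste the passage warns about. The greedy “cheapest critical activity” ranking is the trial-and-error method for a small network; a large network needs the linear-programming approach the text mentions, because several parallel critical paths must be shortened together.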
Benefits of PERT/CPM
PERT/CPM is useful in the following ways:
• It can be used to assign existing resources to a project in the most effective manner.
• It can be used to calculate costs to shorten the time required for a project.
• Sensitivity analysis can be used with PERT/CPM as a way of determining the probability of finishing a
project on time.
• PERT is extremely complicated, and when costs are included in the analysis, scheduling complexity is increased. Furthermore, CPM does not deal with the influence of indirect costs and contractual incentives. It assumes that time and costs are linearly related, which may not be the case.
• It can lead to overly optimistic estimates. It can be misleading to look only at the critical path
because paths that are near-critical and that have large variances may become critical. PERT/CPM
does not account for these activities.
• In addition, PERT/CPM considers the various activities to be independent from each other, with the time required to complete one activity not affecting the completion times of activities that follow it. Thus, in a PERT/CPM analysis, we assume that the expected length of a project (or a sequence of independent activities) is simply the sum of their separate expected lengths. This assumption may not be correct because in practice many activities have dependencies.
• Finally, if PERT/CPM is used to shorten the time required for a project by eliminating or substituting
activities, it can result in a degrading of the requirements and poor quality of work.
Question 111: California Building Corporation uses the Critical Path Method to monitor construction jobs.
The company is currently 2 weeks behind schedule on Job #181, which is subject to a $10,500-per-week
completion penalty. Path ABCFGHI has a normal completion time of 20 weeks, and critical path ADEFGHI
has a normal completion time of 22 weeks. The following activities can be crashed.
California Building desires to reduce the normal completion time of Job #181 and report the highest
possible income for the year. California Building should crash:
b) Activity EF 2 weeks.
d) Activity DE 2 weeks.
(CMA adapted)
Question 112: In a PERT network, the optimistic time for a particular activity is 9 weeks, and the
pessimistic time is 21 weeks. Which one of the following is the best estimate of the standard deviation for
the activity?
a) 2
b) 6
c) 9
d) 12
(CMA adapted)
The following information is for the next two Questions: The PERT network diagram and corresponding activity cost chart for a manufacturing project at Networks, Inc. is presented below. The numbers in the diagram are the expected times (in days) to perform each activity in the project.
[Figure: PERT network diagram for Networks, Inc. with nodes A, B and E among others; the expected activity times on the diagram are 5, 6.5, 1, 4.5, 7, .5, 5.5 and 7.5 days.]

                    Normal       Crash
Activity   Cost     Time (days)  Cost
AB         $3,000   3.50         $4,000
AC          5,000   4.50          5,250
AD          4,000   4.00          4,750
BE          6,000   5.00          7,000
CE          8,000   5.00          9,200
DE          6,000   6.50          6,750
BC          2,500    .50          3,500
BD          2,000    .25          2,500
a) 12.0 days
b) 13.0 days
c) 11.5 days
d) 11.0 days
Question 114: In order to keep costs at a minimum and decrease the completion time by 1 1/2 days,
Networks, Inc. should crash activity(ies):
a) AD and AB
b) DE
c) AD
d) AB and CE
(CMA adapted)
Question 115: A PERT network has only two activities on its critical path. These activities have standard
deviations of 6 and 8, respectively. The standard deviation of the project completion time is:
a) 7
b) 10
c) 14
d) 48
(CMA adapted)
Question 116: When making a cost/time trade-off in PERT analysis, the first activity that should be
crashed is the activity:
(CMA adapted)
Question 117: In Program Evaluation Review Technique (PERT), slack refers to the:
b) Difference between the latest starting time and earliest finishing time.
c) Path that has the largest amount of time associated with it.
d) Number of days an activity can be delayed without forcing a delay for the entire project.
(CMA adapted)
Goal-setting theory suggests that employees’ performance increases when they have specific and challenging
goals to reach and receive feedback on their progress at attaining those goals.
MBO emphasizes taking overall organizational objectives and expressing them as specific objectives for
groups and individuals. The goals are said to cascade down through the organization. Although the goals
originate at the overall organizational level, lower-level managers participate in setting their own goals. MBO
emphasizes “bottom up” as well as “top down” goal setting. The objectives of employees at each level are
linked to the objectives of the next level.
2) Participative decision-making, where the manager and employee jointly agree on the goals and on
how achievement of them will be measured.
3) An explicit time period in which to complete the goals, typically 3 months, 6 months or 1 year.
4) Continuous feedback on progress toward the employee’s goals, supplemented by periodic managerial
evaluations. Thus, the employee is not assumed to be self-motivated to reach his or her goals.
The implication in MBO is that the goals must be achievable. This is consistent with goal-setting theory: as long as the goals are achievable, MBO is most effective when they are challenging enough to require some effort.
There is only one area in which the MBO process deviates from goal-setting theory, and that is in the
participative goal setting. Goal-setting theory advocates assigning goals to subordinates, while MBO specifies
that the subordinate should participate in setting his or her own goals, as long as they are in line with the
goals of the organization. A major observed benefit to having the subordinate participate in the goal-setting
process is that the resulting goals are likely to be more challenging.
Implementing MBO
MBO is a widely used technique because it is usually successful at improving performance and achieving
organizational objectives. However, for MBO to be successful it requires:
In addition, cultural differences may make MBO inappropriate in certain organizations. For instance, MBO
does not work well with the Japanese culture’s focus on long-term goals and minimizing risk.
Question 118: Which network model algorithm identifies the set of connecting branches having the
shortest combined length?
a) Shortest-path algorithm
b) Longest-path algorithm
(HOCK)
Question 119: Which of the following requirements are necessary in order for MBO to be successful?
a) I and II only
(HOCK)
Section F – Information Technology and Business Continuity
Almost all of Section F is covered at the awareness level, with one exception (noted below). The main topics
in this section include:
• A review of the process of planning, analyzing, designing, and implementing a computer system
(Note: this topic is covered at proficiency level)
Questions related to these topics are likely to be of one of two types: 1) definitional or a basic application of
terms or 2) application to a particular situation in which you need to identify the best or worst evidence or
procedure from the choices.
While the first type of question is relatively straightforward, the second type requires some practice and patience. In order to prepare for the second type of question, you will need to go through the past Exam questions and become familiar with the way the questions are asked and the correct answers. Some questions are written in such a way as to imply more than one correct answer. For such questions, there is almost always a short phrase that limits the scope of the question to a particular area, topic, or problem, and that phrase will signal the correct answer. You will need to learn how to identify these signal phrases.
As a word of caution, the terminology in this section may be slightly different from the vocabulary you use at
work. This discrepancy occurs because internal auditing is, by its nature, an internal activity and therefore it
is impractical to establish standardized terms across various industries and companies. For this reason,
although you should internalize these terms for the exams, you are not at all obligated to change your
vocabulary at work.
This section accounts for 15–25% of the exam; therefore, it is significant enough that you do need to spend
adequate time understanding the concepts of IT and business continuity. We recommend you read through
the material, make sure you understand the general concepts, and use ExamSuccess to become familiar with
what has been asked in the past.
Information Technology (IT)
Because computers apply the same steps to similar transactions, there should be no chance for clerical
(human) errors in processing transactions. However, if there is a mistake in the program itself, there will be
an error in every transaction that is processed using that defective program. (And if a clerical error is made in
input, it will of course result in an output error.)
Potential for fraud is always present in organizations and is a serious problem, even without computer
processing of data. The automatic processing of data, the volume of the data processed, and the complexity
of the processing are aspects of computer processing that can increase both the risk of loss and the potential
dollar loss from exposures that naturally exist. The concentration of data storage creates exposure as well
because a problem with the storage in one place may affect large amounts of data. The potential for fraud is
further increased in a computer system because programs are used for data processing. Fraud can be
committed within the program without proper controls over the program itself, and this type of fraud may go
undetected for a long period of time.
Further complicating the situation is that because of the nature of computer systems, paper audit trails may
exist for only a short period of time. This is because support documents may be periodically deleted. The
existence of an audit trail means that an amount appearing in a general ledger account can be verified by
evidence supporting all of the individual transactions that go into the total. The audit trail must include all of
the documentary evidence for the transaction and the control techniques that the transaction was subjected
to in order to provide assurance that the transaction was properly authorized and properly processed. When
an audit trail is absent, the reliability of an accounting information system is questionable.
There is also a positive side to computer systems. Computer systems can provide large amounts of
information to management in a very short period of time. This will enable management to keep closer
control over the results of the company. Computers are also able to process and manipulate large amounts of
information without error (assuming, of course, that the program is correct).
Despite the fact that information systems present unique situations and challenges, it is important to
remember that there are the same internal control goals for an information system as there are for the
overall organizational internal controls. These are:
• Promoting effectiveness and efficiency of operations in order to achieve the company’s objectives.
• Maintaining the reliability of financial reporting through checking the accuracy and reliability of
accounting data.
• Assuring compliance with all laws and regulations that the company is subject to, as well as adherence
to managerial policies.
• Safeguarding assets.
When audit trails are absent and hard copy source documents are not available, an auditor must look to the
system for information. This information should include some kind of assurances that normal transactions are
being processed properly, and that there is a system in place to detect abnormal transactions and reject
them, place them in a suspense file, and bring them before management for review.
The internal auditors may employ an “event concept,” which means performing a review of the entire system
at a particular point in order to determine the effectiveness of all the controls while “events” enter the system
and flow through it. If the internal auditors will have to rely on the system itself as a basis for determining the
validity of its output, they have to be able to analyze the system and its controls. Thus, they must be able to
evaluate data processing systems themselves or else recruit people who can.
Because the system itself becomes so important, changes to the way data is processed and changes in the
system’s operating environment are also critical to an auditor.
In addition, as a result of technology, major changes have taken place recently in the way companies do
business. These have created new challenges for internal auditors. The rise of e-commerce, virtual
organizations, broadband and wireless communications, reliance on data encryption, and open systems are
only a few examples. The interconnectedness of business means that businesses are more vulnerable to
threats from the outside.
This means that management must do a risk assessment to find out what their risks are and how serious
those risks are. The internal audit staff should assist in this risk assessment. Then, management must decide
which risks are acceptable and which risks can be mitigated, and do cost-benefit analyses to decide which
controls mitigate the risks most effectively. Existing controls need to be examined to determine whether they
are effective or whether they require compensating controls.
Classification of Controls
Controls within a computer system are broken down into two types: general controls, which relate to the
environment, and application controls, which are specific to individual applications. Application controls are
designed to prevent, detect and correct errors and irregularities in transactions during the input, processing
and output stages. Both types of controls are essential because the possibility of accident, error, and loss of
data exists whenever data is stored, processed, rejected and reentered, copied from one medium to another,
or transmitted from one location to another.
General Controls
General controls relate to the general environment in which transaction processing takes place and are
designed to ensure that the company’s control environment is stable and well-managed. A stable and well-
managed control environment strengthens the effectiveness of the company’s application controls. General
controls include controls over the development, modification and maintenance of computer programs.
• Organization and operation of the computer facilities, including provision for the segregation
of duties within the data processing function as well as segregation of the data processing function
from other operations.
• General operating procedures, including written procedures and manuals. Operating procedures
also specify the process to follow in system development and system changes in order to provide
reasonable assurance that development of, and changes to, computer programs are authorized,
tested and approved prior to the use of the program.
• Equipment and hardware controls, including controls installed in computers that can identify
incorrect data handling or improper operation of the equipment.
• Access controls to equipment and data, such as controls over physical access to the computer
system and over logical access to the data that are adequate to protect the equipment and data files
from damage or theft.
Responsibilities of different jobs within the IT department should be separated from one another. An
individual with unlimited access to a computer, its programs and its data could execute fraud and conceal it.
Therefore, effective separation of duties should be instituted by separating the authority over and
responsibility for the different IT functions.
Although designing and implementing segregation of duties controls makes it difficult for one employee to
commit fraud, remember that segregation of duties is not perfect insurance against fraud because two
employees could collude to override the controls.
The various positions within a computer system and the responsibilities of each are:
• The Database Administrator (DBA) has responsibility for developing and maintaining the database
and for establishing proper controls over the database. The DBA controls access to the various files,
controls program changes, and makes source code details available only to those who need to know.
• Systems analysts are responsible for reviewing the current system to make sure that it is meeting
the needs of the organization, and when it is not, they provide the design specifications to the
programmers of the new system. Systems analysts should not do programming, nor should they have
access to hardware, software or data files.
• Programmers are the individuals who write, test and document the systems. They are able to
modify programs, data files and controls, but should not have access to the computers and programs
that are in actual use for processing. For instance, if a bank programmer were allowed access to
actual live data, he or she could delete his or her own loan balance while conducting a test. Furthermore,
systems programmers should not do application programming, and vice versa. If installation of a
new accounts payable system were combined with operating system maintenance responsibilities,
for instance, a programmer could both perpetrate and conceal a fraud.
• Computer (console) operators perform the actual operation of the computers for processing data.
They should not have programming functions and should not be able to program. Their
responsibilities should be rotated so no one operator is always overseeing the running of the same application.
The most critical separation of duties is between programmers and computer operators.
• Data conversion operators perform tasks of converting and transmitting data (e.g., convert the
source data to magnetic disk or tape for long-term storage).
• Librarians maintain the documentation, programs and data files. They should have no access to
equipment. Librarians should restrict access to the data files and programs to authorized personnel
at scheduled times. Furthermore, the librarians maintain records of all usage and those records
should be reviewed regularly by the data control group for evidence of unauthorized use.
• The data control group receives user input, logs it, monitors the processing of the data, reconciles
input and output, distributes output to authorized users and checks to see that errors are corrected.
They also maintain registers of computer access codes and coordinate security controls with other
computer personnel. They must keep the computer accounts and access authorizations current at all
times. They should be organizationally independent of computer operations.
• For transaction authorization, users should submit a signed form with each batch of input data to
verify that the data has been authorized and that the proper batch control totals have been
prepared. Data control group personnel should verify the signatures and batch control totals before
submitting the input for processing. This would prevent a payroll clerk, for example, from submitting
an unauthorized pay increase.
• The end users need to have access only to the final output that is produced.
• Users (not the IT Department) should initiate and authorize all systems changes, and a formal
written authorization should be required.
• An error log is maintained and referred to the operators for correction. The data control group
follows up on errors, but does not correct them.
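The separation rules listed above can be checked mechanically against a roster of roles and entitlements. The block below is an added Python example, not HOCK material: the role names, entitlement names, incompatible pairs and the sample roster are this example's own assumptions, chosen to encode the duties described in the list.

```python
"""Segregation-of-duties review over IT role assignments.

Added example, not part of the HOCK text. The incompatible role pairs and the
role-to-entitlement prohibitions encode the duties described in the list above;
the roster at the bottom is constructed sample data, and the role and
entitlement names are this example's own labels.
"""
from dataclasses import dataclass, field

# Pairs of IT functions that the text says one person must not combine.
INCOMPATIBLE_PAIRS = {
    frozenset({"programmer", "computer_operator"}),          # the most critical separation
    frozenset({"systems_analyst", "programmer"}),            # analysts should not program
    frozenset({"application_programmer", "systems_programmer"}),
    frozenset({"data_control_group", "computer_operator"}),  # control group independent of operations
}

# Sub-types of programmer inherit the programmer conflicts.
ROLE_IMPLIES = {
    "application_programmer": {"programmer"},
    "systems_programmer": {"programmer"},
}

# Entitlements a role should not hold (e.g. programmers stay off live data).
FORBIDDEN_ENTITLEMENTS = {
    "programmer": {"production_programs", "production_data"},
    "systems_analyst": {"hardware", "production_programs", "production_data"},
    "computer_operator": {"source_code"},
    "librarian": {"hardware"},
    "end_user": {"production_programs", "production_data"},  # output only
}


@dataclass
class Account:
    user: str
    roles: set
    entitlements: set = field(default_factory=set)


def expand_roles(roles):
    """Add implied roles so that an application programmer is also a programmer."""
    held = set(roles)
    for role in roles:
        held |= ROLE_IMPLIES.get(role, set())
    return held


def review(accounts):
    """Return {user: sorted finding strings}; an empty dict means no SoD exceptions."""
    findings = {}
    for acct in accounts:
        held = expand_roles(acct.roles)
        issues = []
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= held:
                a, b = sorted(pair)
                issues.append(f"incompatible roles: {a} + {b}")
        for role in sorted(held):
            for ent in sorted(FORBIDDEN_ENTITLEMENTS.get(role, set()) & acct.entitlements):
                issues.append(f"{role} should not hold {ent}")
        if issues:
            findings[acct.user] = sorted(issues)
    return findings


# Constructed sample roster.
SAMPLE_ROSTER = [
    Account("alice", {"systems_analyst"}),
    Account("bob", {"application_programmer"}, {"test_data", "production_data"}),
    Account("carol", {"computer_operator", "application_programmer"}),
    Account("dave", {"data_control_group"}),
    Account("erin", {"librarian"}, {"hardware"}),
]

if __name__ == "__main__":
    for user, issues in review(SAMPLE_ROSTER).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Run against a real roster, the output is the exception list an auditor would take to management; anything the organization accepts knowingly should then be paired with a documented compensating control, as the text says collusion is not prevented by segregation alone.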
Some organizational controls can be evaluated by the auditor only by observation, such as whether
documented segregation of duties is actually taking place, whether certain departments are physically
separated, whether access to the library is adequately controlled, and whether access to the computer room
is limited to authorized personnel.
• Job descriptions should exist for all jobs so that there is no doubt about who is responsible for what.
This is the basis for specific authorizations and prohibitions on who should not perform certain duties.
These authorizations and prohibitions are then the basis for logical security, such as password
controls.
• Personnel should be adequately trained in their jobs, and assigned duties should be rotated
periodically for key processing functions.
• Everyone should take a vacation each year and be physically absent from the premises during that
time.
• Physical safeguards should be established over forms such as negotiable instruments and over
sensitive output devices such as signature cartridges. Sequential numbers on individual forms should
be printed in advance so missing forms can be detected.
• The system development and system change processes should be documented in order to provide
reasonable assurance that development of, and changes to, computer programs are authorized,
tested, and approved prior to the use of the program.
The auditors need to determine whether the control group is accountable for data from the time it is received
until it is distributed as output to users. Auditors need to review job rotation schedules as well as vacation
records.
Equipment Controls
• A defined backup procedure should be in place, and the usability of the backups should be verified
regularly.
• Transaction trails should be available for tracing the contents of any individual transaction record
backward or forward, and between output, processing, and source. Records of all changes to files
should be maintained.
• Statistics on data input and other types of source errors should be accumulated and reviewed to
determine remedial efforts needed to reduce errors.
Logical Security
Logical security consists of access and ability to use the equipment and data. Controls over access to data
determine the company’s vulnerability to manipulation of equipment and assets, whether accidentally or
deliberately fraudulent.
Logical access controls are used to identify authorized users and control the actions that they can perform.
User IDs and passwords are the most common way of authenticating users. Security software can be used to
encrypt passwords so that they cannot be read, to require a change of password after a certain period of
time, and to require passwords to conform to a certain structure. Procedures should be established for issuing,
suspending and closing user accounts, and access rights should be reviewed periodically.
Logical security also includes Internet security, firewalls, virus protection procedures and cryptographic
techniques such as encryption of messages and digital signatures. Dial-up connections and other system
entry ports should be controlled so that they cannot be used to reach computer resources without
authorization.
The auditor should evaluate the effectiveness of the logical data security system. Does it provide assurance
that only authorized users have access to data? Is the level of access for each person appropriate to that
person’s need? Is there a complete audit trail whenever data is modified? Finally, is unauthorized access
denied and the attempt reported?
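The auditor's questions above translate into a periodic access review that compares system accounts with the HR roster and the access policy. The block below is an added Python example, not part of the HOCK text; the policy thresholds (90-day password age, 60-day dormancy, 12-character passwords with three character classes), the department-to-rights map and the account and HR data are constructed assumptions.

```python
"""Periodic logical access review.

Added example, not from the HOCK text. The policy thresholds and the
department-to-rights map are assumptions for the example; the account list and
HR roster are constructed sample data.
"""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value
DORMANT_DAYS = 60            # assumed policy value

# Rights each department legitimately needs (assumed for the example).
ENTITLED_BY_DEPT = {
    "payroll": {"payroll_read", "payroll_update"},
    "sales": {"orders_read", "orders_write"},
}


def password_meets_structure(password, min_len=12, min_classes=3):
    """Structure rule of the kind security software can enforce: minimum length
    and at least `min_classes` of lower, upper, digit and symbol characters."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_len and sum(classes) >= min_classes


def review_accounts(accounts, hr_roster, as_of):
    """Compare system accounts with the HR roster and return {user: [findings]}.

    accounts: dicts with user, status ('active'/'suspended'/'closed'),
              last_pw_change (date), last_login (date or None), rights (set)
    hr_roster: {user: {"status": 'active'/'terminated', "dept": str}}
    """
    findings = {}
    for acct in accounts:
        user, issues = acct["user"], []
        hr = hr_roster.get(user)
        if hr is None:
            issues.append("no matching employee record (orphan account)")
        elif hr["status"] == "terminated" and acct["status"] != "closed":
            issues.append("employee terminated but account not closed")
        if acct["status"] == "active":
            if (as_of - acct["last_pw_change"]).days > MAX_PASSWORD_AGE_DAYS:
                issues.append("password older than policy maximum")
            last = acct["last_login"]
            if last is None or (as_of - last).days > DORMANT_DAYS:
                issues.append("dormant account; candidate for suspension")
            if hr is not None:
                excess = acct["rights"] - ENTITLED_BY_DEPT.get(hr["dept"], set())
                if excess:
                    issues.append("rights exceed department need: " + ", ".join(sorted(excess)))
        if issues:
            findings[user] = issues
    return findings


# Constructed sample data.
AS_OF = date(2013, 6, 30)
HR_ROSTER = {
    "pat":   {"status": "active", "dept": "payroll"},
    "quinn": {"status": "active", "dept": "payroll"},
    "rosa":  {"status": "active", "dept": "sales"},
    "sam":   {"status": "active", "dept": "sales"},
    "tom":   {"status": "terminated", "dept": "payroll"},
}
ACCOUNTS = [
    {"user": "pat",   "status": "active", "last_pw_change": date(2013, 5, 1),
     "last_login": date(2013, 6, 28), "rights": {"payroll_read"}},
    {"user": "quinn", "status": "active", "last_pw_change": date(2013, 1, 15),
     "last_login": date(2013, 6, 29), "rights": {"payroll_read", "payroll_update"}},
    {"user": "rosa",  "status": "active", "last_pw_change": date(2013, 6, 1),
     "last_login": date(2013, 3, 1), "rights": {"orders_read"}},
    {"user": "sam",   "status": "active", "last_pw_change": date(2013, 6, 1),
     "last_login": date(2013, 6, 20), "rights": {"orders_read", "payroll_update"}},
    {"user": "tom",   "status": "active", "last_pw_change": date(2013, 6, 1),
     "last_login": date(2013, 6, 25), "rights": {"payroll_read"}},
    {"user": "uma",   "status": "suspended", "last_pw_change": date(2012, 1, 1),
     "last_login": None, "rights": set()},
]

if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS, HR_ROSTER, AS_OF).items():
        print(user, issues)
```

Each finding maps to one of the auditor's questions: orphan and terminated accounts answer "only authorized users have access", the rights comparison answers "appropriate to that person's need", and the password and dormancy checks cover the account issuing, suspending and closing procedures.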
Physical Security
Physical security includes both physical access control and security of the equipment and premises.
Physical access control takes place both within the data center and outside of it. Outside the data center,
for example, certain activities such as changes to employee pay rates can be restricted to terminals physically
located in the payroll department, in addition to requiring password authorization. This would prevent a
person with access to a password but without access to the premises from changing pay rates.
Physical access to the data center should be limited to authorized persons. This can be accomplished through
card access, where a magnetically encoded card is inserted into a reader, and access is either granted or
denied. The card access also provides an audit trail, with date, time, and identity of the person who entered
recorded. Within the data center, physical access can be selectively assigned by establishing zones. For
example, a computer operator might be authorized to enter the computer room but would not be authorized
to enter the tape vault. Zoning can also be used to limit access to certain days of the week and certain times
of the day.
Biometric access systems can be used where the physical security needs to be rigorous. Biometric access
systems use physical characteristics, such as blood vessel patterns on the retina, handprints, and/or voice to
authenticate people for access. There is a low error rate with such systems, but the systems do occasionally
make errors, so these are usually combined with other controls.
Dual access and dual control can be established to require two independent, simultaneous actions before
processing is permitted.
Visitors should be escorted by an IT member when they enter the computer facilities, and a visitor’s log
should be kept and reviewed regularly.
Physical security involves the physical security of equipment and the premises. Fire prevention safeguards
such as a fire alarm system connected to a security center that is manned 24 hours a day, 7 days a week, or
to the fire department, should be installed. The fire alarm system should be tested and fire drills should be
conducted regularly. Smoke detectors should also be placed throughout the building, and a fire suppression
system should be installed.
An alternate power source should be available in case of power loss or brownout. The power source may be
long term, such as a generator that could power the center for a long period of time, or it may be a short
term battery-operated system that would provide enough time to accomplish an orderly shutdown of the
computer system. A large, critical system would require a generator, whereas a short-term solution would be
adequate for a less critical system.
A surge protector should be used on every computer, including PCs, along with a small UPS (uninterruptible
power supply). The UPS gives the operator time to save work in the event of a short power outage. The surge
protector protects the system from voltage spikes that can damage it, such as those that occur during an
electrical storm.
Media library contents should be protected. Responsibilities for storage media library management should be
assigned to specific employees. The file management system should include security considerations. Files
should include backups of current data that can be used in case of a disaster, as well as archive files for
permanent storage. Controls are required so that the files are labeled and stored correctly. Contents of the
media library should be inventoried systematically, so that any discrepancies can be remedied and the
integrity of magnetic media is maintained. Policies and procedures should be established for archiving.
Backup tapes that have become too worn out to use or hard disks that have outlived their usefulness should
be erased before being discarded.
Servers and associated peripherals should be kept in a separate, secure room. Particularly when servers are
located outside of the data center, servers and routers may be found installed in unsecured storage closets.
This is very poor practice, because they can be subject to damage by cleaning people who store their cleaning
supplies in the same closets.
Servers and equipment inside the data center should be kept in rooms with bars on the windows and blinds or
reflective film used on the windows for heat blocking as well as physical protection. There should be a system
in place to monitor hardware components to prevent them being removed from the premises. Offsite backup
tapes should be stored in a secure location.
The auditor’s role is to evaluate the effectiveness of the existing controls and security. For instance, the
internal auditor should review password administration, the levels of authority assigned and the
appropriateness of each person’s authority.
In the area of storage, the auditor should find out how stored magnetic media are labeled (externally as well
as internally), whether there is a tape or disk management or file management system, whether magnetic
media are stored appropriately and copies kept off-site as well as on-site, and whether temperature and
humidity in the storage area are monitored and controlled. It is important for the internal auditor to
determine whether adequate file naming standards have been established, because inadequate file naming
standards can result in accidental deletion of files.
If weaknesses are found in any of the controls, the auditor must state in the report what exposures result
from the inadequate controls.
Question 120: The most critical aspect of separation of duties within information systems is between:
(CMA adapted)
Application Controls
Application controls are controls that are specific to individual applications. They are designed to prevent,
detect and correct errors in transactions as they flow through the input, processing and output stages of
work. Thus, they are broken down into three main categories: input controls, processing controls and output
controls.
1) Input controls should provide reasonable assurance that the data entered into the system has
proper authorization, has been converted to machine-sensible form, and has been identified. Input
controls can also provide some assurance that data (including data sent over communications lines)
has not been lost, suppressed, added or changed in some manner.
In a batch processing environment, there are various controls that can be used to make sure that
data is not lost as it moves from station to station before it reaches the computer. This is more
difficult with a real-time system, because real-time systems do not lend themselves to batch controls.
However, unbatched transactions can be checked.
a. Edit checks are the programs that check the validity and accuracy of input data, such as
checking whether each field has the proper numeric, alphabetic, or alphanumeric format and
whether the information in the transaction is reasonable. There are a number of input controls
that can be built into software applications:
• Error listing. This is simply the process of developing a list of all errors from a run of the
data as well as any uncorrected errors from previous runs. From this information we can
determine what changes need to be made to the system.
• Field checks. This is a check to make sure that an input field contains the correct type of
characters (number or letters). For example, a field check will not allow numbers to be input
into a field for a person’s name.
• Financial totals. This is a total of the amount of money included in a set of records.
• Hash total. This is a total of numbers such as the account numbers that are included in a set
of records or the employee numbers of people who are included in a payroll calculation. This
number can then be compared after processing or transmission in order to test the
completeness of the process.
• Limit and range checks. This is simply a maximum or minimum number for a record. For
example, the number of days worked in a week cannot exceed 7.
• Preformatting. As indicated by the name, this is the system of having a computer screen
appear like a paper form on the screen into which the proper information needs to be placed
into the proper place.
• Reasonableness (or compatibility) test. This tests the logical correctness of information.
For example, does the product code that is input for a sale match one of the codes of the
products available for sale.
• Self-checking digits. This is the process of applying an algorithm to an input field and then
applying the same algorithm to the code already entered to compare them.
• Sequence checks. This checks to make sure that the records are reported or stored in the
correct order (most likely alphabetical or numerical).
• Sign checks. This checks that numbers are correctly positive or negative.
• Validity checks. This compares the input information with a list of correct information (such
as personnel numbers) to make sure that the information being entered is valid.
• Overflow test. This makes sure that if an extra digit or letter is entered into a field, the
operator is informed and able to correct the input.
• Check digits. A check digit is a number that is a part of an account or other type of number.
The check digit is a function of the other digits within the number, determined by a
mathematical algorithm. It can be used to determine whether a number, such as an account
number, has been keyed incorrectly. Check digits are used with credit card numbers and
other account numbers, and they are especially helpful in detecting transposition errors. If the
number is not keyed correctly, the operator will get an error message such as “invalid
account number.”
• Error correction. Error corrections often result in other errors. Before corrections are made,
the error reports should be analyzed and the required action determined. The process should
include updating all files that are involved and readjustment of all balances affected.
b. Key verification is the requirement of inputting information again and comparing the two
inputs. An example would be entering your new password twice into a computer system.
c. A redundancy check is the process of sending additional sets of data to confirm the original
data sent.
d. An echo check is the process of sending the received data back to the sending computer to
compare with what was sent to make sure that it is the same as what was received.
e. Completeness checks of transmission of data determine whether all necessary information has
been sent.
f. Some transactions may be initiated automatically, such as automatic stock reorders or
payments to suppliers. Under normal circumstances, there are controls built into the system.
However, situations can arise that were not anticipated when the controls were designed, and
these can lead to difficulties.
Internal auditors should recognize that input errors are the most common error, and they should
dedicate a significant amount of effort to reviewing input controls. To determine what program
controls such as online edits are included in the system, auditors can interview the programmers, review
program abstracts, examine edit reports, or even review the code.
Auditors can observe balancing procedures, examine documents for authorizations and approvals,
and determine whether key verification or some other means of verification of data entry is being
used for critical data.
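The edit checks and batch control totals described under input controls, as one added Python example (not HOCK material). The batch records, personnel master and limits are constructed; the employee numbers carry a mod-10 (Luhn) check digit, the scheme used on credit card numbers, as the instance of the check-digit control, and the header totals stand for the batch control totals prepared at source from the signed input form.

```python
"""Batch input edit checks with hash and financial totals.

Added example, not from the HOCK text. The records are constructed timecard
data; employee numbers carry a Luhn (mod 10) check digit. Limits, field names
and the personnel master are this example's own assumptions.
"""

def luhn_valid(number):
    """True when the trailing check digit satisfies the mod-10 (Luhn) rule.
    Detects any single keying error and nearly all adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


DAYS_LIMIT = (0, 7)   # days worked in a week cannot exceed 7


def edit_check_record(rec, master, expected_seq):
    """Run the edit checks on one record and return its error list."""
    errors = []
    emp = rec["employee_no"]
    if not emp.isdigit():                              # field check
        errors.append("employee_no: field check (non-numeric characters)")
    elif not luhn_valid(emp):                          # check digit
        errors.append("employee_no: check digit failed (possible transposition)")
    if emp not in master:                              # validity check
        errors.append("employee_no: validity check (not in personnel master)")
    lo, hi = DAYS_LIMIT
    if not lo <= rec["days_worked"] <= hi:             # limit/range check
        errors.append(f"days_worked: limit check ({rec['days_worked']} not in {lo}..{hi})")
    if rec["gross_pay_cents"] < 0:                     # sign check
        errors.append("gross_pay: sign check (negative amount)")
    if rec["seq"] != expected_seq:                     # sequence check
        errors.append(f"seq: sequence check (expected {expected_seq}, got {rec['seq']})")
    return errors


def validate_batch(header, records, master):
    """Edit-check every record, then reconcile the batch control totals prepared at
    source (record count, hash total of employee numbers, financial total)."""
    record_errors, expected = {}, 1
    for rec in records:
        errs = edit_check_record(rec, master, expected)
        if errs:
            record_errors[rec["seq"]] = errs
        expected = rec["seq"] + 1
    batch_errors = []
    if len(records) != header["record_count"]:
        batch_errors.append(f"record count: header {header['record_count']}, received {len(records)}")
    # Hash total: a sum that has no meaning except as a completeness check.
    hash_total = sum(int(r["employee_no"]) for r in records if r["employee_no"].isdigit())
    if hash_total != header["hash_total"]:
        batch_errors.append(f"hash total: header {header['hash_total']}, computed {hash_total}")
    fin_total = sum(r["gross_pay_cents"] for r in records)
    if fin_total != header["financial_total_cents"]:
        batch_errors.append(f"financial total: header {header['financial_total_cents']}, computed {fin_total}")
    return {"record_errors": record_errors, "batch_errors": batch_errors}


# Constructed sample batch. The header totals were prepared from the source
# documents, so they also reveal the keying errors in records 3 and 4.
PERSONNEL_MASTER = {"100123", "100206", "100313", "100404"}
BATCH_HEADER = {"record_count": 4, "hash_total": 401046, "financial_total_cents": 550000}
BATCH_RECORDS = [
    {"seq": 1, "employee_no": "100123", "days_worked": 5, "gross_pay_cents": 125000},
    {"seq": 2, "employee_no": "100206", "days_worked": 8, "gross_pay_cents": 200000},  # 8 days
    {"seq": 3, "employee_no": "100331", "days_worked": 5, "gross_pay_cents": 125000},  # 100313 transposed
    {"seq": 5, "employee_no": "10040X", "days_worked": 4, "gross_pay_cents": -10000},  # bad char, sign, seq
]

if __name__ == "__main__":
    result = validate_batch(BATCH_HEADER, BATCH_RECORDS, PERSONNEL_MASTER)
    for seq, errs in result["record_errors"].items():
        print(f"record {seq}: {errs}")
    print("batch:", result["batch_errors"])
```

Records that fail go to an error listing or suspense file rather than being silently dropped; the batch totals are what catch a record that never arrived at all, which no per-record edit can see.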
2) Processing controls provide some reasonable assurance that processing has been properly
completed as intended, without programming errors or clerical errors, and in a timely manner. There are
a number of tests of processing that are set out below. Processing controls also include physical
security of the equipment. Access to the computer should be permitted only to people who are
authorized to operate the equipment, and operators should be given access only to information they
need to set up and operate the equipment. Programs should be controlled and accessible only to the
computer operators. Programmers should not have uncontrolled access to the computers, data files,
or records.
a. Posting check. Compares the contents of the record before and after updating.
b. Cross-footing. This compares the sum of the individual components to the total figure.
c. Zero-balance check. This is used when a total sum should be 0. All of the numbers are added
together and this is compared to 0.
d. Run-to-run control totals. During a process, critical information is checked to ensure that it
is correct to that point. This allows for the earlier identification of a mistake.
e. Internal header and trailer labels. Properly labeling the data ensures that only the correct
data is processed.
f. Concurrency controls. This is the process of managing the situation when two or more
programs are trying to access the same information at the same time.
g. Key integrity checks. Keys are the characteristics of records that allow them to be sorted. A
key integrity check makes sure that the keys are not changed during data processing.
In reviewing processing controls, the auditor should assess whether the application is processing
input data in an accurate and timely manner, as intended by management, and with no unauthorized
data modifications. This includes:
• Determining whether duties are properly segregated or if not, if compensating controls exist.
• Determining whether transactions are retained so data files can be reconstructed, if necessary.
• Determining whether transaction trails are adequate to trace data back to the point of origin, and
whether the date, terminal ID and responsible person are shown on transaction trails.
• Observing processing and determining what controls exist to make sure that processing options
are set correctly.
• Determining what procedures are followed to reprocess transactions that are in error.
• If a suspense file is used, determining whether suspense items are being cleared in a timely
manner.
• Reviewing operators’ run instructions so that if an operator is unfamiliar with the jobs, they will
be able to complete the necessary tasks.
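Several of the processing tests listed above (zero-balance check, cross-footing, run-to-run control totals and the posting check) in one added Python example, not from the HOCK text. The journal, the expense matrix and the account balances are constructed; amounts are integer cents, and credit balances are held as negative numbers.

```python
"""Processing controls on a general-ledger posting run: zero-balance check,
cross-footing, run-to-run control totals and a posting check.

Added example, not from the HOCK text. Amounts are integer cents; credit balances
are negative. All journal, matrix and balance data are constructed.
"""

def zero_balance_check(entries):
    """Debits minus credits over a journal batch; a correct batch returns 0."""
    return sum(e["debit"] for e in entries) - sum(e["credit"] for e in entries)


def cross_foot(matrix, row_totals, col_totals, grand_total):
    """Compare each row and column against its stated total, then check that the
    row totals and the column totals both foot to the grand total."""
    problems = []
    for name, row in matrix.items():
        if sum(row) != row_totals[name]:
            problems.append(f"row {name}: sums to {sum(row)}, stated {row_totals[name]}")
    for j, stated in enumerate(col_totals):
        col_sum = sum(row[j] for row in matrix.values())
        if col_sum != stated:
            problems.append(f"column {j}: sums to {col_sum}, stated {stated}")
    if sum(row_totals.values()) != grand_total:
        problems.append("row totals do not foot to grand total")
    if sum(col_totals) != grand_total:
        problems.append("column totals do not foot to grand total")
    return problems


def control_total(entries):
    """Control figures carried from run to run: record count and net amount."""
    return len(entries), sum(e["debit"] - e["credit"] for e in entries)


def run_to_run(stages, entries):
    """Apply each (name, function) stage; after every stage recompute the control
    total and compare it with the figure handed over from the previous stage."""
    log = []
    carried = control_total(entries)
    for name, stage in stages:
        entries = stage(entries)
        now = control_total(entries)
        log.append((name, carried == now))
        carried = now
    return log


def posting_check(before, entries, after):
    """Recompute what each balance should be after posting and return the
    accounts whose recorded balance differs."""
    expected = dict(before)
    for e in entries:
        expected[e["acct"]] = expected.get(e["acct"], 0) + e["debit"] - e["credit"]
    return [a for a in sorted(set(expected) | set(after)) if expected.get(a) != after.get(a)]


# Constructed sample data.
JOURNAL = [
    {"acct": "1000", "debit": 50000, "credit": 0},
    {"acct": "4000", "debit": 0, "credit": 50000},
    {"acct": "5000", "debit": 12000, "credit": 0},
    {"acct": "2000", "debit": 0, "credit": 12000},
]
EXPENSE_MATRIX = {"sales": [1000, 2000, 500], "ops": [3000, 1500, 700]}
ROW_TOTALS = {"sales": 3500, "ops": 5200}
COL_TOTALS = [4000, 3500, 1300]          # third column keyed wrongly; should be 1200
GRAND_TOTAL = 8700
BEFORE = {"1000": 10000, "2000": -5000, "4000": -20000, "5000": 8000}
AFTER = {"1000": 60000, "2000": -17000, "4000": -70000, "5000": 2000}   # 5000 posted wrongly

# A passing stage and a deliberately defective one that loses a record.
STAGES = [
    ("sort by account", lambda es: sorted(es, key=lambda e: e["acct"])),
    ("post (defective: drops last record)", lambda es: es[:-1]),
]

if __name__ == "__main__":
    print("zero balance:", zero_balance_check(JOURNAL))
    print("cross-foot:", cross_foot(EXPENSE_MATRIX, ROW_TOTALS, COL_TOTALS, GRAND_TOTAL))
    print("run-to-run:", run_to_run(STAGES, JOURNAL))
    print("posting check:", posting_check(BEFORE, JOURNAL, AFTER))
```

The run-to-run log shows the point at which a record was lost, which is exactly the earlier identification the text credits the control with; the posting check finds the wrongly updated account even though the journal itself balanced.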
3) Output controls provide some reasonable assurance that the processing result (e.g., account
listings or displays, reports, files, invoices or disbursement checks) is accurate and that only
authorized personnel receive the output. Controls should be in place to make sure that the output
information is sent to the right people, that it is accurate and is sent in a timely manner and that the
proper reports are retained for the appropriate time period. The output of the system is supervised
by the data control group.
One type of output control is forms control, such as physical control over company checks. Checks
should be kept under lock and key, and only authorized persons should be permitted access. In
addition, because checks are prenumbered, the preprinted check number on the form must match the
computer-generated number that is also printed on the check. The preprinted numbers on the
checks are sequential, and the computer-generated numbers also are sequential. If the starting
computer-generated number does not match the first check in the stack, it must be investigated
because it could mean that one or more checks are missing. Any other prenumbered forms should be
controlled in the same manner as checks.
Output control also concerns report distribution. For example, a payroll register with all the
employees’ social security numbers and pay rates is confidential information and thus its distribution
must be restricted. There should be an authorized distribution list, and only enough copies of the
report to permit one report to be distributed to each person on the list should be processed. For a
confidential report, it is preferable to have a representative pick the report up personally and sign for
it. If this is not possible, a bonded employee can be used to hand deliver the reports. Random
checks on this distribution should be made by the employee’s supervisor.
Note: Confidential reports should be shredded when they are no longer needed.
Output control also includes the handling of exceptions when transactions are rejected. If the trans-
action is correct, the problem could be an equipment malfunction or operator error. Error logs should
be sent to the proper people for investigation and correction.
• Determine whether output is supervised by a data control group. The control group (or the user)
should balance and reconcile the output.
• Determine whether reports are relevant, timely, reliable, and sorted properly.
• Determine whether an up to date distribution list is maintained for all reports, whether there is
an output log, if reports are being lost or misrouted, and if a user control group has a checklist to
determine whether all reports have been received.
• Determine whether it is possible to create extra copies of reports without having to rerun the
entire process.
• Determine whether dual-custody controls are being used to protect negotiable documents such
as checks and stock certificates and sensitive outputs such as payroll listings.
• Review retention policies for outputs such as hard copy reports. Auditors should also determine
whether reports are being properly disposed of (shredded).
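The check-number sequence control described under forms control, as an added Python example that is not HOCK material. The check numbers and the void record are constructed; the rule applied is the one stated in the text: the first computer-assigned number must match the first form in the stack, and every break in the sequence must be accounted for.

```python
"""Prenumbered-form control for a check run.

Added example, not from the HOCK text. Check numbers and the void list are
constructed sample data.
"""

def check_run_exceptions(first_form_in_stack, assigned_numbers, voided=frozenset()):
    """Compare computer-assigned check numbers with the physical check stock.

    Returns a list of (kind, detail) tuples: 'start_mismatch', 'gap' (forms
    missing without a void record), 'duplicate' and 'out_of_sequence'."""
    findings = []
    if not assigned_numbers:
        return findings
    first = assigned_numbers[0]
    if first != first_form_in_stack:
        findings.append(("start_mismatch",
                         f"stack begins at {first_form_in_stack} but run printed {first} first"))
        missing = [n for n in range(first_form_in_stack, first) if n not in voided]
        if missing:
            findings.append(("gap", missing))
    for prev, cur in zip(assigned_numbers, assigned_numbers[1:]):
        if cur == prev:
            findings.append(("duplicate", cur))
        elif cur < prev:
            findings.append(("out_of_sequence", cur))
        elif cur != prev + 1:
            # A break inside the run is acceptable only for forms recorded as void.
            missing = [n for n in range(prev + 1, cur) if n not in voided]
            if missing:
                findings.append(("gap", missing))
    return findings


# Constructed sample: the stack begins at 10450, two forms are unaccounted for,
# 10455 was voided and logged, and 10457 was printed twice.
FIRST_FORM = 10450
ASSIGNED = [10452, 10453, 10454, 10456, 10457, 10457, 10458]
VOIDED = {10455}

if __name__ == "__main__":
    for kind, detail in check_run_exceptions(FIRST_FORM, ASSIGNED, VOIDED):
        print(kind, detail)
```

Every finding is an exception for the data control group to investigate before the checks leave dual custody; a gap that matches the void log is not reported, because that is the documented case the text allows.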
Question 121: Electronic data processing control procedures are classified as general controls or
application controls. The primary objective of application controls in a computer environment is to:
b) Maintain the accuracy of the inputs, files and outputs for specific applications.
d) Plan for the protection of the facilities and backup for the systems.
(CMA Adapted)
Question 122: Payroll master file updates are sent from a remote terminal to a mainframe program on a
real-time system. A control that works to ensure accuracy of the transmission is a(n):
a) Echo check.
b) Protection ring.
c) Hash total.
(CIA Adapted)
Question 123: When assessing application controls, which one of the following input controls or edit
checks is most likely to be used to detect a data input error in a customer account number?
a) Limit check.
b) Validity check.
c) Control total.
d) Hash total.
(CIA Adapted)
Question 124: Omen Company is a manufacturer of men’s shirts. It distributes weekly sales reports to
each manager. The quantity 2Z5 appeared in the quantity sold column for one of the items on the weekly
sales report for one of the sales managers. The most likely explanation is that:
c) The printer has malfunctioned and the “Z” should have been a decimal point.
d) The program did not contain a data checking routine for input data.
(CIA Adapted)
Question 125: Which of the following statements accurately describes the impact that automation has on the
controls normally present in a manual system?
a) Transaction trails are more extensive in a computer-based system than in a manual system
because there is always a one-for-one correspondence between data entry and output.
c) Controls must be more explicit in a computer-based system because many processing points that
present opportunities for human judgment in a manual system are eliminated.
(CIA Adapted)
Control Frameworks
Information system (IS) internal control frameworks are based upon two documents:
1) The report of the Committee of Sponsoring Organizations, Internal Control – Integrated Framework
(COSO), and
2) Control Objectives for Information and Related Technology (COBIT), authored by the IT Governance
Institute and published by the Information Systems Audit and Control Association (ISACA).
In Internal Control – Integrated Framework, internal control is defined as a process designed to provide
reasonable assurance that the company’s objectives will be achieved in the areas of effectiveness and
efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
According to that document, the internal control system is the responsibility of the company’s board of
directors, management and other personnel. It should consist of five interrelated components:
2) Risk assessment,
3) Control activities,
Control Objectives for Information and Related Technology defines control as “the policies, procedures,
practices, and organizational structures designed to provide reasonable assurance that business objectives
will be achieved and that undesired events would be prevented or detected and corrected.” 19 “COBIT is a tool
that allows managers to communicate and bridge the gap with respect to control requirements, technical
issues, and business risk.” 20 The COBIT control framework links the goals of the business with the goals of IT
so that IT resources are able to provide the information that the enterprise needs to achieve its objectives.
COBIT has become an IT governance tool that helps management implement adequate controls over IT
processes.
18 Internal Control − Integrated Framework, copyright 1992, 1994 by the Committee of Sponsoring Organizations of the
Treadway Commission, two volume edition 1994, Vol. 1, pp. 3-5.
19 Control Objectives for Information and Related Technology (COBIT) 3rd Edition, copyright 2000, IT Governance Institute,
www.itgi.org.
20 COBIT 3rd Edition, pg. 7.
Common exposures to loss include competitive disadvantage, deficient revenues, loss of assets, inaccurate
accounting, business interruption, statutory sanctions, erroneous management decisions, fraud and
embezzlement, and excessive costs. These are exposures to loss that result from a failure to implement
proper internal controls.
The ultimate responsibility for internal control lies with management and the board.
Further, controls should be subjected to cost/benefit analysis. This means that management should not spend
more on controls than the amount expected to be received in benefits from the controls. This is a matter of
judgment on the part of management to determine what is required to attain reasonable assurance that
the control objectives will be met without spending more than can possibly be gained.
Even though COSO and COBIT are both based on the internal control of information systems, COBIT is
specifically focused on IT controls, whereas COSO provides entity-wide control guidance.
COBIT was designed with three distinct audiences in mind. These targeted audiences are:
1) Management. Managers need to be able to balance risk and control investments in the often-volatile
IT environment.
2) Users. The system’s users need assurance about the security of, and controls over, internal and
third party IT services.
3) Information Systems Auditors. IT auditors must be able to substantiate their opinions conveyed
to management and others about the state of internal controls.
The best way to understand COBIT is to view it as a three-dimensional framework (shown on the next page).
The three parts of the framework are Information Criteria, IT Processes and IT Resources.
1) Information Criteria are the minimum standards necessary to meet the business goals. Information
Criteria has three parts, consisting of:
• Fiduciary requirements include the effectiveness and efficiency of operations, reliability of
information, and compliance with laws and regulations.
2) IT processes are required in order to ensure that the information is properly gathered and meets
the Information Criteria. The IT processes are organized into four stages (domains):
• The Planning and Organization stage concerns integration of the IT processes into the organization
and communication of overall business objectives. It covers how IT can be used in a
company to help achieve the company’s goals and objectives as well as the organizational form
that IT should take in order to maximize its benefits.
• The Acquisition and Implementation stage is where solutions are acquired or developed and
eventually implemented. It covers identifying the requirements for IT, acquiring the technology,
and implementing it. It also provides guidance for developing and adopting a maintenance program
in order to prolong the life of the IT system.
• The Delivery and Support stage will include training of staff, maintaining security, and controlling
the actual delivery of services such as the execution of the applications within the IT system.
• The Monitoring stage includes getting feedback so that management is able to assess the IT
needs of the company and whether or not the current IT system still meets the business objectives
for which it was designed. It also involves assessing controls.
3) IT Resources are required for information to be obtained. The required resources will include:
• People – Staff needs to have the proper skills, awareness and productivity to plan, organize, acquire,
deliver, support and monitor information systems and services.
• Technology – This covers the hardware, operating systems, database management systems,
networking, etc.
• Facilities – These are the resources necessary to house and support the information system.
• Data – Data can be of any form, i.e., external or internal, structured or unstructured, graphics,
sound, etc.
The four stages (domains) mentioned in Item 2 above contain a total of 34 IT processes. The purpose of the
IT processes is laid out by 318 specific, detailed control objectives. A detailed listing of the 34 IT
processes is presented in Appendix A.
It is not necessary to memorize these 34 IT processes, or the 318 detailed control objectives. It is only
necessary to know that COBIT exists to help management achieve its business objectives.
[Figure: COBIT Components – the three dimensions of the framework: Information Criteria; IT Processes
(Domains, Processes, Activities); and IT Resources (Application Systems, Technology, Facilities, Data, People).]
a) It is a tool that allows management to communicate and bridge the gap with respect to control
requirements, technical issues, and business risk.
(HOCK)
Question 127: COSO and COBIT are concerned with providing reasonable assurance that company
objectives will be achieved. What is the primary difference between the two control systems?
b) COBIT focuses on entity-wide internal controls, whereas COSO is focused specifically on the control
of international transactions.
c) COSO addresses internal controls on an entity-wide basis, whereas COBIT focuses specifically on IT
controls.
(HOCK)
Under the CIO, Information Operations are further divided into departments based on the size of the
business. As an example, here is one way that the IT functions might be divided:
• Operations – responsible for the day-to-day functions such as data entry, computer and network
setup and configuration, and the internal help desk.
• Systems Development – responsible for planning and development of new IT systems, beginning
with the initial analysis through programming and testing.
• Security – responsible for ensuring that all information systems are secure, including contingency
planning and disaster recovery.
• Data and Databases – responsible for overseeing the company’s databases and policies, including
who has access to the data.
• Technical Support – responsible for providing support to all of the Information Operations, including
user training.
The most important consideration when auditing the functional areas of a business’s Information Operations is
to be sure that the segregation of duties is appropriate and that all general and application controls are in
place and effective. The auditor must understand the IT environment, the division of the departments, and
the roles of the key individuals in the departments. The auditor also needs to know what functions, if any, are
outsourced. While reputable vendors most likely will not need to be audited, it may be helpful for the auditor
to understand how the outsourced functions operate and connect with the business.
Systems Development
When an entire business processing system is designed from the ground up, this is called business
reengineering. In developing a new computer system, positive results are more frequently obtained when
the systems development process is structured, documented, and controlled. Following such a process
decreases the chance of the expensive mistake of building a system that does not function as needed to
support the business.
Therefore, the systems approach to problem-solving is used in the development of large, highly structured
application systems. Using the systems approach to develop an information system solution involves a
process called the systems development life-cycle approach (SDLC, or systems approach), which is
based on the assumption that any information system has a limited life because of the ever-changing needs
of an organization and changes in technology. A new lifecycle begins when it is identified that the current
system is no longer adequate. The systems development life cycle involves planning, analysis, design and
implementation and provides a framework for planning and controlling the detailed activities involved in
systems development.
General characteristics of the systems approach include: (1) development by a project team, which
usually includes systems analysts, programmers, accountants and representatives of the end users, and (2)
an information systems steering committee that works with the project team. This committee should
be comprised of senior level managers that provide high level planning and establish priorities. The
information systems steering committee should have at least one auditor to ensure that the new system will
have adequate controls and will be auditable. The internal auditor also needs to make sure that the
development follows the organization’s procedures for systems development.
The steps that are involved in the process are broken down differently depending on the exact methodology,
but the main steps are:
Project Definition:
Statement of Objectives
Systems Investigation and Feasibility Study
Project Initiation:
Systems Analysis
Systems Design
Systems Implementation
Systems Evaluation
1) Statement of Objectives. A proposal is prepared, including the need for the new system, the
support for it within the organization and timing issues in terms of need and employee availability.
2) Systems Investigation and Feasibility. A study determines whether a new or improved system is
a feasible solution. The study should include an analysis of the existing system to determine whether
a new system is really needed, or whether the existing system can be fixed. Control deficiencies in
the existing system identified in previous audits should also be considered. Three feasibility studies
are needed:
a. Technical feasibility — Answers the questions, “Is the necessary hardware available, and is
the necessary software available? If not, can it be developed in the required time?”
i. The cost-benefit analysis must include both tangible and intangible costs and benefits.
If costs and benefits can be quantified, they are considered tangible. If they cannot be
quantified, they are considered intangible.
ii. Tangible costs are the costs of hardware, software, salaries and other costs necessary to
develop the new system.
iii. Tangible benefits include increased sales and profits, lower maintenance and operating
costs, lower personnel costs, increased profitability or decreased investment in inventory.
iv. Intangible costs could include loss of customer goodwill or employee morale created by
problems arising from the new system.
v. Intangible benefits involve better customer service, improved employee morale or better
information availability for management.
A financial evaluation of the new system is a necessary tool for determining whether the benefits
outweigh the costs of the new system. The methods to financially evaluate a system will be
the same as with any capital investment project. These investment evaluation methods are:
• Payback period – The payback period is the length of time it takes for the project to recover
its initial project investment. A project would be considered acceptable if its expected
payback is within a certain period of time (e.g. four years). If the payback were longer than
four years, then the project would not be considered acceptable.
• Return on Investment (ROI) – The ROI of the project is simply measuring the return on
investment during the project’s life. The equation is:
• Net Present Value (NPV) – The project’s cash inflows and cash outflows are discounted
to their present value to reflect the time value of money. If the NPV is equal to or greater
than zero, then the project should be considered viable and accepted. Otherwise, the project
would most likely be rejected.
• Internal Rate of Return (IRR) – This is the discount rate at which the NPV of an investment
will be equal to 0. An IT project would be considered viable if the IRR exceeds a target
minimum rate of return (greater than the organization’s cost of capital).
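The four evaluation methods above, applied to a constructed IT project cash-flow stream; this is an added example, not part of the HOCK text. The ROI definition used (total inflows less the investment, divided by the investment) and the even spread of inflows within a year for the payback pro-rating are assumptions of this example, since the text does not reproduce its ROI equation.

```python
"""Financial evaluation of an IT project: payback period, ROI, NPV and IRR
computed on a constructed cash-flow stream. Added example, not part of the
HOCK text. ROI is taken here as (total inflows - investment) / investment, an
assumed definition because the text does not reproduce its equation."""


def payback_period(investment, inflows):
    """Years needed for cumulative inflows to recover the initial investment.

    The final year is pro-rated, assuming inflows arrive evenly within a year
    (an assumption of this example). Returns None if never recovered."""
    cumulative = 0.0
    for year, cash in enumerate(inflows, start=1):
        if cumulative + cash >= investment:
            return (year - 1) + (investment - cumulative) / cash
        cumulative += cash
    return None


def roi(investment, inflows):
    """Return on investment over the project's life (assumed definition, see above)."""
    return (sum(inflows) - investment) / investment


def npv(rate, investment, inflows):
    """Net present value: outflow today, inflows discounted at the end of each year."""
    return -investment + sum(cash / (1 + rate) ** t for t, cash in enumerate(inflows, start=1))


def irr(investment, inflows, lo=-0.99, hi=10.0, tol=1e-10):
    """Discount rate at which NPV equals zero, found by bisection.

    Assumes a single sign change of NPV over [lo, hi]; returns None otherwise."""
    f_lo, f_hi = npv(lo, investment, inflows), npv(hi, investment, inflows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, investment, inflows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def evaluate_project(investment, inflows, cost_of_capital, max_payback_years):
    """Apply the four tests described in the text and report each verdict."""
    pb = payback_period(investment, inflows)
    project_npv = npv(cost_of_capital, investment, inflows)
    project_irr = irr(investment, inflows)
    return {
        "payback_years": pb,
        "payback_ok": pb is not None and pb <= max_payback_years,
        "roi": roi(investment, inflows),
        "npv": project_npv,
        "npv_ok": project_npv >= 0,
        "irr": project_irr,
        "irr_ok": project_irr is not None and project_irr > cost_of_capital,
    }


# Constructed figures: a 100,000 system with four years of net benefits.
INVESTMENT = 100_000.0
INFLOWS = [30_000.0, 40_000.0, 50_000.0, 20_000.0]
COST_OF_CAPITAL = 0.10
MAX_PAYBACK_YEARS = 4

if __name__ == "__main__":
    for name, value in evaluate_project(INVESTMENT, INFLOWS, COST_OF_CAPITAL, MAX_PAYBACK_YEARS).items():
        print(f"{name:>14}: {value}")
```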
c. Operational feasibility asks, “Will the proposed system work?” For example, are management,
employees, customers and suppliers willing to operate, use and support the new system?
If the software is too difficult to use, it may prevent people from using it and/or create many
errors in its use.
Note: The internal auditors’ part in the feasibility study should be one of being mindful of the organization’s
objectives. They should make sure that the study is done by a group of representatives of all
departments that will be affected, and that at least one member is an expert in hardware and software
capabilities. Specifications for the new system should include projections of future growth in volume.
a. First, an organizational analysis or a systems survey is done to learn about the organization,
its management, employees, business, the other systems it interacts with, and its current
information system. The analyst must first understand the existing system and its strengths and
weaknesses before any changes can be proposed. This will involve personnel at all levels in the
organization and it is imperative that the employees support the project, otherwise the study will
not be effective.
b. Second, we identify the users’ information requirements and functional requirements.
Information requirements relate to the decisions that are made by users, their needs in terms of
inputs and outputs, database needs and characteristics of the system’s operation. Functional
requirements are those not tied to the hardware, software, network, data and people resources.
Functional requirements may include user interface requirements for data entry, processing
requirements such as automatic calculations, storage requirements such as databases for fast
retrieval, and control requirements such as error messages in data entry.
c. Identification of the system requirements to fulfill the information needs of the user is completed,
i.e., how it will accomplish the users’ needs.
d. Evaluation of alternative designs for the proposed system using cost-benefit analysis.
e. The final step of the systems analysis is preparation of a systems analysis report, which documents
the system specifications and the conceptual design of the proposed system.
4) Systems Design and Development. This involves translating the conceptual design of the system
into the physical design of the system. Phases in systems design and development include:
a. Detailed design specifications are developed, working backwards from the desired outputs to the
required inputs. This is top-down design, starting at the top level of output goals and working
down to the necessary details that will enable the system to meet those goals.
b. The processing requirements are assessed. The question is considered, “What processes will be
necessary to convert the available inputs into the desired outputs?” This involves determining
the workflow, what and where programs and controls are needed and what are the necessary
hardware, backups, security measures and data communications.
c. The storage component needs to be evaluated, as well, i.e., how much use of stored data is required
and how much data must be created and stored for future use. The database is designed
and data dictionaries that document the specific contents of a database (fields and field descriptions)
are written.
d. Preparation of the systems design report is done next. The systems design report includes everything
that is necessary to implement the proposed system: input requirements, processing
specifications, output requirements, control provisions and cost estimates.
e. Documentation is the process of writing all of the manuals, forms and other materials that will
be needed by the users and maintenance IT staff. Control over the documentation process is as
important as the documentation itself, in order to ensure that the documentation is completed
adequately.
g. The final step is the program development. This is the process of coding the program(s) to
meet the required specifications.
The modular, or structured programming, approach to designing the system may be used.
Structured programming involves developing design standards for the way the programmers
should use the programming language and stylistic guidelines as well as how the programs
should fit together. Using structured programming, each module can be coded by a different
person, which leads to increased security because no single person knows the entire
program. It also enables completion of the program in less time, because different people can
be working on different parts of the program simultaneously. Furthermore, structured
programming makes it easier to upgrade and adapt the parts of the program at a later time.
5) Systems Implementation. This involves acquisition of resources for the new system and its initial
operation. The new system is implemented, data files are converted, end users are trained and
follow-up occurs to determine whether previous weaknesses have been eliminated and whether or not
any new problems have arisen.
Controls that should be a part of any system conversion include things such as record counts, reviewing
reports, hash totals, and reconciliations.
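The conversion controls just named (record counts, hash totals and a reconciliation, with a control total added) run over a constructed payroll master file and two faulty conversions of it. This is an added example, not from the HOCK text; the records and the choice of employee number as the hashed field are constructed.

```python
"""Conversion controls: record counts, hash totals, control totals and a
reconciliation between the old master file and the converted file. Added
example, not part of the HOCK text; the payroll records are constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PayrollRecord:
    employee_no: int    # identifier: its sum is meaningless, which is what makes it a hash total
    gross_pay: Decimal  # monetary amount: its sum is meaningful, a control total


def batch_totals(records):
    """The three totals taken on the old file and again on the converted file."""
    return {
        "record_count": len(records),
        "hash_total": sum(r.employee_no for r in records),
        "control_total": sum((r.gross_pay for r in records), Decimal("0")),
    }


def reconcile(old_records, new_records):
    """Compare the totals, then explain any difference at the record level."""
    old_totals, new_totals = batch_totals(old_records), batch_totals(new_records)
    out_of_balance = [name for name in old_totals if old_totals[name] != new_totals[name]]
    old_by_no = {r.employee_no: r for r in old_records}
    new_by_no = {r.employee_no: r for r in new_records}
    common = set(old_by_no) & set(new_by_no)
    return {
        "balanced": not out_of_balance,
        "out_of_balance": out_of_balance,
        "missing": sorted(set(old_by_no) - set(new_by_no)),   # dropped during conversion
        "added": sorted(set(new_by_no) - set(old_by_no)),     # appeared with no source record
        "altered": sorted(n for n in common if old_by_no[n] != new_by_no[n]),
    }


# Constructed old master file.
OLD_FILE = [
    PayrollRecord(1001, Decimal("2500.00")),
    PayrollRecord(1002, Decimal("3100.50")),
    PayrollRecord(1003, Decimal("1875.25")),
    PayrollRecord(1004, Decimal("4200.00")),
]
# Conversion 1: the last record was lost, so all three totals disagree.
DROPPED_RECORD = OLD_FILE[:3]
# Conversion 2: employee 1003 was re-keyed as 1030. Record count and control
# total still balance; only the hash total reveals the error.
MISKEYED_ID = [OLD_FILE[0], OLD_FILE[1], PayrollRecord(1030, Decimal("1875.25")), OLD_FILE[3]]

if __name__ == "__main__":
    print("old file totals:", batch_totals(OLD_FILE))
    print("dropped record :", reconcile(OLD_FILE, DROPPED_RECORD))
    print("mis-keyed id   :", reconcile(OLD_FILE, MISKEYED_ID))
```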
The system conversion can be done on a parallel basis, on a phased basis, by a direct conversion
(plunge) to the newly developed system, or by a pilot operation.
a. In a parallel operation, both the old and the new systems are run together for a period of time
to make certain that the new system is functioning properly. This method is the least risky but
requires the most effort, because double work has to be done. If a parallel conversion is not
done, the need for review during the first few days of the implementation is even more critical.
b. In a phased, or modular, conversion, only parts of a new application or only a few locations at
a time are converted, allowing the implementation to take place gradually. The full conversion
takes additional time because of the need to implement the new system in each location.
c. Similar to a phased or modular conversion is a pilot conversion, where the new system is tested
in just one department or work site before full implementation.
d. A plunge (direct conversion) is accomplished by simply changing over from one system to
another and starting to use the new system exclusively. This is the most risky conversion
method.
e. One of the most important parts of the conversion is the training of the users in the new system,
which should be approached with the goal of reducing the users’ resistance to the new
system. The implementation of new methods of working results in a learning curve, which
means that users will make mistakes as they are adjusting to and learning the new system. As
experience is gained, these errors usually diminish. However, the learning curve can point out
areas where a system can be improved.
f. As they are learning how to use the new system, users will also be testing the new system to
make sure that it will meet their needs. The end users, along with information systems personnel,
will perform troubleshooting on the new system to identify problems and work out
solutions for the problems.
6) Systems Evaluation and Maintenance. A post-implementation review will be conducted to ensure
that the new system meets the objectives established for it. A maintenance process is utilized to correct
errors. In addition to continual monitoring, the system will be audited to make sure it continues
to operate properly.
Maintenance also includes modifying the system as necessary to adapt to changing needs. Modifications
of the system should be subjected to controls, as well. All modifications should be authorized
by management, should be made in accordance with the same systems development procedures
used to develop the system, and should be tested fully and approved by the user as well as the IT
management. A full systems test should be performed in order to ensure that the changes work as
planned and that they do not cause unintended results.
Question 128: The process of monitoring, evaluating, and modifying a system as needed is referred to
as systems:
a) Analysis
b) Feasibility study
c) Maintenance
d) Implementation
(CMA adapted)
Question 129: Which of the following should be emphasized before designing any system elements in a
top-down approach to new systems development?
(CIA Adapted)
Question 130: An insurance firm that follows the systems development life-cycle (SDLC) concept for all
major information system projects is preparing to start a feasibility study for a proposed underwriting
system. Some of the primary factors that the feasibility study should include are:
c) Possible vendors for the system and their reputation for quality.
(CIA Adapted)
Question 131: A new information system application is requested by a firm’s management. It will be
designed, programmed, and implemented in-house. Upon cutover, results will be provided to the
appropriate users. With this sequence of events, what strategy should be used for determining the
requirements of the new application?
a) Determine the amount of uncertainty associated with developing such an application and its
potential for success.
b) Make an evaluation of the costs and benefits expected from the application.
c) Evaluate the degree of the structured, unstructured and semi-structured decisions resulting from
the application.
d) Interview the users, evaluate existing applications, and develop a prototype of the proposed
application.
(CMA Adapted)
a) Programming
b) Conceptual design
c) Analysis
d) Implementation
(CMA Adapted)
Question 133: The analysis tool for the systems analyst and steering committee to use in selecting the
best systems option is:
a) User selection
b) Cost-benefit analysis
d) Systems design
(CMA Adapted)
Question 134: A possible alternative to parallel operations when converting to a new system is:
a) A pilot operation.
b) To perform a walkthrough.
(CMA Adapted)
Question 135: An MIS manager has only enough resources to install either a new payroll system or a new
data security system, but not both. Which of the following actions is most appropriate?
(CISA adapted)
To demonstrate the difference between an object and a class, consider a very simple view of the IIA
registration system. The class Member defines the properties and actions available to any member of the IIA.
The properties of the Member class might include various information such as name, address, birth date,
education level completed, exams passed, certificates granted, etc. The Member class would also have
various operations available on it, such as changing address, marking exams as passed, marking that a
member has received his or her certificate, etc. So, each IIA member would be an object of the Member
class. There may be tens of thousands of Member objects, but only one Member class that defines what it
means to be an IIA member.
A complex system could have hundreds of classes and millions or billions of objects. For example, a trucking
company might have a class Warehouse and class Truck. Perhaps this company has 5 warehouses and 37
trucks, so their system would have 5 Warehouse objects and 37 Truck objects. The Warehouse class might
have operations to load and unload a truck, clock workers in and out (Employees could be yet another class),
receive cargo from an adjacent rail line (the Train class, perhaps), etc. The Truck class would have
information such as what cargo is loaded, operations to load and unload cargo, indicate that the truck is
moving to another warehouse, etc.
The above example shows both how OOAD can help to think of a problem in terms of real-world information
and scenarios, and then how the program can be designed in terms of the real world objects and their
interactions. Another benefit of OOAD is that classes developed for one application can be re-used in another.
For example, if the trucking company expands to use ocean ports in addition to warehouses, they will be able
to re-use the Warehouse class because a port and a warehouse have many things in common. This is called
inheritance when new classes are made by starting with the features of another class, called the parent
class. Thus, future software development can benefit greatly from OOAD done during previous projects.
Some popular object-oriented programming languages include C++, C#, Java, Objective-C, Perl, PHP,
Python, Ruby and VB.NET. Even some older languages such as COBOL and Pascal have been reworked to
include object-oriented features.
Prototyping is an iterative process. Initially, user requirements are estimated and implemented in a
prototype, which is then tried out by the users. As a result, user requirements may be modified or new
requirements may be recognized, and the program is revised to incorporate the new or modified
requirements. The process continues until the users are satisfied.
Advantages of prototyping:
• It is useful when it is difficult to know in advance what the user requirements are.
• It allows users to try a system before extensive development costs are incurred.
Disadvantages of prototyping:
• A system might be accepted as final before it is actually finished, and thus the program may lack
important testing, documentation and controls when put into service.
• A process that entails frequent changes is difficult to manage and control. It might never be finished,
because users continue to request minor changes.
Advantages of RAD:
• When used in conjunction with prototyping, RAD enjoys the same benefits as prototyping.
• Systems can be built more rapidly by reusing existing software components than by designing
everything from scratch.
Disadvantages of RAD:
• When used in conjunction with prototyping, RAD suffers the same drawbacks as prototyping.
• Choosing the wrong RAD tools may slow development or lead to systems that cannot be completed
without a costly conversion to a different RAD framework.
Question 136: A systems development approach used to quickly produce a model of user interfaces, user
interactions with the system and process logic is called:
a) Neural networking
b) Prototyping
c) Reengineering
d) Application generation
(CIA Adapted)
The documentation of programs (and the computer system as a whole) should be in a limited and controlled
access area. There should also be a set standard for the coding, modification and flowcharting procedures.
The auditors consider documentation to be an important internal control activity. The different types of
documentation are:
• System documentation includes narrative descriptions, flowcharts, input and output forms, file and
record layouts, controls, the authorizations of any changes and backup procedures.
• Program documentation includes the description of the programs, program flowcharts, program
listings of source code, input and output forms, change requests, operator instructions and controls.
• Operating documentation provides the information about the actual performance of the program.
• Procedural documentation provides information about the master plan and the handling of files.
• User documentation includes all of the necessary information for a user to use the program.
Any changes to existing programs or systems must be strictly controlled (change controls) and all changes
should be required to be authorized by the appropriate personnel. When a system or program is changed, the
changes should not be made to the actual program that is being used, but rather to a copy. Only the librarian
should have the authority to move the program with its changes into the processing environment. Security
software should be used to “lock out” programmers from the production library. Any changes must also be
properly reflected in all of the related documentation.
A history, or an audit trail, of all program changes should be maintained, and individuals who have
authorized, initiated, and implemented the changes should be listed in the audit trail. Without the proper
signatures, the librarian should not implement a change.
Detailed listings of each line of source code that has been changed should also be available. When a program
does not function correctly, it is frequently due to a recent change. The prior version of the changed code
should be retained so that the cause of an error can be quickly identified.
Updates to vendor-supplied packages can cause problems if the organization has done any customizing of the
program. Installation of a new release will cause the organization’s custom changes to be lost, so these
“in-house” changes must be identified so they can be reinstalled on top of each new upgrade release. If a good
audit trail of program changes does not exist, it will be very difficult to do this.
Another concern with vendor update releases when in-house changes have been made is that these changes
may need to be not only reinstalled, but completely rewritten. The changes made to the prior release of the
program might not work properly with the vendor’s new release.
When changes are being tested, they should be tested not only by using correct information, but also by
using incorrect information to make sure that the program will detect any errors and has the necessary
controls.
• Test data should test all branches of the program, including the program’s edit capabilities. The
edit function includes sequence checks, valid field tests, reasonableness checks and other
tests of the input data. The expected results would then be calculated and compared with the actual
performance. These results should include both accurate output and error messages.
• Unauthorized changes can be detected by comparing the code of the program (code comparison)
to the master copy.
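The kind of test deck described above, as an added example that is not part of the HOCK text: a small Python program applies sequence, valid-field and reasonableness edits to hypothetical payroll input records, and a test deck containing both correct and incorrect records is compared with the expected results, including the expected error messages. The deck also reports which edits it failed to exercise, since test data should reach every branch. The record layout, the master-file ids, the limits and the error-code names are assumptions made for illustration.

```python
"""Exercising a program's input "edit" checks with a deck of valid and invalid test
records. Added example, not from the HOCK text; record layout, field names, limits
and the error-code names are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class PayRecord:
    """Hypothetical payroll input record."""
    seq: int        # batch sequence number
    emp_id: str     # employee id, must exist in the master file
    hours: float    # hours worked in the period
    rate: float     # hourly pay rate


# Constructed master-file data and tolerance limits (assumptions)
VALID_EMP_IDS: Set[str] = {"E1001", "E1002", "E1003"}
MAX_HOURS = 80.0
MIN_RATE, MAX_RATE = 7.25, 150.0

# Every edit the program performs; the test deck must trigger each one at least once
ALL_EDITS: Set[str] = {"SEQ-ERR", "FIELD-ERR", "HOURS-ERR", "RATE-ERR"}


def edit_record(rec: PayRecord, expected_seq: int) -> List[str]:
    """Apply the input edits to one record; an empty list means it passes."""
    errors: List[str] = []
    if rec.seq != expected_seq:                       # sequence check
        errors.append(f"SEQ-ERR: expected {expected_seq}, got {rec.seq}")
    if rec.emp_id not in VALID_EMP_IDS:               # valid field test
        errors.append(f"FIELD-ERR: unknown employee id {rec.emp_id}")
    if not 0 < rec.hours <= MAX_HOURS:                # reasonableness check
        errors.append(f"HOURS-ERR: hours {rec.hours} outside 0-{MAX_HOURS}")
    if not MIN_RATE <= rec.rate <= MAX_RATE:          # reasonableness check
        errors.append(f"RATE-ERR: rate {rec.rate} outside {MIN_RATE}-{MAX_RATE}")
    return errors


def edit_batch(records: List[PayRecord]) -> Dict[str, object]:
    """Edit a whole batch: accepted records, per-record errors and the edits exercised."""
    accepted: List[PayRecord] = []
    rejected: Dict[int, List[str]] = {}
    exercised: Set[str] = set()
    expected = 1
    for rec in records:
        errs = edit_record(rec, expected)
        if errs:
            rejected[rec.seq] = errs
            exercised.update(e.split(":")[0] for e in errs)
        else:
            accepted.append(rec)
        expected = rec.seq + 1        # resynchronise so one gap is reported once
    return {"accepted": accepted, "rejected": rejected, "exercised": exercised}


# Constructed test deck: each record paired with the error messages it should produce
TEST_DECK = [
    (PayRecord(1, "E1001", 40.0, 20.0), []),                                         # clean record
    (PayRecord(2, "E9999", 40.0, 20.0), ["FIELD-ERR: unknown employee id E9999"]),
    (PayRecord(4, "E1002", 40.0, 20.0), ["SEQ-ERR: expected 3, got 4"]),             # gap in sequence
    (PayRecord(5, "E1003", 500.0, 20.0), ["HOURS-ERR: hours 500.0 outside 0-80.0"]),
    (PayRecord(6, "E1001", 40.0, 1.0), ["RATE-ERR: rate 1.0 outside 7.25-150.0"]),
]


def run_test_deck() -> Dict[str, object]:
    """Compare actual edit results with expected ones; report mismatches and untested edits."""
    result = edit_batch([rec for rec, _ in TEST_DECK])
    mismatches: List[str] = []
    for rec, expected_errors in TEST_DECK:
        actual = result["rejected"].get(rec.seq, [])
        if actual != expected_errors:
            mismatches.append(f"record {rec.seq}: expected {expected_errors}, got {actual}")
    return {"mismatches": mismatches, "untested_edits": ALL_EDITS - result["exercised"]}


if __name__ == "__main__":
    print(run_test_deck())
```

A deck that leaves `untested_edits` non-empty has not tested all branches of the edit function, which is the condition the text sets for adequate test data; a deck whose `mismatches` list is non-empty shows an edit that no longer behaves as specified after a program change.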
The auditor needs to be aware that programs are written in source code, which is the language that the
programmer uses for coding the program, and they also exist in object code, which is the machine language
that the processor can understand. The source code file is converted to object code by means of a program
called a compiler, and the object code, not the source code, is what actually runs on the computer. This is
important because although in theory the source code and the object code should correspond, the
computer does not require them to correspond. It would be possible for a knowledgeable person to
make a copy of the source code, rewrite portions of the instructions, compile the modified source code into a
new object code file for use by the computer, and then destroy the modified source code file, leaving the
authorized source code file unchanged. The result is that the executable object code – the actual instructions
used by the computer – will not match the authorized source code. This is a weakness that can be used to
commit computer fraud if controls over the compiling and cataloging activities are not adequate. Despite the
strongest internal controls over day-to-day operations in user departments, a fraudulent change to a program
could divert company funds to an individual, and the fraud could continue for some time without being
detected.
However, computer fraud is not the primary reason for having strong controls over program changes. Lack of
proper testing and implementation errors are responsible for more losses over time than is computer fraud.
The internal auditor must determine whether program changes have been properly authorized, tested and
implemented. Internal auditors should perform tests such as the following:
• Examine change authorization documents to determine whether changes were properly authorized.
• Determine whether controls are adequate over program and job control language libraries.
• Compare the executable versions (the object code) of programs from one period to the next to
detect signs of unauthorized program changes. When programs have been changed, the changes
should be traced back to the authorizing documents.
• Procedures for making emergency changes should be reviewed. Emergency changes are needed at
times because programs occasionally stop running or start producing incorrect results. The urgent
goal is to correct the situation, and usually time is not sufficient for formal approvals. In these cases,
there should be a follow-up process and subsequent review of the changes.
• Determine whether management reports are available indicating the number of emergency changes,
as well as the number of program changes that have had to be backed out due to subsequent
problems.
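The object-code comparison test in the list above, as an added example that is not part of the HOCK text: each period's production library is fingerprinted, the two inventories are compared to find modified, added and removed programs, and every change is traced to the change-authorization register; a changed program with no authorizing record is the audit finding. The same fingerprint comparison also answers the earlier point about source and object code, by checking the running object code against a fresh compile of the authorized source. Program names, the byte strings standing in for compiled programs, and the change-request ids (CR-0001, CR-0002) are constructed placeholders.

```python
"""Period-to-period comparison of production object code, reconciled against change
authorisations. Added example, not from the HOCK text; program names, byte contents and
the change-request ids (CR-...) are constructed placeholders."""
import hashlib
from typing import Dict, List, Set


def fingerprint(object_code: bytes) -> str:
    """SHA-256 of an executable's bytes, recorded in each period's inventory."""
    return hashlib.sha256(object_code).hexdigest()


def build_inventory(library: Dict[str, bytes]) -> Dict[str, str]:
    """Fingerprint every program in a production library (program name -> hash)."""
    return {name: fingerprint(code) for name, code in library.items()}


def compare_periods(prior: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each program as modified, added or removed between two inventories."""
    return {
        "modified": sorted(n for n in prior if n in current and prior[n] != current[n]),
        "added": sorted(set(current) - set(prior)),
        "removed": sorted(set(prior) - set(current)),
    }


def reconcile(diff: Dict[str, List[str]], authorized: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Trace every changed program to an authorising change record; flag those without one."""
    changed = diff["modified"] + diff["added"] + diff["removed"]
    return {
        "authorized": sorted(p for p in changed if authorized.get(p)),
        "unauthorized": sorted(p for p in changed if not authorized.get(p)),
    }


def matches_authorized_build(deployed: bytes, rebuilt_from_authorized_source: bytes) -> bool:
    """True when the running object code equals a fresh compile of the authorised source."""
    return fingerprint(deployed) == fingerprint(rebuilt_from_authorized_source)


# Constructed libraries: short byte strings stand in for compiled programs
PRIOR_LIBRARY = {
    "PAYROLL": b"payroll v1",
    "GL_POST": b"gl_post v3",
    "AR_AGE": b"ar_age v2",
}
CURRENT_LIBRARY = {
    "PAYROLL": b"payroll v2",    # changed, covered by CR-0001
    "GL_POST": b"gl_post v3 x",  # changed, no change record: the finding
    "AR_AGE": b"ar_age v2",      # unchanged
    "AP_PAY": b"ap_pay v1",      # new program, covered by CR-0002
}
# Constructed change-authorisation register: program -> approved change request ids
AUTHORIZED_CHANGES: Dict[str, Set[str]] = {
    "PAYROLL": {"CR-0001"},
    "AP_PAY": {"CR-0002"},
}


def audit_period_change() -> Dict[str, List[str]]:
    """Run the comparison over the constructed data and return the reconciliation."""
    diff = compare_periods(build_inventory(PRIOR_LIBRARY), build_inventory(CURRENT_LIBRARY))
    return reconcile(diff, AUTHORIZED_CHANGES)


if __name__ == "__main__":
    print(audit_period_change())
```

The inventory for the prior period must itself be stored where programmers cannot alter it (the same restriction the text places on the production library), otherwise the baseline can be rewritten along with the program.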
Computer Programs and Software
Systems Software
Programs that manage and support the computer system are systems software, and all modern operating
systems are systems software. Systems software enables the computer to execute application programs,
monitor data communications, and control the input and output, file management, and file access.
Operating Systems
The five basic functions of an operating system are:
1) Provide a user interface that allows the user to communicate with the computer in order to load
programs and access files as well as accomplish other tasks. User interfaces can be
command-driven, menu-driven or a graphical user interface (GUI).
2) Resource management to manage the hardware and networking resources of the system.
3) File management to control the creation, deletion and access of files, and also keep track of the
physical locations of files on secondary storage devices.
4) Task management programs to manage the accomplishment of the computing tasks. Task
management enables multitasking, so that several computing tasks, such as typing, playing music and
printing, can occur at the same time.
5) Utilities and support services perform housekeeping and file conversion functions such as data
backup, data recovery, virus protection, and data compression.
There are a number of operating systems in use. The most popular are:
• Microsoft Windows.
• UNIX – Originally developed by AT&T, UNIX is used for many Web and network servers. It can be
used on mainframes, servers, and personal computers.
Unless controls over the operating system’s implementation and maintenance are adequate, the system may
experience excessive downtime, processing inaccuracies, and even computer fraud.
Installation of systems software should be subject to approvals, documentation, adequate testing, and
signoff, following a process such as the System Development Life-Cycle Approach. Changes to operating
systems carry high risk because they affect the entire information system.
Application software may require modifications to the operating system to enable the application software to
work properly. If this is the case, any upgrades made to the operating system may require that the operating
system be modified again so the application software can continue to work.
Some utility programs can bypass many security controls, because they can be used to modify both data and
programs without any audit trail, and that is a matter for the auditor’s concern. Data file utilities are
necessary, for example, if a data file becomes corrupted, but their use must be controlled because of their
power. Data file utilities can be used in a fraudulent manner to change data directly in the data file, without
any processing taking place and no record of any transaction having been performed. Access to these utilities
should be limited to systems programmers, and each use of them should be authorized and documented.
Internal auditors should ascertain whether change control procedures for the operating system are adequate,
and whether operating system changes are documented, approved, and installed at low-risk times (such as
after business hours). The auditor should find out whether operating system releases are kept up to date,
whether powerful utilities are restricted and their use documented, and whether systems programmers have
application responsibilities. The auditor should also ask whether the company is paying any annual
maintenance fees on software that is no longer being used, and whether an appropriate process is being
followed when new system software is required.
• Availability of a report writer that users can use to develop their own reports.
• Upgrade releases must be kept “in sync.” If different versions of different modules are being used,
the systems may not interact properly.
• Today’s software applications are large and complex, and inevitably will have bugs and/or security
vulnerabilities that need to be patched. The upgrade process must be carefully managed to ensure
that new vulnerabilities are not introduced during an upgrade. Applications like web browsers require
special attention, because they connect to outside systems and are at the greatest risk of being
compromised. Unnecessary features and plug-ins (e.g. Java, ActiveX, Flash, etc.) should be disabled
to prevent exploits of those features. E-mail programs also need to be carefully managed to ensure
that they are providing adequate protection against spam, viruses and phishing attacks and do not
contain any vulnerabilities that could compromise the entire system.
• Custom changes of vendor source code can create future problems if they are not properly
controlled. The internal auditor should review change controls to make sure that all custom changes are
properly identified. Not doing so can result in postponement of needed upgrades because of the
problem of identifying and reinstalling all of the custom changes.
Software Piracy
Software piracy is a form of software theft involving the unauthorized copying and use of software. Software
is intellectual property that is protected by copyright law and end user licensing agreements. In most cases,
the purchase of a software application is not a purchase of the software itself but the purchase of a license to
use it. Therefore, software cannot be legally transferred from one user to another. Recently, software
developers have begun securing their copyrights by requiring “activation” of the software by the end user. A
unique serial number is assigned to each copy of the software, and once a particular serial number has been
activated, it cannot be activated again on another computer until one of the existing installations is
deactivated.
Shareware is software that is made available to users for a small fee and is often distributed over the
Internet. Most shareware programs allow you to try them for a certain period of time before requiring you to
purchase them, or limit you to using just certain features until you pay.
Freeware is less restrictive than retail or shareware, in that it allows for the unlimited copying and
distribution over the Internet. Many open source (meaning that the source code is available for free)
programs are distributed as freeware. The Linux operating system is one of the best-known examples of
freeware.
Auditors should be aware of the legal issues associated with software piracy and the methods to avoid legal
liability. Software licensing agreements permit users to download either a specified or an unlimited
number of copies of a software product at given locations or throughout the company. Such software licensing
agreements are often much cheaper than purchasing individual copies of software for each computer.
On a periodic basis, internal auditors should review management’s policies concerning software licensing in
order to make sure that software copyright laws are being followed. These periodic reviews can mitigate the
risk of penalties and negative publicity from the illegal use of copyrighted software. In addition, internal
auditors need to be aware that “pirated” software also increases the chance of introducing computer viruses
or errors into the organization. This is because pirated software is less likely to have been tested for viruses,
or it may have been modified, causing it to behave unexpectedly or erratically.
Controls that should be implemented to prevent the use of unlicensed software include:
End-User Computing
In the end-user computing (EUC) model, end-users are responsible for installing systems, application
software and performing software upgrades. In effect, the systems programming and development is shifted
from a centralized IS department to the various end-user departments.
• More demanding and better-educated users. Today’s systems are more user friendly and users
are increasingly becoming better educated in the use of information systems.
• Acceptance of the computer environment. Users are more willing to accept changes in a system
if they are able to participate in its development.
• Increasing sophistication of business analysis. This supports the notion that the users are in a
better position to determine how they want the system to function.
However, in moving to the EUC model there are some potential shortfalls that the internal auditor needs to be
aware of. The IIA performed a study on the subject and indicated the following:
• The lack of effective evaluation procedures to ensure that the right system is developed.
• Enlist the participation of both the end-users and the IS department for EUC policy development.
• Create procurement guidelines that promote fast response, but ensure that products foster
connectivity and interoperability.
• Maintain tight data security to protect the hardware, software and data.
• Create extended audit programs for compliance and substantive testing when material financial or
operational risks are identified.
Question 137: The marketing department’s proposal was finally accepted and the marketing employees
attended a class in using the mainframe report writer. Soon, the marketing analyst found that it was
easier to download the data and allow employees to manipulate it on their own workstations than to
perform all the data manipulation with the mainframe report writer. One analyst became highly skilled at
downloading data and wrote downloading command sequences for the other employees. When the
analyst left the company for a better job, the department had problems making modifications to these
command sequences. The department’s problems are most likely due to inadequate:
a) Documentation
b) Data backup
c) Program testing
d) Anti-virus software
(CIA Adapted)
Question 138: Traditional information systems development procedures that ensure proper consideration
of controls may not be followed by users developing end-user computing (EUC) applications. Which of the
following is a prevalent risk in the development of EUC applications?
b) Management may be less capable of reacting quickly to competitive pressures due to increased
application development time.
c) Management may place the same degree of reliance on reports produced by EUC applications as it
does on reports produced under traditional systems development procedures.
d) Management may incur increased application development and maintenance costs for EUC systems
compared with traditional (mainframe) systems.
(CIA Adapted)
In a totally centralized system, all data processing is done in one processing center. Users’ terminals
function only as input devices, communicating all requests to the centralized system. With this type of
system, there is a large centralized IT staff with its associated costs. On the other hand, because of the size
of the processing department, it is possible for the company to benefit from economies of scale in its
operation.
In a totally decentralized system, each remote location processes its own data and has its own processing
staff. Under this system, the processing systems more closely match the needs of the users because they are
developed locally. However, it will cost the company more to develop and maintain systems in multiple
locations and the level of systems expertise at each location may not be as high as having a dedicated central
staff.
In a distributed data processing system, the processing needs of the company as a whole are considered
and then a corporate decision is made as to where the processing should be done. This will generally lead to
having some processing done locally while some is maintained at the central processing facility.
Many companies plan their computer systems to be fault tolerant, i.e., to have fully functional backup
systems in order to provide fail-over (or fail-safe) capability where the system can continue to operate at
full capacity even if there is a major failure in one of its components.
Totally centralized systems and totally decentralized systems are at the two extremes. Most systems are
hybrid systems that fall somewhere in between the two extremes. Today’s intranets (discussed later) provide
centralized control with decentralized components.
Some companies have spun off their Information Systems function into a subsidiary that offers IS services to
other organizations, both related and not related. Some corporations have outsourced their IS operations,
turning over all or parts of the operation to outside contractors called systems integrators. Furthermore,
many companies outsource their software by using application service providers (ASPs) that provide and
support the software that the company uses via the Internet.
The biggest disadvantage to outsourcing IS services is that the company loses the flexibility of tailoring its
Information Systems to its specific needs. On the other hand, outsourcing is usually cheaper, faster and more
reliable because outside experts have more specific experience in designing, implementing and running such
systems. Today, system integrators and ASPs offer such a wide variety of services that most companies’
needs can be met without custom design.
(CMA Adapted)
Processing Modes
Companies use different methods to process data.
In batch mode, transactions and information are held until there is a group of transactions and then these
transactions are all processed together. This is used for transactions that may be processed at intervals of
time and include similar transactions, such as payroll. Batch processing is also used to consolidate groups of
transactions from several offices into a larger group for processing. Batch processing is the oldest method for
processing data and it is still used for processing large volumes of transactions. Batch processing offers the
most control, because manual totals of items and dollar amounts can be compared to batch totals calculated
by the computer. If the totals do not match, the error(s) can be found and corrected in the batch before the
transactions are posted and the files are updated.
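The batch-total control described above, as an added example that is not part of the HOCK text: the batch header carries the totals prepared by hand from the source documents (a record count, a dollar total and a hash total of the account numbers), the program recomputes all three from the transactions it actually read, and the batch is posted only when every total agrees. The constructed data includes a batch in which one account number was keyed with its digits transposed, which only the hash total detects, and a batch with a missing document. The record layout, account numbers and amounts are constructed.

```python
"""Batch control totals: the batch header carries the totals prepared manually from the
source documents; the program recomputes them from the transactions it actually read and
refuses to post the batch if any total disagrees. Added example, not from the HOCK text;
the record layout, account numbers and amounts are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass
class Txn:
    account: int      # account number; used only to form the hash total
    amount: Decimal   # dollar amount


@dataclass
class BatchHeader:
    record_count: int       # number of documents counted by hand
    dollar_total: Decimal   # adding-machine total of the amounts
    hash_total: int         # sum of the account numbers; meaningless except as a control


def compute_totals(txns: List[Txn]) -> BatchHeader:
    """Recompute the three control totals from the transactions the program read."""
    return BatchHeader(
        record_count=len(txns),
        dollar_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(t.account for t in txns),
    )


def check_batch(header: BatchHeader, txns: List[Txn]) -> Dict[str, object]:
    """Compare manual totals with computed totals; the batch posts only if all three agree."""
    computed = compute_totals(txns)
    discrepancies: List[str] = []
    if computed.record_count != header.record_count:
        discrepancies.append(
            f"record count: header {header.record_count}, computed {computed.record_count}")
    if computed.dollar_total != header.dollar_total:
        discrepancies.append(
            f"dollar total: header {header.dollar_total}, computed {computed.dollar_total}")
    if computed.hash_total != header.hash_total:
        discrepancies.append(
            f"hash total: header {header.hash_total}, computed {computed.hash_total}")
    return {"ok": not discrepancies, "discrepancies": discrepancies}


# Constructed header: three documents, $1,250.00, accounts 1001 + 1002 + 1003 = 3006
HEADER = BatchHeader(record_count=3, dollar_total=Decimal("1250.00"), hash_total=3006)

# Keyed correctly
GOOD_TXNS = [Txn(1001, Decimal("500.00")), Txn(1002, Decimal("250.00")), Txn(1003, Decimal("500.00"))]

# Same count and dollars, but the last account was keyed as 1030 instead of 1003:
# only the hash total catches this transposition
TRANSPOSED_TXNS = [Txn(1001, Decimal("500.00")), Txn(1002, Decimal("250.00")), Txn(1030, Decimal("500.00"))]

# One document missed during keying: every total disagrees
SHORT_TXNS = GOOD_TXNS[:2]


if __name__ == "__main__":
    for label, txns in [("good", GOOD_TXNS), ("transposed", TRANSPOSED_TXNS), ("short", SHORT_TXNS)]:
        print(label, check_batch(HEADER, txns))
```

Amounts are held as `Decimal` rather than floating point so that the computed dollar total is exact and a genuine one-cent discrepancy is never masked by rounding.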
Remote batch processing enables a user in one location to start a batch-processing job at another location.
The batches are created at the remote location and posted online to the computer at the other location.
Online or real-time processing connects the computer with the processing unit so that transactions are
processed as they are entered. This means that the master files are updated continuously and may be
accessed as transactions are occurring. In real-time processing, feedback from the transaction is received so
quickly that it may be used in the decision or control processes immediately. For example, most inventory
systems would be real-time systems, because knowing if an item is in stock or almost sold out might have a
real impact on the business.
However, control totaling cannot be used with real-time processing. This means that although real-time
systems have the advantage of being continuously up to date, they pose a greater inherent risk. Strong controls are needed,
such as identification of the operator who performed each update, levels of password security, and restriction
of certain functions at certain terminals.
In evaluating inherent risk in a real-time system, the auditor needs to consider the risk of fraud because of
the possibility that assets or liabilities are intentionally misstated, or assets are stolen. Other inherent risks
involve the importance of the system to the company, the competitive advantage that the system provides to
the company, and how technologically advanced the system is. The greater the system’s importance to the
company’s operations, the greater the competitive advantage it confers, and the more technologically
advanced it is, the higher the inherent risk will be.
Online entry with memo posting and batch processing applications provide the advantages of an online
system with online data entry and online inquiry, but the master files are updated using batch processing,
usually after business hours. After the master files have been updated each evening, a “memo” copy of the
updated master file is created. It is this memo copy that is then used for inquiry and online updating during
the following day. After the day’s transactions have been verified, the memo file is then used to post the
day’s transactions to the master file. Banks in particular use memo posting so that bank personnel can see
each customer’s current balance and monitor cash withdrawals. However, the actual posting of the
transactions to the customers’ accounts occurs after the close of business, when the paper documents such as
checks and deposit tickets are batch processed, using traditional controls.
A timesharing system is one in which many companies (or departments or users) have access to the same
processing unit. In this type of system, each user’s transactions will be processed in turn, enabling many
users to use the same system without any downtime in the system.
Service bureaus are similar to timesharing systems because they actually perform the processing for their
clients. This is offsite processing and the user does not need to have the computer power or the personnel,
but does have to prepare the information and transport it to the service bureau. A common example of this
type of processing is payroll processing, where a company contracts with a service bureau to prepare its
payroll and submit all of its payroll tax returns.
Question 140: Misstatements in a batch computer system caused by incorrect programs or data may not
be detected immediately because:
a) Errors in some transactions may cause rejection of other transactions in the batch.
b) The identification of errors in input data typically is not part of the program.
(CPA adapted)
Data Communications and Telecommunications Networks
A telecommunications network is like any means of communication: there is a sender who transmits a
message to a receiver over a channel consisting of some kind of medium. When the message is data,
transmitting it requires special hardware, software and communications technology. There are five basic
categories of components to a telecommunications network:
1) Terminals. The terminals may be networked PCs, network computers or “dumb terminals,” which
are simply keyboards/monitors with virtually no processing capabilities.
3) Telecommunications channels. These are the media over which data is transmitted and received.
They may be copper wires, coaxial cables, fiber-optic cables or wireless systems.
4) Computers. Networks can connect all sizes and types of computers. A large mainframe computer
can be the host computer for a large network, while a personal computer can act as a network
server for a small network.
5) Telecommunications control software. This category includes programs that control
telecommunications activities, such as network operating systems for network servers, Web browsers, or
telecommunications monitors for mainframe host computers.
Network Connections
Adapters are used to connect computers to the network. An adapter is needed to connect to any network,
whether it is a cabled network or a wireless network.
Bandwidth
Bandwidth is a term that is used to classify communications speed and capacity of telecommunications
networks. Bandwidth determines the maximum transmission rate for data. Data transmission rates are
usually measured in bits per second (BPS). A bit is either a 0 or 1; bits are the lowest level language of
computers and digital communication. A single character (a byte) consists of 8 bits.
There are three types of bandwidth: narrow band, medium band and broadband.
• Narrow band uses unshielded twisted-pair lines that are normally used for telephone voice
communications. Data is transmitted by means of modems.
• Medium band uses shielded twisted-pair lines. Shielded twisted pair cabling provides shielding
from electromagnetic interference. Transmission speeds are faster than narrow band.
• Broadband uses coaxial cable, microwaves, fiber optics, radio waves, infrared or satellite
transmission. Transmission rates are much faster than medium band.
Types of Networks
A network is a system that connects computers together. These networks allow users to share resources
(hardware and software) among various users.
There are six types of networks that you should be familiar with. They are summarized in the following table
and some are discussed further in the pages that follow.
Public-switched network: This type of network uses the standard public telephone lines. Though this is probably the cheapest option, the telephone lines limit the speed of the connection.

Value-added network (VAN): These are networks that lease the public telephone lines, but then add services such as mailboxes, error correction and speed enhancements.

Local Area Network (LAN): This is a local computer network set up within a home or office. Either each computer is connected to all of the other computers (a peer-to-peer network) or through one or more servers (a client/server network). A gateway connects networks or devices that would otherwise be incompatible, such as connecting the LAN to the Internet. Ethernet is the most common way of connecting a LAN and allows different computers to talk to each other.

Wide Area Network (WAN): This is like a LAN, but spread over multiple offices that may be widely separated, even internationally. The different locations are usually connected by high-speed broadband connections.

Internet: The three main parts of the World Wide Web are the servers that hold the information, the clients who are viewing the information and the protocols that enable the servers and clients to communicate with each other.

Virtual private network (VPN): A VPN uses the Internet to network computers in different locations. The greatest risk with this type of network is the security of the information transmitted through the VPN. Security is reliant on firewalls and other security features of a company’s Internet and intranet connections. In addition, if the VPN is used in an extranet between a company and its customers and/or suppliers, the security is also reliant upon the security of the Internet connections of the other organizations in the extranet.
a) Method to offer specialized software, hardware and data handling techniques that improve
effectiveness and reduce costs.
b) System to allow computer users to meet and share ideas and information.
c) Computer system that connects computers of all sizes, workstations, terminals and other devices
within a limited proximity.
d) Electronic library containing millions of items of data that can be reviewed, retrieved and analyzed.
(CMA Adapted)
Network Properties
Networks are categorized based on three properties:
• Architecture
• Protocol
• Topology
Networks use standard protocols, standard communications hardware, and standard software interfaces
between the users and the computer systems to maintain open telecommunications.
Network Architecture
The purpose of network architectures is to promote open, flexible and efficient telecommunications
environments. Network architectures are master plans for the development of data communications networks.
• Peer-to-peer networks permit users to share files and resources such as printers and Internet
access on their own computers and access files and resources on other computers in the network. In
a peer-to-peer network, there is no server and all computers have the same ability to use all the
resources available on the network.
Advantages of a peer-to-peer network are that it is less expensive because there is no need for a
dedicated server, and it is simpler to set up by simply reconfiguring existing software. Disadvantages
of the peer-to-peer configuration are that because it is decentralized, there is no central storage of
files and applications and thus there is no access to a centralized backup routine. It also does not
provide the security that would be available on a client/server network. Due primarily to the lack of
control, use of peer-to-peer networks is usually limited to small workgroups.
Network Protocols
Protocols specify a common set of rules and signals that computers on the network use to communicate with
each other. The protocol is responsible for taking data packets from one device and sending those packets to
other devices. Common network protocols are TCP/IP, UDP, NetBEUI, and Bonjour (Apple’s Zeroconf
implementation).
TCP/IP is a system of protocols used on the Internet and by intranets and extranets. Client/server networks
using TCP/IP technology are commonly called IP networks. TCP/IP has become so widely used that it is
almost equivalent to a network architecture, even though it is a protocol.
Question 142: When two devices in a data communications system are communicating, there must be
agreement as to how both data and control information are to be packaged and interpreted. Which of the
following terms is commonly used to describe this type of agreement?
a) Asynchronous communication.
b) Synchronous communication.
c) Communication channel.
d) Communication protocol.
(CIA Adapted)
Network Topologies
Network topologies are network structures. All computer networks, regardless of their topologies, rely on
point-to-point and/or multi-point connections.
• Point-to-point connections provide a direct link between two devices, such as a computer that is
connected directly to a printer.
The most common ways to configure (connect) the computers and devices within either a wide area network
or a local area network are star, ring and bus.
• A star network connects each end user computer individually to the central host computer. All
communications go through the host. Thus, star topology is a passive topology, in that the
connected computers do not pass the messages on to other computers. Since all the computers in the
star are dependent on the central computer, if it fails, the whole network goes down. Advantages of
a star network are that all users have access to up-to-date data at all times, and if a computer other
than the host fails, no other computer will be affected.
• A ring network connects all the computers in the shape of a closed loop. With a ring network, there
is no central computer that contains all the data. Communications flow in one direction only around
the ring, from computer to computer. Ring topology is an active topology, which means that each
connected computer is responsible for moving data from itself on to the next computer. An ad-
vantage of a ring network is that it requires less cabling and therefore is less expensive than some
other topologies. However, it is difficult to add a computer to the network or to remove a computer
without closing down the network. Furthermore, if one computer stops working, it brings down the
whole network.
• A bus network uses one long cable, and all the network devices are connected to it using short
drop cables. The word bus means communications channel, and all computers share the same
bus. All the computers can communicate with each other directly, without having to go through the
server. A message passes other computers on its way to its destination computer.
A bus network is a passive topology, because the connected computers only listen for a signal to
determine whether the signal is for them; they do not pass the data from one computer to the next,
as they do in a ring network. Therefore, if one computer goes down it does not affect the others.
Since the early 1990s, the network configuration of choice has been the star topology. The central network
unit is either a hub or a switch. These devices act as a go-between for the devices by receiving transmission
signals from one device and sending them out to other devices.
An Ethernet network using a star topology is called a star-bus network. Each networked device is connected
point-to-point to the hub. All messages go through the central hub, and if one computer goes down, the rest
of the network can continue to operate.
• A bridge connects networks of the same type. It directs the network traffic based on the destination
address of the packet that is being sent.
• A gateway connects networks of different kinds. A gateway is used to connect a local area network
to the Internet, to another local area network, or to a corporate intranet. A gateway acts as a “pro-
tocol converter” to connect the different types of networks.
• A router connects several networks. A router is used to connect several LANs across a WAN if, for
example, a company has several LANs at several different offices. A router also directs the commu-
nications traffic and can look for alternate communication routes if one link fails.
• Switches are another type of device used to link LAN segments and to forward packets among them. Unlike a router, however, a switch forwards frames based on the hardware (MAC) address of the destination within a single LAN; it does not make routing decisions between different networks.
Question 143: Using a telecommunications provider affects in-house networks. To prepare for changes
resulting from enhanced external network services, management should:
a) Optimize in-house networks to avoid bottlenecks that would limit the benefits offered by the
telecommunications provider.
b) Plan for rapid implementation of new capabilities in anticipation of ready acceptance of the new
technology.
c) Downsize the company’s disaster recovery plan to recognize the increasing role of the telecommu-
nications provider.
(CIA Adapted)
Client/Server Networking
Client/server networks have become the primary architecture of computing used in businesses. While main-
frame computers remain important for very intensive applications requiring vast amounts of speed or storage,
client/server computing is more accessible and much less expensive. Microsoft Windows Server 2008, Mac OS X Server, and Novell Open Enterprise Server are examples of client/server network operating systems.
In client/server network operating systems, the network centralizes functions and applications in one or more
dedicated servers. The servers are the heart of the system, providing access to resources and files while
providing security. Individual workstations, called clients, are linked by local area networks and access the
resources on the file servers by requesting the server to perform a task. The server’s job is to perform the
tasks requested by the client(s), retrieve and update data, and return responses to client requests.
The server manages shared resources such as databases, printers, Internet access and other communication
links. Software applications, such as word processing or spreadsheet programs, generally reside on the client
computers, while the databases and their related software such as accounting systems are stored on the
server(s). The benefit of a central server is simultaneous access to the shared resources. For example, a
server may control the Internet connection or central database for hundreds of clients at once.
1) The presentation component, which is what the user sees on the screen.
2) The application logic component, which refers to the logic involved in the processing done by a
specific application. Unlike a terminal connected to a mainframe computer, the client has the ability
to manipulate or query the data or to process a transaction. The processing tasks in each application
are shared between the client and the server, with their division depending upon the application. Cli-
ent/server systems enabling distributed processing are called “distributed applications systems” or
“distributed logic systems.”
3) The data management component, which refers to the databases used and how they are stored
on the system. In a large client/server network, databases are copied onto several servers, enabling
fast access to their data. These are called “distributed database systems.”
• It is centralized. Resources and data security are controlled through the server.
• It is scalable. Client workstations can be added or removed fairly easily. Or, if necessary, the server
can be replaced with a larger and faster server or with multiple servers.
• It has interoperability. All of the components — client, network and server — work together.
• Thin-client systems can be installed using diskless microcomputers instead of more expensive PCs.
When thin clients are used, all the application software resides on the server and is executed on the
server. The thin client processes and transmits only user interface information like keystrokes and
mouse clicks over the network to the server. Costs to deploy and maintain a thin client/server net-
work can be significantly lower, network administration is simplified, and network security is
improved.
• Maintenance. A large network requires a staff of administrators to ensure efficient operation. Even
a small network may require the services of an on-call consultant. The need for maintenance will in-
crease the expense.
• Operations are completely dependent upon the server. If the server goes down, all operations
across the network cease.
• Distributed data. Multiple copies of the same file may be stored on various servers in the system,
making backup and recovery more difficult and causing difficulties in data synchronization.
• System maintenance is more difficult. Upgrading to a new version of an application can be more
difficult because the system usually requires consistency in these programs across servers.
• User access and security are more complex. Access privileges can vary widely among employ-
ees, and a client/server system requires proper access rights be set for all users.
Question 144: Which one of the following is not a characteristic of the client-server network model?
a) It consists of desktop computers (clients) that request data from the server.
b) It permits multiple clients to access different records in the same file simultaneously.
c) It can be configured in various ways, including ring, star and bus topologies.
d) It processes client requests to the server for an entire file of records rather than a subset of the
data.
(CMA Adapted)
The Internet
The Internet is an international network of computers and smaller networks that are linked together electronically. The Internet began as ARPANET, a project of the Advanced Research Projects Agency (ARPA) of the U.S. Department of Defense. It was the world's first operational packet switching network and the predecessor of the global Internet. ARPANET and its successor networks have all been shut down or transitioned into what we now know as the Internet.
Accessing the Internet involves going through a series of progressively larger networks. Individual computer
users connect to small Internet Service Providers (ISPs), and small ISPs connect to larger ISPs. The largest
ISPs maintain high-speed “backbones” for an entire nation or region through fiber-optic lines, undersea cables
and satellite links. The term "Internet backbone" now loosely refers to these high-speed “trunk”
connections of the Internet that carry vast amounts of information between the largest ISPs. As such,
there are multiple backbones. These backbones may be operated by commercial, academic or governmental
agencies. The most significant advantage of this design is that the failure of a single backbone will not cause
a major disruption; Internet communications can be automatically re-routed onto other backbones.
Because there is no central computer system or telecommunications center for the Internet, it has no
headquarters or governing body. Communications standards have been developed by international standards
groups of individual and corporate members, such as the World Wide Web Consortium. These standards are
the key to the flow of information on the Internet.
Internet addresses are usually typed as a Uniform Resource Locator (URL), such as http://www.google.com/. The part of the URL that identifies the server is the domain name (here www.google.com). When you type a URL into your browser, the browser asks a Domain Name System (DNS) server to translate the text-based domain name into a numeric Internet Protocol (IP) address such as 64.233.187.99. Every device connected directly to the Internet has a unique IP address, making it possible for you to connect to any server on the Internet. Online search engines like Yahoo or Google enable users to locate web pages containing any information they require by clicking their way through the hyperlinked pages of businesses, government, public interest and various other websites.
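To make the distinction between a URL, the domain name inside it and the name that DNS actually resolves concrete, here is an added example; it is not from the textbook. It extracts the host that a browser would hand to DNS and compares it with the domain the user believes they are visiting. The URLs are constructed, and the domain names in them are used purely for illustration. The check goes one step beyond the paragraph above by showing why a substring test for the expected domain is the wrong way to validate a link, which matters for the phishing messages discussed later in this section.

```python
"""URL vs. domain name vs. the host DNS resolves.

Added example (not from the textbook). The host returned by host_of() is the
only part of a URL that DNS ever sees. All sample URLs are constructed.
"""
import socket
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase host a browser would hand to DNS for this URL.

    urlsplit() follows the URL grammar, so user info ("user@"), ports, paths
    and query strings are stripped and cannot change the answer.
    """
    parts = urlsplit(url)
    if not parts.scheme or parts.hostname is None:
        raise ValueError(f"not an absolute URL: {url!r}")
    return parts.hostname.lower()


def is_under_domain(host: str, domain: str) -> bool:
    """True only if host is domain itself or a subdomain of it.

    A plain substring test is the classic phishing mistake:
    "www.google.com.evil.example" contains "google.com" but is served by
    whoever controls evil.example. Trailing dots (absolute names) are ignored.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(url: str, trusted_domain: str) -> str:
    """Label a URL 'trusted' or 'lookalike' relative to trusted_domain."""
    return "trusted" if is_under_domain(host_of(url), trusted_domain) else "lookalike"


# Constructed sample URLs; every one of them "contains" google.com somewhere.
SAMPLE_URLS = [
    "http://www.google.com/search?q=cia+part+3",   # genuine
    "https://WWW.Google.COM:443/",                 # genuine, odd casing and explicit port
    "http://www.google.com@evil.example/login",    # user info before the '@'
    "https://www.google.com.evil.example/",        # google.com used as a prefix label
    "http://evil.example/www.google.com/",         # expected domain appears only in the path
]


def resolve(host: str):
    """Ask the system DNS resolver for the address, as the browser would.
    Returns None when offline or when the name does not exist."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host = host_of(url)
        print(f"{classify(url, 'google.com'):9} host={host:30} ip={resolve(host)}")
```

The resolve() step needs network access and is only run from the command line; the parsing and domain check work offline. Note that the check is against the host, never against the raw URL string.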
Many services besides the World Wide Web are available via the Internet. Most Internet users send and
receive e-mail. Internet e-mail messages are usually transmitted within minutes to anywhere in the world,
and can carry attachments with sounds, photos, videos or virtually any other type of file. Newsgroups and
chat rooms provide an easy way for users to communicate with many other people all over the world. Voice
over IP (VoIP) programs such as Skype allow voice calls at very low cost among Internet users.
E-commerce, of course, is also part of the online experience. Huge “eTailers” such as Amazon.com offer a
vast selection of products and have stores in many countries, including the United States, the United
Kingdom, China, Japan, Germany and France. Many so-called “Brick and Mortar” retailers also offer online
stores to reach a wider audience. You may have acquired this textbook through an E-commerce transaction
with our web site, www.hockinternational.com.
In addition to electronic commerce, business use of the Internet has grown to include online collaboration
among business partners and workgroups, customer and vendor support, marketing, sales and customer
relationship management applications. Applications have developed for engineers to hold virtual meetings and
exchange and manipulate blueprints. Manufacturing applications permit manufacturing processes to be
monitored remotely. Human resources functions have been automated, allowing employees to update their
own employee records. Automated customer service websites save the time of customer service employees
and thus their employers’ money.
Other benefits provided by the Internet to businesses include the opportunity to attract new customers
through an attractive website, reduction of selling costs because of automated processing of sales generated
online, development of web-based markets and distribution channels, and the opportunity to develop new
information-based products for distribution on the Web, such as materials published online.
In what is actually a very short period of time, the Internet has become a dominant factor in business
worldwide, and it continues to evolve very rapidly.
Intranets
An intranet is a local network inside an organization that uses Internet technologies to allow those who are
part of the intranet to transmit and receive information to and from other members of the intranet. This is
often used within a company to enable its employees to access the company’s internal network without
making their information available to outside parties.
Simply, an intranet can be thought of as an internal Internet. That is to say, an intranet uses all of the same
technologies as the Internet, but it is designed to be accessed only by employees of that company and not
the Internet as a whole. Because intranets use the same technologies as the Internet, the Web browser is
commonly used to access many intranet resources.
Specifically, intranets provide an enterprise information portal that permits authorized users to:
• Use e-mail, discussion forums, online chat, whiteboard and audio- and video-conferencing for collab-
oration, meetings, training or any other purpose where in-person communication may be slow,
impossible or expensive. Online tools allow organizational groups in different floors, different build-
ings or even different countries to rapidly exchange ideas. In particular, the use of e-mail has had a
tremendous impact on the speed of business and many corporate employees in service jobs spend a
significant amount of time every day corresponding via email.
• Use corporate applications such as order processing and inventory control, and access corporate databases. These applications may be installed software applications, or may be accessed using Web browsers, or both. Customer Relationship Management (CRM) software provides a central database for all customer information. For example, using a CRM package allows sales personnel to track conversations with the same customer, even if the customer speaks to a different representative each time. Or, after the customer places an order, the support personnel would be able to see what product(s) that customer has purchased and provide support for the exact product purchased.
• Write, publish and share documents in a variety of formats. This can include an intranet web net-
work with internal corporate web sites set up as a service to other divisions within the company. For
example, the Human Resources Department could develop an internal web site that provides com-
monly needed forms, upcoming personnel events, vacation guidelines, etc. Or, the Accounting
Department may create an online reimbursement submission and tracking site so that employees
can quickly and easily submit expenses for reimbursement.
An intranet uses security measures such as passwords, encryption and firewalls. However, authorized users
can still access an intranet via the Internet through connections like a virtual private network. Therefore, an
intranet’s security is not perfect once it is opened up to any outside connections. Most large corporations will
have an individual or team dedicated to monitoring network security and policies.
Extranets
An extranet is an intranet within a company that also allows access by its customers and/or suppliers through
interfaces between its intranet and their intranets. Thus, extranets are interconnected intranets. Companies
may establish virtual private networks between themselves and other companies using the Internet as the
extranet link. To maintain security, the participants rely on encryption of data and firewalls. Or, to further
guard the security of their transmissions, two companies may directly set up an actual private network
between themselves, without using the Internet, by installing a dedicated line.
Network audits need to be done on a regularly scheduled basis, and the data needs to be historically
compared. Many security events are not detectable when they occur. Historical audit data can be used to
identify when systems have been compromised, because often the operational characteristics will have
changed. Without consistent auditing and results comparison, these changes in systems are hard to detect.
Local Area Network audits are generally made with the help of network auditing software. Collecting the audit
data is handled in three phases:
• Host identification - Building databases of the active hosts connected to the network.
• Host profiling - Scanning the hosts to identify their operating system, running network services
and version information. Data is collected by running port and/or vulnerability scanners against the
list of active hosts.
• Service profiling - Monitoring inbound traffic flow to identify what network services are active.
Using the host profile, data traffic monitoring access lists can be created and installed to monitor and
detect network traffic patterns.
A primary threat to a corporate LAN is peer-to-peer (P2P) file-sharing software that employees may have running on their workstations. If a user searches for a file with such software and downloads it, this can open the door to malware, with which shared files are frequently infected. Most peer-to-peer applications use ports above 1024 (the registered and dynamic port ranges), so it is also useful to design a filter that flags outbound connections to destination ports of 1025 or higher, which can help detect P2P software. The filter is a heuristic: legitimate services also run on high ports (web proxies on 8080, for example), so the hits need to be compared against the ports the organization knows it uses, and many connections from one workstation to many different external hosts on such ports are a much stronger indicator than any single connection.
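As an added example (not from the textbook), the following Python code implements the filter described above over constructed firewall-style log lines. The log format, the 10.0.0.0/8 internal range and the allowlist of known high ports are assumptions made for the demonstration. It goes one step beyond the single-connection filter in the text by counting how many distinct external peers each workstation reaches on high ports, because that fan-out, rather than any one connection, is what distinguishes P2P activity from an employee using a web proxy on port 8080.

```python
"""Heuristic detection of peer-to-peer activity from outbound connection logs.

Added example, not from the textbook. The log format, the internal address
range and the allowlist of known high ports are assumptions, and the log lines
are constructed for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed log format: "<timestamp> OUT|IN <src>:<sport> -> <dst>:<dport> TCP|UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<direction>IN|OUT)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)$"
)

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
KNOWN_HIGH_PORTS = {8080, 8443}                    # assumed: high ports the company knowingly uses
WELL_KNOWN_MAX = 1024                               # ports 1025 and up are registered/dynamic


def parse_line(line: str):
    """Parse one log line into a dict; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def is_high_port_egress(rec) -> bool:
    """The filter the text describes: outbound, internal -> external, destination
    port above 1024, minus the high ports the organization already knows about."""
    return (rec["direction"] == "OUT"
            and is_internal(rec["src"]) and not is_internal(rec["dst"])
            and rec["dport"] > WELL_KNOWN_MAX
            and rec["dport"] not in KNOWN_HIGH_PORTS)


def high_port_peers(lines):
    """Map each internal host to the distinct (external peer, port) pairs it reached on high ports."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_high_port_egress(rec):
            peers[rec["src"]].add((rec["dst"], rec["dport"]))
    return peers


def p2p_suspects(lines, min_peers: int = 3):
    """Hosts whose high-port fan-out reaches at least min_peers distinct external peers.
    A single high-port connection is common and noisy; many peers on many ports is the P2P pattern."""
    return {host: sorted(p) for host, p in high_port_peers(lines).items() if len(p) >= min_peers}


# Constructed sample log: 10.0.0.15 shows P2P fan-out, 10.0.0.22 is ordinary web and proxy use.
SAMPLE_LOG = [
    "2013-05-01T10:00:01 OUT 10.0.0.15:51234 -> 203.0.113.7:6881 TCP",
    "2013-05-01T10:00:02 OUT 10.0.0.15:51235 -> 203.0.113.99:51413 TCP",
    "2013-05-01T10:00:03 OUT 10.0.0.15:51236 -> 198.51.100.23:4662 TCP",
    "2013-05-01T10:00:03 OUT 10.0.0.15:51237 -> 198.51.100.200:6346 UDP",
    "2013-05-01T10:00:04 OUT 10.0.0.15:51238 -> 203.0.113.7:6881 TCP",    # same peer again, not new
    "2013-05-01T10:00:05 OUT 10.0.0.22:49152 -> 203.0.113.80:443 TCP",
    "2013-05-01T10:00:06 OUT 10.0.0.22:49153 -> 203.0.113.80:80 TCP",
    "2013-05-01T10:00:07 OUT 10.0.0.22:49154 -> 198.51.100.5:8080 TCP",   # allowlisted proxy port
    "2013-05-01T10:00:08 OUT 10.0.0.22:49155 -> 198.51.100.9:5222 TCP",   # one high port, below threshold
    "2013-05-01T10:00:09 IN  203.0.113.50:40000 -> 10.0.0.22:49155 TCP",  # inbound, ignored
    "2013-05-01T10:00:10 OUT 10.0.0.22:49156 -> 10.0.0.30:3306 TCP",      # internal to internal, ignored
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, peers in p2p_suspects(SAMPLE_LOG).items():
        print(f"{host}: {len(peers)} distinct high-port peers -> {peers}")
```

Run stand-alone it prints the suspect hosts. The min_peers threshold and the allowlist are the knobs an auditor would tune against a baseline of the organization's normal traffic, and the hits still need a human to confirm what the software on the workstation actually is.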
Much of the network audit software available can also generate test traffic in order to load the network deliberately. This test, which measures network capacity, is especially important if the business uses the network heavily and relies on it.
Here are some other risks that exist in all telecommunications systems:
• The network can “go down,” i.e., be inoperable for a period of time.
• Transmission time may slow down, causing customer irritation and/or adversely affecting business
functions.
• Unauthorized persons can insert fraudulent information (active wiretapping) into the network.
• Costs can become excessive if equipment that is incompatible with the telecommunications network
is purchased.
• Sequencing of messages - Messages are numbered. If there is a duplicate number or a gap in the
numbers, the receiving computer detects it.
• Encryption – The data being transmitted is scrambled and can be unscrambled only with the key.
• Self-checking algorithms – Mathematical error-detecting techniques are used that send "redundant" (extra) information along with the data, similar to check digits. If any error is detected, the data is retransmitted. Cyclic redundancy checking (CRC) is one type of this, and it is used frequently to check telecommunication transmissions. A CRC detects accidental transmission errors only: anyone who can alter the data can simply recompute the CRC, so it is not a substitute for encryption or a keyed message authentication code where deliberate tampering is the concern.
• Automatic dial-back – Used to keep hackers out of commercial databases. A dial-back system
accepts an incoming call and the caller enters an ID and a password. The connection is then discon-
nected, and the computer immediately calls back a prearranged telephone number to establish a
connection. The prearranged number is tied to the caller’s ID and password.
• Dedicated lines – A dedicated line provides greater security and transmission quality. It is appro-
priate for an organization that transmits significant amounts of data regularly. The cost is high, but
the benefit is greater reliability and control over data transmissions.
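The sequencing, encryption and self-checking controls above can be shown working together. The following is an added example, not from the textbook: it frames each message with a sequence number and a CRC-32 computed bit by bit (the same polynomial Ethernet uses), detects a flipped bit and a missing or duplicated message, and then demonstrates the caveat that a CRC cannot detect deliberate alteration by an active wiretapper, which requires a keyed message authentication code. The frame layout and the shared key are assumptions made for the demonstration.

```python
"""Sequence numbers, CRC-32 error detection, and why a CRC is not tamper protection.

Added example, not from the textbook. The frame layout (4-byte sequence number,
payload, 4-byte CRC-32) and the shared key are assumptions made for the demo.
"""
import hashlib
import hmac
import struct
import zlib


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 (IEEE 802.3 polynomial, reflected form), the algorithm used by
    Ethernet, zip and PNG. Each byte is folded into the register one bit at a time."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def frame(seq: int, payload: bytes) -> bytes:
    """Build a frame: big-endian sequence number, payload, then CRC over both."""
    body = struct.pack(">I", seq) + payload
    return body + struct.pack(">I", crc32(body))


def unframe(data: bytes):
    """Return (seq, payload); raise ValueError when the CRC does not match."""
    body, received_crc = data[:-4], struct.unpack(">I", data[-4:])[0]
    if crc32(body) != received_crc:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    return struct.unpack(">I", body[:4])[0], body[4:]


def is_corrupted(data: bytes) -> bool:
    """True when the frame fails its CRC check (the receiver would request retransmission)."""
    try:
        unframe(data)
        return False
    except ValueError:
        return True


def check_sequence(received_seqs):
    """Return (duplicates, missing) for the sequence numbers actually received,
    which is how the receiver notices a replayed or dropped message."""
    seen, duplicates = set(), []
    for s in received_seqs:
        if s in seen:
            duplicates.append(s)
        seen.add(s)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return duplicates, missing


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a line error: invert a single bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def tamper(data: bytes, new_payload: bytes) -> bytes:
    """What an active wiretapper does: replace the payload and recompute the CRC.
    The receiver's CRC check passes, so the CRC alone proves nothing about integrity."""
    seq = struct.unpack(">I", data[:4])[0]
    return frame(seq, new_payload)


def mac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the whole frame: only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_valid(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(mac_tag(key, data), tag)


if __name__ == "__main__":
    original = frame(7, b"PAY 100.00 TO ACCT 4242")
    forged = tamper(original, b"PAY 999.00 TO ACCT 6666")
    key = b"shared secret"  # constructed key for the demonstration
    print("crc32 agrees with zlib:", crc32(b"123456789") == zlib.crc32(b"123456789"))
    print("bit flip detected by CRC:", is_corrupted(flip_bit(original, 45)))
    print("forged frame passes CRC:", not is_corrupted(forged))
    print("forged frame passes HMAC:", mac_valid(key, forged, mac_tag(key, original)))
    print("sequence check [1,2,2,4,6]:", check_sequence([1, 2, 2, 4, 6]))
```

The point of the last two prints is the one an auditor should carry away: the CRC reports the forged frame as clean, because the forger recomputed it, while the HMAC fails because the forger does not hold the key. Sequence numbers close the remaining gap by exposing replayed or dropped frames.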
The depth of an auditor’s review of telecommunications controls depends on how dependent the organization
is on telecommunications. If telecommunications are only used for inquiries, hardware controls may be
adequate. However, if funds are being transferred or asset balances are being changed by means of
telecommunications, additional controls will be required.
The auditor should find out what the standards and policies are for network control. For critical applications,
have user controls been instituted? Do audit trails exist for transactions submitted over the network? Is
network monitoring software needed? Is sensitive data encrypted?
System Security
Once a company is connected to an outside network (most usually the Internet), there are a number of
additional security issues that must be properly addressed. The company must make sure that the policies
that it puts in place allow the intended and authorized users to have access to the network as needed.
However, accessibility also creates vulnerability.
Electronic eavesdropping can occur if computer users are able to observe transmissions intended for
someone else. Therefore organizations must ensure that information sent over the network is properly
protected to maintain the confidentiality of company information. Furthermore, the company must ensure
that company files cannot be accessed or changed without authorization.
At a minimum, the system should include user account management, a firewall, anti-virus protection
and encryption.
User account management is the simple process of giving people accounts and passwords. In order for this to be as effective as possible, the company must keep these up-to-date. Accounts of people who have left or no longer need access should be disabled or removed promptly, inactive accounts eliminated, and passwords changed regularly and immediately whenever a compromise is suspected.
One very important consideration about system security is to remember that the level of security applied and
maintained on a system should be consistent with the level of risk in the event of a breach or failure. Not
every system needs the highest level of security. For example, a web server that by design contains only public information does not need the same confidentiality controls as an internal system that manages personnel data, although because it is exposed to the Internet its integrity and availability still matter: a defaced or compromised public server can be used as a stepping stone into the internal network. The auditor should categorize the security risk of each system and make sure that the appropriate controls are in place based on that risk.
1) It must execute itself. A virus often places its own code in the path of the execution of another
program.
2) It must replicate itself. A virus can replace other executable files with a copy of the virus-infected
file.
A virus can be received from an infected disk, a downloaded file or an electronic bulletin board.
A Trojan horse is different from a virus. A very important distinction between Trojan horses and viruses is
that Trojan horses do not replicate themselves, whereas viruses do. The purpose of a Trojan horse is not
to spread like a virus, but to have a particular target — a particular computer — on which to run a program. A
strict definition of a Trojan horse is, “any program that does something besides what a person believes it will
do.” A Trojan horse can appear to be something desirable, but in fact it contains malicious code that, when
triggered, will cause loss or even theft of data. A typical example of a Trojan horse is a program hidden inside
of a humorous animation that opens a back door into the system. Another example of a Trojan horse is
commercial software that collects data on the person running the program and sends it back to the
originating company without warning the target.
You can get a Trojan horse only by inviting it into your computer. Two examples are by:
2) Downloading and running a file from the Internet. Many mass-mailing worms are considered Trojan
horses because they must convince someone to open them. The SubSeven server, which is software
that lets an attacker remotely control any computer it is installed on, is an example of a program
typically embedded in a Trojan horse.
A worm is a program that replicates itself from system to system without the use of any host file. The difference between a worm and a virus is that the worm does not require an infected host file, while the virus does. Worms typically spread on their own over the network, either by exploiting weaknesses in network services running on other computers or by mailing copies of themselves to addresses found on the infected machine. When a Word or Excel document carries a macro that copies itself into other documents, the document is the host file and the program is more precisely a macro virus; some such documents also mail themselves onward, which is worm-like behavior, and in practice the two terms are often used loosely.
A virus hoax is an e-mail telling you that a file on your computer is a virus when it isn’t. These e-mails often
tell you to look on your system for a file with a specific name and, if you see it, delete it because the file
contains a virus that is unrecognizable by your anti-virus program. Everyone will find that file, because it is a
system file that is needed for the computer to operate correctly. If you believe this e-mail and delete the file,
your computer may malfunction.
Note: The difference between a virus and a Trojan is that a virus replicates itself, but a Trojan does not.
The difference between a virus and a worm is that the virus requires an infected host file in order to
replicate itself, while the worm can replicate itself without a host file.
Antivirus software, regularly updated with the latest virus definitions, is the primary defense against viruses, Trojan horses and worms. Antivirus software recognizes and incapacitates known malware before it can do damage. You must keep your antivirus software up-to-date, however, because new viruses appear constantly, and because it can recognize only what its definitions describe it should be complemented by prompt patching of the software weaknesses that worms exploit. Programs that specifically defend against Trojan horses are also available.
Question 145: An organization installed antivirus software on all its personal computers. The software was
designed to prevent initial infections, stop replication attempts, detect infections after their occurrence,
mark affected system components and remove viruses from infected components. This major risk in
relying on antivirus software is that antivirus software may:
(CIA Adapted)
A very broad definition of computer crime according to the FBI National Computer Crime Squad (NCCS) is
“crimes where the computer is a major factor in committing the criminal offense.” The NCCS investigates
violations of the Federal Computer Fraud and Abuse Act (CFAA) and is concerned with all computer crimes
that cross multiple state or international boundaries. CFAA was intended to control interstate computer crime
and since the advent of the Internet, almost all computer use has become interstate and international in
scope.
The NCCS explicitly lists the following as the most serious computer crimes:
• The unauthorized use, access, modification or destruction of hardware, software, data or network.
• The unauthorized release of information.
• The unauthorized copying of software.
• Denying an end user access to his or her own hardware, software, data or network resources.
• Using or conspiring to use computer or network resources to illegally obtain information or tangible
property.
• Copyright infringement such as the illegal copying of copyrighted material, whether intellectual
property, such as computer programs or this textbook, or entertainment property such as music and
movies.
• Denial of Service (DoS) attacks, in which a website or other service is flooded with requests or traffic so that other, legitimate users cannot connect to it.
• Phishing, a high-tech scam that uses spam e-mail to deceive consumers into disclosing their credit
card numbers, bank account information, Social Security numbers, passwords or other sensitive per-
sonal information.
• Installation of malware on a computer without the user's knowledge. Malware can be a keylogger that records every keystroke and sends it back to the hacker. Keylogging software has been used to gather bank information, credit card information, and passwords. Other malware turns a PC into a "zombie," giving hackers full control over the machine. Hackers set up "botnets," networks consisting of thousands or even millions of zombies, that can be made to each send out tens of thousands of spam emails or emails infected with viruses, and the PC users don't even know it is happening.
Using port scans, hackers can look for a particular make of computer or a particular software program, because they know of weaknesses in those computers or programs that they can exploit. Once a hacker has identified and broken into a vulnerable computer or software application, the hacker can leave a back door open in the computer in order to re-enter it at any time. If the original entry point is detected and closed, the back door functions as a hidden, undetected way back in.
The best defense against port scans is a good firewall. A firewall serves as a barrier between the internal and the external networks and prevents unauthorized access to the internal network. A properly configured firewall makes a computer's unused ports invisible to port scans; ports that must be reachable from outside (a public web server's port 80 or 443, for example) cannot be hidden, so the service behind them has to be kept patched. In addition to protecting a computer from incoming probes, a firewall can also prevent backdoor applications, Trojan horses and other unwanted applications from sending data from the computer. Most firewalls can produce a report of Internet usage, including any abnormal or excessive usage and attempts to gain unauthorized entry to the network. A firewall can be in the form of software directly installed on a computer, or it can be a piece of hardware that is installed between the computer and its connection to the Internet.
Auditors should ensure that firewalls are working properly and cannot be bypassed or disabled. Working with
the network administrators, auditors should review the firewall rules, and ensure that all rules are kept up to
date. Firewall logs can be helpful to determine if the firewall is working correctly. It is also important to
remember that firewalls have limitations; while they can prevent unauthorized access of data over the
Internet, they cannot prevent someone from removing data on a physical device like a CD or USB drive.
An organization may also use a proxy server, which is a computer and software that creates a gateway to
and from the Internet. The proxy server contains an access control list of approved web sites and handles all
web access requests, limiting access to only those sites contained in the access control list. This enables an
employer to deny its employees access to sites that are unlikely to have any productive benefits. The proxy
server also examines all incoming requests for information and checks that they come from an authorized source. In this way, a proxy server functions as part of the firewall. The proxy server can also be limited to holding only information that the company can afford to lose. Thus, if this server is broken into, the organization's main servers remain protected and functional.
A sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a
network. Sniffers have legitimate as well as illegitimate uses. Intrusion Detection Systems (IDS) use sniffers
to match packets against a rule set designed to flag things that appear malicious or strange. Network
utilization and monitoring programs often use sniffers to gather data necessary for metrics and analysis.
Most personal computers are on Local Area Networks (LANs), meaning they share a connection with several
other computers. If a network is not switched (a switch is a device that filters and forwards packets between
segments of the LAN), traffic intended for any machine on a segment of the network is broadcast to every
machine on that segment. This means that every computer actually sees the data traveling to and from each
of its neighbors, but normally ignores it. The sniffer program tells a computer to stop ignoring all the traffic
headed to other computers and instead pay attention to that traffic. The program then begins a constant read
of all information entering the computer.
Anything transmitted in plain text over the network is vulnerable to a sniffer — passwords, web pages,
database queries and messaging, to name a few. Once traffic has been captured, hackers can quickly extract
the information they need. The users will never know their information has been compromised, because
sniffers cause no damage or disturbance to the network environment.
Tools called antisniffers are available to defend against sniffers. When a sniffer program is active on a
computer, the computer’s network interface card (NIC) is placed in a state called promiscuous mode. The
antisniffer scans networks to determine if any network interface cards are running in promiscuous mode.
Antisniffers can be run regularly to detect evidence of a sniffer on the network. A switched network is also
a deterrent, because it eliminates the broadcasting of traffic to every machine, although there are programs
that a hacker can use to get around the switched network.
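The promiscuous-mode check that an antisniffer performs can be illustrated for a single host. The following is an added example, not from the HOCK text or any antisniffer product: it assumes a Linux host, where the kernel publishes each interface's flags in /sys/class/net/NAME/flags as a hexadecimal number and the IFF_PROMISC bit is 0x100, and reports the interfaces that are up and in promiscuous mode. The sample flag values are constructed; the sysfs reader runs against the real host when one is available.

```python
"""Report network interfaces whose NIC is in promiscuous mode.

Added example (not from the HOCK text). Assumes a Linux host: each interface
has a flags file under /sys/class/net/<name>/flags holding a hex number, and
bit 0x100 (IFF_PROMISC) marks promiscuous mode. This is a host-local check,
not the network-wide scan an antisniffer performs.
"""
import os

IFF_UP = 0x1
IFF_PROMISC = 0x100


def parse_flags(text):
    """Convert the contents of a flags file (for example '0x1103\n') to an int."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(flag_table):
    """flag_table maps interface name -> flags file contents.

    Returns, sorted, the interfaces that are up and in promiscuous mode; an
    interface that is down is ignored because it cannot be capturing.
    """
    found = []
    for name, text in flag_table.items():
        flags = parse_flags(text)
        if flags & IFF_UP and is_promiscuous(flags):
            found.append(name)
    return sorted(found)


def read_sysfs_flags(base="/sys/class/net"):
    """Collect the flags of the real interfaces on a Linux host (empty elsewhere)."""
    table = {}
    if not os.path.isdir(base):
        return table
    for name in os.listdir(base):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                table[name] = fh.read()
        except OSError:
            continue
    return table


# Constructed sample: loopback, a normal interface, one sniffing, one down.
SAMPLE_FLAGS = {
    "lo":   "0x9\n",      # UP | LOOPBACK
    "eth0": "0x1003\n",   # UP | BROADCAST | MULTICAST
    "eth1": "0x1103\n",   # UP | BROADCAST | PROMISC | MULTICAST
    "eth2": "0x1102\n",   # BROADCAST | PROMISC | MULTICAST, but not UP
}

if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE_FLAGS))
    print("this host:", promiscuous_interfaces(read_sysfs_flags()))
```

Run periodically (for example from a scheduled job that forwards its output to the log collector), a check like this gives the auditor evidence that the "antisniffers can be run regularly" control is actually operating.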
The best defense against phishing is in the hands of the recipient. Recipients need to know not to respond to
any e-mail that requests personal or financial information and not to click on any link given in such an e-mail
that could take them to a spoofed website. Similarly, recipients of unexpected e-mail attachments need to
know not to open them, even if a virus scan has not identified any virus in the attachment. New viruses
appear every day and one could slip past an antivirus program, even one that is updated regularly. Thus,
employee education is a vital part of Internet security.
New e-mail authentication methods, which match the IP address of the server sending an inbound e-mail
against a list of servers authorized to send mail from the sender, may offer some defense against phishing.
Yahoo has developed a system called Domain Keys that gives e-mail providers a way to verify the domain of
each e-mail sender and to check whether messages have been altered during transit. The verified domain can
be compared with the domain used by the sender in the “From” field of the message to detect a forgery. Any
messages identified as forgeries are dropped. Other large Internet Service Providers are beginning to use the
same technology.
Another online scam is directed against companies that advertise on search engines on a “pay-per-click”
basis. Google is probably the best-known example of a search site that charges advertisers each time a visitor
clicks on the ad links. In one version of this scam, a competitor will write a software program that repeatedly
clicks on a business’s ads in order to run up its advertising charges. Ultimately, after too many clicks within a
24-hour period, the ad is pushed off the search engine site, resulting in lost business for the company along
with the inflated advertising fees.
• Password crackers, which are programs that generate different combinations of letters and numbers in
order to guess passwords.
• War dialing or programs that automatically dial random telephone numbers in search of a modem
connection.
• Logic bombs or errors in the logic of computer programs that result in the destruction of computer
data or a malicious attack when specific criteria are met.
• Buffer overflow, which sends too much data to the buffer in a computer’s memory, crashing it or
enabling the hacker to gain control over it.
Some computer crime tactics involve efforts in person as well as computer activities. Tactics involving
personal effort include social engineering and dumpster diving. Social engineering involves calling up
company employees and deceiving them into divulging information such as passwords. Dumpster diving is
sifting through a company’s trash for information that can be used either to break into its computers directly
or to assist in social engineering.
However, it is not only outsiders who commit computer crimes against a company. Insiders — or company
employees — are a primary source of trouble. Employees who are planning to leave one employer and go to
work for a competitor can use their company e-mail to transmit confidential information from the current
employer to the future employer.
Insider crime can also include using the company computer for private consulting, personal financial business,
playing video games on company time or browsing pornography sites. A legitimate use of sniffers, described
earlier, is monitoring network usage to reveal evidence of improper use. Some businesses install software
that enables them not only to monitor their employees’ access to websites but also to block access to certain
websites. Improper use of the Internet and e-mail at work can get an employee fired immediately.
Encryption
The best protection against traffic interception resulting in data leaks is encryption. Encryption converts data
into a code and then a key is required to convert the code back to data. Unauthorized people can receive the
coded information, but without the proper key, cannot read it. Thus, an attacker may be able to see where
the traffic came from and where it went, but not the content.
The encryption process can be either in the hardware or in the software. There are two methods of software
encryption: secret key and public key/private key.
• In a secret key system, each sender and recipient pair has a single key that is used to encrypt and
decrypt the messages. The disadvantage to this method is that every pair of senders and receivers
must have a separate set of keys that match. If several pairs all used the same set, then anyone
having the key could decrypt anyone else’s message and it wouldn’t be a secret. This is impractical
over the Internet, because any one company could have thousands of potential customers as well as
others from whom it would need to receive messages.
• The public key/private key encryption system is a better system for companies to use. In a
public-key/private-key encryption system, each entity that needs to receive encrypted data publishes
a public key for encrypting data while keeping a private key to itself as the only means for
decrypting that data. Anyone can encrypt and send data to the company using its published public
key, but only the company’s private key can be used to decrypt the data and only the company that
published the public key has the private key.
A company obtains a public key and the private key to go with it by applying to a Certificate Authority,
which validates the company’s identity and then issues a certificate and unique public and private
keys. The certificate is used to identify a company, an employee or a server within a company. The
certificate includes the name of the entity it identifies, an expiration date, the name of the Certificate
Authority that issued the certificate, a serial number and other identification. The certificate always
includes the digital signature of the issuing Certificate Authority, which permits the certificate to
function as a “letter of introduction” from the Certificate Authority. One example of public/private
encryption keys is SSL (Secure Sockets Layer), used on secure web sites.
Encryption strength is determined by the bit length of the keys, such as 256-bit or 2048-bit. Different
encryption methods have different bit lengths, so you can’t necessarily compare the bit length of two different
encryptions to say which is stronger. However, for the same encryption method, a longer key will always be
more secure (i.e. 2048-bit RSA is always stronger than 1024-bit RSA).
Auditors should ensure that encryption is actually being used everywhere that it should be and that all
encryption keys are being protected against disclosure. Encryption keys are frequently created with
passwords, so there should be guidelines in place and enforced for creating sufficiently strong passwords.
Auditors should also ensure that SSL (Secure Sockets Layer) is being used with web sites sending or
receiving sensitive information. SSL is a built-in encryption system in all modern web browsers and doesn’t
require any technical knowledge to use (the web browser automatically handles the encryption with the web
site being accessed). Sniffers, discussed previously, can be used to verify that data is encrypted during
transmission.
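Using a capture to verify that data is actually encrypted in transit needs a rule for deciding what a captured payload looks like. The following is an added example, not from the HOCK text: it scores a payload by its Shannon entropy (ciphertext and compressed data sit near 8 bits per byte, readable text well below) and by a search for plaintext markers such as HTTP headers or credential fields. The threshold, the marker list and the two sample payloads are assumptions made for illustration; the "ciphertext" sample is deterministic hash output standing in for a captured TLS record.

```python
"""Triage captured payloads: plaintext or likely encrypted?

Added example (not from the HOCK text). The entropy threshold, the marker
list and the sample payloads are assumptions made for illustration.
"""
import hashlib
import math
from collections import Counter

PLAINTEXT_MARKERS = (b"HTTP/1.", b"password=", b"passwd=",
                     b"Authorization:", b"SELECT ")
ENTROPY_THRESHOLD = 6.5   # bits per byte; assumption, tune on real captures


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or uniform input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_markers(data):
    return [m.decode() for m in PLAINTEXT_MARKERS if m in data]


def classify_payload(data):
    """Return a verdict plus the evidence behind it.

    A plaintext marker settles the question; otherwise entropy decides.
    Note that compressed data is also high-entropy, so 'likely_encrypted'
    is a screening result, not proof.
    """
    entropy = shannon_entropy(data)
    markers = find_markers(data)
    if markers:
        verdict = "plaintext"
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "likely_encrypted"
    else:
        verdict = "unclear"
    return {"verdict": verdict, "entropy": round(entropy, 2), "markers": markers}


def pseudo_ciphertext(seed, length):
    """Deterministic high-entropy bytes standing in for a captured TLS record."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Constructed samples: a cleartext login and an encrypted-looking record.
SAMPLE_HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                     b"user=jdoe&password=Spring2013!")
SAMPLE_TLS_RECORD = pseudo_ciphertext(b"constructed-sample", 512)


def audit_capture(payloads):
    """Map each labelled payload to its verdict."""
    return {label: classify_payload(data)["verdict"]
            for label, data in payloads.items()}


if __name__ == "__main__":
    print(audit_capture({"login": SAMPLE_HTTP_LOGIN, "tls": SAMPLE_TLS_RECORD}))
```

For the auditor the finding is the first case: a credential field visible in a capture means the control "encryption is used everywhere it should be" has failed for that connection, regardless of what the policy says.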
Question 147: A controller became aware that a competitor appeared to have access to the company’s
pricing information. The internal auditor determined that the leak of information was occurring during the
electronic transmission of data from branch offices to the head office. Which of the following controls
would be the most effective in preventing the leak of information?
a) Asynchronous transmission.
b) Encryption.
d) Use of passwords.
(CIA Adapted)
Privacy
Privacy is the right to say how your personal information is collected, stored and used. Any information that
can be tied back to a specific individual is considered personal information. In the context of information
technology, privacy applies to both customers and employees. While it is necessary to collect certain
information about both customers and employees to process business transactions, it is also important for
them to feel that their privacy is respected.
While specific privacy laws vary by country, the common standards with regards to privacy include what are
known as the Fair Information Practice Codes:
• Notice: People should be told who is collecting the data, what data is being collected, how that data
will be used and how that data is being protected.
• Choice: People should be able to choose how their personal information is used, both for the immediate
business purpose and in the future (e.g. such as signing up for email newsletters).
• Access: People should be able to easily view and update their stored personal information.
• Security: Companies should take reasonable steps to ensure adequate controls over personal
information. This includes preventing unauthorized access, use or distribution of the information.
• Enforcement: The privacy policies must actually be enforced. A privacy policy is worthless if it is
not enforced at all levels within the company.
The auditor’s role with regards to privacy is to be sure that privacy laws, regulations and policies are
communicated and enforced. Employees need to understand how the privacy policies affect the execution of
their job and what the penalties are for non-compliance.
Contingency Planning
In any computer system, it is essential that the company have plans for the backup of data and the
recovery of data, especially in the context of disaster recovery.
Several different processes and backup plans function as part of the backup and recovery plan.
• Program files, as well as data files, should be backed up regularly. Backup systems need to be very
methodical, ensuring that all backups are properly stored, labeled, and secured. At least two backup
storage media should be used to protect against failure. Types of media include hard drives, optical
discs (CD, DVD, or Blu-ray), magnetic tapes, and flash memory.
• Copies of all transaction data are stored as a transaction log as they are entered into the system.
Should the master file be destroyed during processing, computer operations will roll back to the
most recent backup; recovery takes place by reprocessing the data transaction log against the
backup copy.
• Backups should be stored at a secure, remote location, so that in the event data is destroyed due to
a physical disaster, it can be reconstructed. It would do very little good to have a backup tape in the
same room as the computer if that area were destroyed by fire. Backup data can be transmitted
electronically to the backup site through a process called electronic vaulting. The security of the
remote location needs to be evaluated periodically.
• Grandparent-parent-child processing is used because of the risk of losing data before, during or
after processing work. Files from previous periods are retained and if a file is damaged during updating,
the previous files can be used to reconstruct a new current file. These files should be stored
off-premises.
• Fault-Tolerant Systems are systems designed to tolerate faults or errors. They often utilize
redundancy in hardware design, so that if one system fails, another one will take over. Computer
networks can be made redundant in several ways:
o With multiple processors, consensus-based protocols specify that if one processor disagrees
with the others, it should be ignored.
o With two processors, the second processor can serve as a watchdog processor. If something
happens to the primary processor, the watchdog processor takes over.
o A computer or server could have two disks and all data on the first disk is mirrored on the second
disk. This is called disk mirroring or disk shadowing. Should one disk fail, the processing
continues on the good disk.
o Rollback processing may be used to prevent any transactions being written to disk until they
are complete. If there is a power failure or another fault during processing, the program
automatically rolls itself back to its pre-fault state at its first opportunity.
o Duplicate circuitry is the double wiring of key hardware elements to ensure that if one circuit
malfunctions, the other will take over.
o A redundancy check is the process of sending repeated sets of data to confirm the original data
sent. Summary processing is a redundant process using a sum, which is compared with the
control total from the processing of the detailed items.
o An echo check is the process of sending the received data back to the sending computer to
compare what was actually sent to make sure that it is the same.
o In a dual read check, data is read twice during input and compared.
o Boundary protection is protection against unauthorized entry (read or write) to a tape, disk or
other storage device.
o Graceful degradation means that if a part of the system malfunctions, other components can
be programmed to continue the processing, although on a less efficient basis.
o Overflow check means that the data is checked and an error message activated if data is lost
through arithmetic operations that exceed the planned capacity of the receiving fields.
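The transaction-log, grandparent-parent-child and control-total items above describe one recovery procedure, which the following added example (not from the HOCK text) works through end to end: every transaction is written to a log as it is entered, backups are kept in three generations, and after the live master file is lost it is rebuilt by replaying the log against the newest intact backup, with a control total used to confirm the result. The record layout, the generation-retention rule and the sample transactions are assumptions made for illustration.

```python
"""Recover a master file from a backup generation plus the transaction log.

Added example (not from the HOCK text). The record layout, the retention of
three generations and the sample transactions are assumptions made for
illustration.
"""
import copy


class MasterFile:
    def __init__(self, keep_generations=3):
        self.balances = {}      # live master data: account -> balance
        self.log = []           # complete transaction log: (seq, account, delta)
        self.generations = []   # backups, oldest first; the newest is the "child"
        self.keep = keep_generations
        self.seq = 0

    def post(self, account, delta):
        """Write the transaction to the log first, then apply it to the master."""
        self.seq += 1
        self.log.append((self.seq, account, delta))
        self.balances[account] = self.balances.get(account, 0) + delta

    def backup(self):
        """Snapshot the master and retire anything older than the grandparent."""
        self.generations.append({"seq": self.seq,
                                 "data": copy.deepcopy(self.balances)})
        self.generations = self.generations[-self.keep:]

    def control_total(self):
        return sum(self.balances.values())

    def recover(self, log, damaged_generations=0):
        """Rebuild the master from the newest intact backup plus the log.

        damaged_generations is how many of the newest backups are unusable:
        0 uses the child, 1 the parent, 2 the grandparent.
        """
        intact = self.generations[:len(self.generations) - damaged_generations]
        if not intact:
            raise RuntimeError("no intact backup generation available")
        base = intact[-1]
        data = copy.deepcopy(base["data"])
        # Reprocess only the transactions entered after that backup was taken.
        for seq, account, delta in sorted(log):
            if seq > base["seq"]:
                data[account] = data.get(account, 0) + delta
        return data


def control_total_matches(data, expected_total):
    """Summary processing: the recovered detail must add up to the control total."""
    return sum(data.values()) == expected_total


def run_scenario():
    """Constructed scenario: three backup cycles, then loss of the live master."""
    mf = MasterFile()
    mf.post("A-100", 500)
    mf.post("B-200", 250)
    mf.backup()                          # grandparent, taken at seq 2
    mf.post("A-100", -120)
    mf.backup()                          # parent, taken at seq 3
    mf.post("C-300", 75)
    mf.post("B-200", 25)
    mf.backup()                          # child, taken at seq 5
    mf.post("A-100", 40)                 # entered after the last backup
    expected_total = mf.control_total()  # 770, recorded before the loss
    log = list(mf.log)
    mf.balances = {}                     # the live master file is destroyed
    from_child = mf.recover(log)
    from_parent = mf.recover(log, damaged_generations=1)
    return expected_total, from_child, from_parent


if __name__ == "__main__":
    total, child, parent = run_scenario()
    print(total, child, parent, control_total_matches(child, total))
```

The point the auditor should take from the parent-generation path is that recovery from an older backup only works if the log itself survives: the log and the backups must be stored and protected separately, or the older generations are worthless.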
Question 148: Management’s enthusiasm for computer security seems to vary with changes in the
environment, particularly with occurrence of the other computer disasters. Which of the following
concepts should be addressed when making a comprehensive recommendation regarding the costs and
benefits of computer security?
III. Cost and effectiveness of the implementation and operation of computer security.
a) I only.
b) I and II only.
c) III only.
d) I, II and III.
(CIA Adapted)
Disaster Recovery
Not many firms could survive for long without computing facilities. Therefore, an organization should have a
formal disaster recovery plan to fall back on in the event of a hurricane, fire, earthquake, flood or criminal or
terrorist act. A disaster recovery plan specifies:
• Which employees will participate in disaster recovery and what their responsibilities will be. One
person should be designated in charge of disaster recovery and another should be second in
command.
Arrangements for alternative facilities as a disaster recovery site and offsite storage of the company’s
databases are also part of the disaster recovery plan. An alternative facility might be a different facility owned
by the company, or it might be a facility contracted by a different company. The different locations should be
a significant distance away from the original processing site.
Disaster recovery sites may be either hot sites or cold sites. A hot site is a backup facility that has a
computer system similar to the one used regularly. The hot site must be fully operational and immediately
available, with all necessary telecommunications hookups for online processing. A cold site is a facility where
power and space are available to install processing equipment, but it is not immediately available. If an
organization uses a cold site, its disaster recovery plan must include arrangements to get computer
equipment installed there quickly.
There are also several companies that operate “mobile recovery” centers. On a contracted basis, in the event
of a disaster that destroys operations facilities, they arrive within hours in a tractor-trailer or van that is fully
equipped with their client’s platform requirements, 50 to 100 workstations and staffed with technical
personnel to assist in recovery.
Personnel should be trained in emergency procedures and re-training should be done regularly to keep their
knowledge fresh. The disaster recovery plan should be tested periodically by simulating a disaster in order to
reveal any weaknesses in the plan. This test should be conducted using typical volumes, and processing times
should be recorded. The disaster recovery plan should be reviewed regularly and revised when necessary, and
the members of the disaster recovery team should each keep a current copy of the plan at home.
The internal auditor needs to determine two basic things with respect to the planning and preparation for
disaster recovery:
The auditor will need to determine how dependent the company is on its information systems, whether a
disaster recovery plan has been developed and if so, whether the plan is adequate. Does the plan include
priorities for which are the critical applications that are to be executed first and which can be omitted? Are
there backup means of transmitting data as well as plans to restore the data center itself? Disaster recovery
plans should also be tested at periodic intervals to ensure that operations can be resumed in the event of a
real disaster, and corrections can be made if any problems are found. The internal auditor should observe a
simulation of a disaster and execution of the disaster recovery plan, and should help assess what parts of the
plans worked and what areas need to be improved.
Question 149: A critical aspect of a disaster recovery plan is to be able to regain operational capability as
soon as possible. To accomplish this, an organization can have an arrangement with its computer
hardware vendor to have a fully operational facility available that is configured to the user's specific
needs. This is best known as a(n):
b) Parallel system.
c) Cold site.
d) Hot site.
(CMA Adapted)
Question 150: Good planning will help an organization restore computer operations after a processing
outage. Good recovery planning should ensure that:
a) Backup/restart procedures have been built into job streams and programs.
(CIA Adapted)
Databases
A database is a series of related data files that are combined in one location in order to eliminate unnecessary
redundancy of data within a system or company. Data records are consolidated into databases that provide
data for many different application programs. Before discussing databases, however, it is useful to examine
the basic data hierarchy and how files are stored and accessed on a computer.
• A field is an item within a record (such as an address, phone number or account number).
• A key is an attribute of a record that allows the record to be sorted. The primary key is the primary
identifier for the record, and a secondary key may be used to further sort the records.
Accessing Files
All data records usually contain identification fields, or keys, to identify the record. The primary key is the
main identifier. A logical record is what is stored and the physical record is where and on what medium it
is stored.
• One of the most basic ways to access data is by sequential access. Records are physically stored in a
predefined sequence according to the primary record key in each record, and they can only be accessed
in that order. If there are 5,000 records in a file, and the needed record is at the end, all
4,999 other records must be accessed before reaching the last record. For this reason, sequential file
organization is not very efficient.
• An indexed file, also called an inverted file, is stored on a disk drive. It uses an index to locate
records on the disk, and the records do not have to be in any predefined sequence. Locating the records
is a two-step process. First, the index is consulted for the matching record number, which tells
the computer where the information is stored on the disk. Then, the record is loaded from the disk.
This process is faster than sequentially searching every record on the disk.
• Indexed-sequential files are sequential files stored on a disk drive that are indexed and physically
sorted on the same field. Indexed-sequential files are called ISAM files, short for indexed-sequential
access method. ISAM is a compromise between sequential and direct access files. The processing of
a batch of records can be done sequentially, while inquiries to the file can be done using the index. A
limitation of indexed-sequential files is that all of the indexes must be updated every time the files
are updated.
• Direct access files permit records to be almost instantly retrieved without the use of an index. Direct
access file systems assign each record to a location on the disk drive by using a key field in the record.
The record can be directly accessed without any searching. The main advantage is that several
master files can be updated at the same time, but the main disadvantage is that records cannot be
located without a key. For example, with direct access it would be extremely fast to locate Invoice
47154, but getting a list of all invoices would be very difficult and/or time consuming. Therefore, direct
access file organization is best used when activity is low and files are very large.
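The three access methods just described can be compared on the same data by counting how many records each one touches to find a single invoice. The following is an added example, not from the HOCK text: it builds a constructed file of 5,000 invoice records in primary-key order and searches it sequentially, through an index, and by direct (key-hashed) placement. The hashing rule for direct access and the record contents are assumptions made for illustration; the counts include the record found, so the sequential search for the last record touches all 5,000.

```python
"""Records touched under sequential, indexed and direct access.

Added example (not from the HOCK text). The file contents and the hashing
rule used for direct placement are assumptions made for illustration.
"""


class InvoiceFile:
    BUCKETS = 1024   # number of direct-access locations; assumption

    def __init__(self, n_records, first_invoice=40001):
        # Sequential organisation: records physically stored in key order.
        self.records = [{"invoice": first_invoice + i, "amount": (i * 37) % 1000}
                        for i in range(n_records)]
        # Indexed organisation: primary key -> physical position of the record.
        self.index = {r["invoice"]: pos for pos, r in enumerate(self.records)}
        # Direct organisation: the key itself decides where the record lives.
        self.buckets = [[] for _ in range(self.BUCKETS)]
        for r in self.records:
            self.buckets[self._location(r["invoice"])].append(r)

    @classmethod
    def _location(cls, key):
        return key % cls.BUCKETS

    def sequential_find(self, key):
        """Read records in stored order until the key turns up."""
        touched = 0
        for r in self.records:
            touched += 1
            if r["invoice"] == key:
                return r, touched
        return None, touched

    def indexed_find(self, key):
        """Two steps: consult the index, then read exactly one record."""
        pos = self.index.get(key)
        if pos is None:
            return None, 0
        return self.records[pos], 1

    def direct_find(self, key):
        """Go straight to the location derived from the key; no index, no scan."""
        touched = 0
        for r in self.buckets[self._location(key)]:
            touched += 1
            if r["invoice"] == key:
                return r, touched
        return None, touched

    def list_all_direct(self):
        """The weak spot of direct access: listing everything means visiting every location."""
        return sorted(r["invoice"] for bucket in self.buckets for r in bucket)


if __name__ == "__main__":
    f = InvoiceFile(5000)
    for name, finder in (("sequential", f.sequential_find),
                         ("indexed", f.indexed_find),
                         ("direct", f.direct_find)):
        _, touched = finder(45000)
        print(f"{name}: {touched} record(s) touched to find invoice 45000")
```

The text's own observation that "getting a list of all invoices would be very difficult" under direct access shows up as list_all_direct, which has to walk every location and sort afterwards, whereas the sequential file already is that list.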
Volatility is the measure of the number of additions, deletions and changes to a file during a period of time.
As computing power grew and computer hardware became capable of handling more and more data, flat files
became problematic. The difficulties involved finding the right file for the information desired, duplication of
the same data in different files, and no standardization of formats or files. Furthermore, because the data was
stored in flat files, anytime the file was changed or updated, the whole file had to be rewritten. Indexed
sequential files solved many of the problems with flat files.
Ultimately, the database management systems (DBMSs) that we are familiar with today were developed.
Early relational databases, like FoxPro and DB2, were run on personal computers. Database management
systems standardized storage, manipulation, and retrieval of data. Under a database management system,
data is stored in a standard format using Data Definition Language (DDL), which allows the database
administrator to define the logical structure of the database (the schema). Data is edited, updated,
manipulated and extracted using a Database Manipulation Language (DML). Finally, data is retrieved
using a Query Language, which allows the user to request information from the database. The database
management system provides all these languages in statement (i.e., command) form, and these are what
the database administrator uses to create a database. Because of its standardized format, a database can be
accessed and updated by multiple applications.
In a relational database, the most commonly used type of database, data is stored in tables rather than in
flat files. When the database is developed, specific data fields and records are defined. The database
administrator also specifies ways in which the data records and fields will be related to each other and how
they will be viewed or reported. In order to do this, the records and fields must be structured.
Entity-Relationship Modeling
The Entity-Relationship (E-R) Model is a tool used by database administrators to plan and analyze database
files and records. An entity-relationship diagram is drawn to represent the relationships between and
among the different entities in the database. An entity-relationship diagram utilizes symbols to represent
items in the database and to illustrate their relationship to one another. For instance, a rectangle represents a
database entity, and a database entity is each resource, event, or agent, such as a customer. An oval
represents an attribute, such as the customer’s telephone number. An oval with an underline represents the
primary key, such as the customer’s account number.
The three most important relationship types are (a) one-to-one, (b) one-to-many, and (c) many-to-many.
These relationship types are known as database cardinalities. They show the nature of the
relationship between the entities.
Note: Database cardinalities show the nature of a relationship between two entities in a database.
Relationships between entities can be one-to-one, one-to-many, or many-to-many.
For example, for each employee in an organization, there will probably be many paychecks issued. This is a
one-to-many relationship. The database might contain one file with employee names and employee ID
numbers, and a second file with the employee ID number of each employee and all the paychecks issued for
each employee ID number. The employee ID number in the first file serves as the primary key. In the second
file, the employee ID number serves as the foreign key that ties the two files together. The database can
locate all of the paychecks issued for one particular employee by name by using the employee ID number
attached to the person’s name in the employee file and locating all the individual paycheck records for that
employee ID number in the other file.
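The employee/paycheck relationship described above can be built and queried with Python's built-in sqlite3 module, which embeds a relational database in the script. The following is an added example, not from the HOCK text: the table and column names and the sample rows are assumptions made for illustration. The employee ID is the primary key of one table and the foreign key of the other, the lookup by name follows that key from one table into the other, and with foreign-key enforcement switched on the database itself refuses a paycheck whose employee ID matches no employee.

```python
"""One-to-many relationship (employee -> paychecks) in a relational database.

Added example (not from the HOCK text) using the standard-library sqlite3
module. Table names, column names and sample rows are assumptions made for
illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE employee (
    employee_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE paycheck (
    check_no    INTEGER PRIMARY KEY,
    employee_id INTEGER NOT NULL REFERENCES employee(employee_id),
    pay_date    TEXT NOT NULL,
    amount      REAL NOT NULL
);
"""


def build_db():
    """Create the two tables in memory and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite leaves this off by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [(101, "Ana Ruiz"), (102, "Ben Okafor")])
    conn.executemany("INSERT INTO paycheck VALUES (?, ?, ?, ?)", [
        (1, 101, "2013-01-31", 2500.00),
        (2, 102, "2013-01-31", 2100.00),
        (3, 101, "2013-02-28", 2500.00),
    ])
    conn.commit()
    return conn


def paychecks_for(conn, name):
    """Find the employee by name, then follow employee_id into the paycheck table."""
    return conn.execute(
        """
        SELECT p.check_no, p.pay_date, p.amount
        FROM employee AS e
        JOIN paycheck AS p ON p.employee_id = e.employee_id
        WHERE e.name = ?
        ORDER BY p.check_no
        """,
        (name,),
    ).fetchall()


def orphan_paycheck_rejected(conn):
    """Attempt to pay a non-existent employee; True if the database refused it."""
    try:
        conn.execute("INSERT INTO paycheck VALUES (?, ?, ?, ?)",
                     (4, 999, "2013-02-28", 1.00))
        conn.rollback()
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True


if __name__ == "__main__":
    db = build_db()
    print(paychecks_for(db, "Ana Ruiz"))
    print("orphan rejected:", orphan_paycheck_rejected(db))
```

The parameter placeholders (?) are the reason the query is safe to run with a name typed by a user: the name travels as data, not as part of the SQL text.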
Database Structure
Databases are structured according to one of several different models. The model used will determine the
relationships among the individual records stored in the database. Different database management system
packages use different models. The five fundamental structures used in designing databases are:
• Hierarchical structure
• Network structure
• Relational structure
• Multidimensional structure
• Object-oriented structure
A hierarchical structure organizes information into regular records so that each set of records forms a
hierarchy, or tree-like structure. Records are arranged in multilevel structures consisting of a root record and
any number of subordinate levels. The entity relationships among records are one-to-many. These
databases are highly structured and were used by early mainframe DBMSs. Hierarchical databases are
suitable for data that consists of tightly coupled records, for example, customer information to purchases
made to support calls placed. Hierarchical databases accumulate redundant data, i.e., the same data in
more than one place. They can be difficult to query because data is accessed by moving progressively
downward from the root until the desired record is located.
A network structure is still used by some mainframe DBMSs. It allows many-to-many entity relationships
among records. A data element can be accessed by following any of several paths, because any one
can be related to any number of other data elements. For example, departmental records can be related to
more than one employee record, and employee records can be related to more than one project record.
The relational model is the most popular and widely used database structure. All data elements are stored
in the form of tables. Data from various tables is linked by means of one field, such as customer number, that
is common to all the tables. Thus, one table might contain customer numbers and customer names. Another
table would have customer numbers and customer addresses. All the necessary information about a customer
could be accessed by means of the customer number, which is common to both tables. The relational model is
used by most microcomputer DBMS packages and also by midrange and mainframe systems. Relational
databases permit complex queries to be made, and they eliminate redundant data. They are best for
situations where a lot of records are being cross-referenced and combined. For example, a relational database
could be used to make production decisions where information about inventories, part specifications,
personnel availability, costs, sales and supplies needs to be analyzed. However, if the database design is
faulty, the advantages of a relational database can be lost and the result will be less maintainable than a less
stringent model would be.
The object-oriented database model is the newest type of database structure and is conceptually similar to
object-oriented programming because the database is modeled after real-world entities. Each object has
fields that contain the information, as well as a set of actions that can be performed upon the data. Just like
in object-oriented programming, database objects can inherit properties from a parent, allowing easy reuse
and extension of existing database objects. Object-oriented databases are also designed to store more
complex data types, such as sounds, images, or even video, although the newest relational database
management systems have also added more media storage capabilities. Nevertheless, object-oriented
databases are considered one of the key technologies in our increasingly media-oriented world, especially on
the Internet. For example, Amazon.com now allows customers to post not only text reviews of products that
they have purchased, but video reviews as well.
Distributed Databases
A database may be stored in more than one physical location. This is most often done to enhance database
performance, but may also be done as a backup strategy or to provide a fail-over database in case of
disaster. A database that is stored in more than one location is a distributed database.
With a distributed database, there must be a process to bring the two or more parts of the data together to
form the complete set of data. One approach is replication (also called the snapshot technique): duplicate
copies of the entire database, or of some subset of its tables, are made on a regular schedule and sent to the
other locations where they will be used. With replication, users update only the original database. The copies
are used in query-only mode and may not be updated, or they would fall out of sync with the original; a copy
is also only as current as the last snapshot that produced it. Because each copy contains the same data as
the original, it needs the same access controls as the original, both while it is being transmitted and at the
site that receives it. Some databases, such as Oracle, offer automatic replication as an option.
If a company uses the fragmentation (or partitioning) system, the system stores items of data where they
are most needed. For example, information on sales in San Francisco is kept and updated on a database
server in San Francisco, while information on sales in New York is kept and updated on a database server in
New York. Then, if the information is needed somewhere else, it is retrieved from the place where it is stored.
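The snapshot technique described above, as an added example that is not part of the HOCK text: a primary SQLite database is copied whole into a replica with SQLite's online backup API, and the replica is kept in query-only mode so that it cannot be updated and drift from the original. The sales table, its rows and the city names are constructed for illustration; the example also shows that the replica is stale between snapshots.

```python
import sqlite3

# Added example (not from the HOCK text): snapshot replication between two SQLite
# databases. The primary is the only copy that accepts updates; the replica is
# refreshed by copying the whole database and is kept in query-only mode.

def make_primary():
    """Primary database with a constructed sales table."""
    primary = sqlite3.connect(":memory:")
    primary.execute(
        "CREATE TABLE sales (id INTEGER PRIMARY KEY, city TEXT NOT NULL, amount REAL NOT NULL)"
    )
    primary.executemany(
        "INSERT INTO sales (city, amount) VALUES (?, ?)",
        [("San Francisco", 120.0), ("New York", 80.0), ("San Francisco", 45.5)],
    )
    primary.commit()
    return primary

def take_snapshot(primary, replica=None):
    """Copy the entire primary into the replica (the snapshot technique).

    The backup API copies database pages below the SQL layer; query-only mode is
    switched off and on around it only to make the intent explicit. Afterwards
    every INSERT/UPDATE/DELETE issued against the replica is refused by SQLite.
    """
    if replica is None:
        replica = sqlite3.connect(":memory:")
    replica.execute("PRAGMA query_only = 0")
    primary.backup(replica)            # whole-database copy, all tables
    replica.execute("PRAGMA query_only = 1")
    return replica

def total_sales(conn, city):
    """Read-only query; valid on the primary and on any replica."""
    cur = conn.execute("SELECT COALESCE(SUM(amount), 0) FROM sales WHERE city = ?", (city,))
    total = cur.fetchall()[0][0]
    cur.close()
    return total

def record_sale(primary, city, amount):
    """Updates go to the primary only."""
    with primary:                      # commit on success, roll back on error
        primary.execute("INSERT INTO sales (city, amount) VALUES (?, ?)", (city, amount))

def replica_rejects_update(replica):
    """True if the replica refuses a write, as a query-only copy must."""
    try:
        replica.execute("INSERT INTO sales (city, amount) VALUES (?, ?)", ("Boston", 1.0))
    except sqlite3.DatabaseError:      # SQLITE_READONLY surfaces as OperationalError
        replica.rollback()             # discard the implicit transaction Python opened
        return True
    replica.rollback()                 # should not happen; undo the write if it did
    return False
```

The replica answers the same query as the primary only until the next update reaches the primary; re-running take_snapshot on the same replica connection brings it current again.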
Deadly Embrace
A deadly embrace (a deadlock) occurs when two different applications or transactions each hold a lock on
data that the other one needs. Neither process is able to proceed, because each is waiting for the other to
release its lock. The DBMS therefore must have a method of detecting the condition, typically by finding a
cycle in the graph of which transaction is waiting for which, or by timing out a lock wait, and a rule for
determining which transaction goes first. The other transaction is rolled back so that its locks are released,
and it is then restarted and completes using the data as updated by the transaction that went first.
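The detection and resolution just described, as an added example that is not part of the HOCK text: a small lock manager records which transaction holds each data item and which item each blocked transaction is waiting for, detects a deadly embrace by finding a cycle in that wait-for graph, and rolls back one member of the cycle so that the other can finish. The transaction names, data items and the victim rule (roll back the youngest transaction) are assumptions made for this example; real DBMSs use their own victim rules.

```python
# Added example (not from the HOCK text): a toy lock manager that detects a
# deadly embrace as a cycle in the wait-for graph and rolls back the youngest
# transaction in the cycle so the other one can proceed.

class LockManager:
    def __init__(self):
        self.owner = {}        # data item -> transaction holding its exclusive lock
        self.held = {}         # transaction -> set of items it holds
        self.waiting = {}      # transaction -> item it is blocked on
        self.start_order = []  # active transactions, oldest first (victim selection)

    def begin(self, txn):
        self.held[txn] = set()
        self.start_order.append(txn)

    def lock(self, txn, item):
        """Request an exclusive lock. Returns 'granted', 'waiting' or 'deadlock:<victim>'."""
        holder = self.owner.get(item)
        if holder is None or holder == txn:
            self.owner[item] = txn
            self.held[txn].add(item)
            self.waiting.pop(txn, None)
            return "granted"
        self.waiting[txn] = item                 # blocked: another transaction holds it
        victim = self.find_deadlock_victim(txn)
        if victim is None:
            return "waiting"
        self.rollback(victim)                    # releases the victim's locks
        return f"deadlock:{victim}"

    def find_deadlock_victim(self, start):
        """Follow waiter -> holder edges from `start`; revisiting a node means a cycle."""
        path = [start]
        txn = start
        while txn in self.waiting:
            txn = self.owner.get(self.waiting[txn])
            if txn is None:                      # item freed meanwhile: no edge to follow
                return None
            if txn in path:
                cycle = path[path.index(txn):]
                return max(cycle, key=self.start_order.index)   # youngest in the cycle
            path.append(txn)
        return None

    def release_all(self, txn):
        """Give up every lock the transaction holds so that waiters can proceed."""
        for item in self.held.pop(txn, set()):
            if self.owner.get(item) == txn:
                del self.owner[item]
        self.waiting.pop(txn, None)
        self.start_order.remove(txn)

    def rollback(self, txn):
        """Abort: undo the victim's work (not modelled here) and release its locks."""
        self.release_all(txn)

    def commit(self, txn):
        """Finish normally: the updates stay, the locks are released."""
        self.release_all(txn)


def deadly_embrace_demo():
    """Two transactions lock items A and B in opposite order; returns the event log."""
    lm = LockManager()
    log = []
    lm.begin("T1")
    lm.begin("T2")
    log.append(("T1", "A", lm.lock("T1", "A")))
    log.append(("T2", "B", lm.lock("T2", "B")))
    log.append(("T1", "B", lm.lock("T1", "B")))   # blocks: T2 holds B
    log.append(("T2", "A", lm.lock("T2", "A")))   # blocks: T1 holds A -> cycle, T2 rolled back
    log.append(("T1", "B", lm.lock("T1", "B")))   # retry succeeds: B was released
    lm.commit("T1")
    lm.begin("T2")                                 # restart the victim after T1 finished
    log.append(("T2", "B", lm.lock("T2", "B")))
    log.append(("T2", "A", lm.lock("T2", "A")))   # T2 now sees T1's updates
    return log
```

Each request that blocks triggers a walk of the wait-for graph; in this model every transaction waits on at most one item and every item has one holder, so the walk is a simple chain and a repeated node is a cycle.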
Question 151: Of the following, the biggest advantage of a database architecture is:
(CIA Adapted)
1) Database development, enabling database administrators to develop databases and create database
records.
2) Database maintenance, including record deletion, alteration of database information and reorganization
of records when necessary.
3) Database interrogation, permitting users to ask simple questions in a query language in order to
select subsets of records to extract information from the database.
4) Application development, such as developing queries, forms, reports and labels for a business
application and permitting several different application programs to easily access a single database.
Database management systems contain various programs, including utilities to use to back up data;
commands to use in a Data Definition Language (DDL), Data Manipulation Language (DML), and
Query Language; and program creation packages. A database administrator uses the DBMS not only to
create a database, but also sometimes to create an application that will access the data in the database.
Note: A Database Management System is not a database, but rather a set of separate computer programs
that enable the database administrator to create, modify and utilize database information, and also enable
applications and users to query the database.
Database Development
The DBMS is used to create a description of the logical and physical structure or organization of the database
and the relationships among the data elements in the database. This is called the schema. The schema is a
map or plan of the entire database. It specifies the names of the data elements contained in the database and
their relationship to each other.
A subschema defines the data required for specific end-user applications and limits the data elements and
functions available to each application. A subschema is the description of a particular part of the database,
often called a view. One common use of views is to provide read-only access to data that only certain users
are allowed to update but many users need to query. Any particular user or application program uses only
a subset of the information in the database. Subschemas determine what data each user or application
needs and help protect data from unauthorized access, but only if access rights are granted on the view
rather than on the underlying tables: a user who can also read the base tables directly is not restricted by
the view.
The database administrator uses a Data Definition Language (DDL) to create or modify the schema,
subschema and the record structure of the database. In defining the record structure for each table, the
database administrator gives each field a name and a description, determines how many characters the field
will have and what type of data each field will contain (i.e., text, integer, decimal, date, etc.), and may
specify other requirements such as how much disk space is needed for the table.
The format of the input is also defined (e.g., a telephone number will be [XXX] XXX-XXXX). The input mask
for a data field creates the appearance of the input screen, so that a user who is inputting data into the table
will see a blank field or fields in the style of the format (e.g., a date field will appear as __/__/____). The
input mask helps ensure input accuracy. It is a control on the input screen only, however: data that arrives
by other paths (batch loads, interfaces from other systems, direct SQL) bypasses it, so the same format rules
should also be enforced inside the DBMS, for example through field types and check constraints.
This information is stored in a database of data definitions and specifications called a data dictionary. The
data dictionary contains metadata, i.e., data about data. The data dictionary contains the names and
descriptions of all the different data records and their relationships. It also contains the requirements for user
access, use of the application programs, database maintenance, and security.
Once the record structure of the database table has been created, the records can be created.
Structured Query Language (SQL) is a DML, a DDL, and a query language. It has been adopted as a
standard language by the American National Standards Institute (ANSI). All relational databases in use today
allow the user to query the database directly using SQL commands; SQL uses the SELECT command to query
a database. However, business application programs usually provide a graphical user interface (GUI) that
builds the SQL commands to query the database for the user, so users do not need to know the specific
format of SQL commands. When an application builds a command from user input in this way, the input
should be handed to the DBMS as parameters (bind variables) rather than spliced into the command text, so
that a user cannot change the command the application intended to run. Almost every relational database
uses SQL for the description and querying of records.
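The database development steps above (schema, subschema as a view, DDL, a format rule enforced by the DBMS, and the data dictionary) and the DDL/DML/SELECT commands of the SQL paragraph, as one added example that is not part of the HOCK text, run against SQLite from Python. The customer and sale tables, the customer_sales view, the telephone format rule and the sample rows are all constructed for this example; user-supplied values are bound as parameters throughout.

```python
import sqlite3

# Added example (not from the HOCK text): the database development steps run
# against SQLite. Table names, columns, rules and sample rows are constructed.

SCHEMA_DDL = """
-- Schema: tables, their fields and the relationship between them (DDL).
CREATE TABLE customer (
    customer_no  INTEGER PRIMARY KEY,        -- key shared with the sale table
    name         TEXT    NOT NULL,
    -- The (XXX) XXX-XXXX telephone format enforced by the DBMS, not only by an input mask:
    phone        TEXT    NOT NULL
                 CHECK (phone GLOB '([0-9][0-9][0-9]) [0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]'),
    credit_limit INTEGER NOT NULL CHECK (credit_limit >= 0)
);
CREATE TABLE sale (
    sale_no      INTEGER PRIMARY KEY,
    customer_no  INTEGER NOT NULL REFERENCES customer (customer_no),
    amount       REAL    NOT NULL CHECK (amount > 0)
);
-- Subschema: the view that query-only users get instead of the base tables.
-- credit_limit is deliberately left out of it.
CREATE VIEW customer_sales AS
    SELECT c.customer_no, c.name, s.sale_no, s.amount
    FROM customer AS c JOIN sale AS s USING (customer_no);
"""

def build_database():
    """Create the schema (DDL) and load a few constructed records (DML)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")     # enforce the REFERENCES relationship
    conn.executescript(SCHEMA_DDL)
    conn.execute("INSERT INTO customer VALUES (1001, 'Acme Corp', '(415) 555-0100', 5000)")
    conn.executemany("INSERT INTO sale (customer_no, amount) VALUES (?, ?)",
                     [(1001, 250.0), (1001, 99.95)])
    conn.commit()
    return conn

def data_dictionary(conn):
    """Metadata: SQLite keeps its catalogue of schema objects in sqlite_master."""
    cur = conn.execute(
        "SELECT type, name FROM sqlite_master WHERE name NOT LIKE 'sqlite_%' "
        "ORDER BY type, name")
    return [tuple(row) for row in cur.fetchall()]

def add_customer(conn, customer_no, name, phone, credit_limit):
    """True if the record is accepted; False if a NOT NULL/CHECK rule rejects it.
    Values are bound as parameters, never spliced into the SQL text."""
    try:
        with conn:                               # commits on success, rolls back on error
            conn.execute("INSERT INTO customer VALUES (?, ?, ?, ?)",
                         (customer_no, name, phone, credit_limit))
        return True
    except sqlite3.IntegrityError:
        return False

def add_sale(conn, customer_no, amount):
    """A sale for a customer number that does not exist violates the relationship."""
    try:
        with conn:
            conn.execute("INSERT INTO sale (customer_no, amount) VALUES (?, ?)",
                         (customer_no, amount))
        return True
    except sqlite3.IntegrityError:
        return False

def sales_for(conn, customer_no):
    """Query (SELECT) through the view, i.e. the subschema, not the base tables."""
    cur = conn.execute(
        "SELECT sale_no, amount FROM customer_sales WHERE customer_no = ? ORDER BY sale_no",
        (customer_no,))
    return [tuple(row) for row in cur.fetchall()]

def view_rejects_update(conn):
    """A plain view is read-only: SQLite refuses UPDATE/DELETE/INSERT against it."""
    try:
        conn.execute("UPDATE customer_sales SET amount = 0 WHERE sale_no = 1")
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    conn.rollback()
    return False
```

A user or application that is granted only customer_sales can read sales figures but can neither see credit limits nor change any amount; the telephone rule and the customer/sale relationship are enforced for every path into the database, not just for the input screen.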
A DBMS also enables a user to reorganize an entire file of database records quickly and easily by sorting.
Before the advent of database management systems, when records were written sequentially on a disk or a
tape, sorting required the physical rewriting of the records in the desired order. In a database management
system, the records can be indexed, creating a table of record keys and disk addresses that is separate from
the data itself but contains pointers to each physical record of data. Indexing accomplishes the same thing as
sorting, since records can be retrieved in index order, and it is faster and more efficient than sorting.
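The index described above, as an added example that is not part of the HOCK text: records of fixed length sit in a byte string in the order they arrived, and a separate index holds each record key together with the byte offset (the "disk address") of its record. Reading through the index returns the records in key order, and a key lookup becomes a binary search, without any record being rewritten. The record layout, field names and sample records are constructed for this example.

```python
import bisect
import struct

# Added example (not from the HOCK text): a fixed-length record "file" held in a
# byte string, plus an index kept apart from it. The index holds each record key
# and the byte offset of that record; the records themselves are never moved.

RECORD = struct.Struct("<I20s")   # constructed layout: customer_no (4 bytes) + name (20 bytes)

def write_records(rows):
    """Append records in arrival order, as a sequential file would store them."""
    data = bytearray()
    for customer_no, name in rows:
        data += RECORD.pack(customer_no, name.encode("ascii"))   # pack pads/truncates to 20 bytes
    return bytes(data)

def read_record(data, offset):
    """Fetch one physical record by its address."""
    customer_no, raw = RECORD.unpack_from(data, offset)
    return customer_no, raw.rstrip(b"\0").decode("ascii")

def physical_order(data):
    """The records as they sit on 'disk': arrival order, untouched by indexing."""
    return [read_record(data, off) for off in range(0, len(data), RECORD.size)]

def build_index(data):
    """Index = keys in sorted order, each paired with the offset of its record."""
    entries = []
    for offset in range(0, len(data), RECORD.size):
        key, _ = RECORD.unpack_from(data, offset)
        entries.append((key, offset))
    entries.sort()
    keys = [k for k, _ in entries]
    offsets = [o for _, o in entries]
    return keys, offsets

def scan_in_key_order(data, index):
    """Same result as sorting the file, without rewriting a single record."""
    _, offsets = index
    return [read_record(data, off) for off in offsets]

def lookup(data, index, customer_no):
    """Binary search on the index instead of reading every record."""
    keys, offsets = index
    i = bisect.bisect_left(keys, customer_no)
    if i < len(keys) and keys[i] == customer_no:
        return read_record(data, offsets[i])
    return None

# Constructed sample: records arrive out of key order.
SAMPLE_ROWS = [(1003, "Carol"), (1001, "Alice"), (1002, "Bob")]
```

Adding a record means appending it to the data and inserting one (key, offset) pair into the index; the index must be rebuilt or updated whenever records are added or deleted, which is the maintenance cost a DBMS pays for fast retrieval.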
DBMS packages usually include one or more programming languages that can be used to develop custom
applications by writing programs that contain statements calling on the DBMS to perform the necessary data
handling functions. When writing a program that uses a database that is accessed with a DBMS, only the
name of the data item is needed, and the DBMS locates the data item in the storage media. Thus, the
application programs are independent from the physical arrangement of the data.
Note: One of the key characteristics of a database management system is that the applications that
access the database are programmed to be independent of the data itself. This means that the programs
do not refer to a specific number or item, but rather to the name of the data item. This is like when
changing a number in a spreadsheet, you don’t need to change the formulas, because the formulas relate
to the cell and not to the number itself.
a) The decrease in the cost of the data processing department as users become responsible for
establishing their own data handling techniques.
b) The independence of the data from the application programs, which allows the programs to be
developed for the user's specific needs without concern for data capture problems.
c) A decreased vulnerability because the database management system has numerous security
controls to prevent disasters.
d) The responsibility and control assumed by each organizational unit for its own data.
(CMA Adapted)
Question 153: Which of the following is a false statement about a database management system
application environment?
(CISA adapted)
Once the database is created, the company must decide upon the best way to store the data. It is easiest to
use a single medium to store all of the data, but there is a risk in that if something happens to that single
medium, the entire database is lost, or at least temporarily inaccessible. Therefore, great care has to be
taken that the data is properly stored and backed up. One way of doing this is to always keep the database
information stored in more than one place.
This responsibility for making sure the database is stored efficiently and securely and backed up properly falls
to the database administrator. The database administrator position is a position of high confidentiality and
strong trust, because the DBA's privileges allow the application-level controls over the data to be bypassed. A
person under consideration for that position must be carefully investigated because the position is a highly
security-sensitive one, and the DBA's use of those privileges should be logged and reviewed by someone
other than the DBA.
Question 154: The increased use of database processing systems makes managing data and information
a major information service function. Because the databases of an organization are used for many
different applications, they are coordinated and controlled by a database administrator. The functions of a
database administrator are:
(CMA Adapted)
Question 155: Each day after all processing is finished, a bank performs a backup of its online deposit
files and retains it for 7 days. Copies of each day’s transaction files are not retained. This approach is:
a) Valid, in that having a week’s worth of backups permits recovery even if one backup is unreadable.
b) Risky, in that restoring from the most recent backup file would omit subsequent transactions.
c) Valid, in that it minimizes the complexity of backup/recovery procedures if the online file has to be
restored.
(CIA Adapted)
Enterprise Resource Planning
Note: The major components of an ERP system are: Production Planning, Integrated Logistics, Accounting
and Finance, Human Resources, and Sales, Distribution and Order Management.
Any subdivision of any of the above components is, by itself, not a component of an ERP system.
The two largest ERP vendors are SAP AG and Oracle. PeopleSoft, another well-known ERP vendor, was
purchased by Oracle in late 2004.
The main focus of an ERP system is tracking all business resources and commitments regardless of
where, when, or by whom they were entered. For example, a customer support representative using an
ERP system would be able to look up a customer’s order, see that the product that they ordered is on
backorder due to a production delay, and provide an estimate for the delivery based on the expected arrival
of the required raw materials. Without the sales, support, and production systems being tightly integrated
through an ERP system, this level of customer service is very difficult – or impossible – to achieve.
Writing a program that serves the needs of finance as well as human resources and those in the warehouse is
not an easy task. This is because each of the individual departments in a company usually has its own
computer system and software to help perform its specific work. However, through ERP all of them are
combined into a single, integrated software program through business re-engineering.
All of the data for the entire company is also stored in a single location, an enterprise-wide database
shared by all of the modules. The operational data in this database is typically also copied on a schedule into
a data warehouse, a separate store organized for analysis rather than for transaction processing. By having
all of the company's information from different departments in the same location, a company is able to
manage and access this information more efficiently. Through data warehousing and data mining facilities,
individuals in the company can sort through and utilize the company's information more quickly and easily
than if it were stored in separate locations. In data mining, the data in the data warehouse is analyzed to
reveal patterns and trends and discover new correlations, in order to develop business information.
• Integrated back-office systems result in better customer service and production and distribution
efficiencies.
• Centralizing computing resources and IT staff reduces IT costs versus every department maintaining
their own systems and IT staff.
• Business re-engineering (i.e. developing business-wide integrated processes for the new ERP system)
is time-consuming and requires careful planning.
• Converting data from existing systems into the new ERP system can be time-consuming and/or
costly and, if done incorrectly, can result in an ERP system that contains inaccurate information.
• Training employees to use the new system disrupts existing workflows and requires employees to
learn new processes.
• Most significantly, an unsuccessful ERP transition can result in system-wide failures that disrupt
production, inventory management, and sales, leading to huge financial losses. Because the entire
business relies on the new ERP system, it is critical that it be completely functional and completely
understood by all employees. There is no opportunity to “work out the bugs” or “learn the ropes”
when your entire business relies on the one system.
Internal auditors need to be intimately involved in two areas with respect to ERP software: (1) the evaluation
and selection process for the ERP system, and (2) maintaining the integrity and security of the data.
Question 156: Which of the following statements about ERP systems is correct?
a) While business re-engineering is usually done prior to implementing a new ERP system, it can be
done afterwards without much difficulty.
b) ERP systems require each department or business segment to set up and manage their own
information systems.
c) The most common causes of failure when implementing a new ERP system are inadequate
planning, development and/or training.
d) ERP systems provide mainly transaction processing support, and little in the way of data analysis.
(HOCK)
Question 157: An enterprise resource planning (ERP) system integrates the organization’s computerized
subsystems and may also provide links to external parties. Advantages that companies have experienced
using ERP are:
a) I only.
b) I, II, IV.
(HOCK)
Appendix A – 34 IT Processes
Planning and Organization Domain
1) Define a strategic IT plan.
2) Define the information architecture.
3) Determine technological direction.
4) Define the IT organization and relationships.
5) Manage the IT investment.
6) Communicate management aims and direction.
7) Manage human resources.
8) Ensure compliance with external requirements.
9) Assess risks.
10) Manage projects.
11) Manage quality.
Monitoring Domain
31) Monitor the processes.
32) Assess internal control adequacy.
33) Obtain independent assurance.
34) Provide for independent audit.
Answers to Questions
1 a – When the risk of loss is high and the likelihood is high, the best course of action is probably to avoid the
risk. This might include selling the business unit or in some other way eliminating this activity from the
company.
2 d – Value at Risk provides a confidence interval which provides a range of results with a percentage chance
that the result will be within that range.
3 b – In any delegation, it is critical that the task or outcome be precisely defined. Additionally, it is good if
there is discussion about how it will be done. The manager does not want to dictate how it should be done
and also should not let the subordinate decide how it will be done, because that may lead to a lot of wasted
time and resources if the subordinate chooses an inappropriate method for completing the task.
4 b – A mechanistic approach is used when there is an assembly line type system where there is not a need
for a lot of decision-making. This system is motivated by efficiency and trying to produce as much as possible.
5 a – In a dynamic and complex environment, the company will face more uncertainty because the
environment is changing. As a result, it will need a more organic structure in order to react better to the
changes.
6 c – Discount stores gain their market edge by selling at a lower price and therefore need to minimize their
costs. This is done by not offering as much sales help or the more “decorated” stores as their competitors
provide.
7 a – As companies grow, they tend to expand their efforts and the products or services they offer. Their
expansion may also be outside of their initial industry as well as within it.
8 c – By definition, in a professional bureaucracy, management has to give up a lot of control.
9 c – A bureaucratic structure does not allow for much creativity. This is one of the disadvantages of this
structure.
10 b – In a divisional structure, each division may have its own staff to perform a function that all divisions
have. An example may be payroll or HR. Each division may have its own payroll or HR department, and as
such, the company as a whole has duplicate departments.
11 b – In a matrix organization, there is a combination of organizational methods. As such, an employee may
end up reporting to a functional manager as well as to a project team manager, or other multiple managers.
12 d – The number of people in an organization does not impact the span of control that a manager would
have.
13 c – Generally, if the jobs are fairly similar and procedures are alike, then a wider span of control would be
most effective.
14 c – Theory of constraints (TOC) analysis would be used in this problem. TOC is used for revenue
maximization and cost management in the face of bottlenecks.
15 c – Senior management should not be involved in setting standards for production, because this is a very
low-level activity that is best done by the people more directly involved.
16 d – The internal auditor should not become directly involved in the implementation of the redesign
process. The internal auditor’s direct involvement would impair the auditor’s objectivity and independence.
17 b – By definition.
18 c – By definition.
19 c – The number of units that are currently held in inventory does not affect how many units should be
held in inventory.
20 c – The greater the increase in the variability of lead time, the more safety stock must be held to guard
against a stockout when the lead time is unusually long.
21 a – E-commerce does not relate to data storage.
22 c – EDI is the electronic transfer of documents between businesses.
23 a – An audit trail allows for tracing of transactions from initiation to conclusion.
24 d – The decline stage is marked by declining sales and declining profits. In some cases, the organization
becomes so large that management becomes complacent, which causes a leadership problem. Because of
this, the board may try a change of leadership to save the company.
25 b – In the growth stage, if an entity is reasonably profitable, then it could need financing in excess of the
funds it has available from internal sources (i.e. trade receivables). Additional debt financing could result in
unreasonable financial leverage and public equity financing is generally not yet available. Therefore, a
company in the growth stage is most likely to seek and obtain venture capital.
26 c – When formal communication is insufficient, rumors will fill the gap due to employees’ anxiety and
desire to know what is happening. Such a situation may have a negative effect on morale and reduce the
employees’ productivity.
27 b – Communication is dependent upon the receiver understanding the message properly. If the receiver
does not understand it, then communication has not taken place.
28 b – Managers spend most of their time communicating, while the technical aspects are being performed
by those supervised.
29 b – Suppressing informal communication is neither effective nor desirable. Management should instead
make good use of it.
30 c – The medium chosen by the clerk was wrong because there is no written record of the telephone order
to substantiate any claim, as there would have been if a purchase order had been issued.
31 b – The only acceptable way to let an employee know that their employment is being terminated is face to
face.
32 b – Filtering is presenting information in such a way that it will be received favorably.
33 b – Covering many different issues within a short time period impedes comprehension and is therefore
unlikely to lead to the desired changes in attitudes.
34 d – A change in the behavior of the receiver is the aim of an effective communication.
35 d – An effective communicator has to take into account the receivers’ needs and opinions to make sure
that they do not interfere with the message and the message is received and understood properly.
36 a – Effective listening is best achieved by resisting internal and external distractions. Distractions, i.e.
noise, make it more difficult for the listener to truly understand the message.
37 a – Information overload and misrepresentation of feelings and emotions are considered to be
disadvantages of electronic communication. Information overload, such as numerous irrelevant memos, could
lead to lost time and inefficiencies. Also, email cannot accurately convey feelings and tone intended by the
person initiating the communication. Thus, the receiver may misinterpret the email.
38 b – Market synergy is a type of business synergy. It arises when products or services positively
complement each other. The bundling of products distributed through the same channels is a type of market
synergy.
39 b – Corporate-level strategies address the entire strategic scope of the firm. This is the “big picture” view
of the firm and includes deciding in which product or service markets to compete and in which geographic
regions to operate.
40 d – When inelastic demand exists, cutting prices will not increase sales. Thus, this situation is atypical of
an intensely competitive industry.
41 d – Buyers want lower cost, better quality products and more services. All of these factors can influence
the buyer’s bargaining power.
42 b – Strategic groups are made up of organizations with similar strategic characteristics, following similar
strategies or competing on similar bases. Similar profitability is not a distinguishing feature of a strategic
group.
43 b – A focus strategy seeks to be a cost leader in a particular segment. The theory behind the focus
strategy is that a narrow market can be better served.
44 b – Threat of new entrants and bargaining power of suppliers are two of the five basic forces that drive
industry competition and ultimately profitability. The other three forces are rivalry, bargaining power of
buyers, and threat from substitutes.
45 c – Firms that can successfully differentiate their products (e.g., by developing a desirable image,
providing better services, being a cost leader, or other means) are in a more favorable competitive position.
Thus, in these situations, competitors will find it more difficult to acquire the firm’s customers.
46 c – The most effective response to an aggressive move by a competitor is to initiate a move in the market
where the competitor is strong. This is an effective method to signal displeasure and raise the threat of more
serious retribution without directly triggering destructive moves and countermoves.
47 b – Flanking defense involves the company watching its weaker flank. This is done by the company
strengthening its competitive position by introducing new products, and other tactics.
48 d – A flanking attack involves not attacking another company head-on, but seeking to identify and attack
the competitor’s weak points. This is ideal for the challenger that does not have sufficient resources.
49 a – A market challenger tries to increase its market share in order for it to become the market leader.
50 a – The proper order is: 1) Planning and directing the system; 2) Collecting the data; 3) Analysis of the
data; 4) Disseminating the data; and 5) getting feedback from the decision-maker.
51 b – Targeting a stronger competitor forces the firm to improve its own line of products.
52 b – This would be considered a star. A market growth rate greater than 10% is considered to be high. A
relative market share greater than 1.0x indicates that the SBU has a strong competitive position. Stars have a
high market share and a high market growth rate.
53 c – The SBU would be in the Build Selectively quadrant. The strategies for SBUs in this quadrant are to
invest heavily in most attractive segments, build up ability to counter competition, and emphasize profitability
by raising productivity.
54 d – These are the characteristics of a cash cow. Cash cows have large market share in a mature, slow
growth industry. Cash cows, as the name indicates, generate good cash flow.
55 a – By offering a discount or some other marketing scheme, the company is signaling its aggressive
intent.
56 c – A company has to be careful about bluffs because there is always a chance that it could lose
credibility for future announcements.
57 b – The learning curve effect is when personnel become more familiar with their jobs and can perform
their jobs more effectively and efficiently.
58 a – Rather than the introduction stage, the majority of products today are in the maturity stage, where
sales growth usually slows and profits stabilize.
59 b – The decline stage is really the beginning of the end of the product. The first symptom that the
company has entered this stage is a decline of product sales.
60 a – During the introduction stage, there needs to be extensive sales promotion in order to educate the
consumer about the product. Thus, due to high costs of sales promotion, this stage is characterized by slow
profit growth.
61 b – During the growth stage, firms attempt to improve upon their products in order to increase sales and
maximize market share. Thus, during this stage, new products and features are introduced.
62 c – During the maturity stage, competition will be the greatest and prices will be at their lowest. During
this stage, firms will be more inclined to engage in competitive price-cutting measures, resulting in the lowest
prices.
63 c – During the maturity stage, competition will be the greatest; thus, during this stage it would be
appropriate to advertise that the company’s product is the lowest price and best quality of all competitors.
64 b – It is during the growth stage that the opportunity for cost reduction is the greatest. This is because
production volume is increased at a high rate; therefore, manufacturing fixed cost can be spread over more
units of production.
65 c – Strategies such as franchising and horizontal mergers are commonly used in fragmented industries.
Fragmented industries have low entry barriers, and economies of scale and learning curves are generally not
present.
66 c – Standardized products means that a firm is able to maintain the same product in different locations or
markets. Franchises use standardized products in order to reduce costs.
67 d – Items I, II, III and IV are all characteristics of a fragmented industry, i.e., the absence of visible
market leaders; low entry barriers; the absence of scale economies; and high transportation costs.
68 a – Entry barriers tend to be low in an emerging industry, not high. The remaining answers are all
characteristics of an emerging industry, i.e., few producers, underdeveloped markets, and the firm may have
difficulty in securing raw materials.
69 d – Limitations to an emerging industry could be the difficulty in securing raw materials, lack of consistent
product quality, and lack of available infrastructure (in regards to distribution channels, etc.).
70 c – Declining industries experience declining demand for their products over the long run.
71 b – A source of competitive advantage is production economies of scale: the average cost per unit falls
as the volume produced rises. This favors large, concentrated producers on a global scale.
72 c – Government restrictions to global competition are generally imposed for the reasons of protecting local
firms and jobs or developing new industries. Restrictions often serve to protect industries that cannot
compete effectively with global firms. In the short run, government restrictions may also have the effect of
raising revenues, but in the long run, tax revenue will decline because of reduced trade.
73 b – Vertical integration is when a company becomes its own supplier or distributor. Thus, the milk
producer acquiring dairy farms to supply milk is an example of vertical integration.
74 a – A key issue for management is to avoid overcapacity. Overcapacity tends to be a long-term problem
because firms are more likely to compete rather than reverse their expansion.
75 b – A production-oriented business concentrates on production issues, whereas market-oriented
businesses focus on the market in which the company operates. Market-oriented firms allow the wants and
needs of customers and potential customers to drive all of the firm’s strategic decisions.
76 b – The ability to raise mobility barriers after the firm has entered the industry is a reason to target an
industry. Also, a firm may be able to recognize that entering a fragmented industry will start a process of
consolidation and increased entry barriers.
77 b – Under exponential smoothing, the most recent results are given more weight than results from further
in the past. Since the last nine months have seen a significant change, it is important to give more weight to
recent results.
78 c – A regression coefficient of .8 means that every change of 1 in the one item will result in a .8 change in
the other. In this question this means that for every $1 spent in advertising, the increase in sales will be only
$.80.
79 b – The relationship between these two variables is perfectly linear: each time x increases by 1, y
decreases by exactly 2. Since the variables move in opposite directions, it is a perfectly negative
relationship, represented by a correlation coefficient of –1.
80 c – The correlation coefficient must lie between −1 and +1. The closer the absolute value of the coefficient
is to 1, the stronger the relationship is. Among the alternatives, -0.89 has the highest absolute value that is
not greater than +1 or less than −1.
81 a – The company believes that by being known as a TQM and CI adherent, there will be a greater level of
customer satisfaction. The other choices may all result from this, but they are not the reason that this
decision was made.
82 a – As part of TQM, all employees are expected to be proactive in their education and self-improvement.
83 c – Self-actualization is the desire to become all that one is capable of becoming. The best employees will
be strongly motivated if they see that the work they perform is important and fully involves them.
84 b – The best course of action for the manager is to assign two employees to moderate the risk of failure.
According to McClelland’s theory of needs, high achievers thrive when the job provides for personal
responsibility, feedback, and moderate risk.
85 a – A happy, satisfied worker is not always more productive.
86 b – Written warnings exemplify negative reinforcement; this is a “stick” rather than “carrot.”
87 c – Positive reinforcement on a random basis has proved to be the most effective motivational tool in the
long run.
88 c – Job enrichment is the most effective technique for increasing motivation.
89 b – Salary is a dissatisfier. The lack of an adequate salary will make a person feel dissatisfied. Improved
salary will make the employee feel less dissatisfied, but it will not make the person feel satisfied if other
factors such as achievement and recognition are missing. Those other factors – satisfiers – are required in
order for the person to feel satisfied.
90 d – The lack of accountability can be a limiting factor associated with group decision making. This is why,
in many cases, the group only provides advice, and a particular person, such as a CAE, makes the final
decision. Thus, the CAE becomes accountable.
91 a – This is a true statement concerning “groupthink.”
92 d – Groups tend to make riskier decisions, and as such, individual responsibility is reduced.
93 c – According to Jewell and Reitz, a mature group is characterized by conflicts over substantive issues, not
emotional issues.
94 c – A good indication of politicking is when promotions are based on an employee’s attitude rather than
on specific job performance.
116 b – In PERT analysis, the first activity to be crashed must lie on the critical path in order to shorten the
duration of the project, and it must be the one with the lowest unit crash cost to minimize the overall cost of
the project.
117 d – Slack refers to the number of days an activity can be delayed without forcing a delay for the entire
project.
118 d – A minimal spanning tree algorithm is a series of branches (arcs) that connects all of the nodes
together. One example would be a cable TV company that is laying cable in a new neighborhood. A minimal
spanning tree would be the one with the lowest total cost of installation of cable.
119 c – Management by Objectives (MBO) is a comprehensive approach and is related to planning and
control of projects. To be successful, MBO requires realistic expectations of goals, regular review of employee
progress to goals, honest and free communication between managers and subordinates, and commitment by
senior management.
120 a – The most important segregation in computer systems is between the programmers and the
operators. If the operators could also program the system, they would be in a position to change or alter
data.
121 b – Application controls are related to the inputs, files and outputs of an application program.
122 a – An echo check is the process of sending the received data back to the sending computer to compare
with what was actually sent to make sure that it is the same.
123 b – A validity check compares the input information with a list of correct information (such as personnel
numbers) to make sure that the information being entered is valid.
124 d – A program not performing a field check is the most likely explanation for reporting a quantity using a
character other than a digit.
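An added illustration (not from the HOCK text) of the three application input controls named in answers 122 through 124: an echo check, a validity check against a list of personnel numbers, and a field check on a quantity field. The personnel numbers and batch records are constructed sample data.

```python
# Added example: echo, validity and field checks over a constructed batch.
from dataclasses import dataclass

# Constructed master list of authorised personnel numbers (validity check reference).
VALID_PERSONNEL = {"1001", "1002", "1003"}


@dataclass
class Record:
    personnel_no: str
    quantity: str  # raw keyed text, so the field check can inspect every character


def echo_check(sent: bytes, echoed: bytes) -> bool:
    """Echo check: the receiver sends the data back and the sender compares it
    byte for byte with what was actually transmitted."""
    return sent == echoed


def validity_check(value: str, reference: set) -> bool:
    """Validity check: the keyed value must appear in the authorised list."""
    return value in reference


def field_check(value: str) -> bool:
    """Field check: a quantity must be non-empty and consist only of ASCII digits.
    A sign, decimal point, space or letter (e.g. 'O' keyed for '0') fails."""
    return value != "" and all("0" <= ch <= "9" for ch in value)


def validate_batch(records):
    """Apply the validity and field checks to each record; return
    (record index, description of the failed control) pairs in order found."""
    exceptions = []
    for i, rec in enumerate(records):
        if not validity_check(rec.personnel_no, VALID_PERSONNEL):
            exceptions.append((i, "validity check: unknown personnel number"))
        if not field_check(rec.quantity):
            exceptions.append((i, "field check: quantity is not all digits"))
    return exceptions


# Constructed sample batch: record 1 carries an unknown personnel number,
# record 2 has a quantity keyed with a letter O instead of a zero (answer 124).
SAMPLE = [Record("1001", "40"), Record("9999", "12"), Record("1002", "1O")]

if __name__ == "__main__":
    for idx, reason in validate_batch(SAMPLE):
        print(f"record {idx}: {reason}")
    print("echo ok:", echo_check(b"PAY 1001 40", b"PAY 1001 40"))
```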
125 c – The use of computers does not change the basic principles of control. However, the use of computers
may modify the control techniques used.
126 a – COBIT is a tool that allows managers to communicate and bridge the gap with respect to control
requirements, technical issues, and business risk. COBIT has become an IT governance tool that helps
management implement adequate controls over IT processes.
127 c – COBIT is specifically focused on IT controls, whereas COSO provides entity-wide control.
128 c – Maintenance is the process of monitoring, evaluating, and modifying a system as needed. Systems
maintenance must be undertaken by systems analysts and applications programmers continually throughout
the life of a system.
129 c – The top-down method begins with analysis of broad organizational goals, objectives and policies as a
basis for the design process.
130 b – A feasibility study is simply determining if something is possible. As such, the technology and costs
will be considered during the feasibility study stage.
131 d – Interviewing users, evaluating existing applications and developing a prototype are a perfect way to
determine requirements using an in-house team. Prototyping is less effective when used by an outside team
that does not have regular access to the end users of the application being developed. The other choices are
more a part of the feasibility study that should be completed prior to the systems analysis stage.
132 d – Errors are cheaper to correct the earlier in the process that they are discovered. Therefore, errors
discovered during implementation are the most expensive to correct.
133 b – A cost-benefit analysis is one of the best ways to select a system.
134 a – A pilot operation is an alternative to parallel operations.
135 d – Assessing the cost/benefit of a new payroll system should be conducted by those who are
responsible for making the decision. Thus, the information steering committee would be the appropriate
decision-maker.
136 b – Prototyping produces the first models for a new system more quickly than other development
models.
137 a – It is always a risk of end-user computing for knowledge to be limited to one person. The command
sequences should have been documented so that the other analysts could easily use and modify them.
138 c – The end-user program may not be reviewed by an outside party; therefore, it may lack appropriate
standards, controls, quality assurance procedures and documentation.
139 b – In distributed data processing, each location does its own processing. As such, however, the
professionals at the central location may not be involved as much as they should be and would be if all the
processing were done centrally.
140 c – Transactions for a batch system are grouped together and then processed. These batches may be
processed daily, weekly or monthly. Therefore, there may be considerable time between the initiation of the
transaction and the discovery of the error.
141 c – A Local Area Network (LAN) is a network within one office or company.
142 d – A protocol is a set of formal rules or conventions governing communications between a sending and
a receiving device.
143 a – In order to prepare the company for the changes resulting from the enhanced external network
services, management should optimize in-house networks to avoid bottlenecks that would limit the benefits
offered by the telecommunications provider.
144 d – Client requests are for specific information, and the server will return only that specific information.
The server always maintains ownership of the records.
145 a – Not detecting certain viruses is a major risk in relying on antivirus software. This software will work
only for known viruses and may not be completely effective for variants of those viruses.
146 a – The objective of security software is to control access to information system resources, such as
program libraries, data files and proprietary software.
147 b – Encryption would be the most effective control over electronic transmission of data. It may be
possible to access the transmission line, but the encryption key would be necessary to understand the data
being sent.
148 d – All three should be addressed in an analysis of cost-benefit considerations.
149 d – A hot site is a backup facility with a computer system similar to the one used regularly that is fully
operational and immediately available.
150 a – It is important that the disaster recovery plan embrace data center recovery, critical application
recovery and network recovery. It should be updated and current with regard to recent test results and new
applications, equipment and network configurations.
151 a – In a database, data is organized in files and used by the organization’s various applications
programs. Because separate files for different applications programs are unnecessary, data redundancy can
be substantially reduced.
152 b – When information is in a database, changes can be made to the application programs without having
to change the structure of the data files as well.
153 b – In this kind of system, applications use the same database. Thus, there is no need to pass files
between applications.
154 d – The database administrator’s responsibilities include designing the database, maintaining it, and
providing for its storage and security.
155 b – This is a true statement about retention of backup files, but not each day’s transaction files. By not
retaining each day’s transaction files it is possible that the last backup file that was created will be lost.
156 c – Implementing a new ERP system requires careful planning, development and training. Inadequate
planning can lead to a system that does not meet the needs of the users; inadequate development can lead
to a system that does not function properly; finally, inadequate training can lead to employees not knowing
how to use the new system, causing disruptions to the entire business process.
157 c – The advantages are improved customer service, quicker availability of information for managers, and
improvement in a JIT inventory system. But, an ERP system is costly and complex to install and maintain.