
CIA Part 3

Volume 1: Sections A-F

Internal Audit
Knowledge Elements
HOCK international books are licensed only for individual use and may not be
lent, copied, sold, or otherwise distributed without permission directly from
HOCK international.

If you did not download this book directly from HOCK international, it is not a
genuine HOCK book. Using genuine HOCK books assures that you have complete,
accurate and up-to-date materials. Books from unauthorized sources are likely outdated
and will not include access to our online study materials or access to HOCK teachers.

Hard copy books purchased from HOCK international or from an authorized training center should have an individually numbered orange hologram with the HOCK globe logo on a color cover. If your book does not have a color cover or does not have this hologram, it is not a genuine HOCK book.
Fourth Edition
CIA
Preparatory Program

Part 3
Volume 1: Sections A-F

Internal Audit
Knowledge Elements

Brian Hock, CIA, CMA


and
Carl Burch, CIA, CMA
with
Kevin Hock
HOCK international, LLC
P.O. Box 204
Oxford, Ohio 45056

(866) 807-HOCK or (866) 807-4625


(281) 652-5768

www.hockinternational.com
cia@hockinternational.com

Published October 2013

Acknowledgements

Acknowledgement is due to the Institute of Internal Auditors for permission to use copyrighted questions and problems from the Certified Internal Auditor Examinations by The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, Florida 32701 USA. Reprinted with permission.

The authors would also like to thank the Institute of Certified Management Accountants
for permission to use questions and problems from past CMA Exams. The questions and
unofficial answers are copyrighted by the Certified Institute of Management Accountants
and have been used here with their permission.

The authors also wish to thank the IT Governance Institute for permission to make use
of concepts from the publication Control Objectives for Information and related
Technology (COBIT) 3rd Edition, © 2000, IT Governance Institute, www.itgi.org.
Reproduction without permission is not permitted.

© 2013 HOCK international, LLC

No part of this work may be used, transmitted, reproduced or sold in any form or by any
means without prior written permission from HOCK international, LLC.

ISBN: 978-1-934494-87-5
Thanks

The authors would like to thank the following people for their assistance in the production of this material:

• Kekoa Kaluhiokalani for his assistance with copyediting the material,

• Lynn Roden, CMA for her assistance in the technical elements of the material,

• All of the staff of HOCK Training and HOCK international for their patience in the multiple revisions of the material,

• The students of HOCK Training in all of our classrooms and the students of HOCK international in our Distance Learning Program who have made suggestions, comments and recommendations for the material,

• Most importantly, to our families and spouses, for their patience in the long hours and travel that have gone into these materials.

Editorial Notes

Throughout these materials, we have chosen particular language, spellings, structures and grammar in order to be consistent and comprehensible for all readers. HOCK study materials are used by candidates from countries throughout the world, and for many, English is a second language. We are aware that our choices may not always adhere to “formal” standards, but our efforts are focused on making the study process easy for all of our candidates. Nonetheless, we continue to welcome your meaningful corrections and ideas for creating better materials.

This material is designed exclusively to assist people in their exam preparation. No information in the material should be construed as authoritative business, accounting or consulting advice. Appropriate professionals should be consulted for such advice and consulting.

Dear Future CIA:
Welcome to HOCK international! You have made a wonderful commitment to yourself and your profession by choosing to pursue this prestigious credential. The process of certification is an important one that demonstrates your skills, knowledge and commitment to your work.

We are honored that you have chosen HOCK as your partner in this process. We know that this is a great responsibility, and it is our goal to make this process as painless and efficient as possible for you. To do so, HOCK has developed the following tools for your use:

• A Study Plan that guides you, week by week, through the study process. You can also create a personalized study plan online to adapt the plan to fit your schedule. Your personalized plan can also be emailed to you at the beginning of each week.

• The Textbook that you are currently reading. This is your main study source and contains all of the information necessary to pass the exam. This textbook follows the exam contents and provides all necessary background information so that you don’t need to purchase or read other books.

• The Flash Cards include short summaries of main topics, key formulas and concepts. You can use them to review whenever you have a few minutes, but don’t want to take your textbook along.

• ExamSuccess contains original questions and questions from past exams that are relevant to the current syllabus. Answer explanations for the correct and incorrect answers are also included for each question.

• Teacher Support via our online student forum, e-mail, and telephone throughout your studies to answer any questions that may arise.

• A Mock Exam for each part of the exam enables you to make final preparations using questions that you have not seen before.

We understand the commitment that you have made to the exams, and we will match
that commitment in our efforts to help you. Furthermore, we understand that your time
is too valuable to study for an exam twice, so we will do everything possible to make
sure that you pass the first time.
I wish you success in your studies, and if there is anything I can do to assist you, please
contact me directly at brian.hock@hockinternational.com.
Sincerely,

Brian Hock, CIA, CMA


President and CEO
CIA Part 3 Table of Contents

Table of Contents

Exam Introduction

Section A – Governance and Business Ethics

Corporate Governance Principles
  Defining Governance
  Principles of Good Governance
  Cornerstone of Good Corporate Governance
  The Governance Process Relationship with Risk and Control
Corporate Social Responsibility

Section B – Risk Management

Risk Management Techniques
  Benefits of Risk Management
  Risk Appetite
  Risk Appetite, Capacity, and Tolerance
  Steps in the Risk Management Process
Organizational Use of Risk Frameworks
  Managing Operational Risk
  Managing Financial Risk

Section C – Organizational Structure/Business Processes and Risk

Control Implications of Different Organizational Structures
  Elements of the Organizational Structure
  Structure of the Organization
  Components of an Organization
  Departmentation
  Matrix Organizations
  Span of Control
Business Process Analysis
  Tools for Analyzing Business Processes
Inventory Management Techniques & Concepts
  Inventory Costs
  Other Inventory Terms
  Methods of Inventory Cost Management
  Other Inventory Systems
Electronic Commerce
  Business-To-Business (B2B)

© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. i

  Electronic Data Interchange (EDI)
  Business-To-Consumer (B2C)
  Consumer-To-Consumer (C2C)
  Electronic Payment Processing
Business Development Life Cycles
The International Organization for Standards (ISO)
Outsourcing Business Processes

Section D – Communication

Communication
  The Communication Process
  Interpersonal Communication
  Channels of Communication in Organizations
  Problems in Communication
  Methods to Improve Communication
  Listening
  Electronic Communications
Stakeholder Relationships
  Managing Stakeholders

Section E – Management and Leadership Principles

Strategic Management
  Market Structures and How it Impacts Pricing
  Porter’s Five Forces Model
  Strategic Groups
Competitive Strategies
  1. Generic Strategy Model
  2. Marketing-Based Strategies
Competitor Analysis
  Competitive Intelligence
  Portfolio Techniques of Competitive Analysis
Market Signals
Industry Evolution
  Evolutionary Processes
  Product Life Cycle
Industry Environment
  Fragmented Industries
  Emerging Industries
  Declining Industries


Competition in Global Industries
  Sources of Global Competitive Advantage
  Impediments to Global Competition
  Evolution of Global Markets
  Strategic alternatives
  Trends affecting Competition
Strategic Decisions
  Analysis of Integration Strategies
  Capacity Expansion
  Entry into New Businesses
Forecasting
  Qualitative forecasting
  Quantitative forecasting
  Time Series Analysis
  Causal Forecasting
Quality Management
  Quality Management and Productivity
  Total Quality Management (TQM)
  Cost of Quality
  Measuring Quality
  Monitoring Quality
Organizational Behavior
Motivation Theories
  Needs-based Theories of Motivation
  Process-Based Motivational Theories
  Other Motivational Theories
  Impact of Job Design
Group Dynamics
  Traits of Group Dynamics
  Stages of Group Development
  Organizational Politics
Human Resource Processes
  Human Resource Planning
  Employee Recruitment
  Employee Selection
  Career Development
  Performance Evaluation
  Compensation and Benefits
Management Skills and Leadership Styles
  Leader vs. Manager


  Studies on Leadership
  Contingency Theories of Leadership
  Transformational Leadership
Team Building
  Participative Management
Teams and Work Groups
  Team Effectiveness
Conflict Management
  Conflict Triggers
  Resolving Conflicts
Negotiation
  Approaches to Negotiations
  Effective Negotiations
  Overcoming Resistance
  Added Value Negotiating
  Principled Negotiation
  Third Party Negotiations
Change Management
Project Management

Section F – Information Technology and Business Continuity

Information Technology (IT)
  General Controls
  Application Controls
Control Frameworks
  COBIT Components
  Functional Areas of Information Operations
Systems Development
  Program Development and Documentation Controls
Computer Programs and Software
Systems Software
  Operating Systems
  Evaluation and Selection of Vendor-Supplied software
  Software Piracy
  End-User Computing
  Organizing the Information Systems Function
Data Communications and Telecommunications Networks
  Voice over Internet Protocol (VoIP)
  Types of Networks
  Client/Server Networking


The Internet
  Telecommunications and Network Auditing
System Security
  Viruses, Trojan Horses and Worms
  Cybercrime and Defenses Against Cybercrime
  Encryption
  Privacy
Contingency Planning
  Disaster Recovery
Databases
  Accessing Files
  History of Database Development
  Entity-Relationship Modeling
  Database Structure
  Distributed Databases
  Deadly Embrace
  Database Management System (DBMS)
  Database Development
  Database Use and Maintenance
  The Database Administrator
Enterprise Resource Planning

Appendix A – 34 IT Processes

Answers to Questions


Exam Introduction
The CIA Part 3 exam, Internal Audit Knowledge Elements, is 120 minutes (2 hours) long and consists of
100 multiple-choice questions. For more information about the exams, visit the IIA’s website
(www.theiia.org).

The Part 3 exam has eight sections:

• Section A: Governance and Business Ethics (5–15%)

• Section B: Risk Management (10–20%)

• Section C: Organizational Structure/Business Processes and Risks (15–25%)

• Section D: Communication (5–10%)

• Section E: Management and Leadership Principles (10–20%)

• Section F: Information Technology and Business Continuity (15–25%)

• Section G: Financial Management (13–23%)

• Section H: Global Business Environment (0–10%)

Additionally, the IIA syllabus refers to proficiency and awareness levels:

• Proficiency: Candidates must exhibit thorough understanding and ability to apply concepts.

• Awareness: Candidates must exhibit knowledge of terminology and fundamentals.

In preparing for the exam, you need to read the textbook and use the ExamSuccess software with questions
from past exams. Many of the exam topics are very large and by studying past exam questions you can get a
feeling for the manner and depth to which a topic has been tested.

Note: All information in Part 3 is tested at the awareness level unless otherwise indicated.


Section A – Governance and Business Ethics


The first section of Part 3 covers Corporate Governance and Business Ethics. The continuing prevalence
of financial and accounting scandals demonstrates the ongoing reality that there are companies that conduct
their businesses unethically or that do not practice good corporate governance.

This section begins with a look at the principles behind good corporate governance and then discusses
what it means for corporations to be socially responsible.

Corporate Governance
The purpose of corporate governance is to facilitate effective, entrepreneurial, and prudent management that can deliver long-term success to the company. “Long-term success” suggests that the company is able to achieve its objectives in a manner that is acceptable to the cultural environment in which it operates. In this respect, companies need to be responsible corporate entities.

This topic is tested at a proficiency level, which means students must know the basic principles of corporate
governance and be able to identify the situations where good corporate governance is not being practiced.

Corporate Social Responsibility (CSR)


Corporate social responsibility (CSR) refers to the responsibilities that a company has towards society.
CSR can be described as the decision-making by a business that is linked to ethical values and respect for
individuals, society, and the environment, as well as compliance with legal requirements.

Furthermore, CSR means that, in addition to being responsible to its shareholders, corporations are also
responsible to the general public and other stakeholder groups.

This section makes up only 5–15% of the exam, so it should not be a primary focus of study. Many questions
can be answered through common sense and from your own experience as an internal auditor. It is
recommended that you read through the material, understand the general concepts, and use ExamSuccess to
become familiar with what has been asked in the past.


Corporate Governance Principles


Standard 2110 – Governance

The internal audit activity must assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization,

• Ensuring effective organizational performance management and accountability,

• Communicating risk and control information to appropriate areas of the organization, and

• Coordinating the activities of and communicating information among the board, external and internal
auditors and management.

Corporate governance has always been an important topic for shareholders, management, and the board. But
why is good governance necessary? It is not just necessary; it is an absolute necessity. If the spectacular
corporate failures of the past decades are any indication, the lack of appropriate, robust, ethical corporate
governance can have considerable, long-lasting, negative consequences. Indeed, governance decisions create
a ripple effect that begins in the boardroom and extends outward to management, employees, shareholders,
customers, and, in some dramatic instances, to the general health and well-being of a country’s economy.
Some governance decisions can even have global economic implications. It is important to remember that
governance does not exist merely as a set of distinct and separate processes and structures. Rather, it is
interconnected with the company’s internal control and risk management.

Defining Governance
The International Standards for the Professional Practice of Internal Auditing defines governance as “the
combination of processes and structures implemented by the board to inform, direct, manage, and monitor
the activities of the organization toward the achievement of its objectives.” Because governance is such an
important global issue, there have been many governance models published by legal and regulatory bodies.

For example, the Organization for Economic Cooperation and Development (OECD) defines governance as:

a set of relationships between a company’s management, its board, its shareholders, and other
stakeholders. Corporate governance provides the structure through which the objectives of the
company are set and the means of attaining those objectives and monitoring performance are
determined.

The UK Corporate Governance Code (formerly the Combined Code) has its own definition: “corporate
governance is the system by which companies are directed and controlled.” The Code goes on to say:

The boards of directors are responsible for the governance of their companies. The shareholders’ role
in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate
governance structure is in place. The responsibilities of the board include setting the company’s
strategic aims, providing the leadership to put them into effect, supervising the management of the
business and reporting to shareholders on their stewardship. The board’s actions are subject to laws,
regulations and the shareholders in general meeting.


Principles of Good Governance


The IIA has listed ten basic principles necessary for the development of sound corporate governance. These
principles were issued in the IIA’s Tone at the Top publication. Even though this document was published in
2002, these ten principles are still relevant today:

1) Interaction. Sound governance requires effective interaction among the board, management, the
external auditor, and the internal auditor.

2) Board Purpose. The board of directors should understand that its purpose is to protect the interests
of the corporation’s stockholders, while considering the interests of other stakeholders (such as
creditors and employees).

3) Board Responsibilities. The board’s major areas of responsibility should be monitoring the CEO,
overseeing the corporation’s strategy, and monitoring risks and the corporation’s control system.
Directors should employ a healthy skepticism in meeting these responsibilities.

4) Independence. The major stock exchanges define an “independent” director as one who has no
professional or personal ties (either current or former) to the corporation or its management other
than service as a director. The majority of directors should be independent in both fact and
appearance to promote arms-length oversight.

5) Expertise. Directors should possess relevant industry, company, functional area, and governance
expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should
receive detailed orientation and continuing education to assure that they achieve and maintain the
necessary level of expertise.

6) Meetings and Information. The board should meet frequently, for extended periods of time, and
it should have access to the information and personnel it needs to perform its duties.

7) Leadership. The roles of board chair and CEO should be separate.

8) Disclosure. Proxy statements and other board communications should reflect board activities and
transactions (such as insider trades) in a transparent and timely manner.

9) Committees. The nominating, compensation, and audit committees of the board should be
composed only of independent directors.

10) Internal Audit. All public companies should maintain an effective, full-time internal audit function
that reports directly to the audit committee.

Because every organization is different, the amount of necessary governance oversight depends on:

• The type of organization. For example, is the organization a for-profit or non-profit? Is it publicly
traded or private? Is it an association, government, or quasi-government entity? Is it an academic
institution, private institution, a stock exchange (such as the New York Stock Exchange or the London
Stock Exchange)?

• The size and complexity of the organization. For example, smaller companies may judge that
some of the provisions mentioned above are disproportionate and less relevant to their situation.

Cornerstone of Good Corporate Governance


There are four cornerstones of good corporate governance: the board of directors, executive management,
external auditors, and internal auditors. The governance processes are strengthened when there
is synergy among these four groups, enabling them to work well and productively with each other. To make
sure that there are consistent and effective governance processes, all four of these groups should be in place
and working cohesively.


[Figure: The IIA Corporate Governance Model, with the labels Board, External Audit, Internal Audit, Management, and Effective Governance]

In addition to these basic principles, companies have to make sure that inappropriate and unethical behavior
is not tolerated. Successful companies foster a culture of integrity, which is dependent on the so-called “tone
at the top,” and this environment is put in place by the board, top management, and the audit committee.

The Governance Process Relationship with Risk and Control


Practice Advisory 2110-2 (Governance: Relationship with Risk and Control) discusses the relationship of risk
and control within the governance process. The board and executive management develop and implement
business strategies; however, when business strategies are being set, the board and executive management
have to consider risk. Conversely, the company must have an effective risk management process in order to
be able to identify, assess, and manage risk. Therefore, in order to have an effective risk management
process, the company likewise must have an effective internal control system. As can be seen, governance,
risk management, and internal control are interdependent.

Based on this interconnectedness, internal auditing plays an important role in assessing and improving an
organization’s governance processes.

Based on the principles outlined in PA 2110-2, the chief audit executive (CAE) should consider these
relationships when planning an assessment of an organization’s governance processes. The following should
be considered:

• An audit should address those controls in governance processes that are designed to prevent or
detect events that could have a negative impact on the achievement of organizational strategies,
goals, and objectives; operational efficiency and effectiveness; financial reporting; or compliance
with applicable laws and regulations.

• Controls within governance processes are often significant in managing multiple risks across the
organization. For example, controls around the code of conduct may be relied upon to manage
compliance risks, fraud risks, and other related topics. This aggregation effect should be considered
when developing the scope of an audit of governance processes.

• If other audits assess controls in governance processes (such as audits of control over financial
reporting, risk management processes, or compliance), the auditor should consider relying on the
results of those audits.


Corporate Social Responsibility


Corporate social responsibility (CSR) refers to the responsibilities that a company has towards society. CSR
can be described as the decision-making by a business that is linked to ethical values and respect for
individuals, society, and the environment, as well as compliance with legal requirements.

Furthermore, CSR means that, in addition to being responsible to its shareholders, corporations are also
responsible to the general public and other stakeholder groups.

Note: Stakeholders are any group or persons that can affect or be affected by the achievement of an
organization’s objectives. It is a bi-directional relationship. Each stakeholder group has different
expectations about what it wants and different claims upon the organization.

There are five main aspects of CSR:

1) A company should operate ethically and with integrity.

2) A company should treat its employees fairly and with respect.

3) A company should demonstrate respect for human rights.

4) A company should be a responsible citizen in its community.

5) A company should do what it can to sustain the environment for future generations. This could take
the form of:

• Reducing pollution of the air, land, rivers, and seas.

• Developing a sustainable business whereby all the resources used by the company are replenished.

• Reducing reliance on non-renewable, polluting energy (such as fossil fuels) and increasing the
use of renewable energy (such as water or wind).

• Recycling waste materials.


Archie B. Carroll writes that there are four ascending levels of social responsibility, diagramed below 1:

The Pyramid of Social Responsibility

PHILANTHROPIC Responsibilities (top of the pyramid): Be a good corporate citizen. Contribute resources to
the community; improve quality of life.

ETHICAL Responsibilities: Be ethical. Obligation to do what is right, just, and fair. Avoid harm.

LEGAL Responsibilities: Obey the law. Law is society’s codification of right and wrong. Play by the rules
of the game.

ECONOMIC Responsibilities (base of the pyramid): Be profitable. The foundation upon which all others rest.

• Philanthropic responsibilities: According to Carroll, charitable donations and contributions to local
community projects are examples of desirable, as opposed to mandatory, requirements.

• Ethical responsibilities: Apart from compliance with legal requirements, companies should act in a
fair and just way, even if the law does not compel them to do so.

• Legal responsibilities: Companies have an obligation to respect prevailing moral views as
expressed in legislative codes. Obeying these laws must be the foundation of an organization’s
compliance with social responsibilities.

• Economic responsibilities: Companies have economic responsibilities to shareholders (who require
a good return on their investment), to employees (who want fair employment conditions and
reasonable wages), to customers (who want value for money), and to suppliers (who should be paid on
time).

Carroll clarifies that the lower levels should be generally addressed first, although true responsibility can only
be demonstrated with reference to all four.

1 Corporate Social Responsibility: Evolution of Definitional Construct (1999).


Corporate Citizenship
A term often connected with corporate social responsibility is corporate citizenship. As defined by the
Boston Center for Corporate Citizenship, corporate citizenship is:

a business strategy that shapes the values underpinning a company’s mission and the choices made
each day by its executives, managers and employees as they engage with society. Three core
principles define the essence of corporate citizenship, and every company should apply them in a
manner appropriate to its distinct needs: minimizing harm, maximizing benefit, and being
accountable and responsive to stakeholders.

Criticism of Corporate Citizenship


The notion of corporate responsibility and corporate citizenship is not without its critics. There are some who
argue that only through economic self-interest and allocative efficiency can maximum economic growth
and hence maximum social welfare be obtained.

On the other hand, supporters of corporate citizenship and corporate social responsibility highlight inequalities
of resource distribution in society and the limitations of traditional accounting methods as the reasons for
needing such altruistic behaviors. For example, advocates for corporate citizenship and CSR believe that
making organizations more transparent to shareholders and stakeholders (for example, through reporting) is
a pathway to maximum economic growth and maximum social welfare.


Section B – Risk Management


This section covers approximately 10–20% of the exam, and it is tested at a proficiency level.

There are two primary topics covered in this section: risk management techniques and organizational
use of risk frameworks.

Note: The topic of risk management has been gaining importance in the past couple of decades as a result
of both individual company failings and larger market-wide failings in the economy. To some extent, recent
corporate failings were the result of organizations not properly managing their risks. As a result,
organizations ended up taking on more risk than they had realized, and when the financial
markets started to move against them, the value of their assets plummeted.

Risk Management Techniques


This section begins by discussing risk and the benefits of risk management. In order for an organization to
develop a risk management process, it first needs to understand its risk appetite, which is the amount of
risk an organization is able and willing to take on. Once a company knows its risk appetite, it can implement
an appropriate, tailor-made risk management process. Therefore, the section covers the factors that influence
an organization’s risk appetite.

Organizational Use of Risk Frameworks


The section covers the methods through which organizations can manage their financial and operational
risks. Additionally, organizational risks can be assessed both quantitatively (numerically) and
qualitatively (through characteristics).

This section makes up 10–20% of the exam, so it is an important topic to study thoroughly. However, as with
Section A, many questions can be answered through common sense and from your own experience as an
internal auditor. It is recommended that you read through the material, understand the general concepts, and
use ExamSuccess to become familiar with what has been asked in the past.


Risk Management Techniques


Risk management is defined by the IIA as “a process to identify, assess, manage and control potential events
or situations, and provide reasonable assurance regarding the achievement of the organization’s objectives.” 2

The following are two important ideas related to risk management:

• Risk is the probability that some future event or action could adversely impact the organization. Risk
is measured in terms of both the impact (in dollars) and the likelihood (probability) of the event
occurring.

• Risk Assessment is the systematic process of assessing and integrating professional judgment
about probable adverse conditions and/or events. The risk assessment process should provide a
means of organizing and integrating professional judgments in order to develop the audit work
schedule. The CAE should generally assign higher audit priorities to activities with higher risks. 3

Risk assessment can be summarized in this manner:

Every entity faces a variety of risks from external and internal sources that must be
assessed. A pre-condition to risk assessment is establishment of objectives, linked at different
levels and internally consistent. Risk Assessment is the identification and analysis of
relevant risks to achievement of objectives, forming a basis for determining how the risks
should be managed. Because economic, industry, regulatory and operating conditions will
continue to change, mechanisms are needed to identify and deal with the special risks
associated with change. 4

Benefits of Risk Management


Every organization needs to undertake risk management. Through proper risk management, an organization
can reduce the probability of negative events occurring; furthermore, with appropriate risk management the
organization can reduce the impact suffered from a negative event.

The benefit an organization receives from implementing a risk management process will, to some extent,
depend on the industry the organization operates in. However, organizations can derive the following benefits
as a result of prudent risk management:

• Increased shareholder value (because risk management minimizes losses and maximizes
opportunities)
• Fewer disruptions, shocks, and unwelcome surprises to the operations of the business
• Employees, stakeholders, and governing and regulatory bodies have increased confidence in the
organization
• More effective strategic planning
• Better cost control
• Quick assessment and grasp of new opportunities
• More complete contingency planning
• Improved ability to meet objectives and achieve opportunities
• Quicker response to opportunities

In order for an organization to implement a risk management process, it first has to determine the amount of
risk it is willing and able to take on. The level of willingness and ability to take on risk is referred to as risk
appetite.

2 IIA’s Standards Glossary, pg. 21.
3 SIAS No. 9 – Risk Assessment 520.04.10.
4 COSO, Internal Control-Integrated Framework, Executive Summary, pg. 3.


Risk Appetite
Risk appetite reflects the level of risk a company can optimally handle, given its capabilities and the
expectation of its various stakeholders (such as vendors and creditors).

Searching the Internet for the term “risk appetite” reveals a number of relevant definitions.

Source and definition:

• COSO’s ERM framework: “The amount of risk an entity is willing to accept in pursuit of value.”

• The Institute of Internal Auditors (from January 2009): “The level of risk that an organization is
willing to accept.”

• ISO 31000:2009/ISO Guide 73:2009: “Amount of risk that an organization is willing to pursue or retain or
take.” ISO 31000:2009 does not actually use the term “risk appetite” but instead focuses on “risk
attitude” and “risk criteria.”

• Society of Actuaries ERM Symposium (from April 2010): “The level of risk that company management
deems to be acceptable in pursuit of overall financial and solvency goals.”

• HM Treasury’s Orange Book: “The amount of risk which is judged to be tolerable and justifiable.”

A company’s risk appetite reveals a great deal about its culture because the level of risk a company is willing
to take on is a corporate-level decision. The degree of risk that a company, department, or division should
take on is very much a matter of perspective. For example, equity investors seek a return on their equity
investment, so they would be willing to take on greater levels of risk than a rating agency scrutinizing a
company’s default risk.

Management must consider and balance the many different views and risk factors, with the final decisions
being made at the corporate level (that is, incorporating a top-down approach). Balancing risk appetite and
control is not easy, but it is a process that companies need to perfect if they are to succeed. For example, if a
financial institution is actively involved with complex financial instruments (such as forward contracts, futures,
options, or swaps), all relevant stakeholders need to know whether or not the company’s directors understand
the function of these instruments and the reasons why the company is involved in them. Understanding a
company’s risk appetite is useful for ascertaining the goal congruence between the wishes of the board and
the actions of management.


Risk Appetite, Capacity, and Tolerance


Two additional terms are useful for understanding risk appetite: risk capacity and risk tolerance. The
figure below illustrates and defines the interrelatedness of risk capacity and risk tolerance.

Risk Capacity, Appetite, and Tolerance

Risk Capacity: The limit of risk that can be taken by the organization.

Risk Appetite: The risk that is deemed to be acceptable in the pursuit of overall operational and
financial goals.

Risk Tolerance: The amount of risk a company is actually prepared to bear, given a specific risk factor.

Risk Categories (Business, Credit, Market, Operational, Liquidity, Other): These categories are tailored
for each business unit.

As this diagram indicates, a company must first determine its risk capacity in order to decide its risk appetite.
Simply put, risk capacity is the absolute limit a company is willing to lose without bankrupting itself. Once a
company gauges its risk capacity, it can ascertain how much it is willing and able to lose (that is, its risk
appetite). As the diagram indicates, risk appetite must be set within the limits of risk capacity. Once risk
capacity and appetite are established, risk tolerance represents the actual level of risk a company is able to
bear, given a specific risk factor (see risk categories). For example, if a company extends credit to its
customers, then the company exposes itself to credit risk (that is, the risk that the customer will default).
Given such possibilities, the company has to be completely clear about the amount of debt it can tolerate.

Different Attitudes Towards Risk


Businesses must assume risks in order to grow and survive. A risk-averse business is not one that is
necessarily trying to avoid risk, but rather it is a business seeking to obtain a reasonable, safe return for the
(comparatively low) risk it is willing to undertake. On the other hand, risk-seeking businesses focus on
maximizing their returns, and thus they are not so concerned about the level of risk that they assume.


The range of attitudes that businesses have towards risk can be shown in the Risk Continuum diagram
(shown below). The left-hand side indicates businesses that are averse to taking on risk and whose strategies
are therefore designed to avoid risk. On the right-hand side are businesses that actively seek out and accept
risks. The ends of the diagram represent two extreme conditions, and most companies situate their place on
the continuum somewhere in between these polar opposites.

Risk Continuum
Risk averse (left-hand side): Business strategy is conservative (more likely to avoid risk).

Risk seeking (right-hand side): Business strategy is liberal (more likely to accept risk).

No matter where a business situates itself on this continuum, it should be concerned about reducing risk
without eliminating it completely. The function of risk appetite in this regard is to show the business where it
is on this continuum: either on the left (risk averse) or to the right (risk seeker). It is important to consider
risk appetite when business strategies are being formulated and developed 5; in fact, business strategy and
risk appetite are so intertwined that both must be considered together.

To illustrate the considerations relevant to the adoption of a high-risk-seeking strategy, consider the example
of a defense contractor dealing in computer software protection. This contractor decides to direct all corporate
resources to a single product: a new software program to protect highly classified defense information from
viruses and hackers. Through appropriate due diligence, it is determined that a successful bid will result in an
extremely profitable windfall for the company. In addition, however, the tremendous investment of time and
resources means that failure to secure the government contract will unavoidably result in bankruptcy. Clearly,
this strategy represents a high level of risk appetite. Therefore, before moving forward on this decision the
board must meet, consider all pertinent angles, and sign off on the plan, thus indicating their
acknowledgement and acceptance of the risk-seeking strategy. It is also possible that investors may approve this
approach by increasing the value of the company’s stock; conversely, they may punish the company by
selling off shares. Either way, the direction of investor activity greatly depends on their own assessment of
the company’s position on the risk continuum. From this example, it is clear that the choice of risk appetite
influences all levels of the company’s structure.

Influences on a Company’s Risk Appetite


The following is a list of the many factors that can influence a company’s risk appetite:

• The company’s position in the business-development life cycle. A company’s position in its life
cycle should exert a strong influence on its risk appetite. A company in the start-up phase will often
require a high risk appetite (indeed, 50% of US companies fail within their first five years). If a
company survives the start-up phase and moves into the growth stage, it will need tighter controls to
manage risk. Companies in this stage might establish an internal control function to oversee control
and risk processes. Once companies enter the maturity stage, sales generally level off, which
means that the focus switches to controlling cost, which can be done by taking advantage of
increased productivity gains (perhaps through expanding overseas or developing other types of
products).

• The viewpoints of the major stakeholders, including the company’s major shareholders,
bondholders, lenders, analysts, and many others. Each one of these stakeholders might have a different
opinion as to how much risk the company should be willing to take on. For example, shareholders
who are looking for higher returns might press a company to take greater risks; however, the bank
that lent the company money would probably prefer that the company limit its risk-taking.

5 COSO, Enterprise Risk Management – Integrated Framework, Understanding and Communicating Risk Appetite, pg. 4.


Whether a particular stakeholder’s viewpoint is taken into account will depend on how much
influence or power the stakeholder has over the company. For example, if a bank lends a company a
substantial amount of money, then the bank will have a strong interest in the company’s continued
existence. If the bank feels that the company is taking unnecessary risks, then it could be in a
position to voice its concerns to management and to the board; the level of concern the bank expresses
would be directly proportional to the amount it has invested (that is, more investment means more
concern). In addition, the likelihood that the bank’s concerns will influence company policy also rises
in proportion to the bank’s level of investment (that is, more investment means more influence).

• Accounting factors, such as the volume of transactions, the complexity of the accounting system,
changing rules and regulations, and so forth.

• The opportunity for fraud to be committed.

• External factors, such as changing economic considerations, changes in the industry, changes in
technology, and so forth. For example, if an economy in which a company operates is going through
a recession, the company may decide that a larger bad-debt provision would be appropriate to take
into account the possibility of more consumer bad debt. Or if an industry comes under more scrutiny
because of environmental issues, the company might also decide that it needs a provision for
environmental contamination.

• Governmental restrictions. Depending on the industry, governments can dictate the level of risk a
company is able to take on. Industries such as insurance and banking are generally more regulated
and more restricted than others because they are responsible for, and have a liability for,
the public’s money.

• Entity-level factors, such as the quantity and quality of hired personnel, quantity and quality of
training courses, disruptions in the information processing system, changes in the
organization’s structure, and changes in key personnel.

Risk-taking and Cultural Considerations


Companies that operate across national and cultural borders will encounter a range of cultural practices and
expectations. In setting business strategies, a company might choose to adopt what appears to be the path of
least resistance, which is to export the corporate and management philosophies of the “home” country to the
cross-border or overseas divisions. However, cultural insensitivity may cause unintentional but serious harm
to relationships with employees and customers and damage a company’s potential for success in the new
market.

Risk-taking, particularly in the business environment, is a subject that is closely connected to cultural
practices and beliefs, and therefore management should carefully study and understand the regional attitudes
about risk-taking before implementing a particular set of objectives and the methods for achieving these
objectives. By gaining an understanding of risk-taking attitudes in the overseas culture, a company has much
to gain. Foremost, a company can cultivate strong ties with employees and business associates. Second,
potential pitfalls (such as unintentional offense or misunderstandings) can be avoided. Third, a
culture-sensitive company can derive an advantage over its less-aware competitors by demonstrating a
willingness to take the local culture into account.

That said, it is not necessary for a company to remove all ties to the “home” culture, since doing so might
very well jeopardize the identity that makes a company distinct among its competitors (and risk-taking
strategies are certainly an important component of a company’s identity). Striking the right balance between
the organization’s “home” culture and other nations’ culture is a delicate but rewarding process. Toward this
goal, cross-cultural training (such as through consultants or retreats) is an effective means of creating
inter-cultural dialogue, communicating company goals, and addressing and bridging cultural differences.


Formulizing Risk Appetite


If a company has not made a formal statement about its risk appetite, then it has a potential control
problem. Without such a statement, managers could be running the company with insufficient guidance on
the levels of risk that they are permitted to take, or they may not be seizing important opportunities due to a
perception that taking on additional risk is discouraged.

Formulizing risk appetite means putting it in writing so that there is little confusion about the board and
management’s attitude toward risk. Indeed, formulizing risk appetite improves communication between all
those who oversee risk management. Generally speaking, the larger and more complex an organization is,
the more formulized its policies and procedures should be regarding risk appetite. For example, large financial
services companies (such as Citibank, Bank of America, BNP Paribas, ING, HSBC and others) can be expected
to have highly detailed risk-appetite statements, whereas a small or mid-sized company might have a
risk-appetite statement of no more than a sentence or two. For example, a short risk-appetite statement may be “no
project investment should be greater than 20% of company’s net assets” or “IFRS earnings should not be
negatively affected by more than 50% of its forecasted earnings.”

Risk appetite can be expressed either quantitatively (numerically) or qualitatively. The following are
examples of quantitatively expressing risk appetite:

• Solvency. A company does not want to lose more than a defined amount of its capital so that it can
remain a going concern following an extreme-loss event or combination of extreme-loss events.

• Capital coverage. A company requires that its capital is sufficient to cover a multiple of the amount
of capital needed to absorb a loss of a certain magnitude (for example, a 1-in-100-year event).

• Earnings. A company does not want to lose more than a defined percent or multiple of annual net
income.

• Company value. A company wants to assume the amount and kinds of risks that maximize
company value (that is, the risk adjusted present value of future cash flows).

There may be aspects of risk that just cannot be measured quantitatively, but regardless of the measurement
limitations, risk still has to be identified. In such cases, “risk preferences” can be used to determine and
establish risk appetite. Risk preferences define certain risks that the company does not want to accept; for
example, a company may avoid investing in subprime mortgages or taking out variable-annuity loans.

Once a company understands its risk appetite, it can start developing its risk management process.

Steps in the Risk Management Process


There are a number of ways that the steps in the risk management process may be categorized. Listed below
is the general approach to the risk management process, envisioned as a six-stage process.

Stage 1: Risk Identification and Analysis


This stage involves management looking at the company’s internal business, its external environment,
its business processes, its existing controls, and anything else that could impact the company. During
this stage, management has to keep in mind the strategic goals of the company, the threats and
opportunities the company faces, and the strengths and weaknesses within the company itself.

Stage 2: Risk Evaluation and Assessment


The risks that were identified in Stage One have to be evaluated against the criteria that the company has
created for measuring the risk to its business. Such an evaluation will include assessing the likelihood of
occurrence, the estimated impact on the company, and nonfinancial considerations (such as the image of the
company, the impact on shareholders, or anything else that the company has determined to be significant). In
essence, this is the process of quantifying the different risks so that comparisons can be made.


Stage 3: Risk Reporting


Once risks have been identified and assessed, they need to be communicated to those in the organization
who might be impacted by these risks. It is not uncommon for companies to make a report on risk
assessment to their stakeholders (for example, creditors and external auditors).

Stage 4: Deciding which Risks Must be Addressed and in which Order


In this stage, risks are prioritized. Priorities are determined based on quantitative analysis (the dollars at
risk) as well as qualitative analysis (the nature of a given risk item and its significance, even if the dollar
amount is not large).

Stage 5: Residual Risk Reporting


After the risk management process has been completed, there may still be some residual risk that remains.
This residual risk should be reported to the appropriate level (usually the board of directors) so that
decision-makers can make a final determination to accept or reject that amount of residual risk, or to decide
whether further work must be done to reduce it.

Stage 6: Ongoing Monitoring


After risk management strategies have been implemented, the company must continue oversight to ensure
that the risk has been addressed as intended. Additionally, there must be an ongoing review and assessment
of the Risk Management Process, since policies that may have worked or were relevant years before might no
longer be appropriate.

Organizational Use of Risk Frameworks


The risk management process described above can be used to manage both operational and financial
risks. These methods are discussed below.

Managing Operational Risk


By definition, operational risks are connected to the day-to-day operations of the business. These are the
risks that result from inadequate or failed internal processes, individuals, or systems. Because of the nature
of the risks, they are usually best managed at a lower level in the organization, preferably by those who work
with these issues on a daily basis.

One of the main ways of managing operational risk is through properly developed and implemented internal
controls. Additionally, monitoring business processes and a continuous review of both the processes and the
personnel in the company are a part of the process of managing operational risks.

Managing Financial Risk


Financial risk management creates economic value to the company through financial instruments that
manage exposure to risk, especially credit risk and market risk. Policies and procedures other than financial
instruments may also be used in financial risk management.

The following is a list of ways that a company can manage its financial risk:

• Forward contracts and options hedge the risk of foreign currency value fluctuations or fair value
fluctuations

• Specific investment policies can be used to invest in short-term and long-term investments

• Futures contracts can be used as a hedging tool

• Swaps hedge an interest rate or fair value of an asset


Qualitative Risk Assessment Tools


Stage Four of the Risk Management Process, “Deciding which Risks Must be Addressed and in which Order,”
mentions the need for a company to assess its risks in quantitative and qualitative terms. Although the
quantitative approach is the easiest to visualize (that is, valuing risk according to dollar amounts), a
qualitative approach recognizes that some events may be significantly impactful even if the actual monetary
value of such risks is comparatively low. In other words, qualitative assessments evaluate and rank risk
events in terms other than the amount of potential dollar loss. For example, the potential for lost customer
goodwill cannot be readily defined in numerical terms; however, a qualitative assessment can provide a
company with a rubric and vocabulary with which to ascertain the broader impact and thus better rank this
important risk in relation to other risks that might arise from other business-related decisions.

A risk map is a visual depiction of the relative risks. For the different events, the likelihood of the event
happening is on the horizontal or x-axis and the level of impact is on the vertical or y-axis. This visualization
identifies the risks that are more likely to occur and that have a greater monetary amount at risk should the
event occur.

The diagram below also indicates the suggested risk response.

Risk map: Likelihood (%) runs along the horizontal axis from Remote to Likely; Impact ($) runs down the
vertical axis from Minor to Critical.

• Minor impact, remote likelihood: ACCEPT. Risks are considered not to be significant. The cost of dealing
with the risks is greater than the perceived benefit. Risk should remain under review in case the business
environment changes.

• Minor impact, likely: REDUCE. This is an area where management should take immediate action to reduce
frequency of losses. Management should consider the need for risk control measures, such as
self-insurance to deal with frequency of loss.

• Critical impact, remote likelihood: TRANSFER. Risks in this area should be transferred or minimized
through insurance, hedging, or contingency planning. Reduction of the impact of the risk will minimize
insurance premiums.

• Critical impact, likely: AVOID. Need to take immediate action to reduce the impact or likelihood of the
risk. An extreme form of business risk avoidance is to terminate the operation.

Analyzing Results
The nearer the risk is towards the bottom right-hand corner (dark red zone), the more important the risk
is to the company. Thus, the company should spend most of its energy on analyzing, evaluating, and dealing
with these risks. On the other hand, the nearer the risk is towards the upper left-hand corner (yellow zone),
the less significant the risk is, and thus the company neither has to nor should take action to lessen the
risk. In such cases, the company is willing to take on the risk that an undesirable event could occur.


Responses to Risks
The above diagram identifies four different ways that companies can respond to risks:

1) Transfer the risk. To transfer risk, a company might purchase insurance against the possibility of a
natural disaster or theft. Another example of transferring risk is the use of derivatives to hedge
against possible changes in commodity prices, changes in interest rates, or changes in currency
exchange rates. Transferring risk may also be done without insurance, as it may be included in the
contract between the involved parties.

Note: Risk retention is connected to risk transfer. It is the portion of risk not covered by insurance
or by the hedge, such as a deductible amount that must be paid before any losses are
reimbursed.

2) Accepting the risk. If a company believes that the cost of dealing with a risk outweighs the
benefits of doing so, then it might decide to accept the risk. However, when accepting risk, a company
still needs to keep the risk under review in case the risk becomes more significant.

3) Reduce the risk. In this situation, the company believes that it can put in the necessary controls to
lessen or mitigate risk. Experience has shown that, through careful oversight, many risks can be
reduced. For example, if a company has a petty cash account and believes that the most at stake is
$200, it could lessen the risk of theft by having an independent verifier do an occasional
inspection of the balance.

4) Avoid the risk. To avoid the risk is to eliminate it if it is judged to be too great for the company to
bear. For example, if the company produces a product that is highly controversial, it could decide to
avoid risks by ceasing to produce the product.

Note: Use the acronym TARA (Transfer, Accept, Reduce, or Avoid) to remember the responses
to risks.

Question 1: When the likelihood of loss is high and the amount of risk is high, the most appropriate risk
response would probably be

a) Avoiding the risk in whatever manner is available.

b) Reducing the risk by trying to minimize the loss that might occur.

c) Transferring the risk to another party through hedging or similar action.

d) Accepting the risk, since the cost of reducing the risk is greater than the potential benefits.

(HOCK)

Quantitative Risk Assessment Tools


There are a number of different quantitative risk assessment tools. For the exam, be aware of the following:

Value at Risk
Value at Risk (VaR) measures the potential loss in value of a risky asset or event over a defined period for a
given confidence interval. VaR is based on the assumption that the possible outcome of the event is
represented by a normal distribution.

With normal distribution, 95% of the results will lie within 1.96 standard deviations of the mean and 99% of
the results will lie within 2.57 standard deviations of the mean. However, VaR focuses on down-side risk,
meaning that, with respect to a 95% confidence level, the main concern is the 5% risk that the loss will
exceed a given amount. For example, if the VaR on an asset is $100 million at a one-week, 95% confidence
level, there is only a 5% chance that the value of the asset will drop more than $100 million over any given
week.

VaR is expressed in the following equation:

VaR = kσ√N

Where k is the probability level (the number of standard deviations that corresponds to the chosen
confidence level), σ is the standard deviation, and N is the number of periods over which the VaR is
calculated.

Example: The annual cash flows from a project are expected to follow the normal distribution with a mean
of $50,000 and standard deviation of $10,000. The project has a ten-year life. What is the project VaR (or
PVaR)?

PVaR for one year is:

PVaR = 1.645 x $10,000 x √1 = $16,450

The PVaR that takes into account the entire project life is:

PVaR = 1.645 x $10,000 x √10 = $52,019

Therefore, the project should fall no further than $52,019 over the ten-year period, given a confidence
level of 95%.
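The formula and project example above, as an added Python example (not part of the original book): it derives k from the confidence level with the standard library's inverse normal CDF, reproduces the $16,450 and $52,019 figures, and checks the √N scaling against a simulation. The function names, trial count and seed are choices made for this example, and the simulation assumes each year's cash flow is independent of the others.

```python
# Added example (not from the book): parametric VaR = k * sigma * sqrt(N).
import math
import random
from statistics import NormalDist


def k_one_tailed(confidence):
    """k for downside-only risk: (1 - confidence) of outcomes fall below -k sigma."""
    if not 0.5 < confidence < 1.0:
        raise ValueError("confidence must be between 0.5 and 1")
    return NormalDist().inv_cdf(confidence)


def k_two_tailed(confidence):
    """k such that `confidence` of outcomes lie within +/- k sigma of the mean."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be between 0 and 1")
    return NormalDist().inv_cdf(1.0 - (1.0 - confidence) / 2.0)


def parametric_var(sigma, periods, confidence=0.95, k=None):
    """VaR = k * sigma * sqrt(periods).

    Pass k explicitly to reproduce a rounded table value such as 1.645;
    otherwise k is computed from the confidence level (one-tailed).
    """
    if sigma < 0 or periods <= 0:
        raise ValueError("sigma must be >= 0 and periods must be > 0")
    if k is None:
        k = k_one_tailed(confidence)
    return k * sigma * math.sqrt(periods)


def simulated_var(sigma, periods, confidence=0.95, trials=100_000, seed=2013):
    """Empirical VaR: shortfall from the expected total that is exceeded in
    only (1 - confidence) of the simulated outcomes.

    Assumption of this example: each period's deviation from the mean is an
    independent normal draw, which is what sqrt(N) scaling relies on.
    """
    rng = random.Random(seed)
    totals = sorted(
        sum(rng.gauss(0.0, sigma) for _ in range(periods))
        for _ in range(trials)
    )
    cutoff = totals[int((1.0 - confidence) * trials)]
    return -cutoff


def main():
    sigma = 10_000  # annual standard deviation from the book's example
    print("one-tailed k at 95%:", round(k_one_tailed(0.95), 3))
    print("two-tailed k at 95%:", round(k_two_tailed(0.95), 2))
    print("1-year PVaR (k=1.645):", round(parametric_var(sigma, 1, k=1.645)))
    print("10-year PVaR (k=1.645):", round(parametric_var(sigma, 10, k=1.645)))
    print("10-year PVaR (exact k):", round(parametric_var(sigma, 10), 2))
    print("10-year PVaR (simulated):", round(simulated_var(sigma, 10)))


if __name__ == "__main__":
    main()
```

The 1.96 quoted for 95% is the two-tailed value, while the worked example uses the one-tailed 1.645 because VaR looks only at the downside. The simulated figure matches the formula only because the yearly cash flows are drawn independently.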

Cash Flow at Risk


“Cash flow at risk” is a concept similar to VaR, but it provides a different measure. As the name implies, “cash
flow at risk” measures the likelihood that cash flows will drop by more than a certain amount. This quantity is
calculated using the measures of a normal distribution.

Earnings at Risk
This measures the confidence interval for the fall in earnings during a specific period.

Earnings Distributions
This is a graphical representation of the probability of a level of return and the level of return itself.

Earnings per Share Distributions


This is a graphical representation of the probability of the amount of earnings per share (EPS) and the
likelihood of each occurring.

Question 2: The measure that provides a quantitative measure of the accuracy of the potential financial
loss is

a) Residual risk

b) Inherent risk

c) Risk ranking

d) Value at Risk

(HOCK)


Section C – Organizational Structure/Business Processes and Risk


Section C accounts for approximately 15–25% of the exam, so you will need to spend some time learning the
primary concepts in this section.

The following is a list of concepts that should be thoroughly understood:

• Control implications of different organizational structures. The type of organizational
structure can greatly impact the control environment and the success of the controls of the company.

• Business process analysis. Business process analysis is a system of analyzing a company’s
operational plans and business strategies so that improvements can be achieved. The important analysis
techniques included in this section are workflow analysis, theory of constraints, variance
analysis, and value chain analysis.

• Inventory management techniques and concepts. Inventory can be a tremendous investment,
so companies have to make sure it is well protected. Inventory management is concerned with the
effective and efficient acquisition, storage, use, and distribution of inventory. This part will focus on
the different inventory costs, value analysis, and economic order quantity.

• E-commerce. E-commerce has had a significant impact on the way companies do business. Two
programs associated with e-commerce are electronic data interchange (EDI) and electronic
funds transfers (EFT).

• Business development life-cycles. With respect to organizational structure, it is important for
companies to recognize where their business is in the business life-cycle, as its position impacts its
overall business strategy.

• International Organization for Standardization (ISO) framework. The ISO is a set of
standards that provides a set of rules for evaluating the quality of a company’s operations. The primary
aim of the ISO framework is to provide an assurance to customers and suppliers that a company’s
products are made or its services are delivered in a way that meets ISO’s standards for quality.

• Outsourcing business processes. Businesses should concentrate their efforts on those activities
that are crucial for their competitive advantage. Activities that are not critical can be outsourced. It is
possible that through outsourcing the business can save money and thus be more competitive.

It is recommended that you read through the material, understand the general concepts, and use
ExamSuccess to become familiar with what has been asked in the past.


Control Implications of Different Organizational Structures


A company’s organizational structure greatly impacts its risk and control environment, and therefore also
the success of the controls of a company. No matter what type of organizational structure a company has,
there must be a unity of objective throughout the company. This occurs when all of the objectives of
individuals and departments are in agreement with the larger organizational goals. In order to accomplish
this, management must ensure that the organizational goals are communicated.

Besides the unity of objectives, the relationships between the individuals, groups, and departments need to
be considered as well. These relationships are to varying degrees based upon authority, responsibility, and
accountability.

• Authority is the right to direct the performance of others. This includes the right to describe the
means and methods by which the work will be performed.

• Responsibility is the obligation a person has to perform. Under the classical approach this comes
from the superior and is part of every job.

• Accountability is the duty to account for the completion of the responsibility.

Note: Even when responsibility is delegated downward, the person who did the delegating is still
ultimately responsible for the task that has been delegated. This final responsibility cannot be delegated.

Listed below are some of the different types of organizations and different elements of the relationships within
an organization.

Elements of the Organizational Structure


A structure of an organization may be defined in terms of its:

• Complexity

• Formalization

• Centralization

Complexity
The type of differentiation that exists within the organization determines complexity:

• Vertical differentiation – the more levels there are within an organization the more complex it is
and also the slower and less effective it will be in adapting to changing conditions. These are tall
organizations.

• Horizontal differentiation – this relates to the extent that special skills and knowledge are
required to complete the tasks. An organization is more complex when a greater diversity and depth of
skills are required. These are flat organizations because there are many different skills within the
organization, but there is not a lot of hierarchical differentiation between them.

• Spatial differentiation – this relates to the geographic separation of the organization's activities.

Formalization
This is the extent to which jobs are standardized and the clarity of the procedures and tasks that need to be
performed. The lower the level of formalization within a company, the more room there is for employee
decisions. A strong corporate culture reduces the need for the formal expression of all corporate standards
because these are disseminated and monitored naturally as part of the corporate culture.


Centralization
This is a larger concept because it includes the debate between centralization and decentralization. We
will look at the differences between these two approaches here. Centralization is the extent to which a
company’s authority and freedom of decision-making is concentrated in one location or dispersed over many
locations, departments or individuals.

Classical theorists do not like decentralization because they view it as dissolution (weakening) of the authority
of management. However, behavioralists see decentralization as a positive development because it is a good
way to motivate employees and keep morale as high as possible. The modern view is that neither form of
structure (centralization or decentralization) is necessarily good or bad in itself. Rather, the company needs to
select the method that best serves its needs.

Under this modern view, the amount of decentralization that takes place will depend upon a few factors
specific to that company.

• There must be necessary and proper information available to the people making the decisions.
This means that if the information is available only in the head office, there should not be any
decentralization.

• Decisions can only be decentralized if there are people in outside locations who have the necessary
skills and are able to make decisions.

• Decisions must be made in a timely manner. An outside location is often in a better position to
make a timely decision.

• If a company has large, interconnected operations, decentralization should not take place at a level
below which any coordination between locations needs to be maintained.

• Decisions that are critical to the company as a whole are generally made at the central location
and should not be decentralized.

In summary, there will be more decentralization when: lower levels of management make many of the
decisions, most functions and tasks are influenced by decisions made at lower levels of management, and the
review or approval of a decision is required before implementation.

Decentralization is most often and easily implemented in organizations that have departments that are based
upon clearly divisible units, functions or products.

Advantages of Decentralization
Among the many advantages that result from decentralization are:

• Greater speed in making operational decisions.

• Encourages better communication and initiative among employees.

• Requires the understanding of company goals throughout the organization.

• Identifies and trains good decision-making at lower levels; this builds a pool of managers.

• Gives responsibility and authority to lower level managers.

• Frees top management from operations duties and enables them to focus on strategic goals.

• Enables the financial measurement of a particular unit.


Disadvantages of Decentralization
Though there are many advantages of decentralization, there are also some drawbacks:

• Tendency to focus on short-term local issues rather than long-term success of the larger
organization.

• Increased risk due to the loss of control by top management.

• More difficulty in coordinating interdependent units – lower levels of management may make
conflicting decisions.

• Greater danger of satisficing (this is good enough so we will do it) decisions made by lower
management.

Delegation
One of the key parts of the decentralization process is the proper delegation of authority. Though this is
part of decentralization, delegation also occurs within an office or department. Delegation is the process of
passing power downward from one individual to his or her subordinate. Under the classical approach, this
process of delegation should be avoided because it is a reduction of the power of the manager. The behavioral
approach sees this as a useful step because no one has time to make every decision and subordinates like to
be involved in the process.

Delegation helps subordinates develop confidence and initiative in situations where there are some safeguards
and controls in place. This is part of the process of a person becoming a manager.

In order to successfully delegate the following must exist:

• The necessary skills and a sound knowledge of the organization objectives

• A feedback system that allows assessment of performance

• A faith in the abilities of the subordinate

• A recognition of the need to delegate

• A willingness to accept risk

• The desire to train subordinates

Note: It is very possible that a manager will hesitate to delegate because of the fear that she or he will be
held accountable for someone else’s performance. This is a counterproductive fear, but if it is valid, the
organization needs to work to eliminate it.

The delegation process involves the following steps:

• Determine the expected results

• Assign tasks and responsibilities

• Delegate the necessary authority to complete those tasks

• Recruit responsible subordinates

• Communicate clearly what is expected

• Follow-up on the process because ultimate authority still remains with the manager


Question 3: The most effective way to delegate a task to a subordinate would be to:

a) Define the desired outcome and the approach precisely − and in writing.

b) Define the desired outcome precisely, discuss possible approaches with the employee, and reach
agreement on the approach to be taken.

c) Let the employee try to perform the task for a defined period of time and then meet to critique the
approach, clarify the assignment as needed.

d) Give the assignment in very general terms, have the employee develop the desired outcome and
approach, and then review and critique the employee's decisions.

(CIA Adapted)

Structure of the Organization


The structure of a company’s organization may be either mechanistic or organic – these are the two ends
of the spectrum of structure.

• A mechanistic structure is a very set and detailed system in which there are tight controls,
extensive division of labor and high formalization. This type of structure works well for mass production
and any time there is a strong need for operational efficiency.

• An organic structure, on the other hand, has low complexity, a low amount of formalization and a
highly participative decision-making structure. Organic structures are more flexible and adaptive to
change and are better in more dynamic (changing) and complex environments. An organic structure
is better for product development.

Question 4: A large company uses assembly line techniques to manufacture a single product. Its choice of
relatively mechanistic organizational design was more likely based on its:

a) Need for rapid response to environmental change.

b) Primary concern for operational efficiency.

c) Low fixed technology requirements.

d) Project management emphasis.

(CIA Adapted)

Question 5: When an organization depends to a great extent on its environment, which of the following
statements best characterizes the relationship among an organization's environment, the level of
uncertainty it faces, and its structure? The more dynamic and complex the environment, the:

a) More uncertainty the organization will face and the more organic the structure should be.

b) More uncertainty the organization will face and the more mechanistic the structure should be.

c) Less uncertainty the organization will face and the more autocratic the structure should be.

d) Less uncertainty the organization will face and the more organic the structure should be.

(CIA Adapted)


Structure and Strategy


The structure that a company chooses will be a function of its main strategy.

• If the main strategy is one of innovation and development of new products, an organic structure
will work better.

• For a cost-minimization strategy, a mechanistic structure will be better.

• If the strategy is to imitate others and move into markets only after they are proven, a
combination of organic and mechanistic will work best.

The company’s structure is also a function of:

• Organizational size - Though there is no direct relationship between the size of the company and
the structure that is required, larger companies tend to be more mechanistic because of the
need for formalization.

• Technology - An organic environment would work best with non-routine technology where
formalization is lower.

• Environment - Generally, the more stable the environment, the more mechanistic the company. A
mechanistic environment may also be more appropriate when the company has little opportunity for
growth. Organic environments would tend to be more dynamic and complex. These environments
generally require the flexibility and adaptability that is offered by an organic environment.

Question 6: Discount stores and sellers of generic grocery products keep prices low and innovate only
when there are low-risk, high-payback projects. They are pursuing a(n):

a) Innovation-minimization strategy.

b) Imitation strategy.

c) Cost-minimization strategy.

d) Initiation strategy.

(CIA Adapted)

Question 7: In general, as organizations grow in size, their strategies:

a) Become more ambitious, and they often expand their activities within their industry.

b) Focus on vertical integration, and their structures consequently must become more centralized.

c) Change from a focus on a diverse set of products to a focus on a single product line.

d) Follow and are determined by their internal structures.

(CIA Adapted)


Components of an Organization
According to Henry Mintzberg, an organization has five components. Depending upon which of the five
components dominates the organization, there will be one of five organizational structures.

The five organization components are:

• Operating Core: The employees who perform the basic production tasks.

• Strategic Apex: The top managers who ensure that the mission is followed and the needs of
the owners are met. They are in charge of overall strategic, long-term planning and control.

• Middle Line: Managers who connect the strategic apex to the operating core.

• Technostructure: The staff without direct line management responsibilities, but who seek to
standardize the way the organization works. They are the ones who produce procedures and
systems manuals that others are expected to follow.

• Support Staff: The support staff provide ancillary services, e.g. secretarial staff, cleaning
staff, public relations, legal counsel, cafeteria, IT staff, etc.

[Figure: Organizational Components, showing Ideology, Strategic Apex, Technostructure, Middle Line, Support Staff, and Operating Core]

According to Mintzberg, surrounding every organization is the organization’s ideology, which some argue is
the sixth component of an organization. Ideology is the traditions and beliefs that make each organization
unique.


Mintzberg identified six different types of organizations, each of which configures the five standard
components in a different way. He suggested that the most suitable configuration would depend on the type
and complexity of the work done by the organization. The six types of organizations, based on which
component is dominant are:

Dominant component: Operating Core
Type of organization: Professional Bureaucracy – This is a complex and formal organization, but
also one that is decentralized in which the specialists of production have great amounts of
independence. Top management gives up a lot of its control in this process, but there is low
creativity and there may be low performance because of inflexibility and an impersonal environment.
Coordinating mechanism: Standardized skills.

Dominant component: Strategic Apex
Type of organization: Simple Structure – There is low complexity and authority is centralized.
This is usually seen in smaller (entrepreneurial) organizations where there is less formal
planning or structure.
Coordinating mechanism: Direct supervision.

Dominant component: Middle Line
Type of organization: Divisional Structure – In this structure, each division essentially operates
as its own company. This can lead to the duplication of many functions within each of the divisions.
Coordinating mechanism: Standardization of output.

Dominant component: Technostructure
Type of organization: Machine Bureaucracy – This is a complex, formal organization that
performs highly routine tasks. There is a strict chain of command and line and staff functions
are separated.
Coordinating mechanism: Standardized work processes.

Dominant component: Support Staff
Type of organization: Adhocracy – This is an organization with low complexity and it is not very
formal. There is low vertical differentiation and high horizontal differentiation. The emphasis is
on flexibility and response (e.g., advertising agencies and consulting firms).
Coordinating mechanism: Mutual adjustments.

Dominant component: Mission (Mintzberg identified this as another coordinating factor)
Type of organization: Missionary Organization – In this type of organization, the members share
a common set of beliefs and values, which can mean that the organization is usually unwilling to
compromise or accept change (e.g., religious organizations).

Question 8: With the shift in some countries' economies toward service industries, a new form of
organization has developed, which is referred to as the professional bureaucracy. While this structure
resembles the machine bureaucracy (which relies on standardized work processes) in several respects, it
is different in one key aspect. This significant difference is that in a professional bureaucracy:

a) Tasks are accomplished with a high degree of efficiency.

b) There is strict adherence to rules.

c) Senior management has had to give up a substantial amount of control.

d) There is a tendency for subunit conflicts to develop.

(CIA Adapted)


Question 9: A disadvantage of a bureaucratic organizational structure is that:

a) The quantity of paperwork prepared is minimal.

b) Employee behavior is not controlled because the organization is too flexible.

c) Creativity within the organization is low.

d) Organizational goals are de-emphasized because the work environment is personalized.

(CIA Adapted)

Question 10: A substantial duplication of functions characterizes which of the following?

a) Simple structure

b) Divisional structure

c) Machine bureaucracy

d) Professional bureaucracy

(CIA Adapted)

Departmentation
Departmentation is the process of grouping related activities together into significant organizational
subsystems. This should promote the coordination between the different divisions of labor that are created
when a company breaks its operations into separate tasks. There are a number of different ways to establish
the departments of an organization.

• Departmentation by function is the most common form of departmentation. The most common
departments are marketing, production, and finance (or accounting). The advantages of this system
are specialization by those performing the different tasks, simplified training because of the reduced
breadth of job duties, and the representation of the primary functions in the top level of
management. Disadvantages are the lack of profit centers and a potential lack of coordination between the
different functions.

• Departmentation by territory is when the company is divided along geographic lines. This is
characteristic of multinational and national companies. This gives the companies a quicker reaction
time to local changes, greater familiarity with the local market and issues facing it, and cheaper
distribution costs. On the other hand, there is a greater loss of control through delegation and there is a
duplication of service functions, because each department (geographic territory) will be performing
these tasks.

• Departmentation by product is growing in importance as more companies are using it to provide
greater control over a product or product line. This is the system that is most conducive to profit
centers because one department is going to produce and sell the product. There is a specialization of
assets and skills and it is easier to assess profitability for a department, but there is a need for more
managers, and staff functions are duplicated in the different departments.

• Departmentation by customer allows the organization to provide better service to customers, but
there is a need to have a large customer base. Therefore, it may be difficult to coordinate the
services offered to customers with the departments that will actually be performing the services.

• Departmentation by project may be used for one-time projects (e.g., ship building, military
contracts) and enables easy communication, but this requires reorganization at the end of each
project, which will lead to transitional difficulties from one project to another.


Matrix Organizations
A matrix organization occurs when any two of the above methods are combined in one company. This often
leads to one employee reporting to more than one manager. This potentially large issue needs to be resolved
by having a way of prioritizing between the different supervisors.

The flexibility that occurs in a matrix organization allows the best people to be assigned where they are most
needed, even if that is somewhere outside of their usual departments. This flexibility will enable the company
to eliminate, or at least reduce, the large changes in the number of people that are hired for various projects
and then fired afterward. The matrix system allows the organization to take people from other departments
temporarily for a larger project. The main disadvantage of the matrix system is that the unity of command
is broken because of the fact that a person has more than one boss at certain times.

Question 11: In what form of organization does an employee report to multiple managers?

a) Bureaucracy

b) Matrix

c) Departmental

d) Mechanistic

(CIA Adapted)

Span of Control
The span of control is the maximum number of subordinates that a manager can effectively supervise. The
classical view holds that this number is 5 or 6, while the behavioral school feels that it is better if this number
can be increased because of the benefits received by expanding the span of control.

Under the behavioral school, the more people a manager supervises, the less time there is
available to supervise each individual subordinate. This will lead to the subordinate working with less close
supervision, thereby increasing their job satisfaction. Also, by having more subordinates for each manager,
there will be fewer levels in the organization, leading to more efficient communication through the
organization.

The modern approach holds that the number of subordinates is based upon factors such as the supervisor’s
training, abilities, time available to supervise and the subordinates’ interest in working with less supervision,
commitment to the job, training and attitudes. Also, the job itself and the environment of the company will
influence the number of subordinates that can be supervised.

Note: The size of the organization does not affect the span of control.

The span of control will affect the number of levels that exist in an organization; one with a narrow span of
control will be a taller organization because each manager is managing fewer people. In a tall
organization, there is more room for advancement because there are more levels; on the other hand, because
of the additional levels, communication takes longer. If a company has a wide span of control, there will
be fewer levels and it will be a flat organization. A wide span of control is more appropriate when the tasks
performed are more standard and require little direct supervision by management. This is because there is a
greater risk that employees will perform complicated tasks incorrectly when there is less supervision, so in a
wide span system the activities should not require a lot of direct supervision.


Question 12: Which of the following is least likely to affect a manager's direct span of control?

a) Frequency of supervisor-subordinate contact.

b) The manager's willingness to delegate authority.

c) The manager's training and communication skills.

d) Number of people in the corporation.

(CIA Adapted)

Question 13: The optimal span of control of a manager is contingent upon several situational variables.
For instance, a manager supervising workers within the same work area who are performing identical
tasks that are simple and repetitive would best be able to supervise:

a) An unlimited number of employees.

b) Only a few workers (a narrow span of control).

c) A relatively large number of employees (a wide span of control).

d) Fewer workers than if the workers were geographically dispersed.

(CIA Adapted)

Business Process Analysis


All companies and organizations have a system of operation comprised of business processes. A process is
a sequence of related activities, or may be a sequence of related tasks that make up an activity. These
activities or tasks are usually interdependent, and there is a well-defined flow from one activity to another or
from one task to another. They are performed in sequence or in parallel to accomplish a specific goal. The
process may be manual or automated, and may comprise one or more activities or tasks.

A system of analyzing the operation plans and business strategies so improvements can be made is called
Business Process Analysis (BPA). The elements of a successful BPA project are:

• Focus on the institution’s core business processes

• Involve individuals most knowledgeable with the business process being analyzed

• Document the current business process via a flow diagram

• Identify bottlenecks, inefficiencies, and areas for improvement

• Determine changes required to the business process

• Plan for migration to the revised business process

Tools for Analyzing Business Processes


There are many different types of analysis, but the primary ones we will discuss are: 1) Workflow Analysis, 2)
Theory of Constraints (TOC), 3) Variance Analysis, 4) Value Chain Analysis, 5) Reengineering, and 6) Six
Sigma.


1) Workflow Analysis
Workflow analysis is the process by which organizations are able to identify and evaluate how well their
existing processes are achieving organizational goals. By understanding existing processes, internal auditors
are then in a position to recommend ways of streamlining and optimizing current processes.

Workflow analysis is accomplished by breaking down processes into their component parts. For
example, within the purchasing workflow there will be several components that include making the order,
approving the order, purchasing the actual goods, accepting the bill of goods, and finally receiving the goods.
These processes are mapped and evaluated.

Workflow analysis can be thought of as being similar to PERT/CPM. It can both map out a process and
calculate the cost associated with those processes. The primary difference between the two is that workflow
analysis is used to map current business processes, whereas PERT/CPM is used specifically in the
management of large projects.

2) Theory of Constraints (TOC) Analysis


Theory of Constraints (TOC) Analysis is a technique used to improve speed in manufacturing by increasing
throughput contribution while decreasing investments and operating costs. TOC maximizes operating
income when faced with a bottleneck. The bottleneck is the part of the process that has the smallest amount
of capacity. This makes it the slowest part of the process, and it is where production will be reduced if the
bottleneck process has a problem. This situation can be managed to obtain the maximum amount of
contribution from the bottleneck by producing those items that will return the highest contribution per hour
(or other applicable measure of constraint) of the bottleneck.

Throughput time, or cycle time, is the time that elapses between the receipt of a customer order and the
shipment of the order. TOC helps reduce cycle times and therefore, operating costs. TOC defines three
measurements:

1) Throughput contribution is equal to revenues minus the (materials) costs of the goods sold.

2) Investments equals the sum of costs in direct materials, work-in-process and finished goods
inventories, R&D, and costs of equipment and buildings.

3) Operating costs are equal to all operating costs other than direct materials incurred to earn
throughput contribution. Operating costs include salaries and wages, rent, utilities and depreciation.

The following are the steps in managing bottleneck operations through the use of TOC analysis:

1) Recognize that the bottleneck operation determines throughput contribution of the system
as a whole, and identify the bottleneck by determining where total hours needed exceed the
number of available hours. To identify where slack (extra, unused) hours of capacity exist and where
they are negative, analysis of the production process is prepared using hours required and hours
available for each procedure.

2) Calculate the best use of the bottleneck to maximize contribution. Determine the most
profitable product mix, given available capacity at the existing constraint. This will be the
combination of products that maximizes total profits. Profitability for each product is determined by using the
throughput margin (product price less variable materials cost) per minute of the constraint. (Note
that the constraint may be something other than time. It could be, for example, a maximum number
of kilograms of an input material that are available. Whatever the constraint is, the throughput per
unit of that constraint must be calculated.) The product with the highest throughput margin per
minute will be the most profitable, even though it may have a lower throughput margin per unit.

3) Maximize the flow through the bottleneck by using the drum-buffer-rope (DBR) system, which
attempts to minimize the buildup of inventory at the bottleneck, but still keep the constraint
producing at all times. Non-bottleneck operations are not permitted to produce more output than can be
processed by the bottleneck, as this would create excess inventory and doesn’t increase throughput
contribution. In DBR, the constrained process is the drum and the sequence of processes prior to
the constraint is the rope. The objective is to balance the flow of production through the rope by
timing and scheduling activity for all processes leading up to the drum. The buffer is a minimum
amount of work-in-process inventory waiting for completion by the constrained process, just enough
to ensure that the constrained process is busy at all times.

4) Increase the production capacity of the bottleneck by adding capacity. This may be a longer-
term project to consider, but the company must look at how to reduce the limitations of the
constraint.

5) Analyze the system to see if there are improvements to make through redesigning or reordering
the processes. This is the most strategic response to the constraint.

A Theory of Constraints Report conveys throughput margin and selected operating data. It identifies each
product’s throughput margin per hour required for the binding constraint and the most profitable product(s).
It also enables monitoring to achieve maximum profitability given the existing constraints.
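The following Python sketch is an added worked example, not material from the book: it carries out steps 1 and 2 above by computing slack per operation to find the bottleneck, then ranking products by throughput margin per bottleneck minute to build the product mix. The product names, prices, minutes and demand figures are constructed sample data.

```python
"""Theory of Constraints: find the bottleneck and the most profitable mix.

All product names, prices, minutes and demand figures below are
constructed sample data, not figures from the text.
"""
from dataclasses import dataclass


@dataclass
class Product:
    name: str
    price: float            # selling price per unit
    materials_cost: float   # variable materials cost per unit
    demand: int             # units the market will take this period
    minutes: dict           # minutes needed per unit at each operation

    @property
    def throughput_margin(self) -> float:
        # Throughput margin = product price less variable materials cost.
        return self.price - self.materials_cost


def find_bottleneck(products, available_minutes):
    """Step 1: slack = minutes available - minutes required at full demand.

    Returns (operation, slack_by_operation). The operation with the most
    negative slack is the bottleneck; None means no operation is short.
    """
    slack = {}
    for op, available in available_minutes.items():
        required = sum(p.minutes.get(op, 0) * p.demand for p in products)
        slack[op] = available - required
    worst = min(slack, key=slack.get)
    return (worst if slack[worst] < 0 else None), slack


def best_mix(products, bottleneck, capacity):
    """Step 2: fill bottleneck capacity in order of margin per bottleneck minute.

    Products that do not use the bottleneck at all are made to full demand.
    Returns (units_by_product, total_throughput_margin).
    """
    def margin_per_minute(p):
        per_unit = p.minutes.get(bottleneck, 0)
        return float("inf") if per_unit == 0 else p.throughput_margin / per_unit

    plan, remaining = {}, capacity
    for p in sorted(products, key=margin_per_minute, reverse=True):
        per_unit = p.minutes.get(bottleneck, 0)
        if per_unit == 0:
            units = p.demand
        else:
            units = min(p.demand, int(remaining // per_unit))
        plan[p.name] = units
        remaining -= units * per_unit
    total = sum(plan[p.name] * p.throughput_margin for p in products)
    return plan, total


# Constructed sample data: Deluxe earns more per unit (70 vs 45) but less
# per minute of the assembly constraint (2.00 vs 3.00).
PRODUCTS = [
    Product("Deluxe", price=120, materials_cost=50, demand=100,
            minutes={"cutting": 10, "assembly": 35}),
    Product("Standard", price=80, materials_cost=35, demand=150,
            minutes={"cutting": 8, "assembly": 15}),
]
AVAILABLE = {"cutting": 2400, "assembly": 4800}

if __name__ == "__main__":
    op, slack = find_bottleneck(PRODUCTS, AVAILABLE)
    print("slack by operation:", slack)
    print("bottleneck:", op)
    plan, total = best_mix(PRODUCTS, op, AVAILABLE[op])
    print("product mix:", plan, "total throughput margin:", total)
```

With this data, filling the constraint with Standard first yields a total throughput margin of 11,790, against 10,870 if Deluxe, the product with the higher margin per unit, were given priority.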

Question 14: Urban Blooms is a company that grows flowering plants and sells them in attractively
designed container arrangements to upscale hotels, restaurants and offices throughout the greater New
York City metropolitan area. When first established, the organization produced every aspect of its product
on site and handled all business functions from its facility, in either the greenhouses, production areas or
office. The only exception was importing expensive, large containers from Mexico. After five years in
business, Urban Blooms had become very profitable and increased its staff from 10 to 200 employees,
including horticulturalists, production/design workers, business managers and sales staff. However, the
owners found it increasingly difficult to keep up with the complexities and demands brought about by the
company’s continuing growth. Over time it became apparent that several areas of the business were
causing customer problems (caused by bottlenecks in the system) and were not performing to expectations.
Management noticed over the course of time that the rate of customer dissatisfaction increased
dramatically, and because of this some customers started to go elsewhere.

Which of the following would be the best method to analyze the system?

a) Materials resource planning (MRP)

b) Activity-based costing (ABC)

c) Theory of Constraint Analysis (TOC)

d) Lean production

(HOCK)

3) Variance Analysis
Variance analysis is the process of comparing the actual expenses and revenues during a certain period to the
budgeted amounts for that same period. Variance analysis allows the company to determine why the actual
results were different from the budgeted amounts.

Variance analysis enables internal auditors to focus their efforts on the areas of the operations that have been
operating less efficiently than planned.

An important concept of variance analysis is standard costs, and the role that standard costs play in the
accounting and costing system. A standard cost is an estimate of the cost the company expects to incur in
the production process. Standard costs are established during the budgeting process. Without a standard
cost, the analysis of actual activities and results is very difficult because there is no standard against which to
measure the performance.


This standard cost is calculated at the beginning of the year and it is based on the estimated costs and
the expected level of activity or production. The standard cost is determined through the use of accounting
and production estimates. It should not be simply created by management.

The comparison of actual costs to standard costs allows the company to analyze its actual costs and also
enables some forms of cost control. A large variance between the standard cost and the
actual cost is an alert to management that something is possibly wrong and needs attention.

Note: A standard cost system may be used with either a job-order costing system or a process costing
system. Standard costs are best used with a flexible budgeting system in order to provide the most
useful variance analysis. The flexible budget makes it possible to identify differences between actual and
budgeted numbers that were not the result of an actual level of production being different from expected.
Flexible budgets are covered in more depth in Section C.

Question 15: The process of establishing standard costs can involve different personnel from different
areas. Who of the following would be least likely to be involved in the process of establishing standard
costs?

a) Budgetary accountants

b) Industrial engineers

c) Senior management

d) Quality control personnel

(CMA adapted)

4) Value Chain Analysis


The value chain describes the company’s chain of activities for transforming inputs into the outputs that
customers value. This process of transformation includes all of the primary activities (business functions) as
well as support activities that add value to the product or service, as shown in the figure below.

[Figure: The value chain. Primary Activities: Inbound Logistics, Operations, Outbound Logistics, Marketing
and Sales, Service. Support Activities: Corporate infrastructure, Human Resource Management, Technology
development, Procurement.]

The primary activities create most, if not all, of the value within the value chain. The support activities
provide purchased inputs, human resources, technology and infrastructural functions to support the primary
activities. Even though this is an obvious point, you need to make sure not to overlook the importance of the
support activities. For example, the procurement department (support activity) has to purchase inputs of the
right quality, at the right time, and at the right price. If the department is unable to do this, the production
department might not be able to produce the quality of product required by customers, which could lead to
dissatisfied customers, in turn possibly leading to the company as a whole not achieving its profitability
objectives.


The margin is the excess that the customer is willing to pay over the cost to produce the product or service.
It represents the value created by the value activities themselves and by managing the linkages between
them, for example, the linkage between procurement and operations, etc.

Primary activities
• Inbound logistics. These are the activities that have to do with receiving and handling purchased
materials and components, and storing them until needed.

• Operations. These are the activities that are concerned with converting the purchased materials
and components into a product that customers will buy.

• Outbound logistics. These are the activities that are concerned with the storage of finished goods
before sale, and the distribution and delivery of goods (and services) to the customers.

• Marketing and Sales. These are the activities that help a company promote and sell its goods and
services (i.e., advertising, promotions, sales personnel).

• Service. These are the activities that occur after the point of sale (POS), such as installation,
warranties, repairs and maintenance, providing training to the employees of customers and after-sales
service.

Support Activities
• Corporate Infrastructure. This relates to the company’s structure and its management systems,
including planning and financial management, quality management and information systems
management.

• Technology development. These are the activities related to any development in the technological
systems of the company, such as product design (research and development) and IT systems. This
is an important activity for innovation.

• Procurement. These are the activities that are concerned with buying the resources for the
company, including materials, plant, equipment and other assets.

• Human resource management. These are the activities concerned with recruiting, training and
rewarding people in the company.

Value chain analysis can help an organization gain competitive advantage by identifying what does or does
not increase value to the customers. Once those areas are identified, the organization can increase the
related benefits, or reduce (even eliminate) non value-added activities. The increase in value to the customer
and/or the decrease in production costs will make the company more competitive. There are three steps in
value chain analysis:

1) Identify the activities that bring value to the end product. These activities depend upon the
industry and what the company does (manufacturing, resale, etc.).

2) Identify the cost driver or cost drivers for each activity.

3) Build competitive advantage by either increasing value to the customer or reducing the costs of
production.

5) Business Process Reengineering (BPR)


Reengineering is a term that originally referred to the process of disassembling a product in order to redesign
it. The term was first mentioned in an article by Michael Hammer in the Harvard Business Review in 1990.
Subsequently, the term has been applied to the restructuring of organizations that is brought about by rapidly
changing technology and today’s competitive economy. For instance, instead of simply using computers to
automate an outdated process, technological advances bring opportunities to fundamentally and
dramatically change the process itself and the way that it is performed. In order to stay ahead of the
competition, an organization must be dynamic.

In applying the concept of process reengineering, management starts out with a clean sheet of paper and
then radically redesigns the processes used by the organization to accomplish its objectives. Operations that
have become obsolete are eliminated.

The three important elements that drive process reengineering are:

1) Fundamental. The redesign of a process should be fundamental and the “old assumptions” about
the process need to be questioned.

2) Dramatic. The improvements that are going to be made are not small. They are dramatic in terms
of lower cost, better quality, better service or improved speed of operations.

3) Radical. The redesign of a process is going to be completely different.

The steps in business process reengineering are:

• The organization must identify what it does better than the competition. These are the
organization’s distinctive competencies. By clearly identifying its competencies, the organization
understands what activities are vital to its success.

• Management needs to determine what processes it uses to convert materials, capital, information
and labor into products or services that have value. The organization is viewed as a series of
processes, enabling management to determine to what degree each process adds value. This can
uncover a lot of legacy processes that are no longer needed and are only done because the
procedure was put into place long ago for some extinct purpose.

• The organization needs to focus on processes, not on functions. Reorganization should take
place around horizontal processes. This will require cutting out unnecessary middle management
levels, thus flattening the organization, because an excess of managers does not add value.
Management is an indirect cost, and the necessary amount of management should be minimized.

Note: Reengineering is the process of starting over in the design and restructuring of a company’s
processes. This is different from the modification of an existing system in that, with reengineering, we start
again from a blank page.

It is possible that BPR could lead to the elimination of traditional control elements, such as segregation of
duties, accuracy of cross-checks, authorization, and verification. Because of this, internal auditing can assist
management by helping identify and evaluate significant risk exposures as a result of BPR and contribute to
the improvement of risk management and control systems that may have been compromised by the BPR
undertaking. However, the internal auditor must not draft, design, install, or operate the new system
connected with BPR, because this would impair objectivity.

Question 16: Business Process Reengineering (BPR) is the thorough analysis, fundamental rethinking, and
complete redesign of essential business processes. The intended result is a dramatic improvement in
service, quality, speed, and cost. An internal auditor’s involvement in BPR could include all of the
following except:

a) Determining whether the process has senior management’s support.

b) Developing audit plans for the new system.

c) Recommending areas for consideration.

d) Directing the implementation of the redesigned process.

(CIA adapted)


6) Six Sigma
We mentioned Six Sigma earlier as an approach to quality that strives to virtually eliminate defects. To
achieve Six Sigma, a process must produce no more than 3.4 defects per million opportunities. Although
it was originally applied to manufacturing operations and defects in products, it can also be applied to any
product, process or transaction.

Six Sigma was developed at Motorola in the 1980s as a result of an effort to bring about a ten-fold reduction
in product failure levels. The Motorola team concluded that the best way to prevent product breakdowns was
to ensure that the processes used in producing the products prevented defects from occurring. The result
was a goal of splitting each process into smaller and smaller sequences in order to examine each sequence for
its potential for errors and then to change the process to eliminate that potential. Breaking down and studying
processes makes it possible to discover the root cause of defects.

The aim of Six Sigma is to improve customer satisfaction by reducing and eliminating defects, which will
lead to greater profitability. There is a five-step “chain reaction:”

1) When quality is improved, costs decrease because rework decreases, there are fewer mistakes to
correct, fewer delays, and better use of time and materials.

2) Improved quality leads to higher productivity.

3) Better quality results in higher market share and gives the company the ability to raise its prices.

4) Higher prices coupled with lower costs increase the company’s profitability.

5) Higher profits create more jobs.

Six Sigma relies on the voice of the customer and objective data to improve business processes and uses a
hierarchy of people within the organization who are trained experts in the methodology. Each Six Sigma
project carried out follows a set of defined steps and has a quantifiable financial target such as cost reduction or
profit increase.

In Six Sigma, process improvement and customer satisfaction are based on the following premises:

• Everything is a process;

• All processes have inherent variability; and

• Data is used to understand the variability and drive process improvement decisions.

This variability is the source of the name “Six Sigma.” The Greek letter sigma (σ) is used in
statistics to represent “standard deviation.” In statistics, the “mean” of a set of observations is its average or
its weighted average. The standard deviation of the set of observations is a measurement of how far any
particular measurement in the set is from the mean of the set. It tells us something about how much the
various values are dispersed around the mean. If a group of observations is normally distributed, 68% of the
values are expected to lie within one standard deviation (plus or minus) from the mean, 95% within two
standard deviations of the mean, and 99.7% within three standard deviations of the mean. And
99.9999998% of the values will lie in the interval created by the mean plus or minus six standard deviations.
Therefore, only 0.0000002% of the observations will lie outside the interval of six standard deviations from
the mean. That is the error rate that a Six Sigma program strives for.

If you divide 3.4 by 1,000,000, however, you do not get 0.0000002%. You get 0.00034%, which is a little
higher than 0.0000002%. The reason for this is what Six Sigma calls “shift.” Over the long term, processes do
not generally perform as well as they do in the short term. In manufacturing, shift results from things such as
mechanical wear and tear over time. When short-term results are at the six sigma quality level, long-term
results can be expected to be at the 4.5 sigma quality level, which corresponds to the goal of 3.4 defects per
1,000,000 opportunities.
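The Python sketch below is an added worked example, not material from the book: it reproduces the percentages quoted above from the normal distribution and shows how the shift reconciles the two defect rates. The 1.5 sigma shift is taken as the difference between the six sigma short-term level and the 4.5 sigma long-term level stated above; the function names are illustrative.

```python
"""Normal-distribution arithmetic behind the Six Sigma figures."""
import math


def fraction_within(k: float) -> float:
    """Share of a normal population within +/- k standard deviations of the mean."""
    return math.erf(k / math.sqrt(2))


def upper_tail(z: float) -> float:
    """P(Z > z) for a standard normal variable.

    erfc is used instead of 1 - erf so that very small tails keep precision.
    """
    return 0.5 * math.erfc(z / math.sqrt(2))


def dpmo(sigma_level: float, shift: float = 0.0) -> float:
    """Defects per million opportunities with limits at +/- sigma_level.

    `shift` moves the process mean toward one limit, so the near limit is
    (sigma_level - shift) standard deviations away and the far limit is
    (sigma_level + shift) standard deviations away.
    """
    defect_rate = upper_tail(sigma_level - shift) + upper_tail(sigma_level + shift)
    return defect_rate * 1_000_000


def sigma_table(levels=(1, 2, 3, 4, 5, 6), shift=1.5):
    """Rows of (sigma level, % within, short-term DPMO, long-term DPMO)."""
    return [
        (k, 100 * fraction_within(k), dpmo(k), dpmo(k, shift))
        for k in levels
    ]


if __name__ == "__main__":
    print(f"{'sigma':>5} {'% within':>14} {'DPMO no shift':>16} {'DPMO 1.5 shift':>16}")
    for k, pct, short_term, long_term in sigma_table():
        print(f"{k:>5} {pct:>14.7f} {short_term:>16.6f} {long_term:>16.1f}")
```

At the six sigma level the unshifted figure is about 0.002 defects per million (0.0000002%), while the shifted figure is 3.4 defects per million (0.00034%).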

Six Sigma has two methodologies, one for improving existing business processes and one for creating new
product or process designs. Each one consists of five steps.


The first one, which is used to improve an existing business process, is known by the mnemonic of
DMAIC — Define, Measure, Analyze, Improve and Control:

• Define process improvement goals: define the process output characteristics that customers see as
being critical to quality and that are consistent with the enterprise strategy; define how the process
output is not meeting requirements; define the project’s goal, based on improving critical-to-quality
requirements; define the process steps, inputs, outputs, customers and suppliers.
• Measure key aspects of the current process and collect relevant data: provide a clear definition of
defects and defect opportunity; collect process performance data and compare it to the project goal;
select, define and measure the factors that have the most influence on process performance.
• Analyze the data to verify cause-and-effect relationships: assemble a detailed process map and
analyze it for steps that can be eliminated, simplified, or standardized; list potential root causes;
analyze the process map and data gathered in the Measure phase for clues to confirm or refute the
root causes; narrow the list down to the most important root causes.
• Improve or optimize the process based upon data analysis: list possible solutions; narrow the list
down to the best and most feasible solutions; work out the bugs in a trial implementation.
• Control to ensure that deviations from target are corrected before they result in defects;
continuously monitor the process; standardize and document the improvements; develop a system to
monitor key output variables; minimize opportunities for error.

The second methodology, used for creating new product or process designs, has the mnemonic of
DMADV — Define, Measure, Analyze, Design and Verify:

• Define design goals that are consistent with customer demands and the enterprise strategy.
• Measure and identify characteristics that are critical to quality, product capabilities, production
process capability, and risks.
• Analyze to develop and design alternatives, create a high-level design and evaluate design
capability to select the best design.
• Design details, optimize the design, and plan for design verification. Simulations may be required.
• Verify the design, set up pilot runs, implement the production process and hand it over to the
process owners.

For Six Sigma to be successfully implemented, executive management’s support is an “absolute must.”
Executive leadership is responsible for casting the vision for Six Sigma and empowering other leaders to
explore new ideas for improvements. Management should have the attitude that mistakes, defects and poor
quality are not acceptable and need to be eliminated. Management should also create an environment where
employees are not afraid to report problems or recommend improvements. Achieving better quality requires
commitment from everyone in the company, and management must create that culture.

Martial arts terminology is used to define the key roles in Six Sigma implementation:

• Champions are members of upper management who are responsible for Six Sigma implementation
across the organization. They also act as mentors to Black Belts.
• Master Black Belts are coaches. They are devoted full-time to Six Sigma, assisting Champions and
guiding Black Belts and Green Belts. They ensure that Six Sigma is applied consistently in the
various functions and departments. Champions and Master Black Belts focus on identifying projects for
Six Sigma.
• Black Belts also serve full-time in their roles. They report to Master Black Belts and apply Six Sigma
methodology to specific projects.
• Green Belts are not full-time in their Six Sigma roles. They work on Six Sigma implementation
along with their other job responsibilities. They report to Black Belts and assist them.
• Yellow Belts are employees who have been trained in Six Sigma but have not yet completed a Six
Sigma project.


A key part of Six Sigma is determining which process sub-steps contribute to the end result and which do not.
Not every process needs to attain Six Sigma performance in order to achieve the target defect rate in the
final product. The defect rate is going to be more sensitive to some factors than to others. Part of the work of
the measuring and analysis phases is identifying how much improvement is needed in each sub-step in
order to achieve the goal.

Six Sigma is not limited to manufacturing and it can be implemented throughout an organization. Companies
are applying it in areas such as purchasing, shipping/receiving, sales, administration, and finance.

Inventory Management Techniques & Concepts


Inventory management is a critical part of the accounting and management function of any company that
produces or sells a product. If a company is a seller of finished goods or a producer of goods, it is very
possible that inventory will be the largest, or one of the largest, items on the balance sheet. Therefore, a
small incremental percentage increase or decrease in the cost of inventory will translate into a very large
dollar amount of cost when it runs through the entire inventory that is produced or sold.

Inventory Costs
In order to maximize profits, a firm should minimize its total inventory costs. There are a number of different
costs associated with inventory and these costs of inventory are divided into the following three main
categories (not including the cost of the raw material).

Ordering Costs
Ordering costs include:

• The costs of placing an order (choosing a vendor, negotiating the contract, decision-making, etc.)

• The cost of receiving an order

• Transportation of materials ordered

• Setup costs

• Discounts lost by not ordering enough units

Carrying Costs
Carrying costs include:

• Storing the inventory

• Insuring and securing the inventory

• Inventory taxes

• Depreciation or rent of facilities

• Obsolescence and spoilage

• Opportunity cost of inventory investment. This is the cost of the capital that is invested in the
inventory and represents the amount of interest that is lost by investing cash in inventory instead of
in some other longer-term asset that provides dividends or interest.

In looking at carrying and ordering costs, it is important to remember that carrying costs vary with the
amount of inventory that a company holds, but ordering costs decrease on a per unit basis when there is an
increase in the number of units that are ordered at one time. Thus, as we will see later, the economic size of
an order of inventory requires a balance between carrying costs and ordering costs.


Stockout Costs
These are the costs that are incurred through lost sales when a company does not have inventory available
for the customer when the customer wants to buy it. They include both the cash and profit that are lost from
not being able to make that individual sale and also the cost of customer ill will. The cash cost of the lost
sale is probably a very small amount and not very crucial in the larger picture, but the cost of the customer ill
will is potentially very large. Unfortunately, this ill will is almost impossible to measure as it may cause the
customer not to return for future purchases, and may instigate the spread of negative information about the
company in the marketplace.

The cost of a stockout needs to be balanced against the cost of holding additional units.

Other Inventory Terms


The lead-time is the amount of time that the company must wait in order to receive the next shipment of
inventory after it places the order. The longer the lead-time, the greater the risk of stockouts for the company
because it will take longer for an order of inventory to be received.

The level of safety stock a company carries is one of its protections against stockouts. The safety stock is
the amount of inventory the company expects to still have on hand when the next shipment of inventory is
due to arrive. A high level of safety stock means that even if the next shipment is delayed, the company
should have sufficient levels of inventory to continue to operate while it waits for the shipment to arrive.

The amount of safety stock that needs to be held by a company is affected by:

• The variability of the lead time.

• The variability of the demand.

The more variable either of these items is, the more safety stock the company will have to hold to guard
against stockouts in the case of an unusually high demand or an unusually long lead time. If these items are
more consistent and predictable, the amount of safety stock that the company holds can be reduced because
there is a smaller chance of needing a large number of units in stock because of unusually long lead time or
unusually high demand.

The reorder point is the level of remaining inventory that indicates when the company needs to place the
order for inventory. It is calculated as follows:

Expected demand during the lead time
+ Amount of safety stock
= Reorder point

The average inventory that the company holds is calculated as the number of units ordered each time an
order is placed divided by two, plus the safety stock.

Example: If the safety stock is 10 and 50 units are ordered each time that inventory is ordered, the
average level of inventory will be 35 units. This is calculated as (50 / 2) + 10.

Note: Each unit of the company’s safety stock will increase its average inventory by one unit. This is
because the maximum and minimum number of units that the company holds will both increase by
one unit.


The figure below demonstrates how the level of inventory moves over time and the role of the reorder point
and the safety stock.

[Figure: Reorder Point and Safety Stock. Inventory level over time, with the reorder point, the safety stock level and the lead time marked.]

Question 17: The carrying costs associated with inventory management include:

a) Insurance costs, shipping costs, storage costs and obsolescence.

b) Storage costs, handling costs, capital invested and obsolescence.

c) Purchasing costs, shipping costs, set-up costs and quantity discount lost.

d) Obsolescence, set-up costs, capital invested and purchasing costs.

(CMA adapted)

Question 18: The ordering costs associated with inventory management include:

a) Insurance costs, purchasing costs, shipping costs and spoilage.

b) Obsolescence, setup costs, quantity discounts lost and storage costs.

c) Purchasing costs, shipping costs, setup costs and quantity discounts lost.

d) Shipping costs, obsolescence, setup costs and capital invested.

(CMA adapted)

Question 19: The optimal level of inventory is affected by all of the following except the:

a) Usage rate of inventory per time period.

b) Cost per unit of inventory.

c) Current level of inventory.

d) Cost of placing an order for merchandise.

(CMA adapted)


Question 20: In inventory management, the safety stock will tend to increase if the:

a) Carrying cost increases.

b) Cost of running out of stock decreases.

c) Variability of the lead time increases.

d) Variability of the usage rate decreases.

(CMA adapted)

Methods of Inventory Cost Management


A few different methods of inventory management are discussed below. You need to be familiar with the basic
elements of these different methods and the calculations related to EOQ.

Economic Order Quantity (EOQ)


The EOQ is the number of units that a company should order each time it orders inventory. The EOQ provides
for the minimum total cost for ordering and holding inventory. This is a traditional inventory management
approach and if used correctly, it can help reduce the inventory costs of a company.

The factors that are incorporated into the model are:

• The annual demand for inventory.

• The cost to carry one unit of inventory for one year (this includes the interest on funds invested in
inventory).

• The cost of placing an order.

For the EOQ calculation to work, the following assumptions are made:

• The annual demand for the item is known and constant.

• The cost per order is known and constant.

• The unit carrying costs are assumed to be known and constant throughout the period.

• There are no stockout costs included in the EOQ model because it is assumed that demand can be
determined and planned for.

Obviously these assumptions limit the usefulness of EOQ because we know that they are not always true in
reality. However, the model can provide a useful starting point for a company.

The EOQ is calculated as follows:

$$EOQ = \sqrt{\frac{2aD}{k}}$$

Where: a = Variable cost of placing an order
D = Periodic demand
k = Carrying cost per unit per period


Example: Assume that Medina Co. makes footballs and is trying to determine the quantity of leather that it
should order every time an order is placed. The relevant information is as follows: over the course of the
year 12,000 sq.m. of leather will be needed, the cost of storing 1 sq.m. of leather is $3 and the cost of
placing an order is $450.

The EOQ for inventory is calculated as follows:

$$EOQ = \sqrt{\frac{2 \times \$450 \times 12{,}000}{\$3}}$$

All of this calculates to 1,897.3. This means that every time Medina orders inventory, it should order 1,898
sq.m. in order to minimize the costs of carrying and ordering inventory.

We can further use this number to determine the number of times that Medina will order inventory. Given
a demand of 12,000 units and an EOQ of 1,898, Medina will need to order inventory 7 times in order to
have enough leather for production.
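
Why this order size gives the minimum total cost, worked through with the symbols defined above. This derivation is added here and is not part of the original text; Q (units per order) and TC (total annual cost of ordering and carrying) are symbols introduced for it, and safety stock is left out because the EOQ model assumes no stockouts.

$$TC(Q) = a \cdot \frac{D}{Q} + k \cdot \frac{Q}{2}$$

The first term is the ordering cost (D/Q orders per period at a each) and the second is the carrying cost (average inventory Q/2 at k per unit). Setting the derivative to zero:

$$\frac{dTC}{dQ} = -\frac{aD}{Q^{2}} + \frac{k}{2} = 0 \quad\Rightarrow\quad Q^{2} = \frac{2aD}{k} \quad\Rightarrow\quad EOQ = \sqrt{\frac{2aD}{k}}$$

The second derivative, $2aD/Q^{3}$, is positive, so this is a minimum. With Medina's figures and the unrounded EOQ of 1,897.37 sq.m.:

$$\text{Ordering cost} = \frac{\$450 \times 12{,}000}{1{,}897.37} \approx \$2{,}846 \qquad \text{Carrying cost} = \frac{\$3 \times 1{,}897.37}{2} \approx \$2{,}846$$

At the EOQ the two costs are equal, which is the balance between carrying and ordering costs that the model looks for; the total is about \$5,692 per year.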

EOQ questions are simply a matter of putting the information that is given in the question into the formula.

Just-in-Time (JIT) Inventory Management


Modern inventory management has departed from the EOQ approach in favor of the JIT approach. JIT
inventory systems are based on a manufacturing philosophy that combines purchasing, production and
inventory control into one function. This reduces the level of inventory that is held within the company at all
stages of production, and thereby also reduces the cost of carrying the inventory. However, this reduced level
of inventory carries with it an increased risk of stockout costs.

One of the main differences between JIT and traditional inventory systems is that JIT is a pull system rather
than a push system. The main idea of JIT is that nothing will be produced until the next process in the
assembly line needs it. This means essentially that nothing will be produced until a customer orders it.
However, we know that this is not actually possible so production is driven by the expected demand for the
product.

By contrast, in a push system, a department produces all that it can and sends those units to the next
department in the production process for further processing. This is repeated as each department produces as
much as it can and sends the units to the next department. Because the company is producing units without
knowing if those units will be sold, the company is taking the risk that it is producing useless units of
inventory that will need to be written off.

To implement JIT and to minimize inventory storage, the factory must be reorganized to permit what is
known as lean production. Under lean production, the plant layout is arranged by manufacturing cells
that each produce a product, or product type. Additionally, each worker is able to operate all machines, and
also perform supporting tasks within that manufacturing cell. This reduces the downtime resulting from
breakdowns or employee absences.

Because inventory levels are kept low in a JIT system, the company must have a very close relationship with
its suppliers to make certain that the supplier makes frequent deliveries of smaller amounts of inventory. It is
also critical that the inventory is of the required quality because there is no extra to use in place of any
defective units that are delivered.

Kanban
Kanban is a Japanese inventory system in which “cards” or “tickets” are used to keep track of inventory and
the movement of the inventory. Kanban is an integral part of a JIT system.


Other Inventory Systems


There are numerous systems designed to help companies keep track of their inventory and manage this
resource. The more common systems are:

• Computer Integrated Manufacturing (CIM). CIM integrates all office and factory functions by a
computer-based information network that permits hour-by-hour manufacturing management.

• Computer-aided design and manufacturing (CAD). CAD is a system that utilizes computers in the
product development, analysis and design modifications stages, which leads to improvements in
quality and performance.

• Materials Requirement Planning (MRP). MRP is an approach that uses computer software to help
manage a manufacturing process. Its purpose is to reduce cash needed by the organization, which in
turn improves profitability and ROI. MRP creates the antithesis of the situation often found in old
manufacturing organizations where large amounts of cash get tied up in inventory before products
can be assembled and sold. Instead, MRP aims to remedy this through careful planning and
management. MRP software helps a sales or marketing group to estimate future product sales by
backdating the approximated time to assemble a product; it then breaks out the product into
required parts, which can be ordered at times back-dated from the assembly dates. The planners then
develop cash flow for the ordering, assembly, shipping and payment process. This enables the
system to provide information regarding the parts needed to complete and ship an order, and to
request the parts quickly if the order is of high value.

• Manufacturing Resource Planning (MRP-II). MRP-II goes beyond MRP and integrates all facets
of a manufacturing business, including production, sales, inventories, schedules, and cash flows. Like
MRP, MRP-II is a “push through” system (unlike JIT, which is a demand “pull” system).

• Enterprise Resource Planning (ERP). ERP is a method of integrating processes in manufacturing,
logistics, distribution, accounting, finance and human resources into one system. Regarding
inventory management, an ERP system can handle everything from ordering, physical inventory count,
scheduling, shipping, receiving, purchasing, and supply chain planning. ERP is further
discussed in Section F (Information Technology and Business Continuity).

• Robots, which are primarily used in manufacturing, are programmable and better at manual tasks
than humans because they don’t tire and easily adapt to changing conditions. Furthermore, they are
useful in environments that are unfit for humans, such as radioactive areas. Robots can have visual
perception, touch capability, dexterity, locomotion and navigation.

• Computer-aided manufacturing (CAM) plans, implements, and controls production through
automated workstations using robots or other electronically controlled machine tools.

ABC System
In an ABC system, the inventory is divided into three groups as follows:

• Group A – this group is about 10% of the total inventory, but includes high value items. Items in
this group may account for about 70% of total sales.

• Group B – this group is about 20% of the total inventory, and is made up of medium value items.
Items in this group may account for about 20% of total sales.

• Group C – this group is the remaining 70% of the inventory and is made up of low value items.
Items in this group would make up the remaining sales, or roughly 10% of total sales.

Because of the high value of Group A, Group A is reviewed regularly and more tightly controlled than the
other groups.


Electronic Commerce
Electronic commerce (e-commerce) is more than just buying and selling online. Broadly, it includes the entire
process of developing a product, marketing and selling it, delivering the product, servicing customers, paying
for products and services purchased, and receiving payment for products and services sold. All of this can be
transacted in the global marketplace by using the Internet, intranets, extranets and other technologies.

Business-To-Business (B2B)
Business-to-business (B2B) commerce refers to the connection of vendors, distributors and other businesses
through extranet e-commerce sites, and more recently the Internet. Before Internet B2B commerce, only the
largest companies were able to afford direct B2B commerce due to the high cost of creating the connections
between businesses. The Internet has played a critical role in the evolution of B2B commerce because
business information can be transferred instantly between businesses of almost any size. This means that
smaller businesses can compete more effectively with larger competitors. For example, because purchasing
can be done automatically through B2B Internet connections, purchasing costs can be reduced, regardless of
whether you are a large retailer or a small-town store.

In addition to direct links between businesses, there are e-commerce portals that provide auction, reverse
auction, and virtual marketplaces for multiple businesses. Buyers are able to seek bids on manufacturing
inputs and operating supplies (reverse auction). Likewise, sellers are able to reduce their selling and
advertising costs because the customers are brought together in one location.

Originally, B2B hubs were of two basic types: vertical and horizontal.

• Vertical B2B hubs provided products or services specific for the sellers, buyers and complementary
operations within a single industry or market. Their focus was primarily on the buying and selling of
manufacturing inputs.

• Horizontal B2B hubs provided business processes across different industries. Their focus was more
on the buying and selling of operating supplies.

These B2B hubs originally earned their revenues from transaction fees, subscription fees and advertising.
After the dot-com bubble burst in 2000, many of these e-marketplaces went out of business. Those that
remain have become less oriented toward either the vertical or horizontal models. Some have become service
exchanges, concentrating on helping businesses collaborate with one another. Others have focused on just
one business process. Still others have changed their focus from transactions to solutions, while some provide
value by creating and disseminating information that helps the members improve their business processes.

Revenue for these B2B hubs comes not only from transaction fees, subscription fees and advertising, but also
from consulting, product maintenance, software licensing, application hosting and other related services.

Note: E-commerce can bring together groups of vendors and purchasers, enabling purchasers to have
vendors compete by bidding online for their orders.

Electronic Data Interchange (EDI)


Electronic Data Interchange was the earliest type of B2B (business-to-business) e-commerce. EDI automates
repetitive transactions and is the process of connecting different companies’ networks to transmit data for
common business documents using a standardized EDI format. For example, EDI can automatically monitor
inventory levels, trigger orders, confirm delivery, and process the invoice. In this way, EDI assists in the
process of just-in-time inventory management. This automation works both up and down the supply chain —
for both raw materials from suppliers as well as finished goods being delivered to vendors.

EDI has increasingly moved to the Internet instead of using dedicated lines. Transmission over the Internet
may be done by means of a secure virtual private network, or through use of a third-party service bureau.


For a fee, the EDI service bureau can provide smaller suppliers with the translation software capability so that
they do not have to make an investment in software and/or hardware of their own.

A value-added network (VAN) service may also be used by a large company to connect with its suppliers.
A VAN service acts as an EDI message center. Any member can connect to the VAN and leave or pick up
messages from other members. In addition to routing messages, a VAN also provides translation software,
encrypts and authenticates messages, and checks for message completeness and authorization.

Benefits of EDI include:

• Survival; many smaller organizations have been forced to implement EDI in order to continue doing
business with larger organizations. This is possible for small businesses because of the Internet and
third-party processors.
• Conflicts have been reduced between trading partners and communication has been improved.
Suppliers may be given access to information about what is selling and what is not, which can enable
the supplier to forecast customer demand and thus be more responsive to the needs of its customer.
• Data is timely and accurate and thus forecasting, analysis, and cash management are improved.
• Processes are streamlined, reducing costs of entering data manually and preparing and then faxing
or mailing purchase orders and other documents.
• Accuracy is increased because data does not have to be entered manually.

Costs of EDI include:

• Time spent to negotiate contracts between the parties and/or VAN providers.
• Employee training in the use of the system.
• Reengineering the affected applications.
• Hardware and software required for the system to work.
• Added costs for security and control procedures.

Audit and Control considerations with EDI include:

• Proper authorization of transactions is required. Since signatures are not utilized for authorization,
there has to be some other way of authenticating that a message is authorized by a person who has
the proper level of authority. Digital signatures may be used.
• Making sure that the message is actually sent to the party that is intended to receive it.
• Controls must be in place to ensure that a clerical error in incoming data is not replicated in the
input to the receiver’s system.
• Program change controls and physical security of the computer system are more important, because
the computer will be initiating and authenticating the messages.
• If a third party or value-added network is used as an intermediary between the two parties, controls
must be in place to ensure correct translating and routing of messages, and security procedures
must prevent compromise of confidential data.
• Data encryption (cryptography) may be required to protect the data during transmission.
• An EDI system eliminates much of the paperwork that used to exist for orders, so there are
additional issues for an auditor in performing an audit. Because the record of transactions may not exist
for a long period of time, the auditor may need to perform auditing procedures more often and need
to seek other sources to confirm the transactions and the validity of the transactions.
• The auditor will need to test the controls that are in place to ensure that only authorized transactions
are performed.
• Continuous auditing may be built into the system through embedded audit modules that trigger
an alert to the auditor whenever suspect data is transmitted or if there is an attempt to access the
system without authorization.
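
Several of the controls listed above (authenticating the sender without a handwritten signature, confirming the addressee, completeness, authority limits, and alerting the auditor) can be combined in one embedded audit module. The Python below is an added example, not code from this book or from any EDI product; an HMAC with a per-partner shared key stands in for the digital signature the text mentions, and the partner IDs, keys, limits and message fields are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed trading-partner table (hypothetical IDs, keys and limits): the
# shared MAC key and the largest document value each sender may submit.
PARTNERS = {
    "SUPPLIER-A": {"key": b"constructed-key-a", "limit": 50_000},
    "SUPPLIER-B": {"key": b"constructed-key-b", "limit": 5_000},
}
OUR_ID = "BUYER-1"
REQUIRED = ("sender", "recipient", "control_no", "doc_type", "amount")


def canonical(body):
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac_for(body, key):
    """HMAC-SHA256 tag over the canonical body (stand-in for a signature)."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def seal(body, key):
    """Sender side: wrap the body together with its authentication tag."""
    return {"body": body, "mac": mac_for(body, key)}


class EmbeddedAuditModule:
    """Screens inbound messages; every rejection is logged for the auditor."""

    def __init__(self):
        self.alerts = []   # (control_no, findings) pairs for auditor review
        self.seen = set()  # (sender, control_no) of messages already accepted

    def check(self, message):
        body = message.get("body") or {}
        findings = []

        # Completeness: every mandatory field must be present.
        missing = [f for f in REQUIRED if f not in body]
        if missing:
            findings.append("incomplete: missing " + ", ".join(missing))

        partner = PARTNERS.get(body.get("sender"))
        if partner is None:
            findings.append("unknown sender")
        else:
            # Authentication: constant-time comparison of the recomputed tag.
            tag = str(message.get("mac", "")).encode()
            expected = mac_for(body, partner["key"]).encode()
            if not hmac.compare_digest(expected, tag):
                findings.append("authentication failed")
            # Authorization: the sender may not exceed its approved limit.
            amount = body.get("amount")
            if not isinstance(amount, (int, float)) or amount <= 0:
                findings.append("invalid amount")
            elif amount > partner["limit"]:
                findings.append("exceeds sender authority")

        # Routing: the message must be addressed to this organization.
        if body.get("recipient") != OUR_ID:
            findings.append("misrouted")

        # Replay or clerical duplication of an already accepted document.
        ident = (body.get("sender"), body.get("control_no"))
        if ident in self.seen:
            findings.append("duplicate control number")

        if findings:
            self.alerts.append((body.get("control_no"), findings))
            return False
        self.seen.add(ident)
        return True


def run_demo():
    """Run five constructed messages through the module."""
    key_a = PARTNERS["SUPPLIER-A"]["key"]
    key_b = PARTNERS["SUPPLIER-B"]["key"]

    def doc(sender, control_no, amount, recipient=OUR_ID):
        return {"sender": sender, "recipient": recipient,
                "control_no": control_no, "doc_type": "invoice",
                "amount": amount}

    good = seal(doc("SUPPLIER-A", "0001", 12_000), key_a)
    tampered = seal(doc("SUPPLIER-A", "0002", 12_000), key_a)
    tampered["body"]["amount"] = 21_000   # altered after sealing
    over_limit = seal(doc("SUPPLIER-B", "0003", 9_000), key_b)
    misrouted = seal(doc("SUPPLIER-A", "0004", 800, recipient="BUYER-2"), key_a)
    replay = good                          # same document delivered twice

    module = EmbeddedAuditModule()
    batch = (good, tampered, over_limit, misrouted, replay)
    return [module.check(m) for m in batch], module.alerts


if __name__ == "__main__":
    accepted, alerts = run_demo()
    print(accepted)
    for control_no, findings in alerts:
        print(control_no, findings)
```

Only the first message is accepted; the other four each produce one alert that names the control that failed.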


Question 21: E-commerce portals create marketplaces that facilitate all of the following activities except:

a) Data storage.

b) Selling at negotiated prices.

c) Shopping from electronic catalogs.

d) Bidding for the business of a buyer.

(CMA Adapted)

Business-To-Consumer (B2C)
The retail sector of e-commerce is growing steadily, and many retailers have expanded into e-commerce in
addition to their traditional marketing methods. Online catalogs feature multimedia, virtual models, online
chat with customer service representatives and secure electronic payment systems. Amazon.com is perhaps
the best example of a large, highly successful online B2C store.

When an order is placed via the Internet, the consumer is provided with entry boxes to complete. As the
consumer fills out the form, the data is captured and transmitted to the seller. Fulfillment of orders placed on
the Internet may be done by means of shipping merchandise, or it may be in electronic format, forwarded
over the Internet to the consumer, or downloaded by the consumer from the seller’s website.

Consumer-To-Consumer (C2C)
Consumers can even sell to one another through online auctions such as eBay. Both B2B and B2C
e-commerce participants may participate in consumer or business auctions online.

Online Transaction Processing (OLTP)


Online transaction processing can refer to systems that process electronic commerce transactions. For
example, an Internet merchant contracts with a credit card processing service to process credit card
transactions. When a sale is made and the customer uses a credit card, the system transmits the credit card
number to an automatic credit card verification system where the transaction is either approved or
disapproved, based on stated guidelines. If it is approved, the transaction to charge the customer’s card is
automatically transmitted to the credit card issuer and the funds are deposited into the seller’s bank account.
The seller’s inventory, customer and sales databases are updated and the information is transmitted to the
order processing and shipping departments to complete the process. An automated confirmation is usually
sent to the customer, often with tracking information so the customer can track his or her purchase.

Online transaction processing can also refer to a real-time system that performs processing activities at data
entry terminals. An automated teller machine (ATM) or a computerized reservation system is an online
transaction processing system.

Advantages of OLTP include:

• Less paperwork is generated when transactions are performed online and there are fewer errors
made from re-entry of transaction data.

• Timely updating of accounts allows for faster business decisions. For example, inventory levels can
be automatically adjusted with each purchase, eliminating the need to perform an inventory count.

• OLTP systems are generally available 24/7 and can run without direct human interaction. For
example, most online stores are available any time of the day, without the need for a 24-hour sales staff.


Disadvantages of OLTP include:

• Because OLTP systems are accessible via the Internet, security is a constant concern. Online
stores must maintain careful controls to prevent hackers from stealing customer information.

• Potential for lost revenue due to disruptions in service. When an online store is down, sales stop and
some customers may buy from a competitor. In addition to equipment failure, a Denial of Service
(DoS) attack, which floods servers with bogus requests and slows them down, can also disrupt online sales.

Electronic Payment Processing


There are a variety of online payment systems. Most B2C e-commerce systems rely on credit card
processing as described above. Many B2B e-commerce systems utilize a more complex process based on
purchase orders. Both types of e-commerce typically use an electronic shopping cart that lets customers
select their purchases from the online catalog and put them in a virtual shopping basket for later checkout
and processing.

Electronic Funds Transfer (EFT)


Electronic Funds Transfer (EFT) systems are used for electronic payments, as well. EFT systems use various
technologies to capture and process money transfers between banks and businesses and their customers.
Through EFT, money can be transferred electronically from a customer’s account to a vendor’s account. Credit
card and utility companies allow their customers to pay their bills using EFT. In addition, many retailers have
point-of-sale terminals in their stores, which are networked to bank EFT systems, enabling a consumer to use
a debit card to instantly pay for gas, groceries or other retail purchases. Internal auditors should ensure that
online payment and EFT systems have adequate and effective controls, including both General Controls and
Application Controls (discussed earlier in this section). Any outside vendors providing EFT services should also
have comparable controls.

Question 22: Companies now can use electronic transfers to conduct regular business transactions. Which
of the following terms best describes a system in which an agreement is made between two or more
parties to electronically transfer purchase orders, sales orders, invoices and/or other financial
documents?

a) Electronic mail (e-mail).

b) Electronic funds transfer (EFT).

c) Electronic data interchange (EDI).

d) Electronic data processing (EDP).

(CIA adapted)

Question 23: Which of the following are essential elements of the audit trail in an electronic data
interchange (EDI) system?

a) Network and sender/recipient acknowledgements.

b) Message directories and header segments.

c) Contingency and disaster recovery plans.

d) Trading partner security and mailbox codes.

(CIA adapted)


Business Development Life Cycles


The life cycle of a business has four distinct stages: start-up, growth, maturity and decline. This is very
similar to the product life cycle, except that for a product the start-up stage is called the introduction stage. The
objective of every business is to keep itself from entering the decline stage. However, in order to keep this
from happening, it is necessary for businesses to recognize the first signs of an upcoming decline and then do
something to prevent the decline from happening. If management is able to detect the early symptoms of
decline, they are in a better position to change direction and save the company. The most obvious reasons for
decline are:

• Declining sales relative to competitors,

• Declining profit margins, and

• Having a debt load that grows from year to year.

Unfortunately, by the time decline is recognized, the company is probably already in trouble. In these cases,
good leadership is vital to get the business back on course.

The figure below shows the different stages of the business development life cycle.

[Figure: Business Development Life Cycle. Revenues plotted against time across the Start-up, Growth, Maturity and Decline stages.]

1. Start-up Stage
This stage covers the early period of the company and it lasts from when the company’s existence begins
through to the legal registration of the company. In this stage the company starts producing a product or
offering a service. Generally in this stage the company is operating in the red (losing money) because of
heavy costs in advertising and marketing and low revenues as the business is starting.

• Challenge for the company – To survive with what funds it has and to focus on effectively
managing its cash flows.

• Market focus – To get the product or service to market as quickly as possible, without delay. The
company then needs to concentrate on establishing its customer base.

• Control focus – In this phase, controls tend to be very lax. The company is developing a control
framework, but management is more interested in making sales than in controls.

• Internal auditing – In this phase, companies are not likely to have an in-house internal auditing
function. However, it is possible that the function could be outsourced.


2. Growth Stage
During this stage, revenues are rising, the number of customers is growing, and there are many new
opportunities and issues. It is in this stage that the company starts to generate significant profits, but the
profits may not be enough to meet its financing needs that arise from the need to support the growth. In this
case, the company may seek external financing in the form of venture capital, or if the company is
extremely successful, it may be able to issue publicly traded securities. Securities markets generally
provide financing that is lower cost than venture capital. However, companies in this stage do need to be
careful because strong competition may begin putting pressure on the company to control costs.

• Challenge for the company – During the start-up stage it was the entrepreneurs who made the
decisions for the company. During the growth stage, it becomes necessary for the entrepreneurs to
hire professional managers to run and grow the company. This means that the owners
(entrepreneurs) have to give up a great deal of authority and responsibility. The challenge for management is
to make sure the right people are in the right positions.

• Market focus – Markets are growing rapidly during this stage. The focus of the company is to make
sure that it is able to keep up with customer demand, because if it cannot then it is possible the
company could lose ground to the competition.

• Control focus – Better accounting and management systems have to be set up. New employees will
have to be hired and trained to deal with increased sales. Companies need to make sure they have
the controls in place so that they hire the right personnel. During this phase, internal control
systems become much more formal, as does the planning process. The company starts to develop
comprehensive strategic plans.

• Internal auditing – The primary function of internal auditing is to make sure control systems have
integrity and work properly.

3. Maturity Stage
By this stage, the company has matured into a thriving company with market position and loyal customers.
However, sales growth starts to slow down. Life within the company has become much more routine. The
majority of companies are in this stage.

• Challenge for the company – To maintain its market position and profit margins through the
introduction of new products or services.

• Market focus – The company needs to be focused on maintaining its market share. It can do this
by expanding into new markets, or expanding its product line in its existing markets. The company
may have to lower prices to retain customers.

• Control focus – The focus is on increasing productivity, profitability and cash flows, which means
that there need to be tight controls over processes. In order to compete in the marketplace,
management should be looking at automating its business processes, which could include some
outsourcing of non-vital support services, such as payroll, IT, etc.

• Internal auditing – Internal auditing is concerned with maintaining the integrity of controls.
Internal auditors need to be aware that in order to maintain profit margins, management may try to cut
costs, which could endanger the segregation of duties.


4. Decline Stage
The decline stage is marked by declining sales and an erosion of profit margins. Decline in demand can be the
result of product obsolescence, stiffer competition, economic conditions, or even organizational atrophy.
Atrophy happens in companies that are large in size and where management becomes complacent with the
way things are. This can cause employees to lose trust in leadership. The company slowly ceases to grow or
develop and does not properly respond to the challenges facing the company.

• Challenge for the company – To decide how long it is able to sustain declining sales and profits, or
possibly even negative cash flows. At this point, management may consider substantial layoffs, or
even finding an exit strategy.

• Market focus – The company could reduce its product line so it can concentrate only on those
products that are profitable. The company could also try to rejuvenate surviving products by adding
some new features or changing the outside of the products to make them look new. However,
rejuvenating products would take additional capital investment.

• Control focus – Management needs to find new ways of streamlining control processes so that they
become more effective and efficient. If layoffs do happen, then management needs to make sure
that there is still proper segregation of duties.

• Internal auditing – By the decline phase, internal auditing should be well entrenched in the
company. At this point, internal auditing should be concentrating on operational efficiency by trying to
eliminate waste. With eroding profitability, internal auditors need to be aware that management
might try to manipulate financial information in order to hide losses.

Question 24: During which stage of the business life cycle is it most likely for there to be a change in
leadership?

a) Start-up stage

b) Growth stage

c) Maturity stage

d) Decline stage

(HOCK)

Question 25: In which stage of an entity’s development is it most likely to seek and obtain external equity
financing in the form of venture capital?

a) Start-up stage

b) Growth stage

c) Maturity stage

d) Decline stage

(CIA adapted)


The International Organization for Standardization (ISO)

The International Organization for Standardization introduced the ISO 9000 quality assurance standards.
These standards do not have the force of law, but have been adopted by the EU. Even though they may not
be a legal requirement, because they are widely recognized, if a company fails to obtain these standards, it
runs the risk of losing business due to perceived lack of quality.

These standards are not set to assure the quality of an individual product, but to assure that the
quality is the same throughout the company’s entire product line.

Note: At least 610,000 organizations in 160 countries currently implement ISO 9000.

ISO 9000 comprises five individual but related standards on quality management. In addition, there are two
standards that relate to auditing and measuring (ISO 10000). These standards state only what should be
achieved, but do not state how to achieve quality. They are a target rather than specific instructions. The
seven standards are:

• ISO 9000 describes fundamental quality concepts and provides guidelines as to which standard is
appropriate for a particular company.

• ISO 9001 provides a model for quality assurance in design and development, production,
installation and servicing.

• ISO 9002 provides a model for quality assurance in production and installation. It also addresses the
prevention, detection, and correction of problems in industries in which work is based on
designs and specifications supplied by customers.

• ISO 9003 provides a model for quality assurance in final inspection and testing.

• ISO 9004 helps a company develop and implement an internal quality system or evaluate an
existing system.

• ISO 10011 contains guidelines for auditing quality systems.

• ISO 10012 contains quality assurance requirements for measurement processes and measuring
equipment.

The ISO has also published a set of environmental standards known as ISO 14000. These standards are
similar to the ISO 9000 standards but concern environmental quality systems.

ISO 19011 was issued in 2002 as guidance for auditors of ISO 9000 and ISO 14000 compliance.

An important ISO 9000 compliance requirement is the establishment of an internal audit system. Participating
corporations must hire an external auditor to ensure that they are meeting all the ISO 9000 standards.

There is no legal requirement for companies to adopt the ISO standards, but many companies have done so
in order to be able to compete internationally.

Outsourcing Business Processes


One reason that companies outsource is so that they can concentrate on their core competences. A company
that concentrates on its core competences may be able to gain competitive advantage. Companies should
outsource only those activities that are not vital for their existence, such as accounting, payroll, and maybe
some IT functions.

A potentially serious problem with outsourcing is that when a company outsources, it loses control of the
function. It is then more difficult to correct problems, or possibly to bring the function back in-house since
management may not have the expertise in the field.


Section D – Communication
The Importance of Communications
For management to be successful, it must clearly and effectively communicate its objectives and deadlines.
Without effective communication, an organization endangers productivity, compromises its ability to
efficiently implement management decisions, and risks causing confusion. Since every function and activity in
the organization involves some form of communication, whether in planning, organizing, directing or leading,
no management decision can succeed unless it is fully understood by those responsible for implementing
it.

The Importance of Having Good Stakeholder Relationships


As was discussed in the “Corporate Governance” section, an organization must safeguard the interests of both
its shareholders and other stakeholders who have an interest in its activities. This part discusses
stakeholders in greater depth, including the ways in which they can impact the organization.

As you study for this section, remember that it makes up only 5–10% of the exam, so it should not be the
main focus of your attention. Many questions can be answered by common sense and from your own
experience working as an internal auditor. We recommend that you read through the material, make sure you
understand the general concepts, and use ExamSuccess to become familiar with what has been asked in the
past.


Communication
The Communication Process
Communication is a process in which two or more people share information and meaning. We know that this
process is not always simple or clear-cut. In some cases, communication is fraught with miscommunication.
We will look at the basic elements of the communication process shown in the diagram below.

[Figure: The Communication Process model. Labels: Sender, Encoding, Message, Transmitted on Medium, Receiver decodes, Noise, Receiver, Source decodes, Feedback Loop.]

Source: Adapted from Kreitner R. & Kinicki A., Organizational Behavior, 5th edition, pg. 480

• The sender can be any entity – an individual, a group, an organization or an individual acting as the
representative of a group or organization – that has something to communicate to another entity.

• Encoding is the process by which the message is put into symbols that can be transmitted. These
symbols can be words, numbers, sounds, body language and facial expression. Emotions may be a
part of the message, affecting the encoding process. Tone of voice can be used to convey urgency,
for example.

• Transmission is the process by which the symbols carrying the message are sent to the entity that
is intended to receive the message.

• The medium is the path that the transmission follows. If two people are talking, the medium is
sound waves. Other media are the telephone, email or voicemail. Mass media includes printed
media, broadcast media and the Internet. The medium can affect the message. For instance, a
telephone call is more personal than a letter and is likely to receive a different response. It is
important that the sender select a medium that is compatible with the message.

• Decoding the message occurs when the receiver interprets the meaning of the message. In the
decoding phase, the receiver is active. The receiver attaches meaning to the symbols transmitted
from the sender. If the meaning the receiver attaches to the message is different from the meaning
the sender attached to it, a communication breakdown has occurred.

• The receiver, like the source, can be any entity: an individual, a group, an organization or an
individual acting as the representative of a group or organization. The receiver decides whether to
make an effort to decode the message and whether to respond. Emotions can affect the receiver’s
receipt of the message. For example, when a manager asks an employee to perform a task, the
employee may not want to understand a manager’s meaning and thus will not receive the message.


• Feedback is the way the receiver responds to the message. Feedback tells the source whether the
message was received and understood. In the example above, the employee could respond verbally
by letting the manager know that he has not understood the message. The employee could also give
nonverbal feedback by simply not complying with the manager’s request.
• Noise is anything that interferes with communication. We are all familiar with radio static and
“snow” and “ghost images” on television. This is channel noise. In personal communication,
emotions can be a type of noise, because they can interfere with the encoding or decoding process.

Complete communication must include a response from the receiver. Without a response, the sender cannot
know whether the message has been communicated. An example of no response is a voicemail message left
or an email sent. Without a response back, the sender has no idea whether the message has been received.

This entire process works best when the sender and the receiver share the same points of reference and
background. When they have different backgrounds, the sender needs to make sure that the message is sent
in a way that the receiver can receive and understand it. This means that the sender needs to take into
account any cultural, educational or other differences that may distort their message, creating noise.

Because so much of what a manager does involves communication in one form or another, the ability to
communicate effectively is critical to success as a manager. A manager who is a poor communicator will
have difficulty being an effective manager because it is this communication that ties the individuals of the
organization together into a cohesive unit.

Interpersonal Communication
Interpersonal communication may be oral (spoken), written or nonverbal.

• Oral communication includes one-on-one conversations, speeches, group discussions and the
informal rumor mill, or grapevine. Oral communication is less formal, less accurate and also much less
permanent than written communication. This is also the method that managers use to communicate
most often. An advantage to oral communication is that it enables immediate feedback.
• Written communication includes memos, letters, email, faxes, employee newsletters, bulletin board
notices or any other means of communicating in writing. Written communications have the
advantage of being tangible. The sender and the receiver both have a written record of what was
communicated. If there are any questions, the written record can be referred to. Although written
communications are more precise than oral communications, they have the disadvantage of being
time-consuming to create. Another disadvantage is that there is no immediate feedback.
• Nonverbal communication is transmitted along with every verbal message we give. The nonverbal
message may be even stronger than the verbal message. Nonverbal communication includes body
language, the emphasis or inflection we give to words and the tone of our voice, our facial
expression, and the physical distance between the sender and the receiver. We usually transmit nonverbal
messages unconsciously. Nonverbal messages can convey the relative status between sender and
receiver, and whether one of the individuals likes the other and is interested in the other’s opinions.
The receiver needs to be alert to nonverbal communication as well as the verbal message, especially
when the nonverbal message contradicts the verbal message.


Channels of Communication in Organizations


Organizational channels of communication can be formal or informal (the grapevine) networks. As a group
works together, task-related communications develop so that people can get the information they need and
coordinate their work with that of others. Over a period of time, communication networks develop into a
sophisticated social system.

Communication within a company may be upward, downward or horizontal (from one peer to another
within the same level).

• Downward communication usually flows along reporting lines from superior to subordinate and
provides directions such as job descriptions, official memos, and procedures manuals.
• Upward communication is vertical communication that provides feedback to management such as
surveys, suggestion systems, informal meetings, exit interviews, and conferences.
• Horizontal communication crosses traditional reporting lines and involves employees getting the
information they need to perform their jobs. Horizontal communication is faster than either upward
or downward communication, because it does not follow any organizational “chain of command.”

Formal Communications
Formal communication is the communication that occurs within the formal structure of the company.
Communications networks form spontaneously as part of the interactions among workers.

There are five basic patterns:

1) A wheel network has one person who is central to the group, and communications flow back and
forth between that person and every other person in the group. If a team has a strong leader, this is
the type of network you would expect to find, although participants may have a low level of
satisfaction. A wheel network is fast and accurate.

2) A chain network relies on the chain of command to relay messages. Each member communicates
only with the person above and below him.

3) In a circle network, each person in the network communicates only with the people on either side.

4) In a Y network, the information is highly centralized, with a central supervisor through whom most
of the information is communicated. The network is in the shape of a Y, and the central supervisor is
positioned at the junction. Satisfaction among participants is low. As in a wheel network, the
network is fast and accurate and facilitates emergence of a leader.

5) In an all-channel network, all members communicate with all the other members. Formal,
all-channel networks are most often used by self-managed teams when all the members contribute
equally and no one person is the leader. Member satisfaction is relatively high.

Informal Communications
Informal communication takes place outside the formal communication structures of an organization. The
grapevine is the informal communication network, and it operates like an all-channel network. The
grapevine is an important source of information for employees.

Characteristics of the grapevine are:

• Management does not control the grapevine.


• Employees often perceive the grapevine as being more accurate and reliable than the formal
communications they receive from management. In actual studies, the grapevine has been shown to be
about 75% accurate, which means about 25% of the information is inaccurate.
• Participants use the grapevine to serve their own self-interests. Rumors are a response to situations
that are important to people and that cause anxiety because the situation is not clear.


Studies have shown that only a small subset of grapevine members (about 10%) actually pass on information
that they receive from the grapevine.

Because the grapevine can identify issues that employees consider important and that cause them anxiety,
managers are well advised to pay attention to it.

Roles in Communication Networks


Employees and managers play different roles in the various communication networks they participate in. The
people in these roles facilitate the functioning of the network and of the organization’s communications as a
whole.

• A gatekeeper controls information moving through the channels by virtue of the strategic position
that he or she holds. If a manager wants to make sure the CEO receives some information, the
gatekeeper is the one to approach.

• A liaison serves as a bridge between groups. The liaison facilitates communication flow in order to
integrate group activities.

• The cosmopolite links the group to the outside, perhaps by attending meetings and trade shows and
generally keeping up with developments in the field. This person often functions as the opinion
leader in the group.

• The isolate is a person who tends to work alone and has little contact with others. The isolated
dyad consists of two employees who have contact with each other but little contact with any others.
If an employee who is an isolate has technical information that is needed for a project, a manager
may need to make a special effort to integrate that person into the communication network for the
duration of the project.

Question 26: A company is rumored to be considering downsizing. Because a manager stops the use of all
temporary employees, the staff concludes that some jobs will be lost. Which of the following is true about
the manager's communication about job losses?

a) The staff decoded the formal communication sent by the manager correctly.

b) The manager properly encoded the idea in a message.

c) The lack of a formal message had a negative impact on staff.

d) The channel through which the message was sent was appropriate.

(CIA adapted)

Question 27: Communication plays a major role in the successful operation of all organizations. Which of
the following statements concerning organizational communications is false?

a) Communication involves at least two people: a sender and a receiver.

b) Communication is what the sender says, not what the receiver understands.

c) Every act of communication influences the organization in some way.

d) Management spends the majority of its time communicating with other members of the
organization.

(CIA adapted)


Question 28: Studies of managerial communications have indicated that:

a) Most managers are excellent communicators.

b) Managers spend most of their time communicating.

c) Written communication takes more of a manager's time than oral communication.

d) Most effective communicators will be good managers.

(CIA adapted)

Question 29: Which of the following is least appropriate with regard to management's approach to
informal group or grapevine communication? Management should:

a) Use it to supplement communication channels of the formal organization.

b) Try to suppress it as a possible source of conflicting information.

c) Take advantage of it as a device to correct misinformation.

d) Make use of it as a means of transmitting information not appropriate for formal communication
channels.

(CIA adapted)

Question 30: A purchasing agent placed a rush telephone order with a supplier. The clerk in the supplier's
office repeated the order specifications back to the purchasing agent. No written confirmations were
exchanged. When the shipment arrived, it was late and of the wrong quantity. However, the purchasing
agent was unable to prove that the shipment was unsatisfactory. What link of the communication chain
has failed in this scenario?

a) Encoding

b) Decoding

c) Medium

d) Feedback

(CIA adapted)

Question 31: The supervisor of purchasing reviewed a memorandum prepared for a buyer in the
department. The memo read, "Effective September 30, the corporation has determined that your
functions will be absorbed into our parent company's small-unit purchasing function. This will reduce
operating costs, improve communications, and facilitate production-engineering changes. You will be
provided with outplacement support." "That should cover the situation," thought the supervisor. "It's too
bad that I am leaving on vacation before the buyer returns from vacation, but this memo will give the
buyer the general idea."

What link in the communications chain is defective?

a) The meaning of the message would be unclear to the buyer.

b) The supervisor chose the wrong channel for the communication.

c) The supervisor should not be the source of this type of communication.

d) The supervisor did not account for the noise in the communication chain.

(CIA adapted)


Problems in Communication
There are a number of things that can cause communication to break down. Some of them are discussed
below.

• Filtering means putting a “spin” on a message. The sender purposely presents the information so it
will be received favorably. This may mean telling only part of the information or telling only what the
receiver wants to hear. Some filtering is expected when the sender is of lower status than the
receiver, due to the sender’s desire to please the boss and fear of being the bearer of bad news.
• Selective perception refers to the receiver being selective in what he or she hears due to needs,
motivations, bias or other personal matters. Receivers decode messages according to their own
interests and expectations.
• Information overload occurs when information comes in at a rate that exceeds our ability to
process it. When people have more information than they can use, they may stop processing until the
overload situation is over, or they pass over some of the information. The result is lost information.
• Language varies among cultural backgrounds, age groups and educational levels. People interpret
words differently, and the way the message is interpreted may be quite different from what the
sender intended. Semantic problems can occur when people attribute different meanings to the same
word.
• Jargon, which is a specialized language of a given trade or profession, can aid communication among
members of that trade or profession. However, sometimes people use jargon that people are not
comfortable with, and as a result communication breaks down.
• Communication apprehension affects many people. It refers to anxiety they feel at
communicating, either orally or in writing, or both.
• Status barriers can impede communication if, for example, the CEO pays no attention to
communications from employees far down in the hierarchy, and employees disregard communications from the
CEO.
• Gender barriers can create communication problems between men and women. In general, men
and women have different conversational styles. Research has indicated that men use talk to
emphasize status, whereas women use talk to create connections. Men are more direct than women and
tend to be more boastful. These differences can lead to misunderstandings.
• Poor channel selection results if the sender uses the wrong medium of communication. For
instance, if you were trying to convey something to someone over the telephone, a gesture would not
be communicated.
• Noise in the communication channel is any disturbance that prevents the receiver from receiving
the message, or it may be confusion created by the sender as a result of communicating something
at an inappropriate time or in an inappropriate setting. Emotions that affect the receipt of a
communication because of the way the receiver is feeling are a type of noise. The grapevine is even a form
of noise, because the grapevine can distort communication.

Question 32: In some organizations, first-line supervisors withhold or alter unfavorable information that
they do not want higher management to know. This selective withholding of information is widely known
as:

a) Selective reception

b) Filtering

c) Regulating information flow

d) Perceptual defense

(CIA adapted)


Question 33: Which of the following is unlikely to cause changes in attitudes?

a) Make sure that the message is credible.

b) Present many different issues in as short a time as possible.

c) Shape the argument to the listener.

d) Focus the presentation on its ultimate objective.

(CIA adapted)

Methods to Improve Communication


There are a number of things that can be done in an attempt to solve these communication problems:

• Reduce noise by eliminating distractions. If the grapevine is causing noise because of inaccurate
information, management can reduce the distortion by using the grapevine to disseminate accurate
information and by monitoring it for accuracy.

• Encourage informal communication, which is more open than formal communications. Open
communication fosters trust and sometimes permits information to be communicated in a timelier
manner than does the formal information system.

• Balance information load with information-processing capacity. The formal information
system can generate more information than anyone can digest. Organizations should take care to
limit the information sent out to an amount that can be comprehended and used.

• Feedback is a very important part of communication. Feedback verifies to the source of the
message that the message has been received and verifies to the recipient that he or she has interpreted
the message correctly. Without feedback, if the source needs to send another message that depends
upon receipt of the first, the source will not send the second message or may re-send the first
message. And if the receiver of the message acts on the message without first verifying that he or she
has received it correctly, the action taken may be inappropriate. The source must ask for feedback,
and the receiver must supply the feedback.

• Trying to understand each other’s perspective will help the source and the receiver overcome
perception problems, because we may be able to eliminate some of the problems by knowing how the
other person is approaching the exchange.

Listening
Having proper listening skills plays an important role for employees involved in sales, customer service, or
management because these people have to listen to others. Based on surveys, the typical manager spends
about 9% of a working day reading, 16% writing, 30% talking, and 45% listening. But listening is not just
about hearing a message; it also involves the process of decoding and interpreting the message.

A typical problem with listening is that people generally can process information at a
much faster rate than most people talk. Researchers have found that the average speaker communicates
about 125 words per minute, while a listener is able to comprehend about 500 words per minute. The difference
between the rate of communication and the rate of comprehension is called an information-processing gap. A poor
listener will use this information-processing gap to daydream and think about other things, thereby not
comprehending what is being said.


The Keys to Effective Listening


The following are recommendations to become a more effective listener by avoiding the 10 habits of bad
listeners while cultivating the 10 good listening habits.

Keys to Effective Listening: The Good Listener and The Bad Listener

1) Capitalize on thought speed
• The good listener: Will stay with the speaker, mentally summarizing the speaker, weighing evidence, and listening between the lines
• The bad listener: Tends to daydream

2) Listen for ideas
• The good listener: Listens for central or overall ideas
• The bad listener: Listens for facts

3) Find an area of interest
• The good listener: Listens for any useful information
• The bad listener: Tunes out dry speakers or subjects

4) Judge content, not delivery
• The good listener: Assesses content by listening to entire message before making judgments
• The bad listener: Tunes out dry or monotone speakers

5) Hold your fire
• The good listener: Withholds judgment until comprehension is complete
• The bad listener: Gets too emotional or worked up by something said by the speaker and enters into an argument

6) Work at listening
• The good listener: Gives the speaker full attention
• The bad listener: Does not expend energy on listening

7) Resist distractions
• The good listener: Fights distractions and concentrates on the speaker
• The bad listener: Is easily distracted

8) Hear what is said
• The good listener: Listens to both favorable and unfavorable information
• The bad listener: Shuts out or denies unfavorable information

9) Challenge yourself
• The good listener: Treats complex presentations as exercise for the mind
• The bad listener: Resists listening to presentations of difficult subject matter

10) Use handouts, overheads, or other visual aids
• The good listener: Takes notes as required and uses visual aids to enhance understanding of the presentation
• The bad listener: Does not take notes or pay attention to visual aids

Source: Adapted from Kreitner R. & Kinicki A., Organizational Behavior, 5th edition, pg. 494


Question 34: Which of the following is the best indicator of the effectiveness of a communication on a
receiver?

a) Understanding of message received

b) Clarity of message

c) Change in receiver's attitude

d) Change in receiver's behavior

(CIA adapted)

Question 35: An advisable strategy for a participant in a meeting of employees would be to:

a) Read the agenda and supporting materials for the meeting during the early part of the meeting to
prepare for later discussion.

b) Present strong opinions on one side of a proposal right away.

c) Present views as trial balloons that can be researched later.

d) Consider the opinions and information needs of other participants before speaking.

(CIA adapted)

Question 36: Studies have shown that the typical manager spends about 9% of a working day reading,
16% writing, 30% talking, and 45% listening. Listening effectiveness is best increased by

a) Resisting both internal and external distractions.

b) Waiting to review key concepts until the speaker is through talking.

c) Tuning out messages that do not seem to fit the meeting purpose.

d) Factoring in biases to evaluate the information being given.

(CIA adapted)


Electronic Communications
Electronic communications have changed the way individuals, managers, and businesses receive, process and
send information. This change gives businesses the opportunity to use “IT as a lever to improve productivity
and customer and employee satisfaction.” 6 Ultimately, these changes have meant that managers at all levels
of the organization are able to stay on top of their jobs.

The five key components of IT that impact communication patterns within the workplace are:

1) The Internet is a global computer networking system that, in essence, is able to connect everything
together from supercomputers to personal computers. Included within the Internet system are
Intranets and Extranets.

• Intranet is a firm’s private Internet, and
• Extranet is what connects internal employees with customers and suppliers.

A primary benefit of an Internet/Intranet/Extranet system is its ability to allow employees to find,
create, manage and distribute information. But the effectiveness of the system is going to depend
100% on how well the organization is set up and managed, and how well the employees are able to
use the information, because information by itself is unable to solve anything. 7

2) E-mail is a method of composing, sending, storing, and receiving messages over electronic
communication systems. The term email applies both to the Internet email system and to Intranet systems allowing
users within one company or organization to send messages to each other. Some of the primary
benefits of email are:

• Its ability to reduce the cost of having to distribute information to a large number of employees.
• Its ability to increase teamwork by enabling employees to quickly send out messages to
colleagues, whether they are in the same building or in another country.
• Its ability to be flexible. This is particularly true for employees with laptop computers.

Despite the potential benefits from using emails, there are some disadvantages, including:

• The potential to waste time and effort. Using email can distract employees from more important
work.
• The potential for information overload. The problem used to be a lack of information, but today
the problem is with junk mail, bad jokes, and useless memos. Companies today need to make a
concerted effort to control the use of email, so employees can stay more focused on the achievement of
company goals and objectives.
• The potential to reduce communication effectiveness. With the advent of email, there is less
face-to-face communication, which can lead to employees feeling less connected.

3) Videoconferencing allows two or more locations to interact via two-way video and audio transmissions
simultaneously. Videoconferencing enables people at different locations to conduct a meeting without
having to travel, reducing travel costs and time required to travel.

4) Cell phones are another means by which people can communicate at a reasonable cost. Cell phones allow
for timely, flexible and convenient communications.

6 Kreitner R. & Kinicki A., Organizational Behavior, 5th edition, pg. 501.
7 Ibid., 503.


5) Telecommuting is a work arrangement in which employees enjoy limited flexibility in working location
and hours. Therefore, the daily commute to the office is replaced by telecommunication links.

Potential benefits of telecommuting are:

• Reduction of costs by not having to pay for office space and other support costs, and

• Increased flexibility and autonomy for workers, which eases the working parent’s burden, increases
employee productivity, and reduces absenteeism.

The drawbacks to telecommuting can include the following:

• Telecommuting employees have a tendency to fall behind in their fields of specialization, and thus,
further job advancement may be more difficult to achieve.

• Intranet access for the telecommuter may be slower due to telephone or modem connections and
may be blocked for security reasons.

• Work hours at home can either be not enough or too much, and there may be too many distractions
at home.

• Employers risk the potential loss of data confidentiality and integrity because of the lack of access
control in the home office.

• Certain office functions such as corporate culture, loyalty, communication, access to people, and
managerial control have yet to be replaced by the virtual office.

Question 37: Which of the following is considered a disadvantage of electronic communication?

I. Information overload.

II. Misrepresentation of feelings and emotions.

III. Reduced transmission time.

IV. Lack of paper trail.

a) I and II only

b) II and IV only

c) I, II, and III only

d) I, II, III, and IV

(IIA adapted)


Stakeholder Relationships
A stakeholder is an individual or entity who has a material interest in a company’s achievements, validated
through some form of investment, and who thereby expects a benefit in return. The specific benefit that a
stakeholder aims to receive varies depending on the nature of the interest and investment. That said, any
significant investment confers a certain degree of power or influence upon the stakeholder, and that
leverage can be used to exert pressure on decisions that a company might make. Generally speaking,
stakeholders can be divided into two categories: internal stakeholders and external stakeholders.

Internal stakeholders are those people who operate under the employment of the company, directly invest
capital, or are otherwise connected to the daily operations:

• Directors invest time and talents and expect personal advancement, remuneration, and status.

• Senior management invests time and talent and expects personal advancement, remuneration,
and status.

• Employees invest labor and talents and expect pay and, where applicable, benefits.

• Trade unions or staff associations invest time and resources and expect to negotiate benefits
and concessions from the company on behalf of organization members.

• Shareholders invest capital and expect to receive a return on their investment.

External stakeholders, although not directly employed by or investing in the company, nevertheless have
significant interests in the company’s performance:

• Customers “invest” money by way of purchasing goods and services; they expect to have use and
satisfactory enjoyment from the products and services they acquire.

• Suppliers invest their goods and services and expect to be paid and, in certain circumstances, to
develop a working relationship with the company to which they provide supplies.

• Contractors and subcontractors invest resources to create specialized services and expect to be
compensated by companies who work with them.

• Distribution networks invest money in transportation infrastructure or other delivery systems and
expect to be compensated by the company for the use of their resources.

• Communities invest their social, economic, and environmental interests and expect employment
and economic prosperity from the company that operates in their locations.

• The general public and government invest public resources and, in certain instances, create
laws, regulations, and incentives (such as tax abatements or special rezoning) in exchange for
employment and economic prosperity.

In the course of exercising prudent corporate governance, management must oversee the varying and
sometimes incongruous expectations of internal and external stakeholders. For instance, there are occasions
where the desires of company directors may openly conflict with the desires of shareholders, and such
opposing objectives must be mediated if the company is to succeed. One way of managing these competing
expectations is the enlightened shareholder view (or stakeholder theory), which is a corporate
governance strategy whereby the board of directors governs the company in the interest of shareholders while
at the same time recognizing the interest of the other stakeholder groups.


Managing Stakeholders
An organization’s stakeholder relationships must be managed in accordance with their bargaining strength,
influence, power and degree of interest. Mendelow summarizes the possibilities in his stakeholder map,
which can be used to understand who has the power and influence over the organization. Business
organizations should manage their stakeholders, particularly those with the greatest influence.

Mendelow classifies stakeholders on a matrix by showing the level of interest and the amount of power
stakeholders have in the organization’s activities. These factors will help define the type of relationship the
organization should seek with its stakeholders. Mendelow’s power/interest matrix is shown below.

Interest is horizontal, and power is vertical. The four quadrants are: Ignore, Keep informed, Keep
satisfied, and Key players.

Mendelow’s Power/Interest Matrix

Level of Power | Level of Interest: Low | Level of Interest: High
Weak | Ignore | Keep Informed
Strong | Keep Satisfied | Key Players

• Ignore quadrant – Stakeholders who are in this category can be ignored by the company. In this
quadrant might be the government, some smaller shareholders, or employees who really don’t have
any power or interest. However, this strategy does not take into account any moral or ethical
considerations in respect to the stakeholders. It is simply the stance to take with some stakeholders if
strategic positioning is the most important objective.

• Keep Informed – Most shareholders would fall into this quadrant. You need to keep shareholders
informed of what’s going on (e.g., annual report), but they don’t exert much power. However,
stakeholders in this quadrant can increase their overall influence by forming coalitions with other
stakeholders in order to exert a greater pressure and thereby make themselves more powerful.

• Keep Satisfied – In this quadrant the stakeholder doesn’t have much interest but does have strong
power over the company. All these stakeholders need to do to become influential is to re-awaken
their interest. This will move them across to the right and into the high influence sector, and so the
management strategy for these stakeholders is to ‘keep satisfied.’

• Key players – Key players are those who have the greatest influence on the company. The question
here is how many competing stakeholders reside in this quadrant of the map. If there is only one
(e.g., management) then there is unlikely to be any conflict in any given decision-making situation.
If there are several, then there are likely to be difficulties in decision-making and ambiguity over
strategic direction.

Stakeholder mapping is used to assess the significance of stakeholder groups. This in turn has implications
for the organization.

• The framework of corporate governance should recognize stakeholders’ levels of interest and
power.

• It may be appropriate to seek to reposition certain stakeholders and discourage others from
repositioning themselves, depending on their attitudes.

• Key blockers and facilitators of change must be identified.


Section E – Management and Leadership Principles


There are five major topics covered in Section E.

1) Strategic Management
Strategic management differs from operational planning in that it takes a longer-term planning view. This
means that it focuses more on where the company wants to go and less on how it will get there.

2) Organizational Behavior
There are two primary topics discussed in organizational behavior:

• Motivation. What motivates an individual or a group to accomplish something is a highly debated
topic and one that cannot be easily answered. Is the motivation money, security, status, prestige of
position or something else? In this section we will review the various theories concerning the
motivation of employees within an organization.

• Organizational theory. In this part we look at the organizing function of management. Of
particular interest is the contingency approach to organizational design which assumes that no design will
fit all organizations. The greater the amount of environmental uncertainty the organization faces, the
more adaptive the organization needs to be.

3) Management Skills and Leadership Styles


This area primarily has to do with leadership. Leadership is using one’s influence to direct and coordinate a
group’s work in order to achieve a goal.

4) Conflict Management
There are two topics here – conflicts and negotiations. Every organization at some point has conflict. So, how
can the organization manage the conflict? Also, every organization has to negotiate. Negotiation involves
examining the facts of the situation and then bargaining to resolve issues, if possible.

5) Project Management and Change Management


• Project management. Project management is the process of planning, managing and controlling
large projects. If large projects are not properly controlled, there could be serious consequences
for the whole organization.

• Change management. Every company at some point has to go through change. The change may
be the result of growing the business, or it may be the result of declining sales so the organization
has to reorganize itself in order to survive.

Section E makes up 10 – 20% of the exam, so you do need to spend adequate time on this section. We
recommend you read through the material, make sure you understand the general concepts, and use
ExamSuccess to become familiar with what has been asked in the past.


Strategic Management
Strategic management takes a long-term planning view, covering periods longer than one year. Strategic
management is the process of specifying the organization’s objectives, developing policies and plans to
achieve the objectives and allocating resources so the plans can be implemented.

A characteristic of strategic planning is that it is done at the highest level of management, usually involving
the Chief Executive Officer (CEO) and other members of the executive team. The strategic plan is what
provides overall direction to the entire company. It does this by matching the company’s overall strategic
advantages to the business environment the firm faces. A good strategy is able to integrate the firm’s goals,
policies, and action sequences into a cohesive whole, and must be based on business realities.

Note: Strategic planning is directional, rather than operational. This means it focuses on where the
organization wants to go instead of specifically how it will get there. On the other hand, operational
plans are short-term plans that are usually quantitative (numerical) and often revolve around production,
expenditures, inventory and other common activities in the company.

Whether we talk about strategic planning or operational planning, the ultimate goal of any company is to
achieve superior performance in comparison with its competitors. It is expected that when superior
performance is achieved, company profitability will increase, thereby increasing shareholder wealth.

The result of attaining superior performance will be competitive advantage. A company is said to have
competitive advantage when it is more profitable than the average company in its industry.

Shareholders want profitable growth, looking for both high profitability as well as sustained profit growth.
The general rule is that a company with profits, but whose profits are not growing, will not be valued as
highly by shareholders as a company with profitability and profit growth. Attaining these two objectives is one
of the greatest challenges facing managers.

Profitability can be measured by means of the return earned on invested capital. Return on Invested Capital
(ROIC) is Net After-Tax Profit ÷ Capital Invested. Thus, profitability is the measure of how efficiently and
effectively the company’s management has used the capital that they have in producing goods and/or
services that satisfy the needs of customers.

Profit growth can be measured by the increase in Net After-Tax Profit over a period of time. Profit growth
comes from sales made in markets that are growing rapidly; from taking market share from competitors;
from increasing the sales made to existing customers; or from expansion into new markets or diversification
into new lines of business.

Strategic leaders are responsible for effectively managing the company’s strategy-making process to increase
company performance and maximize shareholder value. The strategies that a company’s management follows
will determine the company’s performance in relation to the performance of its competitors.

In order to increase profitability and sustain growth, managers need to formulate strategies that will give
their company a competitive advantage. This is where strategic planning comes into play. The strategies
that managers pursue create the activities that together can set the company apart from its competitors and
cause it to consistently outperform them.

However, remember that even under the best of circumstances, it is not unusual for a business to fail despite
having “excellent” strategies because there are external influences that the company failed to take into
account. Strategy must connect with vision, purpose and likely future trends.


The strategy-making process is a combination of strategy formulation and strategy implementation.

• Strategy formulation involves assessing existing strategies, organization, and environment to
develop new strategies and strategic plans capable of delivering future competitive advantage. 8

• Strategy implementation involves successfully acting upon the strategy to achieve the desired
results. 9 In other words, it means putting the strategy into action.

The diagram below outlines these two strategy-making processes. As we can see, strategy formulation and
strategy implementation are not static; together they form an “on-going, never-ending, integrated process requiring
continuous reassessment and reformation.”

Strategy Formulation (creating strategies)

1) Identify current mission, objectives and strategies.
2) Analyze:
   Mission and objectives.
   Values and corporate culture.
   Internal strengths and weaknesses.
   Environmental opportunities and threats.
3) Revise mission and objectives and select new strategies:
   • Corporate
   • Business
   • Functional

Strategy Implementation (putting strategies into action)

4) Implement strategic plans:
   • Mobilize resources.
   • Utilize management systems and practices.
5) Evaluate results and renew strategic management process.

Strategic Control (spans all five steps)

Source: Adapted from Montana & Charnov, Management (2000)

Note: There are two parts to strategic control: monitoring the effectiveness of the strategies and actions,
and taking corrective action when required.

As we see, for strategy to work it must be closely aligned with purpose. Purpose is what gives
management direction, which drives performance, which drives the bottom line. But, as Dr. Patrick Dixon 10 so
famously said about strategy: “What is the point [of strategy] if no one cares?”

The Strategy Hierarchy


Strategy is not formulated at only one level, but can be thought of as a corporate-wide effort, where each
level is somehow involved in strategy formulation and implementation. These levels are:

• Corporate level

• Business unit level

• Functional or departmental level

A good way to understand these strategic levels is to think of corporate level strategy as being “responsible
for market definition, business-unit level strategy as being responsible for market navigation, and
functional level strategy as the foundation that supports both of these.”

8 Patrick Montana & Bruce Charnov (2000), Management, 3rd Edition, pg. 137.
9 Ibid., pg. 137.
10 Dr. Patrick Dixon was ranked in 2005 as one of the 20 most influential business thinkers alive today (Thinkers 50 2005)
and is often described in the media as Europe’s leading Futurist (www.globalchange.com).


Level of Strategy | Definition | Example
Corporate Strategy | Market definition | Diversification into new product or geographic markets.
Business Strategy | Market navigation | Attempts to secure competitive advantage in existing product or geographic markets.
Functional Strategy | Support of corporate and business strategy | Information systems, human resource practices, and production processes that facilitate achievement of corporate and business strategy.

Corporate Level
It is at the corporate level that the overall corporate strategic plan is developed. This is the highest level of
strategic management where decisions are made on resource allocation for each division as well as which
businesses to start or terminate. This gives top management the “big picture” view of the organization.
Thus, the critical questions answered at this level would include:

• What businesses should the company compete in?

• How should the company allocate its resources?

• What level of diversification should the company pursue, i.e., which businesses represent the future?

• What is the competitive advantage of the company as a whole?

• How should the company be structured?

• Where should the boundaries of the company be drawn and how will these boundaries affect
relationships across businesses, with suppliers, customers and other constituents?

• Do the organizational components such as research and development, finance, marketing, and
customer service fit together?

• Are the responsibilities of each business unit clearly identified and is accountability established?

• Should the company enter into strategic alliances – cooperative, mutually beneficial relationships
with other companies? If so, for what reasons? If not, what impact might this have on future
profitability?

As these questions indicate, corporate strategies put in place the long-term direction of the business, but
these strategies have to have the flexibility to change as conditions within the company or industry change.
Top management is directly responsible for the development of corporate strategy and reports to the board of
directors. It is then the board’s responsibility to make sure that management is actually representing the
shareholders’ interest when making these strategic decisions.

Business Unit Level


The business unit level strategy may be for a division, product line, or other profit center. Business units are
generally planned independently from the other business units of the organization. At the business level, the
strategic issues have less to do with the coordination of the operating units and more to do with developing and
maintaining the firm’s competitive advantage. This is done by:

• Positioning the business against rivals.

• Anticipating changes in demand and technologies and adjusting the strategy to accommodate them.

• Influencing the nature of competition through strategic actions such as vertical integration and
through political actions such as lobbying.


Functional or Departmental Level


Each product level, line or brand within its business unit creates a functional plan to accomplish its objectives
in its specific product market. Functional strategies concentrate on the short and medium term. These
strategies include marketing strategies, new product development strategies, human resource strategies,
financial strategies, legal strategies, and information technology management strategies.

These strategies are limited to the domain of each department’s functional responsibility, but each functional
department attempts to do its part in meeting the overall corporate objectives.

Example: Advertising for a new product could be expected to begin sixty days prior to the shipment of the
first product. Production could then start thirty days before shipping begins. Raw materials, for instance,
may require that orders are placed at least two weeks before production is to start. These are all functional
questions and thus, functional strategies have a shorter time orientation than either business-level or
corporate-level strategies.

Business Portfolio Concepts


In strategic management and marketing, a business portfolio is “the collection of products, services, or
brands that are offered for sale by a company.” A good business portfolio adjusts the company’s
strengths and weaknesses to current market opportunities. It helps the company decide which of its
businesses must receive more or less investment and helps the company develop strategies for growth by
adding new products, services or businesses to the portfolio.

Through business portfolio analysis, management identifies the company’s key businesses, which are
called the strategic business units (SBUs). Each of these SBUs is treated as though it is a separate,
independent business, having its own mission and objectives (i.e., a marketing plan to support its
products or services). It is critical that the company understands how to best use its strengths to take
advantage of lucrative opportunities in the marketplace. Therefore, most portfolio analysis methods evaluate
SBUs on:

• The attractiveness of the SBU’s market or industry.

• The SBU’s current position of strength in that market or industry.

Synergy
Strategic management within different parts of an organization is enhanced when managers are able to
think synergistically. Synergy refers to the “phenomenon in which two or more discrete influences or agents
acting together create an effect greater than the sum of the effects each is able to create independently.” This
positive synergy is referred to as the 2 + 2 = 5 effect.

The following are synergies that are typically found in businesses.

• Market synergy occurs when products or services can positively complement each other. Shopping
malls would be an example of market synergy where different stores generate sales for each other.

• Cost synergy occurs when combined entities are able to reduce or eliminate expenses. For
example, costs could be reduced by the joint production, delivery or marketing of different products.

• Technological synergy has to do with the transfer of technology from one application to another.
An example of very high-level technological synergy is the transfer of technology that is developed
for the space program to civilian uses.

• Management synergy has to do with the transfer of knowledge between parts of the organization.
For example, if a department lacks specific managerial skills it may be able to access skills in other
departments to fill its needs.


On the other hand, combining organizations can sometimes cause negative synergy. In these cases the
combination of the organizations’ efforts results in less output than what they would have achieved if they
had each worked alone. This negative synergy can be called the 2 + 2 = 3 effect. Negative synergy can
result from inefficient committees, business units that lack strategic fit, or poorly
functioning joint efforts.

Question 38: Which of the following best describes a market synergy?

a) Technology transfer from one product to another.

b) Bundling of products distributed through the same channels.

c) Production of multiple products at one facility.

d) Use of complementary management skills to achieve entry into a new market.

(IIA adapted)

Question 39: The alignment of strategic initiatives is a corporate-wide effort. Which of the following
strategies best addresses the entire scope of the organization?

a) Functional or departmental strategy.

b) Corporate level strategy.

c) Business-unit strategy.

d) None of the above.

(HOCK)

The diagram below shows the different levels of strategy:

Corporate Level (HQ)

SBU 1 SBU 2 SBU 3

Finance HR Marketing Marketing Sales Finance

• The highest level is the corporate strategy. It is at this level that the scope and direction for the
whole company is decided.

• The next level is the business strategy. If a company has more than one independent business
unit, then these are referred to as Strategic Business Units (SBUs). Each of these SBUs helps the
company achieve its corporate strategy.

• The last level is the functional or departmental strategies. The purpose of strategies at this level
is to support the business strategies and corporate strategies.


Market Structures and How They Impact Pricing


Typically, we think of an industry as any grouping of businesses that share a common method of generating
profits, such as the “oil industry,” “automobile industry,” or “airline industry,” etc. However, this is only one of
the ways in which industries may be classified.

Another method of classifying an industry is based on its competitive structure, which is the nature of the
market in which the businesses operate.

Competitive Structure of Industries


You need to be familiar with the following four competitive structures:

1) Perfect Competition (kiosks) – 0% control of the market.

2) Monopolistic Competition (restaurants in a city).

3) Oligopoly (oil and steel industries).

4) Pure and Natural Monopoly (government-regulated power monopolies) – 100% control of the
market.

All companies want to earn the highest possible profits. One way to accomplish this is to increase the price for
their product. However, depending on the competitive structure of their industry, they may have very little
influence over prices, and if they were to raise their prices, they may lose their customers to other
businesses. The more market control firms have, the more they are able to change the price that they
charge. However, even in a situation where there is only one provider (meaning that competition will not limit
the price that they charge), consumers will provide the final control by reducing demand as prices increase.

You need to be familiar with the characteristics of the different market structures and how they affect the
ability of the organization to control prices.

Perfect Competition
A perfectly competitive market (an example is kiosks) will exist if the following assumptions are true:

• There are many independent buyers and sellers.

• Customers are indifferent as to which supplier they buy from.

• The market is for a standardized product or products.

• There are no barriers restricting organizations from entering or exiting the market.

• Perfect information exists in the market.

• There is no non-price competition.

Additionally, the assumptions above imply that competitive organizations are price-takers. This means
that an individual can’t set prices higher or lower than the market equilibrium price.

Note: In perfect competition, every organization sells its output at the same price – the market price. As
a single competitive organization expands output, the extra, or marginal, revenue received from producing
each additional unit is equal to the market price. Since organizations expand production as long as the
marginal revenue of making another unit is at least as high as the marginal cost, perfectly competitive
organizations will stop producing at the point where the cost of producing one more unit (the marginal
cost) is equal to the revenue from producing one more unit (the marginal revenue).

© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. 73
Strategic Management CIA Part 3

Monopolistic Competition
The assumptions for monopolistic competition (an example is restaurants in a city) are:

• There are many non-collusive organizations operating within the market (non-collusive means
that they operate independently of each other).

• The market is for a product or products that can be differentiated (a differentiated product is one
that is similar to, but not exactly like, other products – it is a close substitute, but not a perfect
substitute).

• There are only minimal barriers restricting organizations from entering or exiting the market.

• The organizations only have “limited” control over price, because of the presence of so many
other organizations producing a similar product. They do have “some” control, because the product
they produce is unique, so they can charge a different price from what other organizations are
charging; there is not a single price that will prevail in this market, unlike perfect competition.

• There is a considerable amount of non-price competition such as advertising, service after the
sale, and emphasis on trademark quality.

• There is a highly elastic demand curve (if they raise their price a little bit, they will suffer a larger
decrease in demand than the increase in price).

Oligopoly
The oligopoly structure (examples are the car, steel or oil industries) is not as clearly defined as the other
market structures, but generally it will exist under the following conditions:

• There are only a few organizations operating in the market, but each is affected by the decisions
of the others (it is like a club, with a limited number of members).

• The market can be for either standardized, or differentiated products.

• Prices may be rigid (meaning that they do not change) due to the organizations’ mutual
interdependence. This price rigidity causes something called a “Kinked Demand Curve.” This kink is
caused by the fact that in an oligopolistic market an individual organization will not raise the price of
its product because the other organizations will not follow suit. Thus, the company that raises its
price will lose customers to its now cheaper competitors. Similarly, an individual organization will
not reduce its price because if it does, the other organizations will follow, no market share
will be gained, and it will have reduced the price it receives from its customers.

• Significant natural or created barriers to entry may exist.

• Demand is static in the short term, or has limited growth opportunities. This means that a
new organization is unable to obtain customers as a result of the market simply getting bigger. In
order for a new organization to attract customers, it would need to take them from an existing
organization. This is also true in respect to the few companies in the oligopoly – the only way to
increase their customer base is to take customers from another organization.

Entry is difficult because an oligopolistic industry usually has substantial economies of scale. In addition,
because of the small number of organizations, collusion is possible; organizations may attempt to
cooperate, or collaborate and manipulate price so as to make it unprofitable for new organizations to enter.

Additionally, economies of scale may make it difficult for new organizations to enter, since they would have to
enter producing at a large scale in order to have average costs comparable to the existing organizations.
Other barriers, such as existing organizations’ control of technology or raw materials, the need for substantial
advertising, or costly licensing requirements can also make entry difficult.


Note: A natural barrier to entry usually equates to an absolute cost advantage, while created entry
barriers are ongoing advertising, patent rights or some other external factor that the already existing
companies have that a new organization would not share.

Natural Monopoly
A natural monopoly exists because economic and technical conditions are present in the industry or economy
that permit only one efficient supplier in a location. A common example of a natural monopoly is an
electric company. It is simply not efficient for more than one electrical grid to be built in a specific area. These
electric companies may be local or regional monopolies, rather than national, but they are monopolies within
their geographic area of business.

A natural monopoly exists when economies of scale are very great. This means that only large-scale
operations can achieve a low enough unit cost to profitably supply the product. In a natural monopoly, the
unit cost (the long-term average cost) of meeting the entire market demand is minimized when the industry
consists of only one organization.

Thus, competition would be undesirable in this market, because the presence of two or more organizations
would prevent the realization of the necessary economies of scale. Multiple organizations, each taking a
portion of the market demand, would each be producing at a higher average cost than a single organization
servicing the entire market; therefore, the presence of multiple organizations might result in a higher price in
the market to cover these higher average costs.

The characteristics of a pure monopoly are:

• There is a single organization, and the market is for a unique product, or products, that have no
close substitutes,

• There are barriers to entry that restrict organizations from entering or exiting the market
(examples are a patented item or extremely high initial capital costs), and

• The first two conditions above suggest that the monopoly will have “control over price” in the sense
that it will be able to select a price that maximizes profit, as opposed to competitive companies that
have no control over price, but must sell their output at the “prevailing market price.”

Note: Organizations that are not in perfect competition are not bound to sell their output at one
competitively determined market price. As a result, relative to competitive organizations, non-competitive
organizations will tend to restrict output in order to maintain higher levels of prices. This lower level of
output creates a shortage in the market relative to what would be observed under competition. In these
non-competitive situations consumers have fewer goods to choose from and the price that they pay for
those goods is more than in a perfectly competitive environment.


Porter’s Five Forces Model


A leading consultant in the field of strategic management is Michael E. Porter [11], who developed a model for
industrial and competitive analysis. This five forces model is just one part of the complete Porter strategic
models. The other elements are value chain and generic strategies (covered later).

Porter’s theory is still widely used by business analysts, whether they are examining a whole industry or a
single, individual company. These forces determine the attractiveness of a market. Porter referred to these
forces (buyers, suppliers, competitors, new entrants) as the microenvironment, contrasting it with the more
general term macroenvironment. These forces affect the ability of all players within an industry to set prices
and make a profit. However, a change in any one of these forces requires the organizations to re-assess the
marketplace.

The diagram below shows the interconnection of the five forces.

[Figure: Porter’s Five Forces Model. Intensity of Competitive Rivalry appears at the center, surrounded by
Threat from New Entrants, Suppliers’ Power, Buyers’ Power, Threat from Substitutes, and Power of other
Stakeholders. Source: Adapted from Michael E. Porter, Competitive Strategy: Techniques for Analyzing
Industries and Competitors (1980)]

Below is a discussion of each of the forces. For the most part, the stronger the individual force,
the more it limits the ability of the industry’s organizations to set prices and make profits. Stronger forces are
threats because they are likely to reduce profits. Weaker forces are opportunities because they allow
organizations the chance to earn greater profits.

[11] Michael E. Porter is a University Professor at Harvard Business School. Porter is considered the leading
authority on Strategic Management.


1. Threat from New Entrants


Long-term profitability will depend on how easy or difficult it is for new entrants to start competing. Prices
need to be kept low if new entrants are able to easily come into the market. However, when it is more difficult
for new entrants to break into the market, the company will be able to keep prices higher.

Factors that might help to create high barriers to entry:

• Economies of scale. Economies of scale are reductions in average costs that are achieved by
producing and selling an item in large quantities. If the economies of scale in a particular industry are
large, and the biggest organizations can achieve substantially lower costs than smaller producers,
then it is much more difficult for a new organization to enter the market.

• Capital investment requirements. If the new entrant is going to have to make a sizable capital
investment, this will deter organizations from entering the market.

• Switching costs. Switching costs are costs that a buyer has to incur in switching from one supplier
to another. Depending on the industry, these switching costs might be high, thus, it might be difficult
for new entrants to break into the market.

• Access to distribution channels. Some markets might have only a limited number of distribution
channels, thus, it might be more difficult for a new entrant to gain access to these distribution
channels. In this case, the barriers to entry will be high.

• Government regulations. The principal role of the government is to preserve competition through
anti-trust actions, but government also restricts competition through the granting of monopolies and
through regulation, e.g., utilities are considered to be natural monopolies because it is more efficient
to have one electric company provide power to the locality than to permit many electric companies to
compete in a local market.

2. Intensity of Competitive Rivalry


Competition within an industry is enhanced when there is rivalry between competitors. Strong competition
forces rival companies to keep prices low (relative to product quality) and thus keeps profitability fairly low as
well.

Factors that can determine the intensity of the rivalry include the following:

• The structure of the competition. The rivalry will be more intense if there are lots of small and
equally sized competitors. The rivalry will be less intense if the industry has a clear market leader.

• The structure of industry costs. High fixed cost relative to variable cost indicates that the rivalry
will be more intense. This cost structure encourages companies to produce at full capacity by cutting
prices, if needed.

• The degree of product differentiation. Industries where there is little product differentiation tend
to have greater rivalry.

• Switching costs. Industries that have high switching cost will have less rivalry.

• Stage of industry lifecycle. If competitors pursue more aggressive growth strategies, rivalry will be
more intense. If competitors are merely “milking” profits in a mature industry, the degree of rivalry
will be less.

• Exit barriers. When barriers to leaving the industry are high, competitors tend to exhibit greater
rivalry.


3. Threat from Substitute Products


Substitutes are types of products that have the same purposes and can be substituted for one another. If
there is a strong substitute, prices will have to be kept low to prevent current customers from switching to the
substitute product.

Factors that can determine the threat of substitutes include the following:

• Quality of substitute.

• Buyers’ willingness to substitute. If buyers are easily able to substitute products (services), it is
more likely that demand is elastic and the threat of substitution is greater.

• The relative price and performance of substitutes.

• The costs of switching to substitutes.

4. Bargaining Power of Buyers


From the buyer’s perspective, they want lower prices, better quality products, and more services. The
stronger the bargaining power of buyers, the lower prices will need to be kept.

Factors that can determine the buyer’s bargaining power include the following:

• Concentration of buyers. When there are a number of dominant buyers, their bargaining power is
greater.

• Differentiation of product. Bargaining power is greater if products are undifferentiated.

• Switching costs. Bargaining power is increased (decreased) when there are high (low) switching
costs.

• Threat of backward and forward integration into the industry. Bargaining power is increased
when supply capacity is acquired.

• Profitability of buyers. Bargaining power is likely to be greater when buyers are forced to be tough.

• Role of quality and service. Bargaining power is likely to be greater (less) when the supplier’s
product is less (more) important.

5. Bargaining Power of Suppliers


The stronger the bargaining power of suppliers, the more the company will have to pay to buy the inputs.
This will reduce profits. Factors that can determine the supplier’s bargaining power include the following:

• Concentration of suppliers. When there are few suppliers, their bargaining power is increased.

• Branding. A well-known brand increases the suppliers’ bargaining power.

• Threat of forward integration into the industry. Bargaining power is increased when suppliers
vertically integrate their operations, e.g., brand manufacturer sets up their own retail outlets.

• Prices of substitutes. Bargaining power is greater when prices of substitutes are high.

• Switching costs. Bargaining power is increased the easier it is for suppliers to find new customers.


Question 40: Factors that can increase the intensity of a competitive rivalry include all of the following
except

a) Price cutting

b) Large marketing promotions

c) Degree of product differentiation

d) Inelastic demand

(HOCK)

Question 41: Which of the following factors can influence the buyer’s bargaining power?

I. Concentration of buyers.

II. Profitability of buyers.

III. Threat of backward and forward integration into the industry.

a) I only

b) II only

c) I and III

d) I, II and III

(HOCK)

There are some that would argue that a sixth force should be added to Porter’s list to include a variety of
stakeholder groups from the task environment. This sixth force is referred to as Power of the other
Stakeholders. Examples of these other stakeholders are government, local communities, creditors, and
shareholders.

Strategic Groups
The development of a successful marketing strategy requires that the company not only study its own
customers and prospects, but it must also study and understand its competition. After identifying its primary
competitors, a company needs to understand their strategies, goals and objectives, strengths and
weaknesses and behavior or reaction patterns.

Porter’s Five Forces determines the attractiveness of a market in broad industry-wide terms. It is possible to
refine this by considering strategic groups. A strategic group is a group of companies that follows a similar
strategy in the same target market. A strategic group will have one or more competitive characteristics in
common:

• Sell in same price / quality range.

• Cover the same geographic area.

• Have comparable product line breadth.

• Emphasize same type of distribution channels.

• Offer buyers similar services.

• Use identical technological approaches.


Example: It might be possible to classify market position in terms of price and quality. Some organizations
will offer lower-priced products, but their quality is probably not as good. Some organizations might
offer higher-quality products for a higher price.

The strategic groups in a market might be mapped according to price and quality in the following way:

[Figure: Strategic group map with Price and Quality as the two axes, showing Group 1, Group 2, Group 3
and Group 4.]

This map indicates that there are four strategic groups, each in a different market position in relation to price
and quality. The largest group (Group 2) sells products in the middle price and quality range.

The closer the strategic groups are on the map, the stronger the competitive rivalry among member
organizations tends to be, e.g., Group 3 could be a rival for Group 4 and Group 2, but it is highly unlikely that
Group 2 and Group 4 would be rivals, or Group 1 and Group 3 or 4.

Question 42: Which of the following would not be a characteristic of a strategic group?

a) A group of companies with similar marketing strategies.

b) A group of companies with similar operating profit margins.

c) A group of companies with similar pricing policies.

d) A group of companies covering the same geographic area.

(HOCK)


Analysis of Competitors
Successful strategists make a large investment into scouting competitors. They do this by:

• Understanding their strategies.

• Watching their actions.

• Evaluating their vulnerability to driving forces and competitive pressures.

• Sizing up their strengths and weaknesses.

• Anticipating their next move. Anticipating their next move involves:

– Analyzing current competitive positions.

– Examining public pronouncements about the competitor’s discussion of the industry.

– Examining public pronouncements about the competitor’s discussion of its own position.

– Gathering information from the grapevine about current activities and potential changes.

– Studying past actions and current leadership.

– Determining who has flexibility to make major changes and who is locked into the same strategy.

Note: Strategic groups are not to be confused with Porter’s generic strategies which are internal strategies
and do not reflect the diversity of strategic styles within an industry.

SWOT Analysis
Another commonly used model for the strategic management and planning process is SWOT analysis. A SWOT
analysis is an evaluation of the company’s:

• Strengths

• Weaknesses

• Opportunities

• Threats

This analysis takes place after the business unit has clearly defined its mission in the marketplace, and the
SWOT analysis process must consider and complement the larger mission of the organization.

Strengths and Weaknesses


A company’s strengths are the resources and capabilities it can use to develop a competitive advantage.
These strengths include things like patents and trademarks, brand equity (which is the positive effect that
familiarity with the brand name has on customer response to a product or service), cost advantages from
proprietary processes, access to distribution networks, access to capital markets, and reputation.

If a company does not have a certain strength, that would be considered a weakness. In other words, if it
does not have any patents, does not have brand equity, has high costs or limited access to capital because of
previous poor performance, etc., those are weaknesses.


Strengths and weaknesses generally exist in the company’s internal environment and impact the company’s
ability to pursue opportunities. SWOT analysis helps the company determine whether to limit its opportunities
based on whether it has the required strengths, or whether it needs to acquire and develop new strengths
(therefore overcoming some of its weaknesses) in order to pursue emerging market opportunities. Another
example of an internal strength or weakness is the company’s overall ability or lack of ability to work together
as a team, leveraging interdepartmental working relationships to pursue new opportunities. The same is true
for analyzing whether the company has the competencies and capabilities to create a new product or service.

Opportunities and Threats


Opportunities and threats reside, in general, in the external environment, so it is important to identify
macro-environmental elements as well as micro-environmental entities that have the potential to create
opportunities and threats.

Macro-environmental elements include demographic-economic factors, socio-cultural factors, political-legal
factors and technological factors. Micro-environmental entities include suppliers, customers, distributors
and competitors.

Marketing opportunities include new areas where customer wants or needs or interests exist, and the
company needs to continually identify these areas. Opportunities may arise in many areas such as fulfilling
informational needs, enhancing the buying process for customers, offering products or services to customers
at a lower price, delivering products more quickly, etc.

Marketing threats exist in the external environment and usually require some type of defensive marketing
action to ward off an adverse trend or development that could lead to deterioration in sales or erode
profitability. Threats pose various levels of severity and probability of occurrence. Therefore, they are best
detected in advance through SWOT analysis so that the organization can determine whether they are major
or minor threats, and then deal with them appropriately before damage occurs to the company. Typical
threats include changes brought about by new legislation, prolonged economic depression, development of a
superior product by a competitor, etc.

Consideration and monitoring of both the macro-environmental and micro-environmental factors that can
introduce opportunities and threats will influence the company’s ability to gain and sustain profitability.

Once the company has analyzed its strengths, weaknesses, opportunities and threats, it can:

• Create a plan that has a low level of threats but a high level of opportunities (this is the ideal
situation), or

• Create a plan that is low in both opportunities and threats because this is an already mature business
that wants to maintain its position, or

• Move toward a plan that is low in major opportunities but high in threats because it is a troubled
business that may require drastic change, or

• Even consider a speculative business plan that is high in major opportunities, yet may also have a
high level of threats.


Competitive Strategies
There are two competitive strategies that we want to examine. The first, the generic strategy model, was
developed by Michael Porter. The second is referred to as market-based strategies.

1. Generic Strategy Model


Porter’s generic model shown below consists of three general types of strategies that are applicable in most
situations. They are cost leadership, differentiation, and market segmentation. Market segmentation
tends to be narrow in scope, while cost leadership and differentiation are relatively broader in scope.

[Figure: Porter’s Generic Strategies. A grid with market scope on one axis and competency on the other.
Narrow Market Scope: Segmentation Strategy. Broad Market Scope: Differentiation Strategy (Uniqueness
competency) and Cost Leadership Strategy (Low Cost competency). Source: Adapted from Michael E. Porter,
Competitive Strategy: Techniques for Analyzing Industries and Competitors (1980)]

Cost Leadership Strategy


This strategy, as its name would suggest, emphasizes cost savings through efficiency. A company hopes to
take advantage of its economies of scale by producing its product at a lower cost than its suppliers and
making it available to a broader customer base at a lower price.

In order for this strategy to be successful, it usually requires considerable market share advantage or
preferential access to raw materials, components, labor, or some other important input. Without one or more
of these advantages, the strategy is easier for the competition to copy by reducing their
costs as well.

Companies that successfully implement this strategy also benefit from:

• Having an efficient supply and distribution channel.

• Having access to large, inexpensive capital.

• Having process engineering skills.

• Having close supervision of labor.

• Having tight cost controls.


Differentiation Strategy
This strategy entails producing a unique product or service. Porter believes that the “unique features or
benefits should provide superior value for the customer if this strategy is to be successful.” Differentiation can
allow organizations to earn higher profits because customers see the product as unrivaled and unequaled.
Thus, the price elasticity of demand tends to be reduced and customers tend to be more brand loyal. This can
give the company some insulation from the competition. However, there are generally some additional costs
associated with differentiating product features and this could require a premium pricing strategy.

Generally, organizations that are successful typically have the following strengths:

• Strong and effective R&D skills.

• Strong and effective engineering skills.

• Strong creativity skills.

• Good cooperation with distribution channels.

• Strong marketing skills, with the ability to communicate the importance of the differentiating product
characteristics.

• Stress continuous improvement and innovation.

• Are able to attract highly skilled, creative people.

Segmentation Strategy
Segmentation strategy is simply where the organization concentrates on a selected few target markets. This
is also called a focus strategy or niche market. By focusing its marketing efforts on one or two narrow
market segments and tailoring its marketing mix to these specialized markets, the organization believes that
it is better able to meet the needs of that target market.

Organizations that have this type of strategy look to gain competitive advantage through effectiveness rather
than efficiency (lower cost). Although this strategy is more suitable for smaller organizations, it can also be
used by any size company. Companies use this strategy in markets that are less vulnerable to substitutes, or
where competition is weakest.

Criticism of Generic Strategies


Based on Porter’s assessment, companies that try to combine generic strategies may get “caught in the
middle” and not achieve success with either strategy. He believes that these companies would not be able to
maintain their competitive advantage because they are trying to accomplish more than one goal. For
example, according to Porter, a company that tries to pursue cost leadership and differentiation may not be
able to reach either objective. In addition, even if the company did manage to succeed by following multiple
strategies, the result could be a confusing public image.

In Porter’s opinion, a company that does try to follow multiple strategies will be more successful if it creates
SBUs to implement each strategy.

However, there are those that question Porter’s notion of being “caught in the middle.” These critics claim
that there can be a middle ground between strategies. There are examples of companies that have entered a
market as a niche player, and gradually expanded.


Question 43: A manufacturing company produces plastic utensils for a particular segment at the lowest
possible costs. The company is pursuing a cost

a) Cost leadership strategy

b) Focus strategy

c) Differentiation strategy

d) Containment strategy

(IIA adapted)

Question 44: Which basic force(s) drive(s) industry competition and the ultimate profit potential of the
industry?

I. Threat of new entrants.

II. Bargaining power of suppliers.

III. Favorable access to raw materials and labor.

IV. Product differentiation.

a) I only

b) I and II only

c) III and IV only

d) I, II, III, and IV

(IIA adapted)

Question 45: Which of the following is a favorable condition for a company competing in a profitable,
expanding industry?

a) The company does not have a strong customer base.

b) A few suppliers who can restrict supply.

c) Competitors find it difficult to acquire the company’s customers.

d) The company has high costs relative to other companies in the industry.

(IIA adapted)


2. Marketing-Based Strategies
Having discussed Porter’s generic strategies, which assessed strategy on the dimension of strategic scope and
strategic strength, we want to turn our attention now to marketing-based strategies, which are marketing
strategies based on market dominance, or market share.

Market dominance is how strong the company’s brand, product and service are relative to the competition.
However, in measuring market dominance, you must keep in mind that there is also a geographical
element to the competitive landscape. Therefore, you must see to what extent the product has control
over a given geographical area or region.

For the most part, there are several ways of calculating market dominance, but the most common method is
to measure its market share. Market share is simply the percentage of the total market that is serviced by
the organization. For example, the organization may have a 50% share, the next largest may have a 25%
share, the next a 12% share, the next a 7% share, and all of the remaining organizations combined may
have the remaining 6%.

Note: Historically, the top three brands in a product category occupy market share in the ratio of 4:2:1.
This means that the number 1 brand has twice the market share of number 2, which has twice the market
share of number 3.

An organization has to be careful when using market share in determining its market dominance because it
may not be the perfect description of market dominance. Companies also need to take into account the
influences of the customers, suppliers, competitors in related industries, and government regulations on that
market share. This is a measure of how easily lost the market share is, or how loyal the customers are to the
company’s brand or product.

Although there are no absolute rules governing the relationship between market share and market
dominance, the following are general criteria:

• A company has market power and market dominance when its brand, product, or service has a
market share exceeding 60%.

• A company has market strength, but not necessarily dominance when its brand, product, or service
has market share over 35%, but less than 60%.

• A company has neither market strength nor dominance when its brand, product, or service has
market share less than 35%. But, we need to mention that companies that meet this last criterion
are not apt to raise anti-monopoly concerns of government regulators, whereas the first two might.

Typically, there are four types of market dominance strategies that a company will consider: market leader,
market challenger, market follower, and market nicher. In the following pages we will discuss these
strategies in more detail.

Market Leader

Note: This is the first of the four market dominance strategies.

Quite simply, the market leader is the dominant player in the industry. A market leader exhibits the following
characteristics:

• It has a dominant market share and often extensive distribution arrangements with retailers.

• It is the industry leader in developing innovative new business models and new products.

• It tends to be on the cutting edge of new technologies and new production processes.

• It sometimes has some market power in determining either price or output.


However, being the market leader is not always the absolute best position for the company to be in. It is
possible that the company could be the target of competitive threats and government anti-monopoly actions
if the market share is too strong or too dominant. These actions may cause the company to lose market share
or spend so much money defending their business that they would actually have been better off occupying a
slightly smaller position in the market and avoiding the legal issues that arose from being too dominant.

Most managers used to believe that market leadership was the only way to go and that it was the most
profitable strategy for the company to undertake. It used to be that if you could not get enough market share
to be a major player, then you should not be in the business; you would be better off to concentrate your
resources where you can take advantage of economies of scale and increased bargaining power to gain
dominant market share in another market. This is a business philosophy that was, and still is, emphasized by
some companies. Jack Welch, former head of GE, was convinced this was the only way to go and wanted GE
to exit from businesses where it was not a market leader or major player in the market. But, today’s
managers realize that it may be better to be less dominating, but be more profitable. For example, overall
profits may decline if market share is gained by increasing promotional expenditures or by decreasing price.

Market leaders have the following three objectives:

1) Expand total market share by finding:

• New users for the existing product or service.

• New uses for the existing product or service.

• More overall usage of the product or service. For example, this can be done by planned
obsolescence, which means that the company will cause the product to become obsolete and force
consumers to buy the new product.

2) Defend existing market share through offensive and defensive actions.

Offensive actions are intended to strengthen the company’s position, thereby making it harder for others to
take their existing market share. Common offensive strategies are:

• Improving its product or service.

• Improving its distribution effectiveness.

• Reducing costs.

Defensive actions are intended to protect the market share that a company already has by protecting the
status quo. Commonly used defense strategies are:

• Position defense generally involves building fortifications around your markets, such as barriers to
market entry around a product, brand, product line, etc. Methods to achieve this could include
exclusive distribution contracts, or patent protection.

• Mobile defense generally involves the leader proactively and aggressively defending its market
while at the same time exploring new market opportunities. This can be done by introducing new
products or services, modifying existing products, changing market segments, repositioning
products, or changing promotional focus. But, in order to accomplish this the company has to be very
flexible, with strong marketing, product development, and marketing research skills.

• Flanking defense involves the company watching its weaker flank (areas of its business that are
not as strong). This is done by the company strengthening its competitive position by introducing
new products in areas that may provide an entry into a more beneficial market.

• Counter offensive defense involves countering an attack with an offense of your own. For
example, the company might respond to a price cut in one market by a competitor with a price cut of its
own in another market that is of equal, if not greater, importance to the competitor.


• Pre-emptive defense involves striking the competitor before they can move against the company.
Product or brand proliferation (the production of new products or brands) is a form of pre-emptive
defense.

• Contraction defense involves the company giving up weaker positions so it can concentrate its
resources on stronger ones.

3) Expand market share even if market size remains the same. A company does this by:

• Winning customers away from competitors through expensive and innovative initiatives.

• Targeting the competitors, but without drawing the attention of government regulators.

• Winning the loyalty of new customers through loyalty programs that reward the customer for
continued use of the company’s products and services.

Market Challenger

Note: This is the second of the four market dominance strategies.

A characteristic of a market challenger is that the organization is strong, but not the dominant player in the
market. A market challenger is typically a company that is number 2, or possibly number 3, in the market. In
these cases, an offensive marketing strategy is appropriate to try to improve that position.

Note: Offensive marketing warfare strategies are a type of strategy that uses military metaphors to craft a
business strategy. Al Ries and Jack Trout popularized the terms in their book Marketing Warfare.

The three principles of an offensive strategy are:

• The challenger’s concern should be to assess the strength of the leader’s position, not the
challenger’s own strengths and weaknesses.

• The challenger should find a weakness in the leader’s strength, not simply a weakness in the
leader’s position.

• Launch an attack on as narrow a front as possible. The challenger should avoid a broad attack.

There are five general attack strategies that can be used against the competitors. These strategies are:

1) Frontal attack involves a head-on attack, such as price-cutting. Generally, frontal assaults are
expensive and thus rare. This strategy can work if there is no price retaliation by the targeted
company.

2) Flanking attack involves the company not attacking head-on, but seeking to identify and attack
the competitor’s weak points. This strategy typically works when:

• The market is segmented.

• Some of the segments are not well penetrated by existing competitors.

• The target competitor has relatively strong resources and is well able to withstand a head-on
attack.

• The challenger has fairly strong resources, enough to successfully defend several niches.


3) Encirclement attack involves the challenger attacking from all sides. This strategy typically works
when:

• The market is loosely segmented.

• Some of the segments are relatively free of well-endowed competitors.

• The challenger has strong product development resources.

• The challenger has enough resources to operate in multiple segments simultaneously.

4) Bypass attack involves the challenger bypassing the competitor and targeting easier markets. This
often involves diversifying into unrelated products or new geographic markets.

Pepsi used a bypass strategy against Coke in China when it located its bottling plants in the interior
provinces rather than in the larger cities where Coke was already established.

5) Guerrilla attack is typically better suited to smaller organizations. The guerrilla marketer must
have flexibility so that it can change tactics very quickly. This may mean abandoning a market
segment, product, product line, brand, business model, or objective. A common trait of guerrilla
marketers is that they are not ashamed to change direction, or make a strategic withdrawal. This
strategy typically works well when:

• The target competitor has relatively strong resources and is well able to withstand a head-on
attack.

• The challenger has moderately weak resources.

Which strategy should the challenger choose? The challenger should use a combination of several
strategies to improve market share over time. These strategies might include:

• Price discounting is more effective when buyers are price sensitive, the products or services are
similar to the leader’s, and the discounts are not matched. When implementing price discounting or
price-cutting strategies, the company has to be conscious of the legal aspects of its actions.

• Line extensions can be used to extend an existing line rather than starting a completely new one.

• Producing high quality prestige goods that can be sold at high prices.

• Improving service results in greater customer satisfaction.

• Other specific strategies can include changing or developing new distribution channels, intensifying
promotional activity, or reducing costs.

Market Follower

Note: This is the third of the four market dominance strategies.

Companies that do not wish to challenge the leader adopt a follower strategy. The follower can also be
a major player, but has made the conscious decision not to directly attack the leader because it knows that
doing so could lead to a costly price war that it cannot win. Instead it maintains its position by following the
market leader. If the leader increases its prices, the follower will do the same. If the leader develops a new
product, so does the follower. Over the long-term, the relative market shares of the two companies tend to
remain constant. This “play it safe” strategy is how Burger King retains its position behind McDonald’s.

Followers tend to be imitators, not innovators. For example, Sony is a product innovator and market
leader, whereas Panasonic is a product imitator and thus a market follower. Theodore Levitt argued in his
article “Innovative Imitation” that a product imitation strategy might be just as profitable as a product
innovation strategy.


There are four broad follower strategies. These strategies are:

1) Counterfeiter produces illegal products sold on the black market.

2) Cloner replicates the leader’s strategies. Examples are IBM clones.

3) Imitator copies some things from the leader, but differentiates itself with packaging, advertising,
pricing and service. Car manufacturers imitate the style of one another.

4) Adapter builds upon the leader’s products and marketing programs, often improving upon them.
Japanese organizations are excellent adapters initially before developing into challengers and
eventually leaders.

Market Nicher

Note: This is the fourth of the four market dominance strategies.

A market nicher does not compete directly with the market leader. Instead the organization will focus its
marketing efforts where the standard products and services of the market leader cannot satisfy the needs of
the customer. It has identified its position of relative strength and it concentrates its efforts in that area.

A company must spend considerable time developing its niche strategy. It should consider alternatives and
determine how each would affect its market share and profitability. It is only when it has completed this work
that it should move on and develop a marketing plan.

The characteristics of the successful nichers are:

• They tend to have higher profit margins than high-volume sellers.

• They tend to be highly focused on their specific market segment.

• They tend to market high-end products or services, and thus are able to have a premium pricing
strategy.

• They tend to keep expenses down by spending less on R&D, advertising, and selling.

The essence of niching is specialization; however, Dr. Philip Kotler believes that “a company should ‘stick to
its niching’ but not necessarily to its niche. This is why multiple niching is preferable to single niching. By
developing strength in two or more niches the company increases its chances for survival.”

The major risk faced by nichers is that larger companies may attack them once they notice the nichers are
becoming successful.

Question 46: When businesses compete in different geographical locations or have multiple product lines
that do not necessarily overlap, the most effective way of responding to an aggressive move by a
competitor without directly triggering destructive moves and countermoves is to

a) Mislead the competitor into taking or not taking an action.

b) Make prior announcement of intended moves.

c) Initiate a move in the market where the competitor is strong.

d) Initiate direct aggressive moves.

(IIA adapted)


Question 47: A market leader is defined as being the dominant player in an industry. Leaders tend to take
on a more defensive strategy than market challengers. Which of the following best describes an action
taken by a company that is using a flanking defense?

a) The company promotes trade barriers to keep the competition out.

b) The company introduces a new product.

c) The company introduces a price cut in the competitor’s market.

d) The company expands its line of product.

(HOCK)

Question 48: The market challenger’s strategic objective is to gain market share and eventually become
the leader. It does this using a variety of attack strategies. A characteristic of a flank attack is that

a) The company attacks the leader head-on. It can do this by having sufficient fire and staying power.

b) The company attacks the leader on many fronts at the same time. It can do this if it has superior
resources.

c) The company diversifies into unrelated products or markets neglected by the leader.

d) The company identifies and attacks the leader’s weak points.

(HOCK)

Question 49: A business that is trying to increase its market share to become a market leader is often
referred to as a

a) Market challenger

b) Market follower

c) Market nicher

d) Market leader

(HOCK)


Competitor Analysis
A part of strategic management is assessing the strengths and weaknesses of current and potential
competitors. This is called competitor analysis (or competitive analysis). Competitor analysis is important
because managers who fail to study competitors take the risk of being blindsided by “surprise” actions on the
part of the competitor.

Competitive Intelligence
A term that is often viewed as synonymous with competitive analysis is competitive intelligence. Ian
Gordon in 1989 published “Beat the Competition,” which was one of the first books on competitive
intelligence. Gordon described competitive intelligence as the “process of obtaining and analyzing competitive
information to help achieve the objectives of the organization.”

Competitive intelligence (CI) is different from industrial espionage, because CI entails collecting, analyzing
and disseminating information ethically, in accordance with legal guidelines. Today, a lot of large
companies have CI functions, and in some cases the CI staff can be members of professional organizations,
such as The Society of Competitive Intelligence Professionals.

An effective CI is a continuous process, whose steps include:

• Planning and directing the system involves working with the decision-makers to discover and
hone their intelligence needs.

• Collecting information should be done ethically and legally. Information can be collected from a
variety of sources, including:

– The company’s own sales agents, distributors, and suppliers.

– Market researchers and trade associations.

– Published sources, including Dun & Bradstreet, Moody’s, Standard & Poor’s, etc.

– The Internet, which is probably the most frequently used source in the CI process. For example, a
business Web site generally contains a vast amount of information, usually including company history,
business visions, product overviews, financial data, sales figures, annual reports, press releases,
biographies of top executives, location of offices, and hiring ads.

• Analysis entails interpreting data and compiling recommended actions.

• Information dissemination presents findings to the decision-makers.

• Feedback is the final step of establishing a CI program, and it entails taking into account the
response of the decision-makers and their need for continuous intelligence.

A CI program will allow a company to develop a competitive strategy that targets the appropriate markets
and appropriate competitors.


Customer Value Analysis


A model that is used in targeting competitors is something called Customer Value Analysis (CVA). As its name
would indicate, CVA focuses on creating and exchanging value with customers. CVA is driven by
understanding how customers receive value from the products or services they receive. In exchange for delivering value
to the customer, the company receives something in return – profit. Thus, the main objective of CVA is to find
solutions that will drive profit growth.

Profit growth = Change in Revenue – Change in Cost

This CVA methodology can be explained by examining the relationship between the perceived benefits
customers identify with a product or service and their willingness to pay for those benefits. Benefits and
associated costs are grouped and analyzed to develop a single “value” measure that is both relative to
competition and empirically linked to business performance.

Thus,

Customer Value (CV) = Customer Benefits – Customer Costs

The benefits that a customer receives from a product or service, i.e., the satisfaction they gain from it,
determine the value that they place on the product or service. Thus, benefit is not the same thing as the
price of the good or service.

Regardless of what pricing a company chooses, the price the company charges has to be equal to or less than
the benefit that its customers place on the good or service.

If a company is able to lower its costs, then it can create more value for its customers. Or, alternatively, if the
company makes a product or service more valuable through superior design, performance, quality and
service, the company is also creating more value for its customers. When customers assign more value to a
product or service, they are willing to pay a higher price. Thus, a company has a competitive advantage if it
can create more value for its customers than its competitors.

Below, the Customer Value model illustrates this concept.

[Figure: Customer Value model. Benefits (Product Offering, Customer Service, Relationship, Image) are
weighed against Total Cost (Buy Price, Other) to arrive at Customer Value.]

• Customers buy on perceived value

• Value = benefits relative to cost

• Benefits = all non-cost attributes

• Benefits, costs, and value are perceived relative to competition

Source: Adapted from Bradley T. Gale, Managing Customer Value


Based on the results of the CVA, the company can target a class of competitors. For example:

• A company may decide that the best and cheapest way to gain market share is by targeting the
weaker competitors. However, this same company may decide instead that targeting the stronger
competitors would force it to have to improve its own product or service, thus being the more
appropriate strategy.

• Direct competitors are the most often targeted, e.g., Ford Taurus and Toyota Camry are direct
competitors, but indirect competitors can also be threats, e.g., coffee and mineral water are
indirect competitors.

Question 50: What is the proper order of steps in the establishment of a competitive intelligence system?

I. Data collection

II. Information dissemination

III. Planning and directing the system

IV. Feedback

V. Data Analysis

a) III, I, V, II and IV

b) III, II, I, V and IV

c) I, II, III, IV and V

d) II, III, IV, V and I

(HOCK)

Question 51: A company may decide that it is best for it to target a strong competitor. A viable reason
that a company may implement this type of strategy is because

a) It would be cheaper than targeting weaker competitors.

b) It would be forced to improve its own brand of product.

c) It wants to disturb the competitive equilibrium.

d) None of the answers are viable reasons to target a stronger competitor.

(HOCK)


Portfolio Techniques of Competitive Analysis


In strategic management, portfolio analysis describes the approach to analyzing markets, their future
potential for growth and profitability, and the position of the companies in the market.

There are a number of portfolio models that are used for strategic management, but we will cover only two:

1) The BCG growth-share matrix

2) GE multifactor analysis

BCG growth-share matrix


One of the most frequently used portfolio models for competitive analysis was created by the Boston
Consulting Group (BCG). This matrix provides a framework for senior management in allocating resources
among their business units in a diversified organization by:

• Balancing cash flows among business units, and

• Balancing stages in the product life cycle (PLC).

This model has two variables: the market growth rate (MGR) is on the vertical axis, and the company’s
relative market share (RMS) on the horizontal axis.

The growth-share matrix has four quadrants: Stars, Question Marks, Cash Cows and Dogs.

The firm’s SBUs are commonly plotted on the matrix as circles. The size of each circle is directly proportional
to the SBU’s sales volume. Thus, a large circle represents an SBU with large annual sales.

BCG Growth-Share Matrix

                                   Relative Market Share (Cash Generation)
                                   High              Low
Market Growth Rate     High        STARS             QUESTION MARKS
(Cash Usage)           Low         CASH COWS         DOGS


Resources are allocated to SBUs according to where they are situated on the grid.

• Cash Cows are business units that have large market share in a mature, slow growth industry. Cash
cows, as their name indicates, generate good cash flow. This cash can then be invested in other
business units.

• Stars are business units that have large market share in a fast growing industry. Stars generate
good cash flow, but because the market is growing fast, these companies require high investment in
order to maintain their lead. If these companies become successful, a star can become a cash cow
when the industry matures. If they fail to hold market share, they become dogs.

• Question Marks are business units that have small market share in a high-growth market. Question
Marks can become cash traps and gambles. They have high cash needs because of their growth, but
their cash flow is low because their market share is low.

• Dogs are business units that have a small market share in a mature market. A dog may not require
much cash to sustain it, but it ties up capital that could be better spent on other higher-growth
projects.

Strategies and Products


The BCG matrix model is useful for management because it can help formulate strategies to achieve
objectives, depending on where it is on the matrix. The primary strategies are:

• Hold strategy. This strategy is used to defend and maintain market share. It is a strategy that is
typically used by cash cows.

• Build strategy. This strategy is used when there is a chance that a question mark can become a
star. With this strategy there is a need for a lot of investment to increase market share.

• Harvest strategy. This strategy is typical for companies that hope to maximize their short-term
cash flows. This generally means that companies cut out all unnecessary cash disbursements, such
as cutting its marketing expenses, reducing R&D, not replacing needed facilities, etc.

• Divest strategy. This strategy is typically used for companies that are question marks, or dogs. The
purpose of divesting is to be able to take the proceeds of the sale or liquidation and invest them in
more favorable business units.


GE/McKinsey Multifactor Matrix


This GE/McKinsey multifactor matrix was developed by General Electric’s planners, but drew on
McKinsey’s approaches. The matrix is conceptually similar to the BCG growth-share matrix, but it is somewhat
more complicated. Each SBU is classified jointly by market attractiveness and the strength of the competitive
position. This matrix is sometimes called a nine-block matrix because each of the two dimensions is divided
into three levels. Business strength is on one axis, and industry attractiveness is on the other. Business
strength is classified as strong, medium, or weak and industry attractiveness as high, medium, or low.

The SBUs are shown on the matrix as circles. The size of the circles is proportional to the size of the related
market and the circles may have a shaded portion that represents the SBU’s market share.

                                      Industry Attractiveness
                         High                  Medium                              Low
Business     Strong      Protect Position      Invest to Build                     Build Selectively
Strengths    Medium      Build Selectively     Selectively / Manage for Earnings   Limited Expansion or Harvest
             Weak        Protect and Refocus   Manage for Earnings                 Divest

Both axes are scaled from 5.00 to 1.00, with divisions at 3.67 and 2.33.

Legend: Invest/Grow; Selectivity/Earnings; Harvest/Divest

Source: GE & McKinsey & Co.

The GE matrix is particularly useful when developing a 3-5 year forecast. These forecasts can be made to
estimate each of the SBU’s position given the current strategy, the stage of product life cycle, competitor
actions, and other events.


Question 52: An SBU has a relative market share of 2.5x, and a market growth rate of 15%. Based on
BCG’s growth-share matrix, the SBU would be in which quadrant?

a) Cash cow

b) Star

c) Question mark

d) Dog

(HOCK)

Question 53: An SBU has an industry attractiveness of 3.80x, and a business strength of 3.15x. Based on
GE/McKinsey multifactor matrix, the SBU would be in which quadrant?

a) Invest to build

b) Protect position

c) Build selectively

d) Selectively/manage for earnings

(HOCK)

Question 54: Which of the following would best describe a cash cow?

a) Have a small market share in a mature industry.

b) Have a large market share in a fast growing industry.

c) Have a small market share in a high growth market.

d) Have a large market share in a mature, slow growth industry.

(HOCK)


Market Signals
According to Michael Porter, a market signal is “any action by a competitor that provides a direct or indirect
indication of its intentions, motives, goals or internal situation.”

Thus, market signals become the means of communicating to the market place and are an essential input in
competitive analysis and in the development of competitive strategies.

Example: A smaller company would signal that it does not intend to build market share if it decided to
reduce its capacity, which would limit the amount of a larger company’s demand that it can steal.

Companies need to keep in mind that not all signals are accurate and, in fact, some signals may be
misleading. Therefore, it’s imperative for companies to have some kind of understanding of their competitors,
so as not to be deceived by, or ignore, their signals.

Market signals can be classified as either true signals, or as bluffs.

• When the competitor carries through with its intent, this is referred to as a true signal.

• A bluff, on the other hand, is the intent to mislead or deceive the competition. For example, a
company may issue a threat to a competitor in order to stop its actions even though following
through with the threat would be unbeneficial to the company. But, a company has to be careful
about playing the bluff game because there is always a chance that the company could lose
credibility for future announcements.

The major types of market signals are:

• Prior announcements of moves. These are formal communications made by a competitor that
indicate that it will, or will not, take some action, such as building a plant or changing its
price. These prior formal communications can serve many functions:

– They can be attempts to preempt other competitors by seeking to get buyers to make a
commitment to wait for its new product instead.

– They may be announcements of possible threats of action if the competitor chooses to follow
through with a planned move.

– They can test the competitor’s sentiment by taking advantage of the fact that they do not
necessarily need to be carried out.

– They can be a means of communicating pleasure or displeasure with the competitor’s actions.

– They can be a way of minimizing provocation of a forthcoming strategic adjustment.

– They can help to avoid costly simultaneous moves, such as capacity expansion, where the
addition of new plants might cause overcapacity in the industry.

– They can be communicated to the financial community, for example, to boost stock price or
improve the reputation of the company.

– Or, they may sometimes be used to gain internal support for a move. For example, a company
may announce something publicly as a means of cutting off internal debate.

An important distinction to make is to discern whether the prior announcement is an attempt at
preemption or is a conciliatory move.

When announcements are made far in advance, they tend to be conciliatory. This has to do with the
timing of the announcement.

On the other hand, the form of media can play a big part in how the announcement is perceived.
For example, an announcement in a specialized trade journal is likely to be noticed only by
competitors or other industry participants. This may carry a different connotation from an announcement
that was made, say, to a group of security analysts, or to a national press corps.

© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. 99

• Public discussion of the industry by competitors. It is not unusual for competitors to discuss
their thoughts on the condition of the industry, i.e., forecasts of demand and prices, forecasts of
future capacity, material cost increases, etc. These discussions may be an attempt by the company
making the comments to interpret industry conditions in such a way as to improve its own
competitive position.

• Competitors’ discussions of their own moves. Competitors who discuss their own moves may be
trying to signal that a move is appropriate and not provocative. This kind of signal is conciliatory.

• Divergence from industry precedent. These signals are usually aggressive signals and could alert
the competition to a change in strategy or direction. For example, if the company were to start
offering discounts, or other promotional schemes that are not the industry norm, this could alert
the competition to the intent to take a more aggressive marketing position.

• Cross-parry. This is a situation in which a company initiates a move into one area and a competitor
responds in a different area that affects the initiating company. By responding indirectly, the
defending company may well be trying not to trigger a set of destructive moves and countermoves in
the encroached-upon market, yet clearly to signal displeasure and raise the threat of serious
retaliation later.

• Fighting brand. A company introduces a fighting brand when it feels threatened by a competitor. In
these cases, the threatened company introduces a brand that has the effect of punishing or
threatening to punish the source of the threat. For example, Coca-Cola introduced a new soft drink
called Mr. Pibb in the mid-1970s, which tasted somewhat like Dr. Pepper. Dr. Pepper was gaining
market share and Coca-Cola wanted to slow down or reduce Dr. Pepper’s share.

• Private antitrust suits. Governmental antitrust suits are, of course, more serious than private
suits. In a private suit, the plaintiff can dismiss the suit at any time, and the suit may be an
indication of displeasure with a company’s competitive price cut. But a suit filed by a large company
against a small company can have a negative impact on the small company, regardless of the outcome.
For example, the legal costs of the suit might be a long-term distraction for the small company.

An aspect of competitive analysis is the use of history as a basis to improve one’s ability to read signals
accurately. This can be done by studying the historical relationship between the company’s announcements
and its moves. But, the danger is that this relationship may not always hold true.

Question 55: A marketing scheme that is not generally seen in the industry is an example of a

a) Divergence from industry norms.

b) Divergence from objectives

c) Bluff.

d) None of the above.

(HOCK)

Question 56: The danger of a bluff is that it could

a) Alert the competition to a change in strategy/direction.

b) Alert the competition of its own intent.

c) Hurt the credibility of the company for future announcements.

d) None of the above.

(HOCK)


Industry Evolution
As we discussed earlier, the five forces model that was designed by Porter is a business strategy tool used
to make an analysis of the attractiveness (value) of an industry structure. The main fundamental forces that
affect structure and influence the attractiveness of the market are:

• Entry of competitors. How easy or difficult is it for new entrants to start competing, and
what are the existing barriers to entry?

• Threat of substitutes. How easily can a product or service be substituted for another product?

• Bargaining power of buyers. How strong is the position of the buyers?

• Bargaining power of suppliers. How strong is the position of the sellers? For example, does
a supplier enjoy monopolistic power?

• Rivalry among the existing players. What is the strength of the competition between the existing
companies? Is one company more dominant than the others, or are they all about the same strength
and size?

However, Porter recognized that the company’s structure and competitive advantage would evolve over time.
Therefore, in order for a company to maintain its competitive advantage, it is essential that it has the ability
to recognize changes early on and can make prompt adjustments in its strategies. The sooner these
adjustments can be made, the lower the cost of the adjustment and the greater the benefits to the company.

Evolutionary Processes
In his book, Competitive Strategy, Porter talks about evolutionary processes as being the “incentives and
pressures” that cause an industry to change over time. The rapid change of today’s technology has only
added to the speed at which these changes are occurring, thus making sound strategic management even
more crucial for company success.

The major types of evolutionary processes described by Porter are listed below. Although these evolutionary
processes tend to be common to all industries, the speed and direction of change may vary.

• Long-run changes in growth rate. This factor has perhaps the greatest effect on the evolution of
an industry. The greater (lesser) the perceived growth potential of an industry, the greater (lesser)
the effect it will have on competition, expansion, and supply. The following factors are why long-run
industry growth changes:

– Demographics - Distribution of age groups, income elasticity, geographic changes, disposable
income.

– Trends in needs - Changes in lifestyle, tastes, philosophies, and social conditions of the buyer
population.

– Changes in the relative position of substitutes – A company must identify all the substitute
products that can meet the needs of the product consumers.

– Changes in the position of complementary products – For example, mobile homes to mobile
parks, credit at prevailing interest rates to purchases of durable goods, mining engineers to
coal miners.

– Sales to new customers (market penetration) – An industry must essentially reach complete
penetration. The industry’s growth rate is then determined by its replacement demand.

– Product change – Product innovation allows the industry to serve new needs and improve the
industry’s position against substitutes, and it can eliminate or reduce the necessity of scarce or
costly complementary products.


• Changes in buyer segments served. This occurs when new segments are created, or old
segments are dissolved. Thus, industry structure evolves to meet the needs of new customers. For
example, light aircraft were initially sold to the military and later to private and commercial users.

• Learning by buyers. As buyers become better informed and more sophisticated about the products
they buy, there tends to be a decrease in product differentiation. This is because buyers increasingly
demand products with similar quality and service. Thus, to overcome this effect, a company can
change the product or its marketing, or market to less informed and sophisticated buyers.

• Reduction of uncertainty. A reduction in uncertainty and risk can lead to the attraction of new and
larger competitors, particularly if the market potential is large.

• Diffusion of proprietary knowledge. Proprietary knowledge can be dispersed in a number of ways.
For example, dispersion may be the result of the expiration of a patent, spin-off of an operating
segment, or personnel leaving to new organizations. Thus, new competitors may emerge as
proprietary knowledge is dispersed through the industry.

• Accumulation of experience. The learning curve is where manufacturing cost per unit decreases
as personnel become more experienced and efficient in the production of goods. However, the effect
of the learning curve may not be as significant due to the diffusion of proprietary knowledge.

• Expansion (or contraction) of industry scale. Expanding industries tend to experience greater
economies of scale, but capital needs are greater as well, making it harder for market entry. Also, in
these circumstances, suppliers and customers tend to gain bargaining power. A contracting industry
would have the opposite effect of an expanding industry.

• Changes in input costs, quality and exchange rates. Changing input costs has a great impact
on consumer demand by affecting cost and price of the product. These changing costs affect the
economies of scale, and may encourage the substitution of inputs. Changes in quality and exchange
rates can have similar effects on competition.

• Product innovation. This involves the introduction of goods or services that are new or
substantially improved. Product innovation can be from external or internal sources. Many
innovations flow vertically, originated by customers and suppliers, where the industry is an
important customer or source of inputs.

• Marketing innovation. Marketing innovation is the development of new marketing methods with
improvement in product design or packaging, product promotion or pricing. This can lead to
increased sales by appealing to new buyers, or lowering costs.

• Process innovation. This involves the implementation of a new or significantly improved production
or delivery method.

• Structural change in adjacent industries (buyers and suppliers). Structural changes in these
industries have a direct impact on their bargaining power. For example, when there are a number of
dominant buyers, their bargaining power is greater. On the other hand, when there are only a few
suppliers, their bargaining power is likely to be less.

• Government policy change. The government can have a profound effect on industry evolution by
regulating entry, competitive practices, licensing, and pricing. Government policies also have an
effect on global competition through the use of tariffs, import quotas, and embargoes.

• Entry and Exit. Changes in either one of these factors will affect the ability of companies to enter or
exit an industry, which has an effect on competition. Firms enter an industry when they believe the
growth potential and profits justify the costs of entry. On the other hand, the exit of firms from the
industry is caused by diminishing returns on investments. The exit of firms will improve the strategic
position of the other remaining firms, but exit barriers may sometimes prevent a firm from leaving a
market.


Key Relationships in Industry Evolution


An industry is an interrelated system; thus, a change in one element of an industry’s structure tends to
trigger changes in other areas. For example, marketing innovation (improved design or packaging) can
lead to a new buyer segment, and then serving this new segment can trigger changes in manufacturing
methods, which can increase economies of scale. Therefore, we can see that the system became
more efficient and effective simply by improvements in marketing.

The tendency is for industries to consolidate over time, but this may not always be the case. Whether
an industry consolidates or not can depend on the following factors:

• Industry concentration and mobility barriers move together. Therefore, it is possible to predict
increases in industry concentration if mobility barriers are high, or are increasing.

• If mobility barriers are low or falling, no concentration is expected to take place.

• Exit barriers deter concentration by keeping less successful firms in the industry.

Question 57: Porter described several evolutionary processes. Which one has the effect of lowering
manufacturing cost, as personnel become more experienced and efficient in performing their jobs?

a) Changes in input costs.

b) Learning curve effect.

c) Structural changes in suppliers’ and customers’ industries.

d) Government policies.

(HOCK)

Product Life Cycle


Product life cycle is another useful concept in the analysis of industry evolution. Products tend to go through
five stages as shown below. The five stages are: product development, introduction, growth, maturity,
and decline.

[Figure: The Product Life Cycle. Sales and profit and loss plotted against time across the Development, Introduction, Growth, Maturity, and Decline stages.]


Development Stage
In essence, this is the incubation stage of the product life cycle. As indicated by the chart, there are no sales
and the firm is preparing to introduce the product. It is in this stage that R&D, market research and product
testing are conducted.

Introduction Stage
The introduction stage of the product life occurs when the product first enters the market. In this stage, sales
grow slowly, and profit is generally negative. This negative profit is the result of additional costs associated
with the initial distribution of the product. In addition, advertising costs are going to be higher in order to
increase customer awareness of the product.

Growth Stage
The growth stage is the third stage of the product life cycle. Growth is characterized by dramatic increases in
sales, and it is generally in this stage that new competition appears. In addition, cost per customer decreases,
new product models and features are introduced, and promotion spending declines or remains stable.

The pricing strategy during the growth stage is to maintain prices as the company is enjoying little
competition, with high demand.

Maturity Stage
Maturity is characterized by a leveling off of sales. During this stage competition has appeared with similar
products. The primary objective of the company is to maintain market share while maximizing profit.

The pricing strategy during this stage is to defend market share. This may mean lowering prices in order to
retain the company’s customer base. Today, the majority of products are in the maturity stage.

Decline Stage
The decline stage is really the beginning of the end of the product. During this stage, sales and profits
steadily decline. In some cases, the product enters this stage not so much because of a wrong strategy, but
because of environmental changes. New technology plays a huge role in the decline of many products. For
example, the introduction of CD players led to the decline of record players, and new video cameras led to the
discontinuation of 8 mm movie cameras.

To handle the declining product, management will follow one of three strategies:

• Discontinuing the product. This is the most drastic option.

• Harvesting the product. This is when the company retains the product but reduces support costs.
The purpose of this option is to maintain the ability to meet customer needs.

• Maintaining the product. The company may be able to rejuvenate the product by adding new features
and finding new uses.

The decline stage is often the most difficult for a company to address. But, products in decline often tend to
consume a disproportionate share of management time and financial resources relative to their worth.


Question 58: Brands, products and technologies have life cycles with product life-cycle stages, each
requiring different strategies. Which of the following is false?

a) Introduction stage: slow growth, low profits, but if successful, the product enters the growth stage.
The majority of products today are in this stage.

b) Growth stage: rapid sales, increasing profits.

c) Maturity stage: sales growth levels off or slows down, profits stabilize.

d) Decline stage: all aspects decline.

(HOCK)

Question 59: In the product life cycle, the first symptom of the decline stage is a decline in the

a) Firm’s inventory levels

b) Product sales

c) Product’s production cost

d) Product’s prices

(IIA adapted)

Question 60: At the introduction stage of an innovative product, profit growth is normally slow due to

a) Expensive sales promotion

b) High competition

c) A mass market

d) Available alternatives

(IIA adapted)

Question 61: During the growth stage of a product’s life cycle:

a) The quality of products is poor.

b) New product models and features are introduced.

c) There is little difference between competing products.

d) The quality of the products becomes more variable and products are less differentiated.

(IIA adapted)

Question 62: While auditing a marketing department, the internal auditor discovered that the product life
cycle model was used to structure the marketing mix. Under such a philosophy, the price charged on a
consistent basis for a specific product would probably be lowest during which life cycle stage?

a) Introduction stage

b) Growth stage

c) Maturity stage

d) Decline stage

(IIA adapted)


Question 63: While auditing a marketing department, the internal auditor discovered that the product life
cycle model was used to structure the marketing mix. The manager has asked the auditor for advice
about increasing advertising of various products. During which stage of the life cycle would it be
appropriate to advertise that the company product is the lowest price and best quality of all competitors?

a) Introduction stage

b) Growth stage

c) Maturity stage

d) Decline stage

(IIA adapted)

Question 64: While auditing a marketing department, the internal auditor discovered that the product life
cycle model was used to structure the marketing mix. Under such a philosophy, the opportunity for cost
reductions would be greatest in which stage of the life cycle?

a) Introduction stage

b) Growth stage

c) Maturity stage

d) Decline stage

(IIA adapted)

Industry Environment
In the previous section on Industry Evolution, we discussed a product’s life cycle. Now, we will cover
competitive strategies related to fragmented industries, emerging industries and declining industries.

Fragmented Industries
According to Michael Porter, in his book Competitive Strategy, fragmented industries have many small
competitors and have structural factors that inhibit concentration.

Note: As a rule of thumb, an industry is considered to be concentrated if five or fewer firms control 60%
or more of market share. If the two largest firms have market shares within 10% of each other, then the
industry is balanced.

Examples of fragmented industries include the book publishing industry, restaurant industry, clothing
retailers, barbers, furniture, agriculture, computer components/hardware retail, and construction. It is these
industries that most closely approximate what economists call pure competition.

The economic reasons for fragmentation may include:

• Low barriers to entry need to exist in order for competition to remain strong.

• Economies of scale and the effect of the learning curve are generally not present in
fragmented industries. This is because operations tend to be simpler or less labor intensive.

• High transportation costs may offset the effects of economies of scale, thus giving smaller firms
an equal chance to compete.


• High inventory costs, like high transportation costs, may also offset the effects of economies of
scale.

• Bargaining power of suppliers and buyers may be so strong that the size of the firm may not
provide any additional advantage.

• Lack of standardization, or lack of need for it, usually favors fragmentation by keeping entry
barriers low.

• Exit barriers minimize concentration by keeping firms in the industry.

• Local regulatory requirements make each geographic area unique. These can act as an
impediment to concentration.

• Government anti-trust regulations act as an impediment to concentration.

• Newness of industry means that firms have not yet had the ability to concentrate.

Overcoming Fragmentation
The payoff of overcoming fragmentation can be high, given that the costs of entry are, by definition, low
and there tend to be small and relatively weak competitors who offer little threat of retaliation.

If the factors that prevent consolidation of the industry can be overcome, the industry structure will change.
The factors that can overcome fragmentation are:

• Using technology to create economies of scale.

• Standardize diverse market needs. This may come about from the creation of a new product that
coalesces buyers’ tastes. Another possibility is that a design change might dramatically lower the
cost of the standardized variety, thus leading buyers to judge the standardized product as a better
value than the expensive, custom variety.

• Neutralize, or split off, the aspects most responsible for fragmentation. A good example of this is the
fast food industry, where the industry relies on tight local control and on maintaining good
service. These needs were isolated or neutralized by franchising to local owners. The franchisor
is responsible for national marketing, centralized purchasing, and other services that can provide
significant economies of scale, leading to industry consolidation.

• Another approach, when there are numerous buyer segments or where there is extreme product
differentiation, is for the firm to use multiple brand names to appeal to the tastes of different
customers.

• Acquisitions can allow firms to expand even if they find it difficult to compete against local firms
because of their contacts and image.

• Recognize industry trends early. As industries mature they tend to naturally consolidate, particularly
if the primary source of fragmentation is due to the newness of the industry. Exogenous factors,
such as technology changes, can lead to consolidation by altering the causes of fragmentation.

• Industries that are “stuck” for reasons other than underlying economic factors.

o Existing firms lack the resources, skills, or other factors that are needed for consolidation.

o Existing firms are myopic or complacent.

o Outside firms do not recognize the opportunity offered by the industry because the firms
thought to be “stuck” in a fragmented state are new, small or obscure.


Coping with Fragmentation


If the industry’s fragmentation is caused by underlying economics, strategic positioning of
the firm is of particular significance. The challenge is to cope with fragmentation and become successful, even
if the firm is able to garner only a modest market. Strategies to cope with fragmentation include:

• Tightly managed decentralization might be an appropriate strategy to cope with fragmentation
when local management, tight control, and personal service are the critical success factors.

• Formula facilities are a matter of standardizing products in order to reduce costs and improve
operating revenue.

• If products or services cannot be significantly differentiated, then the best way to increase value
added may be to provide more service with the sale, such as assembly of components before they
are sold to the customer.

• Specialization by product type, or product segment, is a focus strategy. A focus strategy can
enhance the bargaining power with suppliers, but the downside of this strategy is that it does not
offer many growth opportunities. Other focus strategies might include specialization by customer type,
type of order, or geographic areas.

• Bare bones, no frills cost strategy is characterized by low overhead, tight cost control, and low
payroll.

Potential Strategic Traps


• Seeking dominance is usually a futile strategy unless there is a basic change in the
industry’s structure.

• Lack of strategic discipline can cause a firm to stray from an appropriate strategy.

• Overcentralization can often be a problem in an intensely fragmented industry where local
management, tight control and personal service are critical success factors. A centralized structure is
counterproductive in most cases because it slows response time, lowers the incentives of those at
the local level, and can drive away skilled individuals necessary to perform many personal services.

• Assumptions that are wrong can cause the wrong strategy to be implemented, e.g., an
assumption might be that competitors have the same overhead and objectives. Small, privately owned firms
may have noneconomic reasons for being in business, so assuming that these competitors will have
the overhead structure or objectives of a corporation may be a serious error.

Formulating Strategy
Porter developed the following steps for formulating competitive strategy in fragmented industries.

• Determine the industry’s structure and understand who are the industry’s primary competitors.

• Create a list of the main reasons for the industry’s fragmentation.

• Conduct analysis to determine whether fragmentation can be overcome, and how it can be
overcome.

• Assuming that the fragmentation can be overcome by developing a new structure, analyze
whether the new structure can provide acceptable results, i.e., profit and market share.

• If fragmentation is inevitable, then the firm needs to select the best strategy to operate in the
fragmented industry.


Question 65: In which of the following industry environments would an internal auditor be most likely to
recommend strategies such as franchising and horizontal mergers?

a) Emerging industries

b) Declining industries

c) Fragmented industries

d) Mature industries

(IIA adapted)

Question 66: The opportunity for franchising comes from the ability to

a) Develop products

b) Differentiate products

c) Standardize products

d) Diversify products

(IIA adapted)

Question 67: The characteristics of fragmented industries include the following:

I. Absence of visible market leaders.

II. Low entry barriers.

III. Absence of scale economies.

IV. High transportation costs.

a) I, II and III

b) I, III and IV

c) II, III and IV

d) I, II, III and IV

(HOCK)


Emerging Industries
An emerging industry is a “newly recognized group of firms selling similar products or services to an
identifiable set of customers.” An emerging industry is either:

• Evolving from an established industry, or

• Coming into existence from the development of new technology, or

• Arising from a new business concern that meets a need.

Porter observed that “no rules of the game” exist for an emerging industry, a condition that creates risks,
as well as opportunities. Features of an emerging industry are:

• There is strategic uncertainty about how fast demand for the product will grow and how big the
market will get.

• There is technology uncertainty in the products and production method, but there is an
opportunity to gain from technological know-how. Also, there can be rapid improvement in the
first-generation products.

• The market of an emerging industry is generally new and unproven (embryonic companies).

• Entry barriers tend to be low.

• The learning curve effect allows for significant cost reductions as volume builds.

• The customers, by definition, are first-time users. The marketing task involves inducing initial
purchase and overcoming customer concerns.

• Government subsidy. In cases where the technology is radically different there might be subsidies
for new entrants. But, subsidies based on political factors can cause instability by interfering in the
market.

Limits on Industry Development


Limitations on industry development can arise because the product is new and customers must still be
convinced to buy the product. Some problems constraining industry development might include:

• Inability to secure raw materials and components. Raw materials may be scarce because new
suppliers must be found or they may have to modify or expand their existing production output.

• Period of rapid escalation of raw material prices. Suppliers may increase prices to keep up with
demand.

• Absence of available infrastructure. The infrastructure might not be developed with regard to
distribution channels, service centers and skilled labor.

• Absence of product or technological standardization. The lack of standardization may cause
problems with the supply of raw materials and can impede cost improvements.

• Perceived likelihood of obsolescence. Sales may slow if buyers have the perception that rapid
obsolescence in the industry will occur.

• Customers’ confusion. Customer confusion can result from uncertainty in technology,
conflicting claims, and counterclaims by competitors. Confusion can cause buyers to postpone
purchases.

• Lack of consistent product quality. Quality problems could result from the lack of agreed-upon
technical standards, or because there are a number of new firms.

• Image and credibility with financial community. If the industry is suffering an image and
credibility problem, financial institutions may be unwilling to provide capital at reasonable rates, and
thus, customers may have trouble getting credit.


• Regulatory approval. Approval may be difficult to obtain, thus stunting growth. On the other
hand, a favorable government policy may help to get the industry off the ground, for example, when
the use of safety products becomes mandatory.

• Firms often run short of funds for R&D and start-up. Firms may underestimate the initial
start-up costs, thus creating risk for the industry.

• Response of threatened entities. Entities may respond if they feel threatened. For example,
construction unions fought bitterly against modular housing.

Early and Late Markets


Assessment of early and late markets is necessary because it can shape product development and
marketing efforts and can help forecast structural evolution. Markets, market segments and particular buyers
within the segment may greatly differ on the receptivity of a new product. Factors that affect this receptivity
are listed below:

• The nature of the benefits for buyers. Benefits to the buyer may be in the form of a
performance advantage not found in other methods, or the benefit may be purely a cost advantage.
Generally, early market purchases are because of performance advantages.

• Technical performance required to obtain significant benefit. In order to gain significant
benefit by early adoption, the buyer may require a different level of development for the product.

• Cost of product failure. The higher the cost of product failure, the later the buyers will adopt.

• Switching costs. Switching costs will vary among buyers, e.g., purchase and disposal of
equipment, service support requirements, etc.

• Cost of obsolescence. The cost of obsolescence is less if buyers can be convinced that their needs
can be met with initial purchases.

• Governmental, regulatory, or labor barriers. Each buyer will face different constraints, or
barriers.

• Perception of technological change. The perception of change will depend on the sophistication
of the buyer. For example, some may perceive change as a threat, whereas others might see change
as an opportunity.

• Personal risk to the decision maker. The greater the risk to the decision maker, the less likely
early adoption is.


Strategic Choices
• The firm should try to win the race for industry leadership by employing a bold, creative strategy on
such matters as pricing and marketing.
• To appeal to first-time buyers, the firm should set in motion the ability to:
o Improve the production process and product quality.
o Develop attractive performance features that will attract new customers.
o Shape the rules of competition.
• Be aware and try to take advantage of the changing role of suppliers and distribution channels.
They may become more accommodating as the industry grows.
• Shift advertising focus from building product awareness to increasing frequency of use and creating
brand loyalty. The firm may want to use price cuts to attract price-sensitive buyers.
• Move quickly when the firm’s technological advantage disappears. The firm may not be able to rely
on proprietary technology as an advantage. Thus, it may be necessary to respond by making large
capital investments.

Businesses that develop a successful strategy in an emerging industry have the following common
characteristics:

• They employ the concept of Bold Entrepreneurship. As mentioned above, the firm employs a bold,
creative strategy.

• They are willing to be a pioneer and take risks.

• They have an intuitive feel for what buyers will like and how they will use the product.

• They are able to quickly respond to new developments.

• They have an opportunistic strategy-making way of thinking.

Question 68: Features of an emerging industry might include all of the following except

a) High entry barriers

b) Few producers

c) Underdeveloped markets

d) Difficulty in procuring raw materials

(HOCK)

Question 69: What would be considered to be limitations to an emerging industry?

I. Difficulty in procuring raw materials.

II. Lack of consistent product quality.

III. Lack of available infrastructure.

a) I only

b) II only

c) II and III

d) I, II and III

(HOCK)


Declining Industries
A declining industry is one that experiences an absolute decline in demand for its products over the long run.
As competition intensifies over time, the number of competitors usually declines and the larger companies in
the industry often increase their market share.

Note: The railroad industry is a good example of a declining industry. This industry experienced decreased
demand, largely due to newer and faster means of transporting goods, primarily air transport and trucking,
and it also failed to remain competitive in pricing, compared to the benefits of faster and more efficient
transport provided by airlines and trucking services.

Michael Porter’s view is that industries in decline will not correspond exactly to the decline stage in the
product life cycle. The general prescription for decline is the harvest strategy, but Porter suggests that the
nature of the competition, as well as the range of strategic choices available to companies during the decline
phase, is widely diverse and varies from industry to industry. It may be possible for some industries to
deal with the decline without the intense rivalry, long-term excess capacity, and large operating losses. While
some firms might be inclined to exit the industry, some might not harvest at all. The more common
characteristics of a declining industry might include:

• Consumer demand may be steadily evaporating.

• The depletion of a natural resource may be occurring.

• There may be emergent substitutes because of technological innovation.

Structural Determinants of Competition in Decline


The reality of a declining industry is that as demand decreases, profitability is eroded. This leads to more
intensive competition among the active players. But, there are a number of conditions that will influence the
extent of this erosion.

1) Conditions of demand. Competition for remaining sales will be heavily influenced by the conditions of
demand and the nature of the market segments.

• Uncertainty about demand will influence whether a firm will try to hold onto its position and remain
in the industry, or get out. For example, if a firm believes that industry demand will continue to
decline, it will facilitate the process of withdrawing capacity from the market.

• Rate and pattern of decline has a direct influence on uncertainty.

• Structure of remaining demand pockets has a major influence in determining whether the
remaining competitors can be profitable.

• Causes of decline of industry demand will depend on a number of different factors. These factors
include:

o Technological substitution. This is where the source of decline is created through technological
substitution, e.g., electronic calculators for slide rules.

o Demographics. This is where there is a decline in the size of the customer base.

o Shifts in needs. This is where there is a decline in demand for reasons that change the buyers’
needs or taste.

2) Exit barriers. These barriers are an important factor in determining how much capacity leaves the
market. High exit barriers can keep companies competing in declining industries even though these
companies might be earning below normal returns on investment. Exit barriers might be due to a
number of fundamental sources, including:

• Durable and specialized assets. If the assets to be sold (fixed or working capital) are highly
specialized, then the liquidation value of the company’s investment is diminished.


• Fixed costs of exit. If fixed costs of exiting are substantial then this can reduce the effective
liquidation value of the business.

• Strategic exit barriers. A company that is highly diversified may face barriers if the part that is to
be liquidated is important to the firm, e.g., important to the company’s image, relationship with
distributors, etc.

• Information barriers. This would be applicable if the business to be liquidated shares assets or has
buyer-seller relationships that make it difficult to get clear information about the true performance
of the business.

• Managerial or emotional barriers. Sometimes the factors that go into making the decision to exit
a business go beyond just economic considerations. There might be a managerial or emotional
attachment to the business that keeps it from liquidating.

• Governmental and social barriers. In some situations there might be governmental and social
barriers that keep a company from exiting a business. For example, it might be impossible for a
company to exit a business because the government is concerned about the potential for lost jobs
and impact on the local community.

• Mechanism for asset disposition. The method by which assets are disposed of can greatly influence
the profitability of a declining business. For example, if a business is sold at a discount, the lower
investment base might allow the new managers to make decisions on pricing and other aspects of
strategy that are rational to them, but would be ruinous to the remaining companies.

3) Volatility of Rivalry. Rivalry can be much fiercer in a declining industry. This rivalry is more intense in
the following situations:

• The product is viewed as a commodity.

• Fixed costs are high.

• Exit barriers are high.

• Companies perceive it as important to maintain their position in the industry.

• Companies are equally balanced so no one firm is able to win the competitive battle.

• Companies are tempted to make ill-advised efforts when they are uncertain about their competitive
positions.

Strategic Alternatives in Decline


• A business could pursue a leadership strategy that it believes will allow it to increase market share
and become the dominant player. This type of strategy entails having aggressive pricing and
marketing schemes. It might also mean investing more in the sector, thereby raising the stakes for the
competition.

• Pursue a focus strategy by exploiting growth segments within the industry. This could include
going after a niche segment.

• Pursue a harvest strategy that allows the business to have a controlled, gradual liquidation. Taking
on this type of strategy can let the business maximize cash flow by minimizing costs on such items
as advertising, R&D, maintenance, etc.

• Have a quick divestment strategy that allows the business to have the highest net recovery. But
businesses do need to be careful about divesting too soon. A business could be wrong in its
assessment as to the onset of the decline stage.


Choosing a Strategy for Decline


The process of choosing a strategy for decline is to match the desire of remaining in the industry with the
firm’s current position. The framework for viewing the company’s choice of strategies is shown below.

| | Has Strengths Relative to Competitors for Remaining Pockets | Lacks Strengths Relative to Competitors for Remaining Pockets |
|---|---|---|
| Favorable Industry Structure for Decline | Leadership or Niche | Harvest or Divest Quickly |
| Unfavorable Industry Structure for Decline | Niche or Harvest | Divest Quickly |

Firm’s Strategic Needs to Remain in the Business

Source: Adapted from Michael E. Porter, Competitive Strategy

Question 70: Which of the following is not a characteristic of a mature industry environment?

a) Consolidation

b) Competitive interdependence

c) Declining demand

d) Strategic focus on deterring entry of new competitors into the marketplace

(IIA adapted)


Competition in Global Industries


Porter defines a global industry as “one in which the strategic positions of competitors in major
geographic or national markets are fundamentally affected by their overall global positions.”

Today, people around the globe are becoming increasingly connected to each other as never before. Now, you
can send an email anywhere, instantly, or be part of the 3.0 billion viewers watching World Cup games. Being
connected means that information and money flow more quickly. It also means that goods and services
produced in one part of the world are available in all parts of the world. For example, tuna caught in the North
Atlantic can be served the next day at a sushi bar in Japan. We refer to this phenomenon as “globalization.”

The International Monetary Fund (IMF) defines globalization as “the growing economic interdependence
of countries worldwide through increasing volume and variety of cross-border transactions in goods and
services, free international capital flows, and more rapid and widespread diffusion of technology.”

What this globalization means for businesses is that their competitive analysis must often address
the issues of global competition, whether the company is global or domestic.

• A true global industry is considered to be one in which companies have to sell internationally. If
non-multinationals are able to compete in the local or national market then the industry is not
considered to be global. A good example of a true global industry is the automobile industry, where all
businesses within the industry do compete internationally.

• Even though there are differences between global and domestic competition (e.g., government
policies vary from country to country, as well as cost structure, availability of resources, market
conditions and other factors), Porter’s five forces model is still a workable model that can effectively
address foreign competition.

• The issue for companies is to decide whether to compete globally and the extent of the threat from
global competition.

There are several methods that individual companies use to enter a foreign market. These methods are
discussed in more detail in Section H (Global Business Environment), but in brief they include licensing,
indirect and direct exporting, foreign direct investment (FDI), local component assembly and joint
ventures. Which participation method a company chooses will depend on its willingness to commit financial,
physical, and managerial resources.

Sources of global competitive advantage are discussed first, and then the impediments to global competition.
Both these factors affect how, and how fast, an industry will evolve.

Sources of Global Competitive Advantage


• Economies of Scale in production (centralized) can make it feasible to export to another
country if the output exceeds local demand. In these cases, the business can experience increased
economies of scale.

• Logistical economies of scale can be realized if businesses are able to improve their logistical
systems, e.g., Wal-Mart.

• Marketing economies of scale can be realized if businesses are able to market products in
multiple national markets without having to customize advertising, increase the sales department, etc.

• Purchasing economies of scale can be realized if a global business is able to exert bargaining
power over suppliers.

• Global experience. As a business gains experience in the global marketplace, it can get maximum
cost benefit, which can help it gain cost advantage when similar products are sold in multiple
markets.


• Product differentiation incorporates differentiating features that cause buyers to prefer a
company’s product or service to rivals’ brands. It is possible that selling globally can enhance the company’s
national brand.

• Proprietary technology may be applicable in several national markets, thereby giving the business
a competitive advantage. Also, by marketing globally, the firm has a better chance of staying in touch
with changing technology.

• Mobility of production lets a firm achieve economies of scale by being able to move production to
nations where input costs are lower.

Impediments to Global Competition


Many companies have tried their hand at international marketing and failed. Some of the impediments to
global competition include:

• High storage and transportation costs could offset other cost advantages that the company
enjoys. To counter these higher costs, the company might have to build in-country facilities, thus
increasing costs and eroding profitability.

• Low worker productivity might offset the company’s lower wage rates.

• Customization of product might entail having to redesign the product based on different needs,
values, customs, and languages. Customization increases cost, eroding the company’s competitive
advantage.

• Limitations to established distribution channels could act as a market entry barrier. These
barriers might be resolved only if substantial concessions are made in order to induce the channel to
substitute the product for a domestic producer. These concessions might cause diseconomy of scale.

• Government impediments are designed to protect local jobs and businesses. Impediments might
include quotas, tariffs, and country content rules. Higher government taxes on foreign operations
would benefit local businesses as well.

• Financial resource limitations might mean that the company has to commit financial resources,
e.g., build a plant, etc., that otherwise were not part of the firm’s finance plan.

• Complexity of global competition might cause the company to think twice about entering the
global arena.


Evolution of Global Markets


The global market environment is not static; it is ever changing and evolving. Typically, domestic companies
stay in their home market until the market becomes saturated and the time comes to expand globally.
Expansion also gives businesses the opportunity to further improve their competitiveness.

The next step in the evolution is for companies to start exporting. Exporting a product requires placing the
product in the distribution system of another country. Exporting can be either indirect or direct.

• Indirect exporting, or marketing through an intermediary, involves the least amount of commit-
ment and risk, but will probably return the least profit.

• Direct exporting is when a company handles its own exports directly, without an intermediary.
Direct exporting is riskier than indirect exporting, but it also opens the door to increased profits.

The second stage is generally the establishment of a specific export department within the company.

The last step in the evolution is for the company to become truly a transnational corporation, or a company
that is globally oriented to marketing its products. A transnational corporation runs its business and makes its
decisions based on all the possible choices in the world, not simply favoring domestic operations because they
seem to be convenient.

Evolution of Global Marketing: Home Market Production → Exporting → Transnational


Strategic Alternatives
There are three main distinctions between international strategies: multi-domestic, global and glocal.

1) Multi-domestic strategies refer to those companies that address competition in each country or
region on an individual basis.

• Product is customized for each market.

• Decentralized control – local decision making.

• Effective when large differences exist between countries.

• Advantages: product differentiation, local responsiveness, minimized political risk, minimized
exchange rate risk.

2) Global strategy refers to addressing competition in an integrated and holistic manner across
country and regional boundaries.

• Product is the same in all countries (Coca-Cola, Levi’s jeans, etc.).

• Centralized control – little decision-making authority on the local level.

• Effective when differences between countries are small.

• Advantages: cost, coordinated activities, faster product development.

3) Glocal strategy refers to companies that are willing and able to “think globally and act locally.”
For example, the Internet is a global phenomenon, but it allows people to make websites in their
native language.

Trends Affecting Competition


Even though there is strong opposition to globalization, there is no evidence that it will diminish in the near
future. Globalization affects the growth of trade and investment, and finally the integration of economies
around the world.

• Increased influence of emerging markets. The emerging economies are gaining economic
strength and influence. These emerging economies include countries like China, Russia, India,
Malaysia, countries in Eastern Europe, and parts of Africa and Latin America. The trend is to narrow the
economic differences between developed and emerging countries.

• New large-scale markets are emerging, such as Brazil, Russia, India and China (the BRIC
countries).

• Freer flow of technology allows even less developed countries the opportunity to invest and
develop in world-class facilities.

• More aggressive industrial policies are being implemented by some countries in order to gain
world status, e.g., Russia, Venezuela, Iran, etc.

• Government protection of distinctive national assets. Governments have tended to play a
more active role in the protection of natural assets, e.g., the oil and gas industry.


Question 71: Which of the following would be a source of global competitive advantage?

a) Low fixed costs

b) Production economies of scale

c) Weak copyright protection

d) Intensive local service requirements

(IIA adapted)

Question 72: Governments restrict trade in order to:

I. Foster national security.

II. Develop new industries.

III. Protect declining industries.

IV. Increase tax revenues.

a) I and IV only

b) II and III only

c) I, II and III only

d) II, III and IV only

(IIA adapted)

Strategic Decisions
Strategic decisions are those choices that impact future operations, such as expanding into a new market or
launching a new product line. This section discusses various strategic decisions management can make to
ensure the long-term survival and profitability of the company.

Analysis of Integration Strategies


In Michael Porter’s generic model, he argued that a firm’s strength ultimately falls into one of two categories:
cost advantage and differentiation. Integration strategies, either horizontal or vertical, can be methods of
gaining cost advantage and differentiation. These methods are discussed below.

Horizontal Integration
Horizontal integration is a type of ownership and control whereby a firm acquires additional business activities
at the same level of the value chain. Horizontal growth can be achieved by internal expansion or by external
expansion through mergers and acquisitions of firms offering similar products and services. A firm may also
grow horizontally by diversifying into unrelated businesses.

Example: The GAP Inc. retail clothing corporation is a good example of a business that practices
horizontal integration. GAP Inc. controls three distinct companies, Banana Republic, Old Navy, and the GAP
brand itself. Each company has stores that market clothes tailored to the needs of a different group. For
example, Banana Republic sells more expensive clothes with a more “upscale” image, whereas the GAP
sells “moderately” priced clothes that appeal to middle-aged men and women. On the other hand, Old
Navy sells “inexpensive” clothes geared towards children and teenagers. Thus, by using these three
different companies, GAP Inc. controls a large segment of the retail clothing industry.


Benefits of Horizontal Integration


• Economies of scale are achieved when per unit cost of product is reduced by selling more of the
same product.

• Synergy is achieved when “two or more discrete influences or agents acting together create an
effect greater than the sum of the effects each is able to create independently.” For example,
synergy can be achieved by using the same brand to promote multiple products.

• Increased market power over suppliers and downstream channel members.

• Reduction of cost of international trade by operating factories in foreign markets.

Drawbacks of Horizontal Integration


• The possibility of anti-trust issues being raised.

• The possibility that the anticipated economic gains will not materialize. It is highly
recommended that before expanding by horizontal integration, management should make sure that the
potential benefits are real. For example, it had been assumed that computer hardware manufacturers
that entered the software business would experience synergies between hardware and software. But
the connection between these groups of products does not necessarily imply realizable synergy.

• The possibility that even if benefits do exist, they do not materialize spontaneously. Thus,
there should be a specific horizontal strategy in place.

Vertical Integration
Vertical integration involves companies at different stages of production. In these cases, the buyer expands
back toward the source of raw materials, called backward integration, or forward in the direction of the
consumer, called forward integration.

Example: One of the earliest, largest and most famous examples of vertical integration was the Carnegie
Steel Company. Carnegie Steel controlled not only the mills where the steel was manufactured, but the
mines where the iron ore was extracted, the coal mines that supplied the coal, the ships that transported
the iron ore and the railroads that transported the coal to the factory, the coke ovens where the coal was
coked, etc.


Figure: Examples of Backward and Forward Integration. Both panels (Backward Integration and Forward
Integration) show the same chain of stages: Raw Materials, Intermediate Manufacturing, Assembly,
Distribution, End Customer.

The decision of whether to vertically integrate or not should consider two issues: cost and control. The cost
aspect depends on the cost of the market transactions between firms versus the cost of administering the
same activities internally within a single firm. The control issue has to do with the impact of asset control,
which can impact barriers to entry and which can assure cooperation of key value-adding players.

Benefits of Vertical Integration


• The potential to reduce transportation costs. This would happen only if ownership results in
closer geographic proximity.

• The potential to have greater control over inputs. This is one of the main reasons why Apple
decided to make its computer hardware, accessories, operating systems, and much of the software
itself. Today, Apple is one of the few vertically integrated businesses in the IT industry.

• The potential to improve supply chain coordination.

• The potential to capture upstream or downstream profit margins.

• The potential to increase entry barriers to competitors. This would be true, for example, if the
firm could gain sole access to a scarce resource.


Drawbacks of Vertical Integration


• The potential that the merger will cause higher costs due to low efficiencies resulting from
lack of supplier competition.

• Increased bureaucratic costs.

• The potential that flexibility due to previous upstream or downstream investments will be
decreased. But, the flexibility to coordinate vertically related activities might be increased.

• The potential for capacity problems. For example, the firm may have to build excess upstream
capacity to ensure that downstream operations have sufficient supply under all demand conditions.

Question 73: A milk producer company acquires its own dairy farms to supply milk. The growth strategy
adopted by the company can be identified as

a) Horizontal integration

b) Vertical integration

c) Concentric diversification

d) Conglomerate diversification

(IIA adapted)

Capacity Expansion
The decision whether or not to expand capacity is a major strategic decision for management and the firm.
Before making this decision, management has to have a clear understanding of the costs and benefits of
expansion. For example, any expansion requires additional capital investment. Investment could be in the
form of new equipment, additional personnel, construction of new facilities, etc. Management simply needs to
know that these additional costs will be covered by the expected increase in sales. It is for this reason that
capacity expansion is also referred to as market penetration.

A key issue for management is to avoid overcapacity.

In the long term, the company will need to make certain that its capacity will be able to meet the expected
demand as well as decide how to obtain this capacity. The firm may either purchase or lease the necessary
fixed assets, but a plan is required to determine how the company will obtain the necessary financing for
whatever option it chooses. This is the process of capital budgeting.

Undercapacity, on the other hand, tends to be a short-term issue in profitable industries. In these
situations, investors would be lured to making investments to increase the firm’s capacity capability, thereby
increasing the firm’s profits.

Michael Porter, in his book, Competitive Strategy: Techniques for Analyzing Industries and Competitiveness,
describes the strategic decision process to expand capacity. These are the interrelated steps in his process:

1) The first step is for the firm to identify all of the options open to it. The firm would also have to
consider responses by competitors.

2) The second step is to forecast demand, input costs, and technology developments.

• Depending on the industry, there can be a lot of uncertainty about future demand. This is
probably the most crucial variable in determining the nature of the industry’s expansion.

• With regard to technology, the firm has to be aware that any new technology can quickly become
obsolete, or future design changes might not be practical.


• The firm also needs to consider the possibility that expansion could put upward pressure on input
costs.

3) The third step is to analyze the competitors. The difficulty of analyzing competitors is that this
requires the ability of the firm to forecast their behavior, which requires knowing their expectations.
This is difficult even under the best of circumstances.

4) The fourth step is for the firm to develop a detailed model that predicts prices and cash flows. This
model could also possibly have information on the firm’s expected market share and total
industry capacity.

5) The final step is to test for inconsistencies.

A critical variable that helps to determine the nature of the industry expansion is the extent of uncertainty
about future demand.

• If there is high uncertainty about demand then firms that have the available financial resources
and are willing to take on greater risk will act first.

• On the other hand, if there is low uncertainty about demand, and market signals tend to be
strong, firms will tend to take on a strategy of preemption to forestall competitors’ expansion
plans. This strategy tends to lead to excess industry capacity because firms overestimate their
competitive strengths, don’t understand the market signals, or fail to accurately assess competitors’
intentions.

Capacity Overbuilding
Overbuilding is most frequently associated with firms whose business cycles are cyclical in nature. The cyclical
buildup of production capabilities is due to the unbalanced inflow of fixed capital. When the investment
climate and future demand are favorable, firms invest in fixed capital, and thereby, in production capacity. This
surplus in production and competition between firms will reduce profits and eventually lead to capital
devaluation.

Note: The general thought is that overbuilding is bad, but in fact, overbuilding may be good for society
as a whole. For example, when railroads were overbuilt and the price of transportation plunged below what
was needed for recovery of invested capital, that was bad for the investors in railroads, but it was good for
the transportation-dependent industries, many of which could not have existed without the eventual lower
costs of transportation. In fact, the lower prices created non-secular elasticity: greater demand because
new industries became possible. These new industries resulted in new volumes of traffic, which eventually
made the lower prices bearable for the railroads, although not for the original investors. What happened
with the railroads also happened with Internet companies.

The following is a list of factors that may lead to overbuilding:

1) Technological factors
• Economies of scale are present, and there is a steep learning curve that encourages preemption.

• The industry has long lead times, which increase the risk that the industry will experience
overbuilding.

2) Structural factors
• Exit barriers are high. This causes firms that otherwise would not produce to stay and keep
producing.

• Suppliers of capital, input supplies, etc. may have favorable terms that promote expansion.

• The extent of competitors’ integration may act as a promoter of expansion. A firm may feel
pressure to build capacity even in the face of uncertainty in demand.

3) Competitive factors
• Firms with capacity capability may seek to improve market share.

• Lack of true market leader(s). The lack of a true market leader may give firms an incentive to
gain market share through expansion. On the other hand, expansion tends to be more orderly in
industries with true market leaders since they are able to retaliate against inappropriate expansion by
other firms.

• Low entry barriers and other favorable economic conditions may encourage new entrants to
the market, thus, causing overcapacity.

4) Information flow factors
• Future expectations may be overinflated because of media reports.

• The assumptions or perceptions about competitors’ strengths, weaknesses, or plans may be
inaccurate.

5) Managerial factors
• A firm that is more production-oriented is more likely to overbuild than firms that are
market-oriented. Production-oriented firms are primarily concerned with production, manufacturing, and
efficiency issues. Market-oriented firms allow the wants and needs of customers and potential
customers to drive all the firm’s strategic decisions.

6) Governmental factors
• Tax incentives may tempt firms to build excess capacity.

• Promotion of indigenous industries may cause inefficient domestic producers to stay in business,
thereby contributing to excess global capacity.

• Governmental pressures on domestic employment may result in overbuilding in order to create
or maintain domestic jobs.

Question 74: What is a key issue for management when considering capacity expansion?

a) Avoiding overcapacity

b) Having strong future demand

c) Analyzing competitors

d) Capital budgeting

(HOCK)

Question 75: Which of the following is a market-oriented definition of a business versus a product-
oriented definition of a business?

a) We make air conditioners and furnaces

b) We supply energy

c) We make movies

d) We sell clothing

(IIA adapted)

Entry into New Businesses


Entry into new businesses can be accomplished either by internal development or through acquisition.

Entry through Internal Development


Entry through internal development usually consists of creating a whole new business entity. In order to
successfully compete, any new business entity has to deal with existing entry barriers, and the possibility of
retaliation by the existing firms. Existing firms could retaliate by lowering prices and thus making it harder
for the new firms to make a profit.

Some of the more common entry barriers are:

• Economies of scale. Large firms can generally produce goods at a lower cost than smaller firms.
But these cost advantages can quickly evaporate with changing technology. For example, the
common use of PCs allowed small companies the opportunity to make use of database and
communication technology that was once extremely expensive and only available to large corporations.

• Customer loyalty can be very strong with some brands. This customer loyalty can impede market
entry.

• Advertising can make a difference for those firms seeking to enter the market. Established firms
are able to spend more on advertising that new brands might find difficult to afford.

• Research & Development can be a huge entry barrier, particularly if the product requires massive
upfront investment in technology that will deter potential new entrants.

• Sunk costs are those costs that cannot be recovered if a firm decides to leave the market.
Therefore, these costs increase the risk and deter business entry.

• Distributor agreements. Exclusive agreements with key distributors or retailers can make it more
difficult for other businesses to enter the industry.

• Supplier agreements. Exclusive agreements with key suppliers can make it more difficult for other
businesses to enter the industry.

• Patents give a firm the sole legal right to produce a product for a certain number of years. Patents
are intended to encourage innovation by offering this financial incentive.

• Government regulations can make entry more difficult by having requirements for licenses and
permits. These requirements can raise the investment needed to enter the market.

Potential new entrants should conduct structural analysis in order to determine the feasibility of actually
entering into a new business and market. Porter’s Five Forces Model is still widely used for identifying
industries to target.

Entry through Acquisition


The other method to gain market entry is through acquisition. The analysis for an acquisition will differ from
that of an analysis for internal development. When looking at a possible acquisition, the key point is that the
market determines the price of the acquisition. Countries with developed and active acquisition markets tend
to be efficient, thereby eliminating above average profits.

Question 76: After a firm conducted extensive structural analysis, it decided to create a whole new
business entity. The analysis helped the firm choose the most appropriate industry to target. The
most likely target is an industry in which the new entity

a) Will have to develop its own distribution network.

b) Can raise mobility barriers after entry.

c) Will not have to compete with a dominant firm that seeks to protect the industry.

d) Calculates that the costs of retaliation to existing firms are less than the benefits.

(HOCK)

Forecasting
Forecasting is a critical part of any business, and it involves looking into the future and attempting to
determine what future conditions and/or results will be. A budget is a form of forecasting. Examples of
forecasting are projecting sales, determining inventory demand, estimating cash flows, determining future
capital needs, and estimating costs.

Forecasting methods can be either qualitative or quantitative. Which method is used will depend on the
specific objectives of the forecast and the amount of information available to the company.

Qualitative forecasting
Qualitative forecasting is generally used when historical data is not available, or when the information cannot
be quantified. Qualitative forecasting entails the use of expert opinions, such as predicting the cost of oil over
the next six months, or the impact that rising oil prices might have on the global economy. If qualitative
forecasting uses opinions, then what are the methods used to obtain the opinions?

Three common approaches are:

1) Delphi technique. This is probably the best-known method for generating forecasts based on the
use of “experts.” A survey or questionnaire is sent to a group of independent, unbiased experts,
who fill out the survey without reference to the other contributors. The replies to the survey are
summarized, analyzed and then returned to the experts so they can reconsider and revise their
earlier responses based on the views of the group. This process continues until the facilitator
determines that a group consensus (or narrower range of opinions) has been reached.

2) Jury of executive opinion. This approach involves bringing senior managers together so that they
can draw upon their collective wisdom to come up with a forecast. This differs from the Delphi
technique in that the senior managers actually get together in an open meeting to discuss their opinions.
A drawback to this method is that the meeting may be subject to groupthink and personality
dominance.

Note: Groupthink is a term coined by Irving Janis that refers to faulty group decision-making.
Groups experiencing groupthink do not consider all alternatives and they desire unanimity at the
expense of quality decisions.

3) Scenario planning. This approach develops a set of well-defined assumptions and then applies
these assumptions to a series of scenarios. For example, a transportation company concerned about
rising oil prices might develop a series of scenarios indicating what would happen to its business
model if oil prices go from $100 per barrel to $150 per barrel to $200 per barrel. Scenario planning
is not about producing a consensus but rather about identifying likely or possible outcomes and
then coming up with a plan for how the business would respond to the least desirable scenario.

Quantitative forecasting
Mathematical models are used in quantitative forecasting. A mathematical model is an equation that
attempts to represent an actual situation. For example, if a company has a product that it sells for $1,000
each, and if we use R to represent total revenue, the total revenue that the company will earn by selling x
units can be represented by the following equation, or mathematical model:

R = 1,000x

For a model to be useful, it must be a good representation of the real situation. Therefore, it is important to
carefully construct the equations.

Collecting the Data for a Forecast


In forecasting, historical data is used in various ways. We may look at the past to discover a pattern for use
in predicting the future. Or we may look at the past relationship between two factors to determine if there has
been a cause-and-effect relationship between them that can be used to predict future results. Collecting the
data is usually the most difficult step in analysis. When working with costs, one of the primary challenges is
finding the cost driver that best fits the data; in other words, finding the causal factor in the cause-and-
effect relationship.

Thus, there are two basic forecasting methods:

1) Time series methods, which look only at the historical pattern of one variable and generate a
forecast by extrapolating the pattern using one or more of the components of the time series, and

2) Causal forecasting methods, which look for a cause-and-effect relationship between the variable
we are trying to forecast (the dependent variable) and one or more other variables (the
independent variables).

Time Series Analysis


Time series data reflects activity for one variable – an organization, plant, activity, or one expense
classification – over a sequence of past time periods. A time series method of forecasting uses only these
historical values in an attempt to find a pattern in them that can be used in forecasting the future. Only one
set of historical time series data is used in time series analysis and that historical data is not compared to any
other set of data.

A time series may have one or more of four patterns (also called components) that influence its behavior
over time:

1) Trend

2) Cyclical

3) Seasonal

4) Irregular

In addition to these patterns of behavior, time series data can also be affected by inflation. The presence of
inflation can distort the analysis, and it may be necessary to adjust the time series or the resulting forecast to
remove this distortion.

1) Trend Pattern
Over a long period of time, the historical data may exhibit a trend, which is a gradual shifting to a higher or
lower level. If a long-term trend exists, there will probably also be short-term fluctuations within that trend;
however, the long-term trend will be apparent. For example, sales from year to year may fluctuate but
overall, they may be going up, as is the case in the graph below.

[Graph: Sales 2002-2011 with 2012 Forecast. Vertical axis: sales, $1,500,000 to $3,500,000; horizontal
axis: years, 2003 to 2013.]

The long-term sales trend has been upward from 2003 to 2012, despite the dips in 2005 and 2009. According
to this trend, a reasonable sales forecast for 2013 would be $3,250,000.

Trends in a time series analysis are not always upward and linear like the above graph. Time series data can
exhibit an upward linear trend, a downward linear trend, a nonlinear (curved) trend, or no trend at all. A
scattering of points that have no relationship to one another would represent no trend.

2) Cyclical Pattern
A long-term trend line can still be established even if the sequential data fluctuates greatly from year to year
due to cyclical factors. Any recurring fluctuation that lasts longer than one year is attributable to the cyclical
component of the time series. The cyclical component is usually due to the cyclical nature of the economy.

In the next graph, we see an example of the cyclical components of a time series. The fluctuations from year
to year are greater than they were for the first graph. However, we can still discern a long-term trend
upward.

[Graph: Sales 2003-2012 with 2013 Forecast. Vertical axis: sales, $1,500,000 to $3,500,000; horizontal
axis: years, 2003 to 2013.]

3) Seasonal Pattern
In order to identify trend and cyclical components of a time series, we track the annual historical movements
of the data over several years. That is, we look only at results for full years, such as total sales for the years
2003 through 2012.

However, a time series can fluctuate within the year due to seasonality in the business. Seasonal variations
are common in many businesses. For example, a flower company’s sales would be highest during the warm
summer months, whereas a retailer of skis would experience its peak sales in the wintertime. Variability in
the time series due to seasonal influences is called the seasonal component.

“Seasonal” behavior can take place within any time period that is less than a year in length. A business that
has its busiest time of day at the same time every day is said to have a within-the-day seasonal
component. As long as the pattern repeats regularly, it is a seasonal component.

4) Irregular Pattern
A time series can also vary in a random pattern, not repeating itself in any regular pattern. This is called the
irregular pattern. It is caused by short-term, nonrecurring factors, and its impact on the time series cannot
be predicted.

Using Time Series Analysis in Forecasting


The objective of time series analysis is to develop a forecast for future results. Time series methods are used
in forecasting in two ways:

1) Smoothing (moving averages, weighted moving averages and exponential smoothing).

2) Trend projection (including trends adjusted for seasonal influence).

We will now look at each of these in more detail.

1) Smoothing
Just as the name implies, smoothing methods attempt to “smooth out” random fluctuations caused by the
irregular component of a time series. Smoothing methods work with a time series that has no significant
trend, cyclical or seasonal effects. They do not work well when there is a long-term upward or downward
trend or when there is cyclical variation or seasonal variation. However, when nothing affects the values
except random variations, smoothing methods can provide highly accurate, short-range forecasts such as a
forecast for the next time period.

Moving averages use the average of the most recent data in the time series. Whenever a new value
becomes available for the time series, it replaces the oldest value. For example, when using a four-week
moving average to forecast sales, to forecast sales for week five, we would average the sales for weeks one
through four. The forecast of sales for week ten would use the average sales for weeks six through nine.

A weighted moving average is a variation of the moving average method. When utilizing this method, we
use different weights for each value and compute a weighted moving average, using the most recent data in
the time series. For example, we might give more recent historical values weights that are greater than those
given to the older values. If we have four months of data, to forecast the fifth month’s value using a weighted
moving average, we would approach it in the manner outlined in the following example.

Example: ABC Corporation wants to use a four-month weighted moving average method to forecast sales
for the month of May. Actual sales for ABC for the months of January, February, March and April are as
follows:
    January     $21,000,000
    February     23,000,000
    March        25,000,000
    April        20,000,000

ABC has assigned a descending weight to each month’s values, starting with the most recent month. Each
of the month’s results is multiplied by the weight, and then these individual monthly values are added
together to determine the May forecast. The weights ABC has assigned to the four previous months are
40%, 30%, 20% and 10%. This means that the results in the most recent month (April) will have four
times the impact on the May forecast as the oldest month (January).
                  Sales        Weight
    April       $20,000,000  *  4/10  =  $ 8,000,000
    March        25,000,000  *  3/10  =    7,500,000
    February     23,000,000  *  2/10  =    4,600,000
    January      21,000,000  *  1/10  =    2,100,000
    Total                                $22,200,000

Note that the total of all the weights equals 10/10, or 1.

The weighted moving average is the total, $22,200,000, and this is the expected result for the month of
May.

Exponential smoothing is a special type of weighted moving average. With exponential smoothing, we
forecast a value for the next period by calculating a weighted average of two numbers only:

• The most recent period’s actual value.

• The most recent period’s forecasted value, using exponential smoothing.

Exponential smoothing takes the forecast developed for the current period and adjusts it up or down based on
what actually occurred in that period. The actual value is multiplied by the weight put on it and this is added
to the forecasted value multiplied by its weight. This becomes the forecast for the next period.

The amount of weight put on the actual value is called alpha (α), or the smoothing constant. It will always
be between 0 and 1. The amount of weight put on the forecasted value will be (1 - α). The total weight put on
both values will always equal 1.

The value used for the smoothing constant will influence the accuracy of the forecast. If alpha is set to 1,
the forecast for the next period will be based completely upon the actual value from the current period, with
no weight given to the forecasted value from the current period. If alpha is set to 0, the actual value from the
current period will be completely ignored and all the weight will be put on the forecasted value. Neither of
these will provide much information for the future. That is why alpha will always be between 0 and 1. Usually
alpha will be between 0 and .4.

We will discuss how alpha is determined and why its value is between 0 and .4, but first we will look at the
calculation of a forecasted value for the coming month, using the current month’s actual and forecasted
values. We are using the same actual data used to calculate a forecast based on a weighted moving average
in the previous example. However, forecasted amounts that have been calculated using exponential
smoothing are added to the table.

Example: In January, ABC Corporation began using exponential smoothing to forecast sales for each
month. Actual and forecasted sales, in millions, for ABC for the months of January, February, March and
April are as follows. Forecasted sales for January through April have been calculated using exponential
smoothing and an alpha of .1.
                Actual (Y)    Forecasted* (F)
    January       $21.0           N/A
    February       23.0          $21.0
    March          25.0           21.2
    April          20.0           21.6
    *Forecasted by means of exponential smoothing.

To calculate a sales forecast for the month of May using exponential smoothing, use only the actual sales
for the month of April and the forecasted sales (forecasted using exponential smoothing) for the
month of April.

As you may have noticed, not just any forecast can be used in this calculation. For exponential smoothing
to work, the forecasted value used can only be one that was calculated using exponential smoothing.

The calculation is expressed algebraically as follows:


F_{t+1} = αY_t + (1 − α)F_t

Where:
F_{t+1} = forecast for the next period
Y_t = actual value for period t
F_t = forecasted value for period t
α = smoothing constant (between 0 and 1)

The forecasted sales figure for the month of May will be:

F_{t+1} = (.1 * 20) + (.9 * 21.6)
F_{t+1} = 21.4

When exponential smoothing is first instituted to calculate the next period’s forecast, more weight is
automatically given to the very earliest period’s results. This heavy weighting will decrease period by period
as several periods pass and more history builds up. Ultimately, the greatest weight will be on the most
current period’s results with the weight descending as the results go back in time. (This can be proven
mathematically but is outside the scope of the exam and so is not presented.) At all times, the sum of the
weights for all the periods will be 1.0.

One of the advantages of exponential smoothing is that it does not require a lot of historical data. Therefore,
it is an inexpensive method to use when multiple forecasts need to be made every period. If using a moving
average or a weighted moving average method, we would have to apply several different historical values,
but exponential smoothing requires only the current period’s actual and forecasted values. Thus, data storage
requirements are minimized.

Exponential smoothing is a simple concept, yet it is quite powerful because of its weighting process.

On the other hand, a disadvantage of exponential smoothing is that its forecast will lag behind as the trend
increases or decreases over time. And it does not account for dynamic changes that occur in reality. Its
forecasts will require constant updating in order to respond to new information.

Furthermore, in exponential smoothing, the choice of α is important, because it influences the accuracy of the
resulting forecast. A desirable value for α is one that minimizes the forecasting error over time. The
forecasting error is calculated by taking the historical difference between the actual and the forecasted values
using exponential smoothing. That difference, or error, for each period is then squared to eliminate negative
amounts, and the squared error amounts for each period are averaged. This average is called the Mean
Squared Error or MSE. Our goal is to find a value for α that will minimize the MSE.

Note: Detailed information about the calculation of MSE is outside the scope of the exam and is therefore
not included here. You only need to know that the MSE is the measure of the error in the exponential
smoothing, and that it should be minimized.

Generally, as alpha increases, the forecasting error decreases, up to an alpha of .4. Beyond an alpha of .4,
not much improvement usually results. For that reason, alpha is usually between 0 and .4.

However, if the actual values fluctuate substantially and randomly, we prefer a lower value for α,
because we do not want to adjust forecasts too much in response to random variations. In this case a larger
alpha will create a greater MSE and a less accurate forecast because a larger alpha will cause more weight
to be put on the random variations.

For this reason, exponential smoothing as a forecasting technique is most useful when the time series is
stable, without many fluctuations.

As additional time series data is collected, the smoothing constant α can be adjusted for future forecasts at
any time.

Note: Smoothing methods are useful for a stable time series that has no significant trend, cyclical, or
seasonal effects.
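
The smoothing calculations above, worked through in Python on the ABC Corporation figures. This is an added example, not code from the book: the function names are illustrative, the first forecast is seeded with the first actual value (as in the table, where February's forecast equals January's actual), and the fluctuating series is constructed for the comparison of alpha values.

```python
# Added example (not from the book): smoothing forecasts on the ABC figures.

ABC_ACTUAL = [21.0, 23.0, 25.0, 20.0]  # January-April actual sales, in millions

# Constructed series: a stable level with large period-to-period swings.
NOISY_STABLE = [10.0, 12.0, 10.0, 12.0, 10.0, 12.0]


def weighted_moving_average(values, weights):
    """Forecast the next period from the most recent len(weights) values.

    weights[0] applies to the most recent value; the weights must total 1.
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must total 1")
    if len(values) < len(weights):
        raise ValueError("not enough history for this many weights")
    recent_first = values[::-1][:len(weights)]
    return sum(v * w for v, w in zip(recent_first, weights))


def exponential_smoothing(actuals, alpha):
    """Return the forecasts for periods 2 .. n+1.

    Applies F_{t+1} = alpha * Y_t + (1 - alpha) * F_t, seeding the forecast
    for period 2 with the actual value of period 1 (an assumption that
    matches the table: the February forecast is January's actual).
    """
    if not 0 <= alpha <= 1:
        raise ValueError("alpha must be between 0 and 1")
    if not actuals:
        raise ValueError("at least one actual value is required")
    forecasts = [actuals[0]]
    for y in actuals[1:]:
        forecasts.append(alpha * y + (1 - alpha) * forecasts[-1])
    return forecasts


def mean_squared_error(actuals, alpha):
    """Average of the squared (actual - forecast) differences.

    Period 1 has no forecast, so the comparison starts at period 2.
    """
    forecasts = exponential_smoothing(actuals, alpha)
    errors = [y - f for y, f in zip(actuals[1:], forecasts[:-1])]
    if not errors:
        raise ValueError("at least two actual values are required")
    return sum(e * e for e in errors) / len(errors)


def best_alpha(actuals, candidates):
    """Return the candidate smoothing constant with the lowest MSE."""
    return min(candidates, key=lambda a: mean_squared_error(actuals, a))


if __name__ == "__main__":
    may_wma = weighted_moving_average(ABC_ACTUAL, [0.4, 0.3, 0.2, 0.1])
    print(f"Weighted moving average forecast for May: {may_wma:.1f}")

    # The book rounds April's forecast to 21.6 before computing May; the
    # unrounded chain below rounds to the same one-decimal figures.
    forecasts = exponential_smoothing(ABC_ACTUAL, 0.1)
    print("Exponential smoothing, Feb-May:",
          [round(f, 1) for f in forecasts])

    grid = [0.1, 0.2, 0.3, 0.4]
    for a in grid:
        print(f"alpha={a}: MSE on the constructed series = "
              f"{mean_squared_error(NOISY_STABLE, a):.3f}")
    print("Lowest-MSE alpha on the grid:", best_alpha(NOISY_STABLE, grid))
```
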

2) Trend Projection and Regression Analysis


When a time series is not stable and is increasing or decreasing consistently, smoothing methods are not
appropriate for forecasting. Instead, a time series that has a long-term upward or downward trend can be
forecasted by means of trend projection.

Trend projection can be done by using the high-low point method. However, this method is not very
accurate, because it uses only two points (the highest and lowest results during the time period) to develop a
trend line for forecasting. A more accurate method of forecasting using trend projection is simple regression
analysis, which forecasts values using information from all available observations.

Both the high-low points method and simple linear regression analysis rely on two assumptions:

• Variations in the dependent variable (i.e., what we are forecasting) are explained by variations in
one single independent variable (i.e., time, if a time series is what we are forecasting).

• The relationship between the independent variable (time or something else) and the dependent
variable (sales or whatever we are forecasting based on the value of the independent variable) is
linear. A linear relationship is one that will graph as a straight line.

The line of best fit, as determined by simple linear regression, is a formalization of the way we would fit a
line just by looking at it. We use a ruler to move it until we think we have minimized the differences
between the points and the line. Similar to fitting a line visually, the goal is to take each of the differences
between the individual values and the point on the regression (trend) line for that time period – called a
deviation – square each deviation, then calculate the total of all the squares of the deviations, and have the
result be as low as it can get. When this is the case, the total of the squares of the deviations is “minimized,”
and the trend line is the “line of best fit.” That line can then be used for forecasting using extrapolation.

To use regression analysis, first graph the values of the time series and review the results. If the long-term
trend appears to be linear, use simple regression analysis to determine the trend value.

Before performing regression analysis, we should perform correlation analysis to determine the strength
of the linear relationship between the value of x and the value of y in order to determine whether trend
projection would be meaningful. Correlation analysis measures the relationship between two or more
variables. This measurement shows how closely connected the variables are and the extent to which a change
in one variable will result in a change in the other.

The coefficient of correlation, represented by the letter R or r, is a numerical measure that measures both
the direction (positive or negative) and the strength of the linear association.

The coefficient of correlation, r, can be used to determine whether trend projection would be meaningful.

• A high correlation coefficient, r, (i.e., a number close to either +1 or −1) would indicate that simple
linear regression analysis would be useful as a way of making a projection using a trend line.

• A low correlation coefficient, r, (close to 0) would indicate that a forecast made using a trend line
would not be very meaningful.

The coefficient of correlation, r, can be calculated in Excel by entering the X values in one column (say
Column A, rows 1-10), the Y values in another column (say Column B, Rows 1-10), and entering the following
formula in a blank cell:

=CORREL(A1:A10,B1:B10)

If we call the predicted value of y obtained from the fitted line “ŷ,” then the prediction equation, or the
equation of a linear regression line, is:

ŷ = a + b(x)

Where:
ŷ = the predicted value of y on the regression line corresponding to each value of x
a = the y intercept, or the value of y when x is 0
b = the slope of the line
x = the value of x on the x axis that corresponds to the value of y on the trend line.

Note: This formula may be written in different ways (e.g., ŷ = ax + b), but x will always represent the
independent variable and y is the constant. The coefficient of the independent variable, or the
variable coefficient, is whatever term is next to the x in the formula. That term represents the amount
of increase in y for each unit of increase in x, or the slope of the line.

The constant coefficient is a and it represents the y intercept because this is the value of y when x is
zero.

The symbol over “y” is called a “hat”, and thus, it is read as “y-hat”, which means that we are looking at
the predicted value, not the actual value.

Here is the chart again, illustrating a regression analysis. We have made a couple of changes so that the
trend line, the equation of the trend line, and the coefficient of determination, R² or r², (more on that later)
can be calculated on the computer. We have expressed sales in thousands and changed the years along the
X-axis to Year 1, Year 2, etc., to enable computer calculation.

The numbers below are the historical sales amounts that have been graphed on the graph that follows (000
omitted). These were input into Excel, and Excel calculated the regression equation and the other values for
the regression.

    2003    Year 1     $2,256
    2004    Year 2     $2,564
    2005    Year 3     $2,305
    2006    Year 4     $2,525
    2007    Year 5     $2,752
    2008    Year 6     $2,830
    2009    Year 7     $2,926
    2010    Year 8     $2,935
    2011    Year 9     $3,001
    2012    Year 10    $3,165

[Graph: Sales in 000s, 2003-2012 with 2013 Forecast. Vertical axis: sales, $1,500 to $3,500; horizontal
axis: Year (2003 = Year 1), 0 to 11. Trend line shown on the graph: y = 94.976x + 2203.5, R² = 0.8984.]

The coefficient of correlation, r, as calculated in Excel, is .94786. It is a positive number because the trend
line is upward sloping. If the trend line were downward sloping, the coefficient of correlation, r, would be a
negative number. A value close to 1 (or -1), which .94786 is, indicates that there is a close correlation between
the values of x and the values of y on this graph, and you can see this when you look at the graph. Thus, in
this case, regression analysis would be a good method of forecasting sales for coming years.

The equation of the trend line, as calculated on the graph above, is:

y = 94.976x + 2,203.5

This means that the trend line starts at 2,203.5, and each value on the trend line increases 94.976 over the
previous year’s trend line value. Thus for each year, the trend of sales has increased by $94,976.00.

Forecasted sales for 2013, according to the regression equation, are predicted to be:

y = 94.976x + 2,203.5

y = (94.976 × 11) + 2,203.5

y = 3,248.236 (or $3,248,236)

This is consistent with the point on the y axis where we see the extension of the trend line when it is lined up
with 11 on the x axis.

Question 77: As part of a risk analysis, an auditor wants to forecast the percentage growth in next
month’s sales for a particular plant using the past 30 months’ sales results. Significant changes in the
organization affecting sales volumes were made within the last 9 months. The most effective analysis
technique to use would be:

a) Unweighted moving average

b) Exponential smoothing

c) Queuing theory

d) Linear regression analysis

(CIA adapted)

Question 78: A division uses a regression in which monthly advertising expenditures are used to predict
monthly product sales (both in millions of dollars). The results show a regression coefficient for the
independent variable equal to 0.8. This coefficient value indicates that

a) The average monthly advertising expenditure in the sample is $800,000.

b) When monthly advertising is at its average level, product sales will be $800,000.

c) On average, for every additional dollar in advertising, you get $0.80 in additional sales.

d) Advertising is not a good predictor of sales because the coefficient is so small.

(CIA adapted)

Question 79: What coefficient of correlation results from the following data?

X Y
1 10
2 8
3 6
4 4
5 2

a) 0

b) -1

c) +1

d) Cannot be determined from the data given

(CIA Adapted)


Other Measures Used in Regression Analysis Forecasting


In addition to the coefficient of correlation, r, several other measures are used to evaluate the precision and
reliability of a regression forecast. These would be performed at either the same time as or following the
actual regression analysis:

• The standard error of the estimate (SE) gives us a range around the forecasted value within which
we can be approximately 68% confident that the actual value of the unknown variable will fall. The
size of the standard error of the estimate must be interpreted in relationship to the average size of
the dependent variable. If the standard error of the estimate is around 5-10% or less of the average
size of the dependent variable, we can be confident that the regression analysis is fairly precise.

• The coefficient of determination is the square of the coefficient of correlation. It is represented by
the term R², or r², representing the percentage of the total amount of change in the dependent
variable that can be explained by changes in the independent variable.

R² is expressed as a number between 0 and 1. In a regression with a high r², the data points will all
lie close to the trend line. In a regression with a low r², the data points will be scattered above and
below the trend line. An r² above .50 would indicate that the forecast yielded by simple linear
regression analysis should be meaningful.

In our example, r² is .94786², or .8984. Note that if the trend line were downsloping and the
coefficient of correlation were -.94786, for example, the coefficient of determination would still be
.8984, since squaring eliminates the negative value.
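The trend line, r, r² and the 2013 forecast from the sales example above, together with the standard error of the estimate described in this section, can be recomputed directly from the ten historical data points. The Python below is an added example, not part of the original text: the function names are illustrative, the SE formula sqrt(SSE ÷ (n − 2)) is the standard one (the text does not give it), and treating "around 5-10% or less" as a 10% cutoff is an assumption.

```python
import math

# Historical sales from the text (000 omitted); 2003-2012 recoded as Year 1..10.
YEARS = list(range(1, 11))
SALES = [2256, 2564, 2305, 2525, 2752, 2830, 2926, 2935, 3001, 3165]


def simple_linear_regression(xs, ys):
    """Least-squares fit of y = slope * x + intercept, with r, r2 and SE."""
    n = len(xs)
    if n != len(ys) or n < 3:
        raise ValueError("need at least three paired observations")
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        raise ValueError("x and y must each vary for r to be defined")

    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    r = sxy / math.sqrt(sxx * syy)  # sign follows the slope of the trend line

    # Standard error of the estimate: typical distance of actuals from the line.
    # Standard formula sqrt(SSE / (n - 2)); not stated in the text.
    sse = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    se = math.sqrt(sse / (n - 2))

    return {
        "slope": slope,
        "intercept": intercept,
        "r": r,
        "r2": r * r,
        "se": se,
        "mean_y": mean_y,
    }


def forecast(fit, x):
    """Point forecast on the trend line for period x."""
    return fit["intercept"] + fit["slope"] * x


def assess(fit, se_cutoff=0.10, r2_cutoff=0.50):
    """Apply the text's two rules of thumb.

    se_cutoff=0.10 is an assumed reading of "around 5-10% or less".
    """
    se_ratio = fit["se"] / fit["mean_y"]
    return {
        "se_ratio": se_ratio,
        "fairly_precise": se_ratio <= se_cutoff,
        "meaningful": fit["r2"] > r2_cutoff,
    }


if __name__ == "__main__":
    fit = simple_linear_regression(YEARS, SALES)
    check = assess(fit)
    print(f"y = {fit['slope']:.3f}x + {fit['intercept']:.1f}")
    print(f"r = {fit['r']:.5f}, r2 = {fit['r2']:.4f}")
    print(f"SE = {fit['se']:.1f} ({check['se_ratio']:.1%} of average sales)")
    print(f"2013 forecast (x = 11): {forecast(fit, 11):,.3f}")
```

The unrounded coefficients give a 2013 forecast a few hundredths away from the 3,248.236 in the text, which was computed from the rounded equation.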

Causal Forecasting
Note: This is the second of two basic forecasting methods.

Causal forecasting methods are used when the value that we are forecasting can be determined to be affected
by some other value. If we can identify a cause and effect relationship between what we are forecasting
and the other value, and if that relationship is a linear one, we can use a projection of the other value to
forecast the sought-after value.

Note: The two basic assumptions of simple regression analysis are:

1) Changes in the value of the dependent variable can be explained by changes in the level of the
independent variable.

2) The relationship between the dependent variable and the independent variable is linear. That is, a
graph of the two variables, with the independent variable on the x-axis and the dependent variable
on the y-axis, will result in a straight line within the relevant range.

If there is only one independent variable and one dependent variable and the relationship between them is
linear, regression analysis is called simple linear regression, just as it was called in the section above.
However, it is also possible for one dependent variable (for example, sales) to be affected by more than one
independent variable (for example, advertising expenditures, size of the sales staff, competition, the economy
and any number of other possible causes). When there is more than one independent variable, the regression
analysis is called multiple regression analysis.

When we use one or more values to forecast another value that is influenced or explained by the first
value(s), this is causal forecasting. When doing causal forecasting, we can use time series data, such as
advertising expenditures over time. However, time series data is not always available. When time series data
is not available, regression analysis can still be employed to develop a causal forecast.

For example, demographic data may be used to forecast sales for a newly planned retail store. If there are
previously opened new outlets in other areas, we can use this demographic data and relate it to sales results
in the new retail store. The size of the population, the population’s socio-economic level, age breakdown, and
other factors can be tried as independent variables. If there is a causal linear relationship, we can then use
demographic information for the new area to forecast its sales levels.

Note: In order to use regression analysis, there must be a reasonable basis to expect the dependent
variable to be caused by the independent variable. If there is no reason for a connection, any connection
found through the use of regression analysis is accidental. So we must be careful not to assume that a
linear relationship means there is a cause and effect relationship.

Note: Remember in doing correlation analysis that correlation does not prove causation. There must be a
logical cause and effect relationship in addition to a high correlation in the data.

If the coefficient of determination, or r², is low, it may mean that we are using the wrong independent
variable in our analysis.

Benefits and Limitations of Regression Analysis


The benefits or advantages of regression analysis are that it is a quantitative method and as such, it is
objective. A given data set generates a specific result. That result can be used to draw conclusions and make
forecasts.

Thus, regression analysis is an important tool for use in budgeting and cost accounting. In budgeting, it is
virtually the only way to compute fixed and variable portions of costs that contain both fixed and variable
components (mixed costs).

The shortcomings or limitations of regression analysis are:

• Historical data is required for the variable that we are forecasting or for the variables that are causal
to this variable. If historical data is not available, regression analysis cannot be used.

• Even when historical data is available, if there has been a significant change in the conditions
surrounding that data, its use is questionable for predicting the future.

• In causal forecasting, the usefulness of the data generated by regression analysis depends upon the
choice of independent variable(s). If the choice of independent variable(s) is inappropriate, the
results can be misleading.

• The statistical relationships that can be developed using regression analysis are valid only for the
range of data in the sample.

Question 80: In regression analysis, which of the following correlation coefficients represents the
strongest relationship between the independent and dependent variables?

a) 1.03

b) -.02

c) -.89

d) .75

(CIA adapted)


Quality Management
Quality is the measure of whether a company’s product or service satisfies the customer’s expectation given
the price that was paid. The key to understanding quality is to first understand the customer’s expectations. A
product that seeks to differentiate itself through a lower price must still satisfy the customer expectations of
performance (quality), or the customer will not purchase the product again.

Quality Management and Productivity


At first glance, it may seem that as a company’s commitment to quality increases, the productivity of the
company will decrease. Since productivity is measured as the level of output given an amount of input, it
would seem that by allocating resources to quality and spending resources in the quality process, there would
be fewer outputs for the level of inputs.

This, however, is not the case. In fact, as a company’s commitment to quality increases, productivity also
increases. There are a number of reasons for this, including:

• A reduction in the number of defective units. This in turn reduces the amount of time, material
and effort wasted on unusable output as well as time spent fixing salvageable defective units. (There
is a term called the hidden factory that refers to the time and effort spent on reworking and
repairing damaged units.)

• A more efficient manufacturing process. By looking at the process from a quality production
standpoint, the company may remove or change inefficient, unproductive or non-value adding
activities.

• A commitment to doing it right the first time. As the culture in the company focuses on doing it
right the first time, the employees of the company can take a more conscientious approach to their
work, and this may lead to greater productivity.

No matter the cause, the relationship between quality and productivity is a positive one – the more attention
paid to quality, the higher the levels of production.

Total Quality Management (TQM)


Total Quality Management (TQM) is a methodology or process that has had a tremendous influence on the
nature of business in the past couple of decades. The basic premise of TQM is that quality improvement is a
way of increasing revenues and decreasing costs. As such, a company should continuously strive for
improvement in performing its job and producing its product correctly the first time. Errors should be
caught and corrected at the source.

At the root of TQM is the definition of what quality is. Quality can mean different things to different people.
For a customer it is a product that meets expectations and performs as it is supposed to for a reasonable
price. For a production manager it is a product that is within the required specification. When a company is
considering quality, it must be certain to include all of these different perspectives of quality from all of the
involved parties.

Certain core principles, or critical factors, are common to all TQM systems:

• They have the support and active involvement of top management.
• They have clear and measurable objectives.
• They recognize quality achievements in a timely manner.
• They continuously provide training in TQM.
• They strive for continuous improvement (Kaizen).
• They focus on satisfying their customers’ expectations and requirements.
• They involve all employees.


TQM is an organizational action. For it to be successful, the entire organization must strive to this end. This
leads to the continued pursuit of excellence throughout the organization.

Part of this pursuit of excellence is a focus on continuing education. Employees at all levels participate
regularly in continuing education and training in order to promote and maintain a culture of quality.

One of the unique perspectives of TQM relates to customers. In a TQM system, it is important to remember
that people within the organization are also customers. Every department, process or person is at some
point a customer and at some point a supplier.

Another feature of TQM is quality control circles. A quality control circle is a small group of employees (or
teams) who work together and meet regularly to discuss and resolve work-related problems and monitor
solutions to the problems. This form of communication is vital to a successful TQM program.

In TQM, the role of quality manager is not limited to a special department; instead every person in the
organization is responsible for finding errors and correcting any problems as soon as possible.

Question 81: The management and employees of a large household goods moving company decided to
adopt total quality management (TQM) and continuous improvement (CI). They believed that if their
company became nationally known as adhering to TQM and CI, it would result in increased profits and
market share.

The primary reason for adopting TQM was to achieve:

a) Greater customer satisfaction

b) Reduced delivery charges

c) Greater employee participation

d) Reduced delivery time

(CIA adapted)

Question 82: Which of the following is a characteristic of TQM?

a) Education and self-improvement

b) Management by objectives

c) Quality by final inspection

d) On-the-job training by other workers

(CIA adapted)

Cost of Quality
There are four different costs of quality, which fall into two larger categories: the costs of conformance
and the costs of nonconformance. Each of these two larger categories contains two types of costs. These
are shown below.


Cost of Conformance
The costs of conformance are those that the company incurs to assess internal quality with the purpose of
ensuring that no defective products reach the consumer.

The two types of costs of conformance are:

1) Prevention Costs are the costs that are incurred in order to prevent a defect from occurring in the
first place. Prevention costs include:
   • Quality training and planning costs
   • Equipment maintenance costs
   • Supplier training and confirmation costs
   • Information systems cost

2) Appraisal Costs are the costs that are incurred in order to determine if an individual unit is
defective. These are the costs of:
   • Testing and inspection (including the costs of the testing equipment)
   • Quality audits
   • Internal quality programs

Costs of Nonconformance
Nonconformance costs are those costs that are incurred after a defective product has already been produced.
The costs of nonconformance can be broken down into two types:

1) Internal failure occurs when we detect the problem before shipment to the customer. The costs
associated with this are:
   • Rework
   • Scrap
   • Tooling and downtime
   • Expediting costs - The cost of rushing to reperform and complete an order in time because of a
     failure to complete it correctly the first time.

2) External failure happens when we do not detect the defect until the product is already with the
consumer. The costs of this are:
   • Warranty costs
   • Product liability costs
   • The loss of customer goodwill (including customer complaints)
   • Environmental costs

These costs can be summarized in a cost-of-quality report. An example is shown below:

Prevention costs           $15,000
Appraisal costs             10,000
Internal failure costs       8,000
External failure costs       5,000
Total quality costs        $38,000

Note: For the exam, you need to make certain that you know what the four subcategories of the costs of
quality are and what individual items go into these four types of costs.


Measuring Quality
There are a number of ways to measure the costs of quality.

We can use quality cost indices to measure the cost of maintaining a certain level of quality. We can
calculate our index in the following manner because it is people who are ultimately responsible for quality:

Quality cost index = [Total Quality Costs ÷ Direct Labor Costs (or some other measure of activity)] x 100

Based on the equation above, if direct labor costs were $120,000, the quality cost index would be 31.67
[($38,000 ÷ $120,000) x 100].

In order to understand whether the number is favorable or unfavorable, it would be necessary to compare it
with something, such as a prior period or the industry average.

The manufacturing cycle efficiency ratio measures the amount of the manufacturing time that is actually
spent in value-adding production. It is calculated as:

Manufacturing cycle efficiency = (Value-adding Production Time ÷ Manufacturing Cycle Time) x 100

We can also calculate the ratio of good output to total output, the percentage of defective goods shipped,
customer satisfaction, customer complaints, on-time deliveries and so on.

Other Quality Related Items


With the development of a good TQM system, a company can also manage its time better and become more
productive. In today’s environment, it is ever more important to become the first company to get a new
product or service to the marketplace. This is seen in the need to have shorter product development time
and shorter response times to changes in demand or the market.

The customer-response time, or cycle time, is the measurement of the length of time between the order
by the customer and the receipt of the product by the customer. The components of cycle time are:

• Order receipt time - From receipt of order until we are ready to produce it.

• Manufacturing cycle time - From readiness to produce to completion of the product.

• Order delivery time - From receipt of the order until delivery of the order.


Monitoring Quality
If a company is to achieve total quality management, it must be able to identify significant quality problems
when they occur. Several methods are used to analyze quality problems.

These are: 1) control charts, 2) histograms, 3) Pareto diagrams, 4) cause-and-effect diagrams, and 5) Six
Sigma.

1) A control chart records observations of an operation taken at regular intervals. Quite simply, this is
sampling. It is used to determine whether all the observations fall within the specified range for the
operation. This can be applicable to anything: a machine, a workstation, an individual or a part or
process. The intervals can be measured in time, batches, production runs or any other method
attributable to an operation.

A process is said to be in statistical control if no sample observation falls outside the specified
limits, if all samples are randomly distributed with no apparent patterns, and if the number of
observations that are above and below the center of the specified range are about equal. In addition,
most of the measurements should be close to the center of the range.

If there are trends, clusters, or many measurements near the limits, the process may be out of
control.

We show an example of a control chart below.

[Figure: example of a control chart. Source: Unknown]

2) A histogram is a bar graph that represents the frequency of events in a set of data. Patterns that
may not be apparent when just looking at a set of numbers become clear in a histogram. A
histogram can pinpoint most of the problem areas as well as those that are experiencing fewer problems.
If one particular production line is experiencing most of the difficulty, a histogram detailing the types
of problems and their frequency can help determine what is most often causing the problems.


3) A Pareto diagram is a specific type of histogram. A Pareto diagram takes all the factors identified
by the histogram as causing the problem and ranks them from the highest frequency to the lowest
frequency. Usually only a few causes are accounting for most of the quality problems.

The name “Pareto” comes from Vilfredo Pareto, a nineteenth-century Italian economist, who came
up with the now well-known 80-20 observation. We know it as “20% of the population causes 80%
of the problems”; or “20% of the population is doing 80% of all the good things.” The 80-20
proposition can work both ways, but it usually seems to hold true.

After management understands what 20% of the causes account for 80% of the problems, it can
focus efforts on improving the areas that are likely to have the greatest overall impact.

4) A cause-and-effect, or Ishikawa, diagram organizes causes and effects visually to sort out root
causes and identify relationships between causes. This idea was identified by Kaoru Ishikawa, who
discovered that it was often difficult to trace the many causes leading to a single problem, and as a
result developed a way of diagramming them. An Ishikawa diagram, which consists of a spine, ribs
and bones, looks like a fishbone, so it is also called a fishbone diagram. At the end of the horizontal
spine (circle) is the quality problem. The spine itself connects the main causes, the ribs, to the
effect, or the quality problem. Bones pointing to each rib are contributing factors to that cause.

In manufacturing, typical main causes for quality problems are the “4 Ms”: machines, materials,
methods and manpower. An Ishikawa diagram would look like this:

[Figure: Ishikawa (fishbone) diagram. Labels: Quality problem (at the end of the spine); Main cause (ribs);
Contributing factors (bones).]

5) Six Sigma is an approach to quality that strives to virtually eliminate defects. To achieve Six Sigma,
a process must produce no more than 3.4 defects per million opportunities. “Opportunities” refers to
the number of opportunities for nonconformance or not meeting the required specifications. It is the
total number of parts, components and designs in a product, any of which could be defective. If a
product has 10,000 parts, components and designs, for example, 3.4 defects per million would
amount to 34 products out of every 1,000 that would have some defect. The goal of Six Sigma is to
improve customer satisfaction by reducing and eliminating defects, which will lead to greater
profitability.


Organizational Behavior
There are several topics we need to cover for organizational behavior, including: motivation theories, group
dynamics, human resource processes, the implications of different leadership styles, performance, and
organizational theory.

Motivation Theories
Motivation is what drives people to do or accomplish something. People can be motivated to reach for a
long-term goal, such as becoming a Chief Audit Executive (CAE) of a major international corporation, or a
more short-term goal, like becoming certified as an internal auditor (CIA).

Needs-based Theories of Motivation


Motivation is the desire and commitment that a person has to achieve a specific goal. Ideally, management
motivates its employees and subordinates by creating situations and requiring behaviors that will satisfy both
the needs of the organization and the needs of the employees. If the required behavior does not satisfy the
employees’ needs, there will be a lower amount of motivation on the part of the employees.

The level of motivation that people have is determined by the opportunity to satisfy their needs. Therefore,
the things that the organization offers to the employees as motivation should match the benefits that the
organization will receive from the work of those employees. It is the task of the manager to make sure that
the motivators that are available to the employees are those required to achieve the necessary level of
production and motivation.

Maslow’s Hierarchy of Needs


It was in 1943 that the famous psychologist, Abraham Maslow, published his need hierarchy theory of
motivation. His theory was based on the five basic needs that a person strives to fulfill, and until the most
basic needs are met, higher level needs are not important to the individual. As each level of needs becomes
satisfied, the next need up the hierarchy becomes dominant. However, once a person has moved to a higher
level of needs, if a lower-level need becomes deficient again, that person will return to the lower level.

The five levels in Maslow’s hierarchy of needs (from the lowest to the highest) are:

Lower Order Needs

   Physiological Needs: These are the basic requirements of life – water, food and shelter. In
   organizations, this translates to adequate pay, toilet facilities and comfortable working conditions.

   Security and Safety Needs: The freedom from physical or emotional harm – security against the loss
   of a job, medical insurance, savings and an adequate retirement program.

Higher Order Needs

   Social Needs: The need of people to belong to a group and to be accepted by others. Family, friends
   and co-workers usually satisfy this need.

   Esteem: Internal factors that provide esteem, such as self-respect and achievement; and external
   factors such as status and recognition. Job titles, choice offices, bonuses and other rewards can
   meet these needs.

   Self-Actualization: The desire to become everything you are capable of becoming – growing,
   achieving one’s potential and self-fulfillment.


Maslow’s hierarchy of needs was the earliest motivational theory to become popular and is still one of the best
known. But more recent research has shown that people’s need structures are not so invariable and people do
not always move from one level to the next one quite as smoothly as the theory claims.

Furthermore, this need hierarchy is not applicable to all countries and cultures. Different things motivate
people from different countries and cultures.

Question 83: Clear Connections Inc., the largest provider of mental health services in its tri-county area,
was encountering personnel problems. Their 25 residences housed many vulnerable clients, but funding
never seemed adequate to hire quality, live-in staff. A new administrator, Deborah Romano, is
determined to facilitate long-term employment of the best possible care-giving staff. Besides paying better
wages, she feels it is important that the staff be strongly motivated by the work itself. According to
Maslow's need hierarchy, the best employees would have a need for:

a) Esteem

b) Belongingness

c) Self-actualization

d) Safety and security

(CMA Adapted)

McClelland’s Theory of Needs: Achievement, Power, Affiliation


According to David McClelland, a person’s motivation is based upon the need for achievement, power and
affiliation.

Some people have the need for achievement, the need to do things better than they have ever done them
before. They strive for personal achievement. High achievers thrive when a job calls for personal
responsibility, because they seek feedback on their performance so they can determine whether they are improving.
They may find it difficult to delegate. These people frequently go into sales, because they can get immediate
feedback in the form of sales results. High achievers avoid goals that are too easy, but they also avoid goals
that are too difficult. They do better with moderately difficult tasks. High-need achievers are also preoccupied
with their work, and they hate to stop in the middle of a job. These individuals do well as entrepreneurs, but
less well as senior executives, because an executive must be able to delegate and seldom receives immediate
feedback.

The need for power is the desire to be able to control one’s environment. This includes influencing other
people as well as one’s financial, material and information resources. Good managers have a high need for
power. As managers, they also must have a low need for affiliation, because their power may alienate them
from others. And further, managers’ need for power must be combined with self-control so their need for
power will not interfere with effective interpersonal relationships.

The need for affiliation is the need for human companionship and close interpersonal relationships. People
with a high need for affiliation desire approval from others and are concerned about the feelings of others.
They strongly identify with other people and tend to think and act the way they think other people want them
to. People with a high need for affiliation go into jobs that provide them with much interpersonal contact, such
as sales and teaching.


ERG Theory
According to Clayton Alderfer, a Yale psychologist who developed the ERG theory, people’s core needs are
existence (E), relatedness (R) and growth (G).

• Existence needs are those necessary for survival, and they are similar to Maslow’s physiological and
safety needs.

• Relatedness needs are similar to Maslow’s social and external esteem needs. They include the
desire for interpersonal relationships.

• Growth needs include Maslow’s internal need for self-esteem as well as his self-actualization needs.
Alderfer sees this as a need for personal development.

Like Maslow, Alderfer says that satisfaction of lower-order needs leads to the desire to satisfy higher-order
needs.

However, ERG theory differs from Maslow’s approach in that Maslow says only one need is dominant at a
time, but Alderfer claims that more than one kind of need can motivate a person at the same time.
Furthermore, Alderfer says that if a higher-level need is not gratified, the desire to satisfy a lower-level need
increases.

ERG theory also contrasts with Maslow’s hierarchy of needs, because while Maslow assumes a step-like
progression up the hierarchy, ERG theory says a person can be working on growth even though the other
needs for existence and relatedness have not been satisfied.

ERG theory seems to be more adaptable to cultural differences, because people in different cultures rank their
needs differently. ERG theory is widely considered to be a more valid version of the need hierarchy.

Question 84: A manager has a small team of employees, but each individual is self-motivated and could
be termed a “high achiever.” The manager has been given a particularly difficult assignment. Even for a
high achiever, the probability that one individual can complete this job by the required deadline is low.
Select the best course for the audit manager.

a) Assign one individual since high achievers thrive on high risks.

b) Assign two employees to moderate the risk of failure.

c) Assign all employees to ensure the risk of failure is low.

d) Ask company management to cancel the job.

(CIA adapted)

Process-Based Motivational Theories


Process-based motivational theories attempt to explain why employees behave the way they do in order to
help managers develop compensation programs and other rewards in a way that enhances employees’
motivation and performance.

Equity Theory
Equity theory says the amount of motivation employees receive from rewards is affected by their perception
of the equity, or fairness, of the rewards. Employees compare the ratio of what they have received
(outcomes) with what they perceive they have given in effort (inputs), and compare that to similar ratios for
other jobs they have had or to those of other people who work either inside or outside the same organization.
For most employees, their motivation is influenced by relative rewards as much as by absolute rewards.


If an employee perceives inequity, he or she will be motivated to reduce the inequity. This may manifest as
reduced effort on the job or a request for a raise, in order to adjust the ratio of outcomes to inputs. Or the
employee may adjust their perceptions of either their own outcomes or inputs, or of the outcomes or inputs of
the person with whom they are comparing themselves. Alternatively, they may seek additional avenues for
growth and development, or some may even resort to stealing from the employer. Or finally, the employee
may simply look for another position and leave.

Most research on equity theory has focused only on the ratio between pay and worker input. Research has
confirmed the theory, at least where piecework and hourly workers are concerned. Workers who are paid on a
piecework basis who perceive inequity will decrease the quality of their work in order to increase their
outcomes (pay) by producing more units of work. Workers who are paid by the hour who perceive inequity
will decrease the quality and quantity of their work.

Expectancy Theory
Although Victor Vroom (1960s) did not develop the expectancy theory, he is credited with applying the
theory to workplace motivation. The basic premise of the theory is that people’s motivation depends on how
much they want something and how likely they think it is that they will get it. Employees will put in maximum
effort if they expect that their effort will lead to rewards that will satisfy their personal goals.

Expectancy theory says that the objectives need to be clear and there need to be specific criteria for
measuring the employee’s progress toward the objectives. Furthermore, employees need to have confidence
that their efforts will result in a satisfactory reward if their objectives are achieved. Expectancy theory
recognizes that people are different and different things satisfy different people.

Most research has failed to support the general premise of the theory. Critics feel it has limited use because
few people perceive any real relationship between their performance and rewards in their jobs. Instead of
rewarding employees for their performance, most organizations actually reward their employees for seniority,
effort, skill level and job difficulty. However, this could actually be viewed as a confirmation of the theory,
because it explains why so many people perform at low levels in their jobs.

Goal-Setting Theory
In the late 1960s, Edwin Locke proposed goal-setting theory, suggesting that goals tell an employee what
needs to be done and can be a major source of motivation for the employee. The goals need to be specific,
however. A generalized goal such as “do your best” does not work as well. Locke said that specific goals
increase performance, and challenging goals (if accepted by the employee) result in higher performance than
easy goals.

Feedback as to how the employee is doing at reaching the goal is effective. Feedback where the employee can
monitor his or her own progress is the most effective type of feedback.

Four other factors make a difference in the effect that goals have on performance:

1) How much the employee is committed to the goal and determined not to abandon it.

2) How much the employee believes in his or her own ability to meet the goal (self-efficacy).

3) Whether the goal is achievable (simple and well-known tasks have a more positive effect than
difficult tasks) and independent (rather than a group goal because independent goals have a more
positive effect).

4) The culture and the country (people in different countries respond differently to goals).

Although goals can be a potent motivating force and lead to higher performance, the goal-setting theory has
not proved to create increased job satisfaction among employees.


Reinforcement Theory
The premise of reinforcement theory is that reinforcement, or consequences, control people’s behavior.
Consequences are the actions that occur after a behavior takes place. They take the form of positive
reinforcement (rewards), negative reinforcement (the removal of an unpleasant condition as a reward),
extinction (ignoring a bad behavior) and punishment.

Reinforcement theory disregards any internal motivation but says the only thing that affects what people will
do tomorrow is the external reinforcer(s) that they experienced after their actions today. Reinforcement
theory ignores all the feelings, expectations, needs, attitudes and all the other things that are known to affect
behavior.

Positive reinforcement is most effective when the rewards are given according to a variable schedule (this
means that the reward is not given every time that the behavior occurs, but only after some of the
occurrences) and are connected to the behavior that is being encouraged. Reinforcement can have a potent
influence on behavior; however, it is not the only influence.

Intrinsic Motivation and “Flow”


When a person is deeply involved in a specific activity, and highly focused on the process, something can
occur that motivation researchers call the flow experience. Key to the flow experience is that it is not related
to the goal. Flow is a feeling of timelessness, and it comes from the process of the activity itself, not from
trying to reach any goal. When the task is completed and the person looks back on it, he or she experiences
great satisfaction.

Characteristics common to flow experiences are: a task that is challenging, requiring much skill; a task that
requires total concentration and creativity; and a task that is so consuming that the person has no thought
for anything else.

Ken Thomas developed a motivational model that extends the flow concept and relates it to intrinsic
motivation. He describes intrinsically motivated employees as those who care deeply about their work, are
always looking for ways to do it better, and are fulfilled by it. The rewards the employee receives from
intrinsic motivation come from the work itself, not external factors such as raises, praise or other rewards.

Thomas suggests that intrinsic motivation is the factor in people’s experiencing feelings of choice,
competence, meaningfulness and progress in their work. These components are all interrelated with the flow
experience.

However, Thomas’s studies were all done with professional and managerial employees. It is unclear whether
lower-level employees would have the same reactions.

Other Motivational Theories

Theory X and Theory Y


Douglas McGregor formulated a theory of two approaches that he believed typified managers’ views of
human nature in general.

In his book The Human Side of Enterprise, McGregor identified two different perspectives, and said all
managers fall into one or the other classification. In his theory, every manager subscribes either to Theory X
or to Theory Y, and the classification is determined by how the manager relates to subordinates. Theory X
assumes a negative view of human behavior, while Theory Y assumes a positive view.

According to McGregor, the Theory X manager assumes that people don’t like to work and seek to avoid it,
and they therefore must be coerced and threatened with punishment to get them to work. The Theory X
manager assumes that employees have little ambition and desire formal direction because they want to avoid
responsibility, and their overriding goal is security.


On the other hand, according to McGregor, the Theory Y manager assumes that people see work as a
natural part of their lives. This manager believes people can seek and accept responsibility, and are internally
motivated to strive for objectives and commitments. Furthermore, employees are perceived as bright and
innovative in solving organizational problems.

Viewing McGregor’s Theory X and Theory Y in the framework of Maslow’s hierarchy of needs, Theory X
assumes that workers are dominated by the lower-level physiological and safety needs, while Theory Y
assumes that the higher-order social, esteem, and self-actualization needs dominate. McGregor favored the
Theory Y position and proposed ideas such as participative decision-making and responsible, challenging job
assignments to improve employee motivation.

We know that people react differently to different things and look for different things from their work, so the
correct management style is largely dependent upon the company’s unique situation and the individuals who
work for it. Even the most dedicated Theory Y managers may need to be Theory X managers at times with
certain employees.

Theory Z
William G. Ouchi developed another theory called Theory Z. Ouchi analyzed organizational cultures of three
types of firms: typical U.S. firms, typical Japanese firms, and U.S. Type Z firms. Ouchi found the following:

• The cultures of typical Japanese firms and U.S. Type Z firms had similarities and they were both very
different from typical U.S. firms.

• Typical Japanese and U.S. Type Z firms try to keep their employees and lay them off only as a last
resort. Typical U.S. firms do not have the same commitment to their people and will let their
managers and employees go if there is a downturn, change of ownership, or merger.

• In Japanese and U.S. Type Z companies, promotion is relatively slow, because evaluation of
managers and employees is thought to take a very long time and require qualitative as well as quantitative
information. In typical U.S. firms, evaluation is done quickly and emphasizes quantitative measures,
which encourages short-term thinking on the part of managers and employees.

• Career paths in Japanese and U.S. Type Z firms are broad, spanning varied functions. Thus, people
are more like generalists. Career paths in typical U.S. firms are narrower because of the value placed
on specialization.

• Control in Japanese and U.S. Type Z firms is exercised through informal mechanisms such as an
organization’s culture, which is based on shared norms and values. Typical U.S. firms exert control
through job descriptions, delegation of authority, and policies and procedures.

• In Japanese and Type Z firms, much decision-making takes place in groups, whereas in typical U.S.
firms, individuals make the decisions.

• Japanese and Type Z firms have a concern for the personal lives of their workers and managers,
whereas in typical U.S. firms, concern for the people focuses only on the workplace.

• On the subject of group versus individual responsibility, U.S. Type Z firms were more like typical U.S.
firms. In both types, individuals take responsibility. However, in Japanese firms, the group as a whole
is responsible for decisions that the group makes.

Ouchi found that the Japanese and U.S. Type Z firms outperformed typical U.S. firms, and he argued it was
due to the differences in their cultures.


Question 85: As a manager, you should be striving for a high level of job satisfaction for your staff for all
the following reasons except:

a) A happy, satisfied worker is always a more productive worker.

b) High job satisfaction usually results in lower turnover.

c) Dissatisfied employees are often less healthy.

d) Many people feel job satisfaction is as important as remuneration.

(CIA adapted)

Question 86: Which of the following is not an example of positive reinforcement of behavior?

a) Paying a bonus to employees who had no absences for any four-week period.

b) Giving written warnings after only every other absence.

c) Assigning a mentor to each employee.

d) Having a lottery every month where 10% of the employees with no absences receive a $200 bonus.

(CIA adapted)

Question 87: When supervising employees, the behavior most likely to attain long-term positive results
for a manager would be to:

a) Discipline employees immediately for undesirable behaviors, using oral reprimands, written
warnings and temporary suspensions.

b) Hold weekly meetings during which employees are reminded of work procedures and are praised for
the week's accomplishments.

c) Praise employees on a random schedule and link rewards to performance.

d) Tell employees that working overtime now will result in a better performance review in 6 months.

(CIA adapted)

Impact of Job Design


Job design refers to the way an organization defines and structures jobs. Job design is important, because
the way jobs are designed impacts employee motivation, performance and job satisfaction.

Job specialization was responsible for the gains in productivity that were achieved when assembly-line
manufacturing was developed. Highly specialized jobs can result in high productivity. However, jobs that are
too highly specialized can create worker boredom and other dissatisfactions because of their extreme
monotony.

Job rotation was an early means devised to deal with worker dissatisfaction with production work that was
too specialized. Workers were systematically moved from one job to another (cross-training) in order to
lessen the boredom and keep them interested and motivated. With job rotation, there was no change in the
tasks that were to be completed by any one person in any one specific job. However, workers were
systematically rotated among the various jobs. Rotation proved to have an advantage in that the workers
each had more job skills, enabling increased flexibility in work assignments. However, job rotation did not
solve the basic problem of job boredom. Instead of working on just one boring job, the workers were working
on several boring jobs. In addition, some of the efficiencies resulting from specialization were lost. Job
rotation is now used mainly for its benefits in having a more highly trained workforce but not for motivating
workers.

Job enlargement was another method developed to decrease the specialization in hopes of increasing job
satisfaction. Job enlargement involves expanding a job’s responsibilities horizontally. Instead of attaching one
piece to the item being manufactured, each employee was charged with doing a “larger” job, perhaps
attaching four pieces. The expectation was that boredom would be decreased, because each job entailed
more different, specific tasks. However, experiments with job enlargement have also been disappointing. As
long as all the tasks were simple and easy to master, simply doing more of them did very little to decrease
the monotony.

Job enrichment developed as an alternative to job rotation and job enlargement. Job enrichment is based
on Frederick Herzberg’s theory of motivation called the Dual-Structure Theory, or Two-Factor Theory.

During the late 1950s and early 1960s, Herzberg interviewed several accountants and engineers to find out
what made them feel satisfied and motivated by their jobs versus what made them feel dissatisfied and
unmotivated. Based on his interviews, Herzberg proposed that there are certain factors that can make a
person feel dissatisfied, such as low pay; but when those same factors are improved, the most that can be
said is that the person no longer feels dissatisfied. Improved pay did not move a person all the way from
dissatisfaction to satisfaction. Different factors such as achievement and recognition were required for the
person to feel satisfied.

Thus, Herzberg developed his Dual-Structure Theory. He suggested that salary, job security, relationship with
supervisors and working conditions, if inadequate, lead to job dissatisfaction. These “dissatisfiers” Herzberg
called hygiene factors. On the other hand, factors such as achievement and recognition, if present, lead to
job satisfaction. When they are not adequate, their absence can lead to feelings of no satisfaction but not
necessarily to dissatisfaction. These “satisfiers” Herzberg called motivation factors.

Herzberg developed what he called job enrichment as a technique for structuring jobs to make use of his
concepts. Job enrichment attempts to create motivation in employees not only by adding more tasks to their
jobs, but also by giving them more control over those tasks, allowing them to make more decisions as well as
do more tasks.

Many companies have used job enrichment, sometimes with positive results, and sometimes with less than
positive results. Some of the criticisms have paralleled criticism of Herzberg’s dual-structure theory. They
include criticisms of the method used by Herzberg in his research, because other studies using different
methods have gotten very different results. Other criticisms are that Herzberg’s use of accountants and
engineers in his study did not create a very representative sample of the population, and that his theory does
not take into consideration individual differences caused by factors such as age.

Question 88: If you were designing a new position in an organization, which of the following design
techniques would you use to increase the motivation of the person filling the position by adding
responsibility and authority?

a) Job enlargement

b) Job rotation

c) Job enrichment

d) Job significance

(CIA adapted)


Question 89: Frederick Herzberg postulated a two-factor theory of human behavior that included satisfiers
and dissatisfiers. Which of the following is a dissatisfier?

a) Promotion to another position

b) Salary

c) Challenging work

d) Responsibility

(CIA adapted)

Group Dynamics
A group is defined as several individuals who come together to accomplish a specific task or goal. Group
dynamics is the study of the nature of these groups within the organization, which has come to be an
important area of study because the interaction of these groups within the organization goes a long way
toward explaining the organization’s apparent success or failure.

Traits of Group Dynamics


Generally, there are two types of groups: formal and informal groups.

Formal Groups
Formal groups have the sanction of the organization. This means that these groups (i.e., committee, quality
circle, or task force) have legitimate power within the organization and are formed to help the organization
accomplish a goal or task. Formal groups contribute to the success of the organization.

One of the characteristics of a formal group is that there is an explicitly designated leader of the group
who has the authority and responsibility to direct the other members of the group. The leader of the group
operates according to the hierarchical principle of the organization; power flows downward from the top.

Informal Groups
Informal groups differ from formal groups in that they arise within an organization based on some other
reason than on the presumption of achieving some specific goal or task. Often these groups come about in a
spontaneous manner and may be created around a workplace issue (interest group) or an activity outside the
workplace (friendship group).

The leader of an informal group is not designated but emerges because of some personal characteristic that
the person possesses. It might be because the person is the most knowledgeable, or the most outspoken, or
for some other reason.

Characteristics of informal groups are:

• They arise as a result of the proximity, personality, and needs of the individuals.

• Virtually all employees (including managers) belong to some kind of informal group.

• They are often small and complex. People tend to be more satisfied in smaller groups.

• Most members tend to conform to group pressures.


Even though informal groups are not officially sanctioned by organizations, they do provide some benefit to
the organization. These benefits may include:

• Reducing tension and stress in the workplace.

• Providing another channel of communication via the grapevine. A grapevine is an informal means of
communication that is found in all organizations.

• Enhancing employee feelings about the workplace.

• Improving coordination and reducing required supervision.

• Aiding in training, perpetuating cultural values, and providing social satisfaction on and off the job.

But these informal groups may also cause problems for the organization, such as:

• Resisting change, becoming protective of the status quo.

• Pressuring other group members into accepting something that may go against company objectives.

• Spreading rumors or distorting information.

• Causing conflict in the formal organization.

• Forming subgroups that may cause problems with group cohesiveness.

• Developing dominant members.

Attraction to Groups
The degree to which members of the group desire to remain in the group(s) will depend on the attractiveness
and cohesiveness of the group(s).

• Attractiveness: an attractive group is one that is viewed favorably from the outside.

• Cohesiveness: a cohesive group is one in which the members adhere to the group norms and resist
outside pressure.

A group is considered to be attractive and cohesive when it has the ability to recruit and maintain its
membership.

Elements that increase the group’s attractiveness and cohesiveness are:

• Prestige and good social standing.

• Cooperation among the members.


• Substantial member interactivity.
• Smaller in size.
• Similarity of the members.
• Good public image.
• Common external threats.

On the other hand, elements that diminish the group’s attractiveness and cohesiveness are:

• Objectionable demands on its members.


• Disagreement among members about the group’s activities and procedures.
• Bad experiences of the group members.
• Conflict between the demands of the group and those of other groups.
• Bad public image.
• The possibility of joining other groups.


Roles and Norms


Roles and norms are important concepts of group dynamics theory and are the social building blocks for
groups and organizational behavior.

Roles
Roles are the expectations regarding behavior of a group member in specific positions. Roles will determine
what a person must, must not, or may do in a position. In discussion about roles, you need to keep in mind
that the role a person is expected to play or assume will depend on the situation, but people in the same
position should behave similarly.

Role conflict can occur when there is inconsistency between the perceived role and role behavior. For
example, a conflict arises when an individual must handle conflicting demands from different sources while
performing the tasks associated with the same role.

When conflict exists within an organization, individuals have a(n)

• Increased tendency to leave the organization.

• Decreased commitment.

• Decreased involvement in the job.

• Decreased job satisfaction.

• Decreased participation in decision-making.

Norms
Norms tend to be more generalized than roles. Norms are the standards (degrees of acceptability or
unacceptability) for conduct that help individuals judge what is good or bad in a given social setting. Norms
are culturally derived and vary from one culture to another. In addition, norms are usually unwritten, yet
have a strong influence on individual behavior. Norms go above and beyond formal rules and written policies.

Norms function in order to:

• Facilitate group survival.

• Make behavior more predictable.

• Avoid embarrassing situations.

• Express the values of the group.

In order for behavior to be accepted, a majority of the group must support the norms. However, there could
be instances where members might violate group norms. If a majority of the members do not adhere to the
norms, then these norms will eventually change and will no longer serve as a standard for evaluating
behavior. But, members who do not conform to the norms are punished by being excluded, ignored, or
possibly ostracized from the group. Ostracism is the ultimate sanction by the group as the group
terminates all contact with that person.

Conformity and Groupthink


Conformity is another important element of group dynamics. Robert Kreitner, in his book Management,
defines conformity as “complying with the role expectations and norms perceived by the majority to be
appropriate in a particular situation.” The majority can influence members either through subconscious
processes or through overt peer pressures on individuals. Other factors that can influence the level of
conformity include group size, unanimity, cohesion, status, prior commitment and public opinion.

There are both benefits and costs to conformity. The primary benefit is that it provides some basis for
predicting behavior, or for standardization in the performance of assigned tasks.


On the other hand, the cost of conformity is that, in extreme cases, it can lead to tolerating illegal or unethical
conduct. For example, failure to question unscrupulous business practices (e.g., Enron, WorldCom, Tyco)
led to many people in the US losing their jobs and/or pensions.

Groupthink is a concept identified by Irving Janis that refers to:

A mode of thinking (blind conformity) that people engage in when they are deeply involved in a
cohesive in-group, when the members’ strivings for unanimity override their motivation to realistically
appraise alternative courses of action.

The actions of groupthink can lead to faulty decision-making in the group.

Some of the symptoms of groupthink are:

• Excessive optimism.
• Unquestioned belief in the inherent morality of the group.
• Collective rationalization of group’s decisions.
• Shared stereotypes of those outside the group, particularly opponents.
• Self-censorship where members withhold criticism.
• Illusion of unanimity.
• Intolerance to dissent.
• Self-appointed “mindguards” protect the group from negative information.

Some ways that groupthink can be prevented are:

• Avoid using groups as rubberstamps for decisions already made by senior management.
• Urge group members to think independently.
• Bring in outside experts, and invite the group to meet off-site so that changes in settings and
surroundings are a stimulant.
• Consider the ramifications of different actions (devil’s advocate).
• Take time to consider possible effects and consequences of alternative courses of action.

Question 90: Which of the following can be a limiting factor associated with group decision-making?

a) Groups generally do not analyze problems in enough depth.

b) It is very difficult to get individuals to accept decisions made by groups.

c) Groups have a difficult time identifying the important components of decision-making.

d) Accountability is dispersed when groups make decisions.

(IIA adapted)

Question 91: Under “groupthink”

a) There is a tendency to conform to the majority’s will and to ignore relevant individual input that is
at variance with group opinion.

b) The group is not required to reach consensus.

c) The extent of groupthink is proportional to the size of the group.

d) There are too many alternatives to facilitate decision-making.

(IIA adapted)


Question 92: An audit manager allowed a work group to make a decision about whether to adopt a new
work procedure. In allowing the group to make the decision, the manager should be aware that groups
tend to make

a) Very conservative decisions and do not want to assume risk.

b) Faster decisions than do individuals because groups have more expertise than any one person.

c) Decisions that are less accurate than those made by individuals.

d) Riskier decisions than individuals, and individual responsibility for the group’s decision is lessened.

(IIA adapted)

Stages of Group Development


Most groups exhibit similar stages of development. It would be very easy to say that all management has to
do is define a problem or a goal, or assign members, and the group is created. This would be too simplistic.
Groups have to go through stages, similar to those of any life cycle situation (e.g., human, organization,
products). In the beginning, there may be uncertainty about the group’s objectives and the roles of the
members, but with time, the group should start to develop understanding, trust and commitment among its
members.

As expected, the end of the group development stage is referred to as the mature group. This group is the
most effective and productive of the stages.

According to L.N. Jewell and H.J. Reitz, the characteristics of a mature group are:

• Members are aware of each other’s assets and liabilities.

• Individual differences are accepted.

• The group’s authority and interpersonal relationships are accepted.

• Group decisions are made through rational discussion with no attempt to force unanimity.

• Conflict is over substantive issues, not emotional issues.

• Members are aware of their roles in the group’s processes.

There have been several models describing the stages of group development, but we will discuss the theory
developed by Jewell and Reitz. They described six stages of group development:

1) Orientation stage. This is the least effective, mature and efficient stage. Uncertainty about most
everything is high.

2) Conflict and change stage. In this stage, subgroups struggle for control, and often, roles are
undefined. If these conflicts cannot be resolved, this might be the final stage.

3) Cohesion stage. During this stage, a consensus on leadership, structure, and procedures is
reached.

4) Delusion stage. During this stage, the members might gain a false sense that all issues have been
resolved and that the group has reached maturity.

5) Disillusion stage. This stage is marked by a decrease in the group’s cohesiveness and
commitment. Members start to realize that their expectations are not being met.

6) Acceptance stage. Groups that start to evolve into this stage tend to be more effective and
efficient. In some cases, a trusted and influential group member steps forward and moves the group
from conflict to cohesion, making the group more effective and efficient.


Question 93: According to Jewell and Reitz, a mature group would have all of the following characteristics
except:

a) Individual differences are accepted.

b) Group decisions are made through rational discussion with no attempt to force unanimity.

c) Conflict over emotional issues.

d) Members are aware of their roles in the group’s processes.

(HOCK)

Organizational Politics
Andrew Dubrin defined organizational politics as “the pursuit of self-interest at work in the face of real or
imagined opposition.” The emphasis on self-interest is what distinguishes this form from social influence.
Similar to organizational politics is impression management, which is “the process by which people attempt
to control or manipulate the reactions of others to images of themselves or their ideas.” Both organizational
politics and impression management try to get others to see us in a certain manner.

Politics is a fact of life in organizations, so managers have to accept that power relations exist and are a part of
organizational life. The function of the manager is to find a workable balance between the employees’ self-
interest and the organization’s interest. If balance can be found, then the pursuit of self-interest may serve
the organization’s interest. On the other hand, if balance is not found, then this self-interest can erode or
defeat the organization’s interest.

An example of organizational politics (politicking) is when employees intentionally filter or distort information
flowing up to top management, thereby putting themselves in the best possible light.

Organizational culture plays a big part in determining the amount of politicking that occurs in the organization.
The effects of politicking can:

• Hinder organizational and individual effectiveness.

• Be an irritant to employees.

• Have significant ethical implications.

Research found the following perceptions of politicking are widely held:

• The higher the level of management, the greater the amount of politics.

• The larger the organization, the greater the politics.

• Staff personnel tend to be more political than line personnel.

• Marketing people tend to be the most political. Production people are considered the least political.

• Politics is believed to help advance one’s career.

• Politics may harm the organization by distracting from organizational goals.

Anyone who has worked in an organization understands what blatant politicking is. Dubrin identified six
common political tactics. These include:

1) Posturing is when an employee tries to make a good impression by staying one step ahead of the
competition (one-upmanship) or taking credit for others’ work.

2) Empire building is gaining control over human and material resources.

3) Making the boss look good is an attempt to get recognized by the manager and by those who
control the manager’s career path.

4) Collecting and using social IOUs is exchanging reciprocal political favors by making someone look
good or covering up their mistake.

5) Creating power and loyalty cliques is based on the belief that it is better to face superiors as a
cohesive group rather than as an individual.

6) Engaging in destructive competition is where an individual will sabotage the work of others
through character assassination.

Top management knows that it cannot eliminate politicking, but it should try to manage it to keep it
constructive and within reasonable bounds. To manage organizational politicking, Dubrin suggested the
following:

• Strive for a climate of openness and trust.

• Measure results based on performance rather than personality.

• Encourage top management to abstain from politicking.

• Strive to integrate individual and organizational goals through meaningful work and career planning.

• Practice job rotation to encourage broader perspectives and understanding others’ problems.

Question 94: In which situations would organizational politics most likely have a significant impact?

a) When space allocations are made according to objective criteria.

b) When the budget allows for generous salary increases for all employees.

c) When promotions are based on an employee’s attitude.

d) When performance outcomes are clearly stated and objective.

(IIA adapted)

Human Resource Processes


Employees are a valuable company asset; therefore, every company needs a process to ensure that
employees are properly recruited, hired, supervised, and evaluated. Once the employee is hired, the company
must have policies to retain and motivate these new workers.

Human Resource Planning


Human resource planning involves the following:

• Forecasting future human resource requirements.

• Developing charts showing planned succession of personnel for all levels in the organization.

• Preparing an inventory of the skills and abilities needed by people in order to move within the organization.

• Matching individuals with the organization’s needs.

• Developing plans, assessing needs, and implementing plans so that the organization can meet its
objectives.

A human resource plan needs to be flexible enough to meet short-term staffing needs, while at the same
time being able to adapt to changing conditions in the business and environment over the longer term.
In other words, human resource planning is a never-ending, continuous process.

Employee Recruitment
For new positions, employees can be recruited either from within the organization, or from outside the
organization.

If the employee is to be recruited from within, there are several ways this can be done.

• Job posting – This is where the job is posted within the company and employees have an opportunity
to apply. Job postings are usually posted in an area that has a lot of traffic, such as the
cafeteria, or posted in some kind of company publication (e.g. newsletter). It is also possible that
employees may refer someone else for the position, such as a friend, colleague, etc.

• Review of database – Organizations generally have a database of the skills and qualifications of their
employees. It is possible that this database could reveal a highly qualified employee who is well suited
for the position.

If the employee is recruited from outside, the most common methods to recruit are:

• Advertising – This is probably the most common, but can be costly.

• Use of employment agencies – There are both public and private employment agencies.

• Referrals from current employees – As mentioned above, current employees may refer someone
else for the position, such as a friend, relative, colleague, etc.

• Other organizations – These might include colleges, universities, and professional organizations.

• Other – Might include Internet job references/resume services, temporary job agencies, etc.

Both inside and outside recruiting have advantages and disadvantages. Promoting from within can have a
positive motivational effect on the employees, is generally less expensive, and it is usually easier to identify
proven performers.

On the other hand, the main reason for recruiting outside is that an external candidate could bring new ideas
to the organization and may have more up-to-date training or education.

Employee Selection
The goal of employee selection is to match the abilities and experience of an individual with the requirements
of the job.

Job Analysis
The first step in the process of employee selection is to perform job analysis. Job analysis includes assessing
the requirements for the job, determining how the job relates to other jobs, and determining what
knowledge, abilities and experience are necessary for someone to be able to perform the job effectively.

There are several ways in which this information can be obtained:

• By observing employees working, either by watching them in person or reviewing videos of them
working on the job,

• By interviewing selected incumbents of the job and combining the results of the interviews into the
job analysis,

• By asking incumbents to log their activities each day, recording the amount of time spent on each
activity, and

• By having incumbents complete questionnaires, selecting items from a list of possible tasks that they
perform in their jobs.

Information gathered by means of one or more of these methods is then used to develop a job description.
The job description is a formal, written statement of what a person in this position does, and how and why it
is done. The job description gives content to the job, its environment, and the conditions of employment.

A job specification is also developed by means of the job analysis. The job specification states the minimum
acceptable qualifications that an employee in that position must possess to perform the job successfully. It
identifies the education, knowledge, abilities and experience requirements.

Note: Job descriptions identify characteristics of the job itself. Job specifications identify characteristics
of the successful job incumbent.

The job description and job specification are used to guide the selection process. The job description can
be used to describe the job to candidates, and the job specification focuses those who are doing the selection
on the qualifications to look for in candidates.

Selection Devices
Devices used in employee selection have the goal of obtaining information about the job applicant in order to
determine whether a candidate’s skills, knowledge, abilities and experience fit the requirements for the job.

Interviews are most useful for assessing an applicant’s applied mental skills, interpersonal skills and
personal characteristics, such as conscientiousness. If these qualities are related to job performance, as they
are for an executive position, an interview is a valid selection device. For other types of positions, interviews
are less helpful, but that has not prevented the interview from becoming very widely used. However, the fact
is that interviews generally lead the interviewer to select the person who has the most polished job-seeking
techniques, even though that person may not be the best candidate for the position.

An interview may also be used to assess whether an applicant would fit into the organization’s culture, in
addition to seeking information on the candidate’s job-specific qualifications.

Sawyer’s Internal Auditing (5th edition, pp. 883-884) lays out some of the questions that would be
appropriate to ask experienced and inexperienced internal auditing candidates.

Appropriate questions to ask experienced candidates:

• What were some of the assignments you carried out?

• How did you approach them?

• What kind of reports did you write?

• How have you kept up with your education?

• Why do you want to make a change?

• What do you like about internal auditing?

• What don’t you like about it?

• What kinds of assignments do you like best?

• What are your hobbies?

• What are your personal goals?

Appropriate questions to ask inexperienced candidates:

• What kinds of assignments would you like best?

• Why do you think you’d like this position?

• How did you hear about this position?

• What are your outside interests?

• What are your personal goals?

Written tests may be used to test intelligence, aptitude, ability, interest and integrity. Ability tests have
proved to be helpful in predicting good employees for semi-skilled and unskilled jobs. When cognitive ability is
required, intelligence tests are good predictors. Integrity tests are also used to evaluate traits such as
honesty, dependability and conscientiousness.

Performance-simulation tests are ways of finding out whether an applicant can do a job successfully by
having the person perform the job in a simulated environment.

Work sampling tests are hands-on simulations. Work sampling tests are well suited to routine jobs, such as
assembly-line jobs. Some companies have a simulated assembly line that they have their candidates work on.

Assessment centers are used for testing of managerial personnel. In assessment centers, candidates go
through several exercises simulating real problems they could face in the position. Executives, supervisors
and psychologists evaluate the candidates’ performance. Assessment centers have been very effective at
predicting job performance in managerial positions.

If testing is done, the same test must be given to all applicants for a position and must have no racial,
religious, gender or national origin bias.

Other Means of Staffing


Flexible staffing, or the use of temporary or part-time employees, gives the company flexibility to
adjust to rapidly changing market conditions and needs. Temporary employees include those who are hired
on a “temp-to-perm” basis, which enables the employer to bring employees into the organization and employ
them as temporary employees for a period of time with the understanding that, if they perform satisfactorily,
they will be offered a permanent position.

For other employers, a significant part of the workforce is made up of “long-term temporary” employees who
may never be offered regular full-time employee status. The advantage to this arrangement for an employer
is the ability to end the arrangement at any time without having any repercussions such as increased
unemployment taxes. Also, such workers may be paid a lower salary and do not receive the full package of
benefits. The downside of temporary and part-time workers is that they have less loyalty to the company, and
the company receives less long-term benefits from training provided to them.

Professional Employer Organizations (PEOs) provide employee leasing services to companies who
contract to use their services. A PEO serves as the actual employer of record for all the company’s employees,
both managerial and staff.

The PEO writes the paychecks to pay the employees, provides all of the employee benefits, and pays all the
employer’s payroll taxes for employees who work on site at the contracting company. The contracting
company makes the hiring decisions and supervises the employees, just as if the employees were their own
employees. However, instead of paying salaries and providing benefits to the employees, the contracting
company pays the PEO for all the costs, plus the PEO’s fee.

The primary market served by PEOs is that of smaller employers, who may not have the in-house expertise to
manage the human resources function. The PEO serves as the company’s human resources department,
ensuring that all labor laws and other regulations are followed. Unlike temporary employees, employees who
are leased under a contract with a PEO are regular employees, although they are employees of the PEO, not
of the contracting company.

However, the services of a PEO can be quite expensive. In some cases, an employer will find that they could
form and staff a small human resources department for the fee that a PEO would charge.

New Employee Orientation


After new employees are hired, they must be provided with an orientation to the company. This is when and
where they receive official information about the overall objectives of the organization, the organizational
chart, benefits and the policies and procedures of the company.

Employee Training
In addition to an orientation, an employee will need initial and ongoing training. Training is how the
organization prepares its staff to accomplish the tasks set before them. Ongoing training is important because
technology is always changing, the organization’s needs are always changing, and their employees’ skills can
quickly become obsolete.

Training methods are classified as formal/informal and on-the-job/off-the-job. The majority of training is
informal, and consists of employees helping each other learn the job.

On-the-job training may involve apprenticeships, understudy arrangements, formal mentoring, and job
rotation. To avoid disruption in the workplace caused by these training programs, however, many organizations
pay for off-the-job training for their employees. Off-the-job training consists of classroom lectures,
seminars, and self-study and Internet courses.

Training courses may involve leadership or interpersonal relations courses, training in the use of equipment or
software programs, business ethics, problem-solving skills and other related skills. As the use of teams
expands, team members need increased knowledge regarding how the organization operates, and training
can provide that. In addition, organizations are increasingly finding that they need to provide basic literacy
and math training to their employees.

Large companies have formal training departments. A smaller company that contracts with a PEO will have
access to ongoing training opportunities for its leased employees through the PEO. There are also multiple
training companies available that will offer programs to companies and their employees, either on-site or off-
site.

Career Development
Organizations increasingly regard employee development as an obligation to help employees maintain their
marketability through learning opportunities. They accomplish this by:

• Communicating the organization’s goals and long-term strategies. If employees understand the
organization’s plans, they are better able to develop their own personal plan to be a part of that
long-term strategy,

• Creating growth opportunities by means of professionally challenging experiences,

• Offering tuition reimbursement to help employees keep their knowledge up to date, and

• Providing time off for learning experiences.

Employees have a responsibility to manage their own careers, as well. It is important to keep skills and
knowledge up-to-date and remain flexible.

Note: Employee development is not undertaken to provide lifetime employment at the company or regular
promotions to employees in this company.

Performance Evaluation
The employee evaluation process is an important part of the manager’s job, and these evaluations are
important to the manager, the employee and the employer. When performed properly, the evaluation process
is an instrument that promotes the growth of a person. The documentation of an evaluation must be
complete, accurate and consistent, and it is important that employees be given notice of evaluations and also
an opportunity to discuss them with the person who has done the evaluation, and to respond.

Management uses performance evaluations, as well, for human resource decisions such as merit pay
increases, promotions, transfers and terminations. New employees who are performing poorly can be
identified. Performance evaluations can be used to identify training and development needs because they can
identify inadequate job skills that might be improved. If an employee participates in a training or development
program, the effectiveness of that program can be measured from that employee’s performance
evaluation. Evaluations also provide feedback to employees, so that they can understand how superiors view
their performance. The evaluation process should be used to help employees direct their activities towards
efforts that will help the organization and aid their personal growth.

In the expectancy theory of motivation, people need to believe that if they exert effort, it will lead to a
favorable performance evaluation that will result in a reward, such as a merit increase. Using the expectancy
theory, we would say that for employees to be motivated, they need clear objectives with specific criteria for
measuring their progress toward the objectives. Furthermore, the employees must have confidence that their
efforts will result in a satisfactory reward once their objectives have been achieved. If these conditions are
met, employees will perform well. If they are not met, employees will likely perform below their potential.

Criteria Used in Performance Evaluations


The design of the system itself may be poor if the criteria for evaluation are poor, inappropriate or at variance
with the goals of the organization. An effective performance appraisal system needs to evaluate the right
things. Employees will put their efforts into whatever they are being evaluated on, so the criteria selected for
evaluation need to be task outcomes, not means.

The different approaches to performance evaluation are:

• Behavior-oriented – Some jobs do not really offer the opportunity to achieve outcomes. This could
be the case where an employee is in a support position or for a person whose efforts are part of a
group effort. These employees can be evaluated on their behaviors, such as meeting deadlines, helping
other employees, or volunteering for extra work. These are subjective factors, but if they
contribute to the overall goals of the organization, they are appropriate criteria.

• Trait-oriented – Some organizations evaluate their employees according to their traits, or characteristics,
even though this is not the only, or even the best, criterion for hiring employees. Examples of
traits that are often used are: “good attitude,” “self-confidence” or “dependability.”

• Goal-oriented – This approach measures how the employee attains the objectives and goals set by
management.

• Employee-oriented – The employee-oriented approach would focus on who did the job.

Who Should Evaluate an Employee?


An employee’s supervisor may not be the only one who can, or should, complete the employee’s performance
evaluation. Peer evaluations are a very reliable source of appraisal information. Peers know what is really
going on because they are close to the action. Their daily interactions with the employee provide them with a
good look at the employee’s performance. In the case of a team evaluation, peer evaluations result in
multiple independent judgments. On the negative side, peer evaluations can be affected by co-workers’
unwillingness to evaluate the employee honestly.

Sometimes an employee is asked to evaluate his or her own performance. Self-evaluation tends to decrease
an employee’s defensive attitude toward a performance appraisal, although it usually results in an inflated
appraisal. For that reason, self-evaluations are better suited for developmental purposes than for evaluative
purposes.

Another source for an evaluation of an employee’s performance is his or her subordinates. Subordinates can
provide accurate information about a manager’s behavior, because they see it all the time. The downside of
this is that the subordinates may have a fear of reprisal from a boss who has been given an unfavorable
evaluation.

The most recent approach to performance evaluation is called a 360-degree evaluation. This type of
evaluation asks for feedback from all the people the employee may interact with during a day’s (or longer)
time. Most organizations collect 5 to 10 appraisals per employee to be evaluated. This type of appraisal works
well in organizations that have teams with high employee involvement.

Potential Problems in the Evaluation Itself


There are also a number of potential problems in the evaluation itself. These are outlined below:

• The halo effect occurs when the manager draws an evaluation of a person on the basis of one
characteristic, such as personality or communication skills. If an employee is very competent but is
not strong on the one trait the manager values, that manager would not evaluate that employee
very highly. Alternatively, an employee who is highly skilled in that one area would be evaluated
highly, even though he or she might actually not be performing the job very well.

• A central tendency error occurs when the manager rates all employees about the same.

• If the evaluator allows the employee’s most recent performance to outweigh the overall performance
over the whole period to be evaluated, this creates the recency effect.

• Employee evaluations are not equitable across an organization if some managers apply different
(lower or higher) standards to their employees than other managers apply to their employees. Differing
standards among managers may become a problem when employees are unfairly rated
lower or higher simply because the evaluator has standards that differ vastly from those of other
evaluators in the same organization.

• Rater bias is the process of evaluating a person’s on-the-job performance according to how much
the manager likes the person.

• Contrast error can creep in if the evaluator allows the employee’s evaluation to be influenced by
evaluations done recently for other employees. Another employee’s evaluation may be a “tough act
to follow,” resulting in a lower evaluation than is deserved, or vice-versa.

• If a manager judges all the people he or she evaluates on the basis of their traits on a scale from
“most” to “least,” it can lead to a forced normal distribution. This is where the manager puts
most of the people in the middle of the scale and a few at the extremes. When this occurs, the employees
are not being fairly evaluated on the basis of their individual performances but rather in
comparison with the others, and forced into a “normal distribution.” This is like grading on a curve.

Compensation and Benefits


Employee compensation is a very important aspect of the decision a prospective employee makes, and of the
decision current employees make about whether to stay with the organization they are working for. It is
important to remember that compensation may take many forms other than money. It may take the form of
time off, benefits, insurance, stock, pensions or other forms of non-monetary compensation.

It is important that employee compensation is in line with market rates in the area so that employees will feel
fairly compensated.

The primary forms of compensation are:

• Base pay. Base pay can be tied to performance evaluation, so that merit increases reflect good
performance.
• Incentive pay. This can include:
o Piecework programs.
o Gain-sharing programs, which reward employees for cost reduction ideas.
o Bonus systems based on financial performance of the organization or one unit.
o Long-term compensation, which provides additional income for managers based on factors such
as stock price or earnings per share.
o Merit pay systems, which base increases on performance.
o Profit-sharing plans, which distribute a portion of the firm’s profits to employees.
o Employee stock option plans that permit employees to purchase company stock at a below-
market price.
o Incentive pay can be based on either individual performance or group performance.

• Benefits. Typical benefits are payment for time off such as vacation, sick leave, holidays and personal
days, employer’s portion of social security contributions, unemployment compensation,
disability insurance, workers’ compensation benefits, life insurance, medical insurance and pension
plans. Benefits developed originally as a way to increase employees’ pay during times when wage
controls were in effect. Benefits have grown in importance and now can amount to 30 - 40% of a
company’s payroll expense. Since employees do not see the cost of their benefits to the company
when they see their paychecks, it is important that they realize how much their total compensation
package is worth. This can be communicated in individual, annual letters from management, outlining
for each employee what his or her total compensation has been for the past year.
• Flexible benefits, or “cafeteria plans.” This is a flexible reward system that lets employees
choose the combination of benefits that is most appropriate for them. A set amount is designated
per employee, and the employee can choose how to allocate it. Younger workers might prefer a tuition
reimbursement plan, workers with children might choose child care, and older workers might
choose additional retirement program contributions.
• Perquisites or “Perks.” These are special privileges, usually limited to top managers. They include
things like use of a company car, company apartment, a country club membership or a cell phone.
Perquisites add to their recipients’ status and may increase job satisfaction. At one time, these perks
were paid for by the company but were not included as taxable income to the manager, which increased
their value. However, the IRS has changed the rules and made some perks taxable.
• Awards. Examples of awards include an “Employee of the Month” award with not only recognition but
also perhaps a special parking space reserved for that employee for the month, or awards for perfect
attendance, for quality work (“zero defects”), or extra effort on a special project. Award programs
can improve performance, if they are structured so that employees receive special recognition for
good performance.
• Expatriate compensation. When employees are transferred to overseas locations, the cost of
living may be significantly different from that of their former location. The employer will design the
employee’s compensation package so that the employee’s lifestyle in the new location will be comparable
to that of their old location.

Management Skills and Leadership Styles


Leadership is using one’s influence to direct and coordinate a group’s work in order to achieve a goal. This
influence is not coercive but results in the group members’ cooperation. Even though leadership and
management are related, they are not the same. If a manager relies only on formal authority in directing the
work of subordinates, he or she is not exercising leadership.

A manager may be a leader as well as a manager, but not all managers are leaders. In fact, a person may
even be a leader without having any managerial authority, if that person is respected by peers and relied on
for direction. So leadership can be formal or informal.

• Formal leadership is the process of influencing others to pursue the organization’s objectives.

• Informal leadership is the process of influencing others to pursue unofficial objectives that may or
may not serve the organization.

Leader vs. Manager


A leader casts a vision for people and develops strategies for achieving that vision. A manager develops
formal plans and monitors the results compared to those plans. Thus, the manager implements the leader’s
vision and strategy, coordinates the activities and the staffing, and handles day-to-day problems. A manager
brings about order and predictability to the effort to produce results. A leader produces change.

Leadership is important for creating and directing change and for helping an organization get through difficult
times. Management is important for creating the coordinated effort and systematic results required during
stable times.

Both leaders and managers are required to achieve planned, orderly change. Furthermore, both leaders and
managers are required to establish the culture of the organization in terms of its ethical and moral climate.

Studies on Leadership
There are three main theoretical frameworks that have dominated leadership research since the 1930s. These
include the trait approach (1930s and 40s), the behavioral approach (1940s and 50s), and the
contingency approach (1960s and 70s). There is also a fourth theoretical framework called a transformational
leader that we will review as well.

The Trait Approach


Leadership studies, and what it takes to be a good leader, are relatively recent developments, going back
only to the start of the 20th century. The early efforts to study leadership focused on the traits of a leader.
Early writers developed long lists of leadership traits, from personality traits to physical characteristics.
However, their studies were not consistent or definitive, and their theories were abandoned. Recently,
however, some researchers have found moderate agreement on five traits that seem common to effective
leaders:

1) Intelligence

2) Scholarship

3) Dependability in exercising responsibilities

4) Activity and social participation

5) Socioeconomic status


Another modern trait profile is based on leaders with emotional intelligence (EI). EI is the ability to
monitor and control one’s emotions and behavior in complex social settings. Daniel Goleman 12 believes the
following leadership traits are associated with EI:

• Self-awareness is to know oneself. Only when someone is aware of their strengths and weaknesses
can they maximize their potential.

• Self-management refers to methods, skills, and strategies by which individuals can effectively
direct their own activities toward the achievement of objectives.

• Social awareness is being able to understand the actions and emotions of others.

• Relationship management is an ability to use one's own emotions and the emotions of others to
manage relationships to a successful outcome.

Other researchers have been exploring gender, ethnic and cultural differences in leadership styles. For
instance, there is evidence that there are differences between the way women lead and the way men lead.
Likewise, culture determines whether emphasis is placed on sales growth and profits or on group cohesiveness.

The Behavioral Approach


The behavioral approach developed during World War II as an attempt to develop better military leaders.
Researchers attempted to identify the behaviors of effective leaders on the basis that if behavior made the
difference, people could be trained to be good leaders.

Kurt Lewin and others at the University of Iowa did one of the earliest known behavioral studies. They
identified three leadership behaviors, and these are still quoted today as the basic leadership styles:

1) Autocratic, a leadership style where the leader relies on his or her legitimate power or position
authority. The leader gives detailed instructions for attainment of goals and provides praise and
criticism. This leads to the subordinates being dependent upon the leader’s presence if they are to be
productive, and to potentially negative reactions from the group when they feel under constant
pressure to produce. When the leader is absent, production slacks off.

2) Democratic, in which the leader gives an overview of the task to be accomplished and encourages
the group to participate in developing procedures to get it done. The leader provides feedback and
consultation but still makes the final decisions. Members grow in self-confidence and in their respect
for other members of the group. There is more emphasis on team effort and cooperation among
group members, resulting in a higher level of satisfaction among the members. Productivity
continues even in the leader’s absence.

3) Laissez-faire, a French term meaning noninterference, in which the leader provides information to
the group but no feedback unless asked, and gives the group members complete freedom. The group
members experience a lack of clear goals and a lack of clarity on how to achieve their goals. They do
not know what is expected of them, there is no sense of unity in the group, and production lags
because of the lack of direction.

The assumption in this research was that these three basic leadership styles are fixed for an individual, and a
particular leader will always relate to all of his or her followers according to one of the styles.

Another study by the University of Michigan in the late 1940s came up with two types of leadership behavior:
a leader is either task or job-centered, or employee-centered. The job-centered leader supervises the work
of subordinates closely and explains work procedures carefully. He or she is primarily concerned with their job
performance.

12 Daniel Goleman is the best-selling author of several books that describe Emotional Intelligence.


On the other hand, the employee-centered leader concentrates on emphasizing interpersonal relations and
on building effective work groups. The leader’s primary concern is with performance, but he or she
accomplishes that by attending to the human aspects of the group.

The University of Michigan researchers presumed that a leader was one or the other at any given time and
could not be both job-centered and employee-centered at the same time. Their findings suggested that
employee-centered behavior was more likely to result in higher performance of the group and higher job
satisfaction among its members.

Contingency Theories of Leadership


The behavioralists had some success in identifying relationships between leaders’ behavior and group
performance, and their approaches identified several leadership behaviors that are still used in leadership
theories. However, they did not really succeed in identifying universal leader behaviors and follower
responses. Researchers realized that situational factors also influenced the response of a group to a particular
leader’s style, so they began to develop contingency theories to describe the complex relationships
between leaders and their followers. Contingency theories assume that the behavior of leaders will vary
according to circumstances, and they focus on better understanding the different forms of leadership required
in different situations.

Contingency theories of leadership concern transactional leaders. Transactional leaders motivate followers
by clarifying their tasks and roles for them.

Fred Fiedler’s LPC Theory of Leadership


Fred Fiedler developed the earliest contingency model, proposing that effective group performance is a
function of a good match between the leader’s style and the situation. Fiedler’s Least-Preferred Coworker,
or LPC, Theory of Leadership proposes that some leaders can be effective in one situation while being
ineffective in a different situation. The theory attempts to identify matches between various leadership styles
and the various situations in which each style should result in effective performance.

Fiedler’s system asked a leader to complete a questionnaire describing the person – from among all the
people ever encountered – that he or she had least enjoyed working with. Fiedler believed that the results
reflected differences in the leader’s personality traits and dictated the person’s leadership style. If the leader
described the least-preferred coworker in relatively favorable terms, then the leader was
relationship-oriented. If the leader described the least-preferred coworker in relatively unfavorable terms, then the
leader was task-oriented.

Like researchers before him, Fiedler assumed that leadership styles are fixed, and proposed that there are
particular situations where a task-oriented leader is needed and others where a relationship-oriented leader is
required. Accordingly, task-oriented leaders would perform better in situations of either high or low control,
while relationship-oriented leaders would perform better in moderate control situations.

Fiedler suggested that if the leader’s style did not match what the situation called for, either the situation
would have to be changed or the leader would have to be replaced in order for good performance to be
achieved.

There is evidence to support at least parts of Fiedler’s model. However, his findings with respect to the LPC
theory and the practical use of the model are problematic and controversial.


The Path-Goal Theory of Leadership


We briefly discussed this theory in Section B. Developed by Martin Evans and Robert House, the Path-Goal
Theory focuses on the leader’s responsibility to assist followers in attaining their goals while ensuring that
those goals are compatible with those of the organization.

Path-Goal Theory identifies four leadership behaviors:

1) A directive leader lets subordinates know what is expected of them, gives specific guidance on
accomplishing tasks, schedules the work, and sets standards of performance.

2) A supportive leader is friendly and concerned for the needs of subordinates.

3) A participative leader consults with subordinates and considers their suggestions in making a
decision.

4) An achievement-oriented leader sets challenging goals for subordinates and expects them to
perform at their maximum level.

The Path-Goal Theory says that the appropriate leadership style depends upon the situation. This sets
Path-Goal Theory apart from earlier theories. It assumes that the leader can be flexible and need not behave
in the same manner at all times, but may behave differently in different situations.

The two situations that the Path-Goal Theory recognizes as influencing how the leader’s behavior affects
subordinate satisfaction are:

1) The personal characteristics of the subordinate, such as locus of control, experience and
perceived ability.

Locus of control refers to whether people believe they have control over what happens to them, or
whether they believe that what happens to them is outside their control. People who attribute things
that happen to their own behavior are considered to be happier with a participative leader, because
that leader makes them feel that their actions can make a difference. If people attribute things to
factors outside their control, they will be more satisfied with a directive leader, since they consider
their actions to be of no consequence anyway.

And if employees perceive their own abilities to be high, they will feel less need for a directive
leader; whereas if they perceive their own ability to be low, they will prefer a directive leader who will
show them how to do the job.

2) The characteristics of the environment, which are outside the subordinate’s control, such as the
task structure, the authority system and the work group.

The Path-Goal Theory says that the leader’s behavior will motivate subordinates if it helps them deal
with the uncertainties related to the things that are outside their control.

However, if the task structure is high, directive leadership is not necessary and is less effective. And
if the work group itself gives each employee plenty of social support, a supportive leader will not
have much to offer.

The researchers who developed the path-goal theory did not see it as a final answer, but only a framework for
understanding how a leader’s behavior and situations can influence subordinates’ performance. In general,
evidence has supported the proposition that employee performance and satisfaction are improved if their
leader compensates for things that are lacking in either the employee or the work setting. If a leader
over-manages an employee who can handle his or her tasks without interference, that leader will probably be
ineffective because the employee will consider the directive behavior inappropriate and insulting.


Vroom’s Decision-Tree Approach


Victor Vroom and Philip Yetton developed the first version of the decision-tree approach. Vroom, along
with Arthur Jago, later revised and expanded it. The current approach is another refinement developed by
Vroom alone.

Vroom’s Decision-Tree Approach, like Path-Goal Theory, attempts to determine an appropriate leadership
style for various situations and assumes a leader may use different leadership styles. However, it limits itself
to the question of subordinate participation in decision-making, and how much participation is appropriate
under various circumstances. For each decision, the leader evaluates several characteristics of the decision
and determines the decision style that reflects the proper amount of subordinate participation.

Vroom proposes two different decision trees for use: one to use when the primary consideration is to make an
effective decision as quickly as possible, and the other to use when the primary focus of the effort is
developing the decision-making capabilities of others. After choosing which decision tree to use, the leader
evaluates a series of eight factors (the factors themselves are outside the scope of the exam) to determine
how much participative decision-making is appropriate and decides among five alternatives:

1) Autocratic I – The leader solves the problem alone.

2) Autocratic II – The leader obtains additional information from group members, and then makes the
decision alone.

3) Consultative I – The leader shares the problem with group members individually, and asks for
information and evaluation. Group members do not meet collectively, and the leader makes the decision
alone.

4) Consultative II – The leader shares the problem with group members collectively, but makes the decision
alone, which may or may not reflect the group’s opinion.

5) Group – The leader meets with the group to discuss the situation. The leader focuses and directs
discussion, but does not impose his or her will. The group makes the final decision.

Not surprisingly, Vroom’s approach is quite complex. Therefore, Vroom has developed expert software to
guide managers in assessing the situation and making a decision regarding the appropriate level of employee
participation in the decision.

Transformational Leadership
The contingency theories of leadership reviewed above concern transactional leadership, which is focused
on guiding subordinates in the direction of a goal by clarifying task requirements and roles.

Another type of leader is called a transformational leader. These leaders inspire people to follow them –
even if doing so goes against their own interests – for the good of the organization. These leaders are able to
inspire their followers to put forth extra effort to achieve group goals.

The transformational leader displays the following characteristics:

• Charisma. The transformational leader instills a sense of mission and pride in followers while
gaining their respect and trust.

• Inspiration. The transformational leader communicates high expectations and important purposes.

• Intellectual stimulation. The transformational leader promotes intellect and rationality for problem
solving.

• Individualized consideration. The transformational leader is a coach, giving individual attention to
each employee.


Transformational leadership is not in opposition to transactional leadership. It extends transactional
leadership by getting followers to put forth more effort and perform at a higher level than would occur using a
transactional approach alone.

Transformational leaders are overwhelmingly considered to be more effective than transactional leaders.
Transformational leadership generally results in lower turnover rates among employees, higher productivity,
and greater employee satisfaction.

Mentoring
Mentoring is the process by which someone develops another person (the protégé) through tutoring, coaching, and
guidance. Usually, but not necessarily, the mentor / protégé pair will be of the same sex.

A mentor has knowledge and experience in an area and shares it with the person being mentored. For
example, a senior internal auditor might mentor a student intern or a new internal audit employee.

According to Kathy Kram, 13 mentors provide two primary types of behaviors or roles:

1) Mentors serve a career enhancement function, which involves coaching, sponsoring
advancement, providing challenging tasks, protecting the protégé from adverse forces, and fostering positive
visibility.

2) Mentors provide psychological support, which may involve personal support, friendship,
counseling, acceptance, and role modeling.

Mentoring has many positive effects for the organization and for career outcomes. Research indicates that
mentored individuals have a higher level of mobility on the job, recognition, promotion, and financial
compensation. With regard to benefits to the organization, mentoring can be a tool for socializing new
employees, for increasing organizational commitment, and for reducing unwanted turnover.

Question 95: If a supervisor uses a supportive management approach, evidenced by positive feelings and
concern for subordinates, a problem might result because:

a) An approach based on pure power makes it difficult to motivate staff.

b) This approach depends on material rewards for the worker.

c) This approach depends on people who want to work, grow and achieve.

d) The manager must believe in the teamwork approach.

(CIA adapted)

Question 96: Some behavioral models stress employee participation as a key to motivation. A limitation
of the participative approach is:

a) Workers are intrinsically lazy and must be driven.

b) A number of dissatisfiers must be present in order for the approach to work.

c) It is difficult to elicit the participation of all employees.

d) Irresolvable conflicts arise when a mature, capable, creative person joins a structured, demanding
and limiting organization.

(CIA adapted)

13 Kathy E. Kram is professor of Organizational Behavior at the Boston University School of Management.


Team Building
Team building is the process of establishing and developing a greater sense of trust and collaboration
between team members. The need for team building increases as modern societies become more fluid and
dynamic. Some of the factors that contribute to this increased need are advances in communication, the
global market, and the ever-increasing specialization and division of labor.

Joining a new group and expecting to get along immediately can be somewhat difficult. Thus, it becomes
important for organizations to establish team-building methods so employees can better adapt to the new
requirements.

Participative Management
One of the more common means of motivating individuals is through participative management. Participative
management gives employees greater involvement and control in the workplace. Employees are able to
participate in the decision-making process by participating in activities such as setting goals, determining
work schedules, and making suggestions. These methods are intended to treat the ideas and suggestions of
the employees with respect and consideration.

The primary forms of participative management are quality circles, self-managed teams, and open-book
management.

1) Quality circles are small groups of employees who work together and meet regularly to discuss
problems they are having and recommend solutions. Quality circles focus on problems relating to
quality, such as how to reduce rework and defective products. Quality circles are limited in their
scope. They do not make decisions about how the work should be done; they can only make
recommendations. Quality circles are relatively permanent teams.

2) Self-managed work teams are teams that are charged with doing the daily work. They tend to be
permanent. A team has the authority to decide how its work will be done in terms of planning,
scheduling and assigning tasks to members. It takes action on any problems that develop, makes
operating decisions, and works directly with suppliers and customers. Some self-managed teams
even select their own members, and the members evaluate one another’s performance and discipline
those who cause problems. The entire team is responsible for the results of their work. The efforts of
all the team members can result in a level of performance that is greater than the sum of their
individual efforts. Though self-managed work teams can be successful in some situations, they do not
work very well in cultures with strong respect for hierarchical authority.

3) Open-book management (OBM) is when employees are given all relevant financial information
about the company, so that the employees can feel more empowered. This information can include,
but is not limited to, revenue, expenses, profit, cost of goods sold, and cash flow.

Raj Aggarwal and Betty Simkins developed an OBM model referred to as STEP (share, teach,
empower and pay).

• Step One - Share all relevant financial information.

• Step Two - Teach the employees to understand the financial information.

• Step Three - Empower the employees so they are responsible for the numbers under their
control.

• Step Four - Pay the employees a fair amount based on performance. Methods of compensation
might include bonuses, stock options, and/or profit-sharing.


Teams and Work Groups


A group consists of people gathered together who interact with one another and influence each other. A work
group can be a group of people who all work in the same department and have the same supervisor. They
may help each other perform their jobs and share information. Each individual brings different skills to his or
her job, and each one is accountable only for his or her own performance. Members of a work group need not
have any common goal and in fact may have little concern for any common objective.

The difference between a work group and a work team (also referred to simply as a team) is that a team
consists of work group members who are working together toward a common goal. The members of a team
are chosen for the complementary skills that they bring to the team. Their performance as a team may be
greater than the sum of their individual work, and they are accountable both individually and as a team for
their performance. This accountability is to one another, not merely to a manager. A mature team is
autonomous, directing and self-managing. The team comes together to pursue a goal, and that goal becomes
the team’s focus.

Benefits and Costs of Teams


The importance of teams in the workplace is growing. The majority of businesses, both large and small, use
teams in some areas of their organizations. In restructuring themselves to respond to competitive pressures,
businesses have discovered teams as a way of better using their employees’ talents.

Benefits of teams include:

• A team can outperform an individual when the task facing it requires multiple skills, diversity of
experience and good judgment.

• Reduced errors, reduced absenteeism and reduced on-the-job injuries can result in significant cost
reductions.

• Teams provide the flexibility to respond quickly to challenges.

• Teams facilitate employee participation and increase employee motivation because they provide a
sense of self-worth and self-fulfillment.

• Teams can make better use of employees’ talents.

• Teams give employees the opportunity to grow and gain respect by making their own decisions
about their work, which ultimately provides a feeling of making a difference in the organization.

• Use of teams can eliminate layers of middle management, flattening the organization, reducing
managerial costs and bringing employees more in touch with top management.

Costs of teams are usually related to the costs of changing the business to a team-based organization.

• Managers accustomed to traditional hierarchical management may feel threatened by the fact that
the team is taking over their duties of directing the work.

• Some staff personnel may also feel threatened as more of the work formerly done by them is turned
over to the teams. This can be addressed by assigning technical staff personnel to one or more
teams.

• It takes time for a team to become mature and effective. If management becomes impatient with
the process, the teams may be disbanded and the organization returned to its original form, often
with significant losses for all concerned. All the hard work of the team members is lost, and
employee confidence in management will suffer.


Types of Teams
Some teams are formal, created by management. Some teams are informal, evolving naturally in
organizations that permit participative management. The major types of teams are:

• Problem-solving teams are temporary teams formed to work on a specific problem in the
workplace. After the problem is solved, the team is disbanded and the team members return to their
regular jobs. Problem-solving teams are often cross-functional, i.e., they consist of members from
different functional areas of the organization and are selected for their expertise. Problem-solving
teams do not make decisions but only make recommendations.

• Cross-functional teams are formed of employees from different work areas who may work
together on a single client’s account, and may be permanent. A team working together for one client can
improve communications and tracking of jobs for that client, leading to more satisfied clients.

• Management teams are made up of managers from several areas that work together to support
and coordinate the activities of work teams. These are relatively permanent teams. Their primary job
is to coach and counsel the work teams in order to support them in their task of being self-managing
and making their own decisions. Management teams also coordinate the activities of work teams
that are dependent upon each other.

• Product development teams are a combination of work teams and problem-solving teams. They
are formed to create new products or services to meet customers’ needs. They are similar to
problem-solving teams in that the team may be disbanded when the product has been developed and is
in production. Use of a team to develop a new product can cut product development times, which is
an important edge in a competitive economy.

• Virtual teams are made up of members who may be located all over the world. They share files via
the Internet and email and may meet via teleconferencing and videoconferencing. Virtual teams may
be used as product development teams, with a team on one side of the world working on the
research and at the end of their day updating the team on the other side of the world that is just
starting its day. The result is that research goes on around the clock, dramatically cutting the time
necessary to bring a new product to market.

Team Effectiveness
What makes teams effective? Teams are considered effective when they accomplish goals, have innovative
ideas, have the ability to adapt to change, have a high level of team commitment, and are highly rated by
senior management. Accordingly, team effectiveness is determined by the following interdependent factors.
These factors need to be addressed on a continuous basis.

• Leadership. Teams must be able to agree on who will do what, how decisions will be made, how
conflicts will be resolved, how schedules will be set, and various other organizational matters. Team
leadership is necessary in order to accomplish this. Team members may fulfill the leadership roles,
or management may provide the leadership.

• Abilities of members. A team needs people with technical expertise, people with problem-solving
and decision-making skills, and people with good interpersonal skills who can take the lead in
consensus-building. These skills in the right mix are essential. However, it is possible for a team to
develop these skills in its members, if all of the skills are not present when the team is formed.

• Team performance. Team start-up can take several months to a year, or more. During that time,
performance often declines due to initial confusion and lack of direction. However, as time passes,
internal leaders arise and the work becomes focused. Team members become more competent and
more deeply committed to each other and to the success of the team, and performance levels
usually recover and rise above the previous level of performance.


• Top management support. The change to a team approach must start at the top of the
organization and must have top management’s full support. Top management must make the decision to
institute a team-based organization because they recognize it as a good business decision. This is a
major cultural shift, and it cannot be made quickly. Top management must take the lead in
communicating the reasons for the change and enlist the support of the entire organization. Top
management must then support the effort during the difficult start-up period. Organizational support
systems for the teams must be in place if the teams are to have any chance of succeeding. Support
systems for teams include efficient inventory ordering and scheduling, better hiring and selection
systems, improved information systems and appropriate compensation systems. Management
support includes assistance with decision-making when needed and coordination of teams that are
interdependent upon one another.

Trust is another key element to team effectiveness. Trust is defined as “reciprocal faith in others’ intentions
and behavior.” 14 The primary responsibility of creating a climate of trust in the organization lies with
management. Trust is the key to establishing productive interpersonal relationships and encourages
self-control, reduces the need for direct supervision, and expands managerial control.

Fernando Bartolomé outlined six ways to build trust:

1) Communication. This is keeping people informed.

2) Support. This is being available to provide assistance when needed.

3) Respect. Respect can be shown by delegating and listening.

4) Fairness. Evaluations are given fairly and objectively, without bias.

5) Predictability. Being dependable and consistent.

6) Competence. Competence is being a good role model.

Question 97: Which of the following is key to any plan to empower teams?

a) Give structure to team members.

b) Monitor progress and offer timely feedback on performance.

c) Reduce authority of the team when mistakes are made.

d) Avoid tension and conflict within the team.

(IIA adapted)

Question 98: Which of the following is not an appropriate approach to team building?

a) Ensuring a balance of complementary team roles.

b) Choosing members who need to improve their skills.

c) Developing clear and shared values.

d) Selecting team members based on how they are likely to relate to each other.

(IIA adapted)

14 Kreitner R. & Kinicki A., Organizational Behavior, 5th edition, pg. 422.


Question 99: Which one of the following statements about quality circles is false?

a) A quality circle is typically comprised of a group of 8 to 10 subordinates and supervisors.

b) Part of the quality circle concept includes teaching participants communication skills, quality
strategies, and problem analysis techniques.

c) Quality circles meet on the company premises and on company time.

d) The quality circle has the final control over implementation of recommended solutions.

(IIA adapted)

Conflict Management
Conflict is “a process in which one party perceives that its interests are being opposed or negatively affected
by another party.” 15 The word perceives reminds us that the source of conflict is not always real
and is sometimes only imagined by one of the parties. Therefore, managers need to be aware of the
dynamics of conflict and know how to handle it effectively.

The two broad types of conflict are cooperative and competitive.

1) Competitive conflict occurs when parties are pursuing directly opposite (win-lose) goals. Competitive
conflict is considered destructive, and ultimately the parties part ways. If this type of conflict
occurs within a company, it is particularly damaging to the company and must be handled quickly
and completely.

2) Cooperative conflict, on the other hand, is constructive. It is a mutually reinforcing experience
(win-win) that serves the best interest of both parties.

Conflict Triggers
A conflict trigger is simply any situation or factor that increases the likelihood of conflict. But, as we
mentioned above, conflict should be allowed to exist if it is cooperative conflict, and eliminated if competitive.
Conflict may be triggered by the following situations: 16

• There are ambiguous or overlapping jurisdictions.

• There is competition for scarce resources, i.e., human, financial, or natural.

• There is a breakdown of communications between managers and subordinates.

• There is a time pressure to finish work.

• Management places unreasonable standards, rules, policies, or procedures that employees consider
unfair.

• There are personality conflicts among managers or employees.

• There is a power and status differential causing one individual to have questionable influence over
another.

• There is disagreement over performance standards.

15 Ibid., pg. 447.
16 Kreitner, Robert, Management, 8th edition.


Resolving Conflicts
Conflicts may be resolved in a number of different ways:

• Problem solving is a process that confronts the problem and removes its causes. This is a very
good method, but takes longer to perform than some of the other methods.

• Smoothing is a short-term avoidance process whereby the parties are asked by management to
forget about their differences for the short term. However, this does not solve the problem.

• Forcing occurs when the party in the superior position uses that position to settle the conflict. This
is sometimes necessary in the short term, but there needs to be a better treatment of the underlying
problem in the long run.

• Superordinate goals are those goals that are above the goals of the individual or the department.
In the short term, management may appeal for the “common good” and ask the parties in the conflict
to forget about the conflict for the greater benefit of the entire company.

• In a compromise, both parties make concessions. The parties both gain something and lose something,
but the source of the conflict may not have been dealt with.

• Expanding resources is a possible solution only when there is a conflict as a result of insufficient
resources and it is possible to expand the resources available in the situation.

• Accommodation is where the goal is to maintain a harmonious relationship by placing others’
needs and concerns above your own. In essence, one of the parties simply gives up its
position and accepts the other party’s position.

• Avoidance (withdrawing) involves either withdrawing from the problem or suppressing the issue.
This does not address the problem and, at best, will provide only a short-term solution. This approach
might be appropriate when the manager perceives the problem to be minor. It might also be
appropriate if there is no chance of solving the problem, or disruption would be too costly.

• Changing the human element attempts to change the behavior of the individuals involved. This
may take too long to accomplish and is usually not a short-term option.

• Diffusion is the process of trying to solve the smaller, less critical issues first in order to build a
feeling of success and cooperation before dealing with the larger issues.

• The public media unfortunately at times becomes the venue in which the conflict is played out.
Sometimes this happens because one of the parties makes the issue public. This is a risky option because
public opinion may not always be as expected, but the pressure of the media attention may
force people to solve their differences.

The interactionist theory views conflict as possibly beneficial. Conflict is good if it improves performance
and helps the organization achieve its objectives. Occasionally conflict serves to “clear the air” and to help
people get rid of frustrations and anger that they have not voiced. Afterwards, people feel better and more
ready to work. Given this, sometimes the intentional stimulation of conflict may be desirable.


Question 100: One division of a large manufacturing company has traditionally performed much better
than any of the other divisions. The management team of this division has risen through the ranks
together and exhibits no signs of conflict. Recently, earnings of the division have begun to decline, and
market share has eroded. Senior management of the parent company has asked the director of internal
audit whether the introduction of conflict by bringing in outside managers might help resolve the
deteriorating situation. The most appropriate response would be that:

a) Conflict is dysfunctional and should not be risked under these circumstances.

b) All conflict can be beneficially controlled and should be encouraged in this situation.

c) The management team has been together for a long time and should be allowed to work through its
problems.

d) Varying the management team could introduce new ideas and be beneficial to the division, and
some conflict is not a problem.

(IIA Adapted)

Question 101: Upon completing an audit of a major operation of the company, the auditor is certain that
a proposed recommendation should be made in the audit report. However, the auditor also understands
that the recommendation will result in conflict between the auditee department and the accounting
department. The organization is not bureaucratic and encourages the development of informal relationships
across departments. Which of the following statements is correct regarding the nature of conflict in
organizations?

a) Conflict is more likely to be functional in a bureaucratic organization than in a less formal
(organic-type) organization.

b) Conflict reduces the likelihood that an acceptable solution can be implemented in highly structured
organizations; thus, the auditor should consider revising the recommendation in order to avoid conflict.

c) Conflict should be viewed as a healthy way to facilitate growth in an organization; thus, the auditor
should accept conflict that may result from normal audit recommendations.

d) Conflict is healthy unless it clearly points out differences in the goals and objectives of the
organization's operating units.

(IIA Adapted)

Question 102: The behavioral science literature identifies diffusion as an effective approach to resolving
conflict. An auditor effectively using diffusion in working with a confrontational auditee would:

a) Set aside critical issues temporarily and try to reach agreement on less controversial issues first.

b) Emphasize differences between the parties.

c) Avoid the conflict situation.

d) Identify the sources of conflict and address them directly.

(IIA Adapted)


Question 103: Two managers have been informed that their units will be relocated to a new site. The
units are to share space at the new office location. The managers have been arguing for several weeks
over the allocation of space and the location of offices. This disagreement is threatening the relocation
schedule and disrupting other projects. The managers' supervisor has now become involved in the conflict
and must try to minimize the potential for hurt feelings while resolving the problem quickly. Identify the
supervisor's best approach for this situation.

a) Sit down with the managers and determine a solution.

b) Design a floor plan and tell the managers who occupies what space.

c) Remind the managers that the company needs their cooperation in this effort so that costs can be
reduced.

d) Tell the managers not to worry, and that problems like this have a way of working themselves out.

(IIA Adapted)

Question 104: To effectively market the internal auditing function to management, auditors must
recognize that their roles may result in varying degrees of conflict. Conflict triggers must be understood
and managed so that a dysfunctional situation does not develop. Select the answer that is not a conflict
trigger.

a) Communication breakdowns

b) Superordinate goals

c) Personality clashes

d) Status differentials

(IIA Adapted)

Question 105: Two managers have been arguing about the distribution of money for capital investment
projects affecting their respective production units. All of the projects are worthwhile and significantly
exceed the organization's required rate of return. The approach that would create a win-win solution for
the managers under these circumstances would be to:

a) Smooth the differences of the two managers by emphasizing their common interests.

b) Alter the attitudes and behaviors of the managers so that agreement can be reached.

c) Force the managers to compromise by asking each of them to give up something.

d) Expand the resources available so that both managers’ projects can be funded.

(IIA Adapted)


Negotiation
Robert Kreitner defines negotiation as “a decision-making process among interdependent parties with
different preferences.” In other words, it involves examining the facts of the situation and then bargaining to
resolve issues, if possible.

Negotiation is something that takes place every day and touches on every facet of life, occurring in private
(between spouses or other family members), business, non-profit organizations, government branches, legal
proceedings, and among nations.

Approaches to Negotiations
The two main approaches to negotiating are distributive bargaining and integrative bargaining.

1) Distributive bargaining occurs when there is a zero-sum situation. This means that there is a
limited amount to be divided, and whatever one party gets the other party does not. It is very
unlikely that a true win-win situation will come out of a zero-sum situation. Each party will set a
desired result and a minimum acceptable result. If these two ranges overlap, then there is a chance
of a successful negotiation. If the minimum that one party will accept is more than the other party
will give up, it will be very difficult to come to an agreement.

2) Integrative bargaining occurs when there is a possibility for both sides to win. This is the classic
win-win situation and occurs when the parties have shared interests, there is not a limit on resources,
and the parties have, or are hoping to develop, a long-term relationship. This is the
preferred type of bargaining within organizations.

Another approach to negotiating is something called subordination bargaining. Subordination bargaining is
when the person who is in the position of the subordinate agrees to anything that is reasonable. This is not
bargaining or negotiating in the true sense of the word because one person has significantly more power over
the other.

Common types of negotiations are two-party and three-party negotiations.

• Two-party negotiations occur when there is a buyer and a seller. An example is when a person
buys a new car, or a person sells his or her car to a used car dealer.

• Three-party negotiations are more complicated and involve an agent, or broker. For example, a
person buys or sells stock through a stockbroker.

Effective Negotiations
It seems to make sense that the point of negotiations is to reach an agreement with the other party rather
than to achieve victory. If the other side plays “hard” or “bullies,” then this will probably cause resentment in
future bargaining. Instead, the idea should be for the parties to meet their needs and establish trust.

Some of the methods used to increase the effectiveness of negotiations include:

• Adopting a win-win attitude. This is considered to be a cooperative attitude where both parties
are seeking mutual benefit and satisfaction. Adopting a win-win attitude means understanding that a
mutually beneficial agreement addresses both parties’ interests.

The other side of this win-win attitude is a win-lose attitude. This attitude is based on the assumption
that one person’s gain is another person’s loss. This approach is competitive and is prevalent
in some cultures. This approach is what is known as a zero-sum game.


• Knowing your best alternative to a negotiated agreement (BATNA). Harvard University
researchers, Roger Fisher and William Ury, developed BATNA. 17 The theme of BATNA is that you
cannot know whether you made a wise decision about whether to accept a negotiated agreement unless
you know what your alternatives are. BATNA is used to keep you from making these two
common mistakes:

1) Accepting an unfavorable agreement.

2) Rejecting a favorable agreement.

Thus, in its simplest terms, if the terms of the agreement are better than your BATNA, then you
should accept the offer. If the agreement is not better than your BATNA, then you should renegotiate.

• Identifying the Bargaining Zone. Any negotiation will be useless if both parties involved have no
common ground on which to maneuver during bargaining. BATNA is useful in helping to identify the
bargaining zone.

Example: Suppose you had a written offer from Broncos Used Cars to buy your car (a 2005 PT Cruiser,
fully loaded) for $10,250. Your BATNA when dealing with other potential purchasers would be
$10,250, since you can get $10,250 for your car even without reaching an agreement with such an
alternative purchaser.

Now suppose you think you can get more than $10,250 through advertising over the Internet. The car is
considered a classic and is fully loaded with features that are not typically found on Cruisers. You ask
$13,000, or best offer.

A buyer wishes to purchase your car for $10,000, with a BATNA of $12,000.

Thus, negotiation is feasible because a bargaining zone exists (buyer’s BATNA of $12,000 – your BATNA of
$10,250). But, if your BATNA were $12,500, then negotiations would not be feasible.

Overcoming Resistance
Encountering resistance during negotiations is not unusual, and in some cases, should be expected. If there is
resistance then there are certain steps that can be taken to overcome the situation. These steps include:

• Attempt to find out the reasons for the resistance.

• Stop the negotiations and try to address each other’s concerns in private.

• Reconfirm the negotiator’s position on the issue.

• Do a background check to get a better idea of the other party’s views on the issue.

Added Value Negotiating
The idea of added value negotiating (AVN) came from Karl and Steve Albrecht. The principal concept of
AVN is that negotiations should add value to any deal, rather than extracting or conceding value from
the other party. In other words, they wanted AVN to help both sides arrive at a win-win outcome. AVN
consists of a five-step process involving development of multiple deals:

1) Clarify interests. Before you can begin you must know what you want and what the other party
may want out of the negotiation. Thus, you are seeking common ground.

17 BATNA is a term coined by Roger Fisher and William Ury in their 1981 bestseller, Getting to Yes: Negotiating Without
Giving In.


2) Identify options and their marketplace values. Every negotiation has elements of value that can
be traded off to arrive at a satisfactory deal. These elements can be either tangible or intangible,
e.g., property, money, behavior, rights, risks.

3) Create at least two or more “deal packages.” The use of multiple deal opportunities is what
differentiates AVN from other negotiating methods. Instead of creating only one offer and then trying
to get the other side to accept (as in win-lose negotiating), you create two or three possible deals.
Each deal should have its own special appeal. After these special deals are created, they then have
to be analyzed.

4) Sell the deals and ask the other side to select one. This is probably the most critical step to a
successful AVN process. You may understand the deal packages that you have created, but the other
party may not. In this case, it may be necessary for you to describe the range of possibilities and include
the reasons why the deals are structured differently. You may have to discuss each of the deal
packages separately to get the other side to feel more comfortable. When this has been done and
you both agree that there is at least one mutually acceptable deal, it is time to move on to the next
step.

5) Perfect the chosen deal. This is the final step in the process. This step entails more than just
dotting the “i’s” and crossing the “t’s.” This is a chance to make sure that “all of the bases” are covered
and you have a written agreement that all parties can live with.

AVN is based on openness, flexibility, and mutual search for the successful exchange of value. It allows
you to build stronger relationships that will be beneficial in future negotiations.

Principled Negotiation
Principled Negotiation is another win-win approach described by Fisher and Ury in their book, Getting to Yes.
This approach focuses on basic interests, mutually satisfying options, and fair standards. Its goal is to reach a
lasting agreement, rather than traditional positional (win-lose) bargaining.

The basic principles include:

• Separating the people from the problem. People tend to become personally involved with the
issues and can lose objectivity. Thus, it’s necessary to separate the people from the issues allowing
the parties to address the issues without damaging their relationship. Doing this may also help them
get a clearer view of the problems.

• Focusing on interests rather than positions. Good agreements focus on the parties’ interests
rather than their positions. It’s been found that when a problem is defined in terms of the parties’
underlying interests, it is often possible to find a solution that satisfies all parties’ interests.

• Generating options for mutual gain. A distinct failing is when parties decide prematurely on an
option and fail to consider alternatives. In these cases, Fisher and Ury suggest getting together in an
informal atmosphere and brainstorming for all possible solutions to the problem. Only after a variety
of options have been generated should the group turn to evaluating the ideas. Evaluation would start
with the most promising idea.

• Insisting on using objective criteria. Objective criteria should be used to resolve differences
when interests are directly opposed. If such differences are allowed to stand, they can spark a battle of
wills that can destroy the relationship; this is also inefficient and not likely to produce a wise
agreement. Decisions based on reasonable standards make it easier for the parties to agree and preserve
the relationship. Therefore, the first step is developing objective criteria. These criteria should
be legitimate and practical. Scientific findings, professional standards, or legal precedent are
possible sources of objective criteria.


Third Party Negotiations
There may be situations in which the two parties are unable to come to an agreement that is satisfactory for
them. In these cases, they will need to turn to a third party negotiator. There are a number of different
methods of third party negotiations:

• Mediation is an intervention between the parties by a neutral party with the intent of facilitating an
agreement. The mediator will offer solutions, assist in communications, and present the arguments
to each side.

• Arbitration is a situation in which a third party (either chosen by the parties or appointed under
some authority) decides the situation. This decision is binding to the parties.

• Consultation occurs when an expert in conflict resolution is engaged in an attempt to improve the
communications between the parties.

Question 106: A construction manager is using a distributive-bargaining approach in negotiating the price
of lumber with a supplier. The construction manager will:

a) Concede to the supplier’s asking price in order to maintain a positive working relationship.

b) Hire a mediator to negotiate the deal on behalf of the manager.

c) Attempt to get agreement on a price within the settlement range (that is, within both the manager’s
and supplier’s aspiration ranges).

d) State the resistance point (that is, the highest price acceptable) and ask the supplier to concede.

(IIA Adapted)

Question 107: Two internal auditors have been assigned projects of equal priority and the same due date.
Unfortunately, support services are limited. The auditors have been directed to negotiate between
themselves for the available services. This type of negotiation is called:

a) Distributive

b) Integrative

c) Attitudinal structuring

d) Intraorganizational

(IIA Adapted)

Question 108: What is a primary disadvantage of forcing another party to accept terms in a negotiation?

a) Damage of the relationship between the negotiators.

b) Lack of achievement of the negotiator’s goals.

c) Increased time involved in reaching an agreement.

d) Reduction in internal support for the negotiator’s tactics.

(IIA Adapted)


Question 109: The method of principled negotiation is based on which of the following principles?

I. Separate the people from the problem.

II. Focus on positions rather than interests.

III. Generate options for mutual gain.

IV. Insist on using subjective criteria.

a) I and II only.

b) I and III only.

c) I, II, and III only.

d) II, III, and IV only.

(IIA Adapted)

Question 110: There are many types of third-party negotiations available to parties facing disagreement.
If the goal is to be certain that settlement is reached, a negotiator with authority to make a decision
should be selected. The best negotiator to select, given this goal, would be a(n)

a) Mediator

b) Arbitrator

c) Consultant

d) Conciliator

(IIA Adapted)


Change Management
As desirable as it may be for a company to exist in a static business environment, all organizations will at
some point go through some kind of change. Whether minuscule or dramatic, expected or unexpected, change
in the corporate world has an impact on a company’s bottom line, and therefore companies must be prepared
to handle the stressors that will most certainly come when change occurs.

Nadler and Tushman developed a model of the different types of change that a company might undertake.
Two pairs of binaries (anticipatory/reactive and incremental/strategic) are aligned to form four quadrants, and
each quadrant expresses a specific combination of factors that describe corporate change:

| | Anticipatory | Reactive |
|---|---|---|
| Incremental | Tuning: Promotion and reevaluation of the corporate structure with minor adjustments | Adaptation: Changing the structure of the company to meet changes in the operating environment |
| Strategic | Reorientation: Making changes in order to meet the upcoming requirements of the organization | Re-creation: Starting over completely with the corporate structure |

Note: Different companies can be organized through a network corporation, which is a long-term,
strategic relationship that exists without specific legal ties to each other.

A strategic partnership is an association of companies that accomplish a specific goal, such as the
alliance between two auto companies to produce a new vehicle.

In order for management to implement change with minimal disruptions, any resistance to change needs to
be acknowledged and appropriately addressed. The following is a basic list of proactive and participative
methods to address concerns about change:

• Communicate to all affected parties the nature, extent, and reasons for the changes.

• Provide sufficient notice before changes are made.

• Allow affected parties to participate in the change implementation process.

• Hold formal and informal discussions about the change.

• Anticipate and address the perceived impact of the change on the economic, social, and psychological
needs of employees (since employees tend to react to the perceived rather than the real impact
of change).


Lewin’s force field analysis is a more detailed model for understanding change, resistance to change, and
ways to address that resistance:

Force Field Analysis

Forces for Change (acting on the Current State):

• Changing markets

• Internationalization and global markets

• Social transformations

• Increased competition

Forces Resisting Change (acting on the Current State):

• Fear of the unknown

• Need for security

• Pay reductions

• Loss of power and/or status

• Breaking up of existing teams

Lewin suggests that, instead of taking on the resisting forces head-on, management should aim to weaken
resistance to change.

Lewin offers a three-step process to describe the method that companies might employ to manage change
and resistance to change:

• Unfreeze. Management “unfreezes” the current situation by explaining to affected parties the
reasons for the change and preparing them for the transition.

• Move. Management makes the change or changes, which can involve a relatively long period of
retraining and restructuring.

• Refreeze. Management allows a period of calm where things “refreeze” or become more stable in
the new environment (and during the “refreeze” care should be taken to prevent conditions from
reverting to pre-change conditions).


Project Management
Project management entails the process of planning, managing and controlling large projects that are
composed of many different jobs performed by many different departments and people. When projects are
very large and complex, the manager needs a system for keeping track of all the information and coordinating
the various activities in order to complete the entire project on time.

Many activities in a project are dependent upon the completion of other activities, and they cannot begin until
the other activities have been completed. Some activities are critical because they must be completed exactly
as scheduled to avoid slowing down the whole project, whereas other activities are non-critical and may be
delayed for a while before they will cause a slowing of the entire project.

Proper scheduling can make the difference between completing the project on time and within budget, or
missing deadlines and having cost over-runs. In addition, proper scheduling can help foresee and avoid
potential difficulties in the completion of a project, thus reducing total time required and related costs. Thus,
in order for organizations to be competitive, they must reduce project time.

A project is a temporary endeavor undertaken to achieve some specified aim or objective, such as
creating some unique product or service. It is important to understand that even though projects are
temporary, they help organizations achieve longer-term objectives. The planning, execution and monitoring of
major projects sometimes involves setting up a special temporary organization, consisting of project teams
and one or more work teams.

The project life cycle consists of:

• Conceptualization is the setting of project goals and objectives.

• Planning is organizing facilities and equipment, personnel and task assignments, and scheduling.

• Execution is the actual work that is performed.

• Termination is when the project is released to the end user and project resources are redistributed.

Project planning has certain unique guidelines:

• Products are schedule-driven and results-oriented. These are more important than adhering to a
process.

• Achieving overall objectives (the big picture) and adhering to the little details are of equal
importance.

• Project planning is done out of necessity. It is not a luxury.

• Project managers know very well the motivational power of having a deadline. Deadlines shape
individual and team objectives.

In the following we discuss some of the more common project management techniques, including Gantt
Charts, flowcharting and PERT/CPM.


Gantt Charts
In a Gantt chart, a project is divided into parts that are called activities or tasks. These tasks are then plotted
on a chart that has tasks listed on the left side and time across the bottom. The tasks are then placed into the
time frame during which they need to be completed.

The diagram below is a sample of what a Gantt chart looks like.

[Figure: Gantt Chart]

As you can see, the Gantt chart does an excellent job of showing when different steps need to be completed,
and they may be color coded in order to show who is to do something or when they are completed (as shown
here). Gantt charts are easy to complete and also provide a quick way to see whether or not the project is on
schedule.

In the example above, the evaluation stage is ahead of schedule. The report writing stage, however, is behind
schedule because it should have been completed by the current report date, but is not.

However, Gantt charts have a couple of significant weaknesses.

• They do not show the interconnection between the different steps of the project.

• They do not show the critical path of the project.

Flowcharting
Flowcharting is a schematic representation of a process. This schematic representation is a way to help users
better visualize the content, or find faults in the process. Flowcharts are useful for a variety of different
purposes. For example, flowcharting can be used in computer programming for determining program logic,
in TQM for simplifying work processes, or in internal auditing for helping auditors better understand an
organization’s internal controls.

Flowcharting is also a method for sequencing activities and decisions. It arranges events in the order of their
actual or desired occurrence. This can help eliminate wasted steps and activities.

There are a variety of symbols used in flowcharting. The more common symbols are:

• Ovals and rounded rectangles signify the start and end of the process.

• Arrows show the direction of the flow of information.

• Diamonds typically contain a Yes/No question, or True/False test.

• Rectangles represent processing steps.


PERT/CPM
Program Evaluation and Review Technique (PERT) and Critical Path Method (CPM) have the same general
purpose, in that they both address the same issues. The two techniques were developed independently in the
late 1950s. PERT was developed by the U.S. Navy primarily to handle projects where the time required for
each activity was uncertain.

CPM was developed for use in industrial projects where the time requirements for each activity were known.
CPM was developed in 1957 for use by DuPont and was first applied in 1958 to the construction of a new
chemical plant. When it was developed, the focus of CPM was on providing managers with options to reduce
activity times by adding more resources at greater cost. In 1959, the method was applied to a maintenance
shutdown at the DuPont works in Louisville, Kentucky, and as a result, unproductive time was reduced from
125 hours to 93 hours. CPM introduces the concept of trade-offs between time and cost for the various
project activities.

Computer applications for PERT and CPM have combined the two approaches, using the best features of both.
Therefore, a distinction between the two techniques is no longer needed, and they are referred to as
PERT/CPM.

The Concept of PERT/CPM


The most important concept of PERT/CPM is that one group of activities controls the entire project, because it
is the set of activities that will take the longest time to complete. Thus, management resources should be
concentrated on these “critical” activities, which will determine the fate of the entire project. Other less critical
activities can be rescheduled if necessary, and resources for them can be reallocated without affecting the
whole project.

PERT/CPM involves graphical representations of the project, called the project network. The project’s
beginning, end and each activity are represented by nodes on the network. Lines, or arcs, connect the
nodes and show the relationships between and among them. The project network helps the manager visualize
the activity relationships and assists in carrying out the PERT/CPM computations.

Once we have the form of the project network, we can estimate the time required by each activity, the set of
critical activities, and the time required for the whole project. Each activity, represented by a node, is
assigned a time that will be required for its completion.

After acquiring the expected times for each activity, we can determine which path is the critical path. A path
through the network is a series of connected nodes that go all the way from the beginning to the end of the
project. A network may have many paths, and all of the paths must be completed in order to complete the
project. The critical path is the path that requires the most time because if activities on that path are
delayed for any reason, the entire project will be delayed. Activities on the critical path are called critical
activities for the project.

Some activities may have slack time. Slack is the amount of time that an activity can be delayed without
putting the whole project behind schedule. Paths that are not designated as critical paths are paths with slack
time. Slack represents unused resources that can be diverted to the critical path.

The expected time to complete the entire project is the sum of the expected times for each of the activities on
the critical path.


Let’s start with an example. This is a very brief PERT/CPM diagram, but it will demonstrate the issues related
to PERT/CPM.

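[Figure: project network diagram with nodes S, A, B, C, D, E and F; each arc is labeled with the activity
time shown in the table below.]

Activity   Time (Days)   Immediate Predecessor
SA         2
AB         4             SA
AC         3             SA
BE         8             AB
CD         2             AC
CE         5             AC
DF         6             CD
EF         2             CE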

In the chart above, the critical path is SABEF because this has the longest completion time – 16 hours.
Activity CE is not part of the critical path and therefore has slack time. Path SACEF takes only 12 hours. This
means that activity CE (or any other activity in this path) could be increased in time by 4 hours and the
project as a whole could still be completed on time.

The company can use this information and may be able to reallocate resources from one of the paths with
slack to the critical path, reducing the time for the critical path. However, it is important to remember that
there will always be a critical path. If the company reduces the time for activity BE to 4 hours, the time for
path SABEF becomes only 12 hours, and path SACDF then becomes the critical path with a time of 13 hours.

Start Times, Finish Times, Slack Times and the Critical Path
An important part of determining the critical path is determining start times, finish times and slack time for
each individual activity in a project. This appears difficult, but it is really just common sense. It is beneficial to
put in the effort to understand how it works.

In determining start times, we need to know the earliest and latest possible start times for each activity.
We determine the earliest start time by counting from the left side of the diagram. We determine the latest
start time by counting from the right side.

For finish times, we need the same thing: the earliest and latest possible finish times for each activity.
Once these are known, we will know where there is slack time and we will know the critical path(s).

In the example, the earliest possible start time for activity CE is 5 hours. This is because it takes at least 5
hours to get to this point in the process. The latest start time for CE is 9 hours, because once CE is started it
will take 7 hours to complete. Since the whole project can be done in 16 hours, we need to start CE at hour 9
at the latest in order to be able to finish in 16 hours. This gives a 4-hour window in which to start activity CE,
meaning that the workers on this activity can be used elsewhere until the 9th hour, when they must be ready
to start activity CE.
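The counting from the left and from the right described in this section can be carried out mechanically. The following is an added illustration, not part of the original text, run on the example network; the node pairs are inferred from the two-letter activity names and the function names are this example's own.

```python
from collections import defaultdict

# Example network from the activity table: (activity, from_node, to_node, time).
# Assumption: node pairs are read off the two-letter names (SA runs from S to A).
ACTIVITIES = [
    ("SA", "S", "A", 2), ("AB", "A", "B", 4), ("AC", "A", "C", 3),
    ("BE", "B", "E", 8), ("CD", "C", "D", 2), ("CE", "C", "E", 5),
    ("DF", "D", "F", 6), ("EF", "E", "F", 2),
]


def topological_order(activities):
    """Order nodes so each activity's start node precedes its end node."""
    successors, indegree, nodes = defaultdict(list), defaultdict(int), set()
    for _, u, v, _ in activities:
        successors[u].append(v)
        indegree[v] += 1
        nodes.update((u, v))
    ready = sorted(n for n in nodes if indegree[n] == 0)
    order = []
    while ready:
        node = ready.pop(0)
        order.append(node)
        for nxt in successors[node]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(nodes):
        raise ValueError("network contains a loop, so it cannot be scheduled")
    return order


def analyze(activities):
    """Return (project_time, schedule) for the network.

    schedule maps each activity to its earliest start (ES), earliest finish
    (EF), latest start (LS), latest finish (LF) and slack.
    """
    order = topological_order(activities)

    # Forward pass, "counting from the left": earliest time each node is reached.
    earliest = dict.fromkeys(order, 0)
    for node in order:
        for _, u, v, t in activities:
            if u == node:
                earliest[v] = max(earliest[v], earliest[u] + t)
    project_time = max(earliest.values())

    # Backward pass, "counting from the right": latest time each node may be
    # reached without delaying the project.
    latest = dict.fromkeys(order, project_time)
    for node in reversed(order):
        for _, u, v, t in activities:
            if v == node:
                latest[u] = min(latest[u], latest[v] - t)

    schedule = {}
    for name, u, v, t in activities:
        es, lf = earliest[u], latest[v]
        schedule[name] = {"ES": es, "EF": es + t, "LS": lf - t, "LF": lf,
                          "slack": lf - t - es}
    return project_time, schedule


def critical_paths(activities):
    """List every start-to-finish path made only of zero-slack activities."""
    _, schedule = analyze(activities)
    zero_slack = defaultdict(list)
    has_predecessor = set()
    for name, u, v, _ in activities:
        has_predecessor.add(v)
        # Exact comparison is safe here because the times are whole numbers.
        if schedule[name]["slack"] == 0:
            zero_slack[u].append(v)

    def walk(node, prefix):
        if not zero_slack[node]:          # reached the end of the project
            return [prefix]
        return [p for nxt in zero_slack[node] for p in walk(nxt, prefix + nxt)]

    starts = [n for n in list(zero_slack) if n not in has_predecessor]
    return [p for s in starts for p in walk(s, s)]


def with_time(activities, name, new_time):
    """Copy of the network with one activity's time changed (e.g. crashed)."""
    return [(n, u, v, new_time if n == name else t) for n, u, v, t in activities]


if __name__ == "__main__":
    total, schedule = analyze(ACTIVITIES)
    print("project time:", total, "critical path(s):", critical_paths(ACTIVITIES))
    for name, row in schedule.items():
        print(name, row)
    crashed = with_time(ACTIVITIES, "BE", 4)
    print("BE cut to 4:", analyze(crashed)[0], critical_paths(crashed))
```

Slack is reported per activity, so an activity shared by several paths shows the slack of the tightest path it lies on.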

Dealing with Uncertainty in Activity Times


If a project has been done before, such as building a house using a standard floor plan and standard
materials, the construction manager should be able to make accurate estimates of the time required for each
activity. However, if the house is a custom home that requires materials unfamiliar to the builder, activity
times may be uncertain. When activity times are uncertain, a range of possible times is better than one single
time estimate. These uncertain activity times are treated as random variables with probability distributions.

To determine an expected time for an activity when its time is uncertain, we need three time estimates: its
optimistic time, most probable time, and pessimistic time. To calculate the expected completion time
for an individual activity using these three time estimates, we use the following formula:

Expected time = (Pessimistic time + (Most Likely time × 4) + Optimistic time) / 6

Network planning using three time estimates for each activity is called a probabilistic technique, or
stochastic technique, because it allows for uncertainty. This is in contrast to deterministic techniques, or
techniques that use only one time estimate for each activity.

Large differences between the pessimistic and the optimistic times indicate a high degree of uncertainty about
the time required for an activity. Using the assumption that one standard deviation is approximately 1/6th of
the difference between the most extreme values of a probability distribution, we can determine the standard
deviation (σ) of an individual activity as follows:

σ = (Pessimistic time − Optimistic time) / 6

The variance of an individual activity is the square of the standard deviation, or σ².

When activity times are uncertain, the manager must remember that the calculation of the critical path will
determine only the expected time to complete the project. The actual time required to complete the
project may be quite different. Activities with larger variances have a greater degree of uncertainty.
Therefore, the progress of any activity with a large variance should be closely monitored even if, based on its
expected time, the activity does not appear to be a critical activity on the critical path.

The standard deviation of the completion time of the critical path is calculated by taking the square
root of the sum of the variances of all of the individual activities in the path. Remember that the variance of
an activity is the square of the standard deviation of the activity.

Std Deviation of Critical Path = √(σa² + σb² + σc² + σd² + σe² + …)
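The three-estimate calculations above, and the warning about activities with large variances, can be seen together in a short added example (not from the original text). The estimates are constructed sample data, the function names are this example's own, and the probability step assumes the path completion time is normally distributed.

```python
import math


def expected_time(optimistic, most_likely, pessimistic):
    """Weighted average of the three estimates: most likely time counts 4x, divide by 6."""
    return (pessimistic + 4 * most_likely + optimistic) / 6


def std_dev(optimistic, pessimistic):
    """One standard deviation taken as 1/6 of the optimistic-to-pessimistic range."""
    return (pessimistic - optimistic) / 6


def path_stats(estimates):
    """Expected time and standard deviation of a path.

    estimates: list of (optimistic, most_likely, pessimistic), one per activity.
    The path's expected time is the sum of the activity expected times; its
    standard deviation is the square root of the sum of the activity variances.
    """
    mean = sum(expected_time(o, m, p) for o, m, p in estimates)
    variance = sum(std_dev(o, p) ** 2 for o, _, p in estimates)
    return mean, math.sqrt(variance)


def prob_finished_by(deadline, mean, sigma):
    """P(path time <= deadline), ASSUMING the path time is normally distributed."""
    if sigma == 0:
        return 1.0 if deadline >= mean else 0.0
    z = (deadline - mean) / sigma
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))


def schedule_risk(paths, deadline):
    """For each path: expected time, standard deviation, chance of missing the deadline."""
    report = {}
    for name, estimates in paths.items():
        mean, sigma = path_stats(estimates)
        report[name] = {"expected": mean, "sigma": sigma,
                        "p_late": 1 - prob_finished_by(deadline, mean, sigma)}
    return report


# Constructed sample data (not from the text): two paths through one project.
# "critical" has the longer expected time; "near_critical" is shorter on
# expected time but its estimates are spread much more widely.
PATHS = {
    "critical": [(4, 5, 6), (7, 8, 9), (2, 3, 4)],
    "near_critical": [(2, 4, 12), (3, 5, 13), (2, 4, 6)],
}

if __name__ == "__main__":
    for name, row in schedule_risk(PATHS, deadline=17).items():
        print(f"{name}: expected {row['expected']:.1f}, sigma {row['sigma']:.2f}, "
              f"chance of running past 17: {row['p_late']:.1%}")
```

With these figures the path that is not critical on expected time is the more likely of the two to run past the deadline.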

Cost-Time Tradeoffs and “Crashing”


When CPM was originally developed, it was used not only for scheduling, but it was also used to determine
what activities could be shortened by adding resources, thus shortening the completion time for the whole
project. It also considered what the added cost would be of those resources needed to shorten the activity.
This cost-time tradeoff enables the manager to determine whether the additional cost involved in
shortening the time to complete the project would be worthwhile.


If a project needs to be completed in less time, the critical path must be shortened. This can be done either
by using the existing resources in the company in a different manner (moving them from jobs with slack time
to the critical path) or bringing in additional resources. Which choice a company makes will depend upon the
skills of the resources in the company and whether or not they will be able to perform the needed tasks in the
critical path.

Putting additional resources to work on specific activities to shorten the time to complete a project is called
crashing. In order to decide where to crash, we need to know the least amount of crashing that is needed to
get the project completed within the timeframe. We then determine what activities will cost the least to crash
per unit of shortened project time.

The activities on the critical path are prime candidates for crashing. However, if we crash those activities too
much, then they might be shortened too much, making another path critical and wasting some of the
additional resources for which we are paying extra. So the entire network needs to be examined and the
crashing needs to be carefully planned.

In the earlier example, it is clear that activity BE could be shortened by as much as 3 hours without causing
another path to become critical. So if we have 2 people assigned to the job now, and those people can do the
job in 8 hours, how many people would we need to do the job in 5 hours?

Logic tells us that we would need almost twice as many people to do job BE in only 5 hours.

If it would cost an additional $450 to hire those people, and if that would shorten our overall project by 3
hours, we can then calculate the cost per day to shorten the project.

$450 / 3 = $150 per hour shortened

We will go through the network like this and determine the most cost-effective place or places to crash the
project to gain the maximum possible shortening of the overall project with the minimum cost.

For a small network, a trial-and-error approach can be used to determine this. However, with a large,
complex project, linear programming with a computer is used.

Other ways of shortening a total project’s length include: moving an activity that is on the critical path to a
parallel path instead, transferring resources from activities with slack to the activities on the critical path, if
possible, or eliminating or substituting less time-consuming activities for activities that are not essential.

Benefits of PERT/CPM
PERT/CPM is useful in the following ways:

• It forces managers to plan projects in intricate detail.

• It can be used for scheduling.

• It can be used to assign existing resources to a project in the most effective manner.

• It can be used to calculate costs to shorten the time required for a project.

• Sensitivity analysis can be used with PERT/CPM as a way of determining the probability of finishing a
project on time.

Limitations and Criticisms of PERT/CPM


There are also a number of limitations and criticisms of PERT/CPM.

• PERT is extremely complicated, and when costs are included in the analysis, scheduling complexity
is increased. Furthermore, CPM does not deal with the influence of indirect costs and contractual
incentives. It assumes that time and costs are linearly related, which may not be the case.

• It can lead to overly optimistic estimates. It can be misleading to look only at the critical path
because paths that are near-critical and that have large variances may become critical. PERT/CPM
does not account for these activities.


• It assumes that a bell-shaped probability distribution is appropriate for calculation of activity
times. If this assumption is incorrect, the calculation of the expected times for each activity will be
incorrect, and the three estimates used may be only guesses and therefore not necessarily any better
than one guess. Thus, the actual activity times required may turn out to be quite different from their
expected values.

• In addition, PERT/CPM considers the various activities to be independent from each other,
with the time required to complete one activity not affecting the completion times of activities that
follow it. Thus, in a PERT/CPM analysis, we assume that the expected length of a project (or a
sequence of independent activities) is simply the sum of their separate expected lengths. This
assumption may not be correct because in practice many activities have dependencies.

• Finally, if PERT/CPM is used to shorten the time required for a project by eliminating or substituting
activities, it can result in a degrading of the requirements and poor quality of work.

Question 111: California Building Corporation uses the Critical Path Method to monitor construction jobs.
The company is currently 2 weeks behind schedule on Job #181, which is subject to a $10,500-per-week
completion penalty. Path ABCFGHI has a normal completion time of 20 weeks, and critical path ADEFGHI
has a normal completion time of 22 weeks. The following activities can be crashed.

              Cost to Crash   Cost to Crash
Activities    1 Week          2 Weeks
BC            $8,000          $15,000
DE            10,000          19,600
EF            8,800           19,500

California Building desires to reduce the normal completion time of Job #181 and report the highest
possible income for the year. California Building should crash:

a) Activity BC 1 week and activity EF 1 week.

b) Activity EF 2 weeks.

c) Activity DE 1 week and activity EF 1 week.

d) Activity DE 2 weeks.

(CMA adapted)

Question 112: In a PERT network, the optimistic time for a particular activity is 9 weeks, and the
pessimistic time is 21 weeks. Which one of the following is the best estimate of the standard deviation for
the activity?

a) 2

b) 6

c) 9

d) 12

(CMA adapted)


The following information is for the next two Questions: The PERT network diagram and
corresponding activity cost chart for a manufacturing project at Networks, Inc. are presented below. The
numbers in the diagram are the expected times (in days) to perform each activity in the project.

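[Figure: PERT network diagram for Networks, Inc.; nodes shown include A, B and E. Expected activity times
(days) shown on the diagram: 5, 6.5, 1, 4.5, 7, .5, 5.5, 7.5]

Activity   Normal Cost   Crash Time (days)   Crash Cost
AB         $3,000        3.50                $4,000
AC         5,000         4.50                5,250
AD         4,000         4.00                4,750
BE         6,000         5.00                7,000
CE         8,000         5.00                9,200
DE         6,000         6.50                6,750
BC         2,500         .50                 3,500
BD         2,000         .25                 2,500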

Question 113: The expected time of the critical path is:

a) 12.0 days

b) 13.0 days

c) 11.5 days

d) 11.0 days

Question 114: In order to keep costs at a minimum and decrease the completion time by 1 1/2 days,
Networks, Inc. should crash activity(ies):

a) AD and AB

b) DE

c) AD

d) AB and CE

(CMA adapted)


Question 115: A PERT network has only two activities on its critical path. These activities have standard
deviations of 6 and 8, respectively. The standard deviation of the project completion time is:

a) 7

b) 10

c) 14

d) 48

(CMA adapted)

Question 116: When making a cost/time trade-off in PERT analysis, the first activity that should be
crashed is the activity:

a) With the least amount of slack.

b) On the critical path with the lowest unit crash cost.

c) On the critical path with the maximum possible time reduction.

d) With the lowest unit crash cost.

(CMA adapted)

Question 117: In Program Evaluation Review Technique (PERT), slack refers to the:

a) Uncertainty associated with time estimates.

b) Difference between the latest starting time and earliest finishing time.

c) Path that has the largest amount of time associated with it.

d) Number of days an activity can be delayed without forcing a delay for the entire project.

(CMA adapted)

Management by Objectives (MBO)


Management by Objectives (MBO) is another technique for planning and controlling projects. Peter Drucker
first described MBO in his book The Practice of Management (Harper & Row, 1954).

Goal-setting theory suggests that employees’ performance increases when they have specific and challenging
goals to reach and receive feedback on their progress at attaining those goals.

MBO emphasizes taking overall organizational objectives and expressing them as specific objectives for
groups and individuals. The goals are said to cascade down through the organization. Although the goals
originate at the overall organizational level, lower-level managers participate in setting their own goals. MBO
emphasizes “bottom up” as well as “top down” goal setting. The objectives of employees at each level are
linked to the objectives of the next level.

There are four major characteristics of an MBO program:

1) Specific goals, which are concise statements of expected accomplishments.

2) Participative decision-making, where the manager and employee jointly agree on the goals and on
how achievement of them will be measured.

3) An explicit time period in which to complete the goals, typically 3 months, 6 months or 1 year.

4) Continuous feedback on progress toward the employee’s goals, supplemented by periodic managerial
evaluations. Thus, the employee is not assumed to be self-motivated to reach his or her goals.


The implication in MBO is that the goals must be achievable. This is consistent with goal-setting theory, which
states that as long as the goal is achievable, MBO is most effective when the goals are challenging enough to
require some effort.

There is only one area in which the MBO process deviates from goal-setting theory, and that is in the
participative goal setting. Goal-setting theory advocates assigning goals to subordinates, while MBO specifies
that the subordinate should participate in setting his or her own goals, as long as they are in line with the
goals of the organization. A major observed benefit to having the subordinate participate in the goal-setting
process is that the resulting goals are likely to be more challenging.

Implementing MBO
MBO is a widely used technique because it is usually successful at improving performance and achieving
organizational objectives. However, for MBO to be successful it requires:

• Realistic expectations regarding results.

• Regular review of employee progress toward meeting goals.

• Commitment by senior management.

• Good and free communication between managers and subordinates.

• Allocation of rewards based on goal accomplishment.

In addition, cultural differences may make MBO inappropriate in certain organizations. For instance, MBO
does not work well with the Japanese culture’s focus on long-term goals and minimizing risk.

Question 118: Which network model algorithm identifies the set of connecting branches having the
shortest combined length?

a) Shortest-path algorithm

b) Longest-path algorithm

c) Maximal flow algorithm

d) Minimal spanning tree algorithm

(HOCK)

Question 119: Which of the following requirements are necessary in order for MBO to be successful?

I. Realistic expectations regarding results.

II. Regular review of employee progress toward meeting goals.

III. Honest and free communication between managers and subordinates.

IV. Commitment by senior management.

a) I and II only

b) II, III and IV only

c) I, II, III and IV

d) I, II and III only

(HOCK)


Section F – Information Technology and Business Continuity


Section F covers Information Technology (IT) and Business Continuity. This section accounts for approximately
15–25% of the exam.

Almost all of Section F is covered at the awareness level, with one exception (noted below). The main topics
in this section include:

• A description of information technology, basic control concepts, and IT control frameworks

• A review of the process of planning, analyzing, designing, and implementing a computer system
(Note: this topic is covered at proficiency level)

• The basics of operating systems and software licensing issues

• A discussion of computer networks, including the Internet

• A review of systems security, cybercrime, and business continuity

• The development and use of databases

• A discussion of Enterprise Resource Planning (ERP) systems

Questions related to these topics are likely to be of one of two types: 1) definitional or a basic application of
terms or 2) application to a particular situation in which you need to identify the best or worst evidence or
procedure from the choices.

While the first type of questions is relatively straightforward, the second type requires some practice and
patience. In order to prepare for the second type of question, you will need to go through the past Exam
questions and become familiar with the way the questions are asked and the correct answers. Some
questions are written in such a way as to imply more than one correct answer. For such questions, there is
almost always a short phrase that limits the scope of the question to a particular area, topic, or problem, and
that phrase will signal the correct answer. You will need to learn how to identify these signal phrases.

As a word of caution, the terminology in this section may be slightly different from the vocabulary you use at
work. This discrepancy occurs because internal auditing is, by its nature, an internal activity and therefore it
is impractical to establish standardized terms across various industries and companies. For this reason,
although you should internalize these terms for the exams, you are not at all obligated to change your
vocabulary at work.

This section accounts for 15–25% of the exam; therefore, it is significant enough that you do need to spend
adequate time understanding the concepts of IT and business continuity. We recommend you read through
the material, make sure you understand the general concepts, and use ExamSuccess to become familiar with
what has been asked in the past.


Information Technology (IT)


The extensive use of computers in a company’s operations and accounting systems tends to increase the
company’s exposure to inaccuracies and fraud. Therefore, the information technology that is used in a
company is of particular interest to the internal auditors.

Because computers apply the same steps to similar transactions, there should be no chance for clerical
(human) errors in processing transactions. However, if there is a mistake in the program itself, there will be
an error in every transaction that is processed using that defective program. (And if a clerical error is made in
input, it will of course result in an output error.)

Potential for fraud is always present in organizations and is a serious problem, even without computer
processing of data. The automatic processing of data, the volume of the data processed, and the complexity
of the processing are aspects of computer processing that can increase both the risk of loss and the potential
dollar loss from exposures that naturally exist. The concentration of data storage creates exposure as well
because a problem with the storage in one place may affect large amounts of data. The potential for fraud is
further increased in a computer system because programs are used for data processing. Fraud can be
committed within the program without proper controls over the program itself, and this type of fraud may go
undetected for a long period of time.

Further complicating the situation is that because of the nature of computer systems, paper audit trails may
exist for only a short period of time. This is because support documents may be periodically deleted. The
existence of an audit trail means that an amount appearing in a general ledger account can be verified by
evidence supporting all of the individual transactions that go into the total. The audit trail must include all of
the documentary evidence for the transaction and the control techniques that the transaction was subjected
to in order to provide assurance that the transaction was properly authorized and properly processed. When
an audit trail is absent, the reliability of an accounting information system is questionable.

There is also a positive side to computer systems. Computer systems can provide large amounts of
information to management in a very short period of time. This will enable management to keep closer
control over the results of the company. Computers are also able to process and manipulate large amounts of
information without error (assuming, of course, that the program is correct).

Despite the fact that information systems present unique situations and challenges, it is important to
remember that there are the same internal control goals for an information system as there are for the
overall organizational internal controls. These are:

• Promoting effectiveness and efficiency of operations in order to achieve the company’s objectives.

• Maintaining the reliability of financial reporting through checking the accuracy and reliability of
accounting data.

• Assuring compliance with all laws and regulations that the company is subject to, as well as adherence
to managerial policies.

• Safeguarding assets.

When audit trails are absent and hard copy source documents are not available, an auditor must look to the
system for information. This information should include some kind of assurances that normal transactions are
being processed properly, and that there is a system in place to detect abnormal transactions and reject
them, place them in a suspense file, and bring them before management for review.

The internal auditors may employ an “event concept,” which means performing a review of the entire system
at a particular point in order to determine the effectiveness of all the controls while “events” enter the system
and flow through it. If the internal auditors will have to rely on the system itself as a basis for determining the
validity of its output, they have to be able to analyze the system and its controls. Thus, they must be able to
evaluate data processing systems themselves or else recruit people who can.


Because the system itself becomes so important, changes to the way data is processed and changes in the
system’s operating environment are also critical to an auditor.

In addition, as a result of technology, major changes have taken place recently in the way companies do
business. These have created new challenges for internal auditors. The rise of e-commerce, virtual
organizations, broadband and wireless communications, reliance on data encryption, and open systems are
only a few examples. The interconnectedness of business means that businesses are more vulnerable to
threats from the outside.

This means that management must do a risk assessment to find out what their risks are and how serious
those risks are. The internal audit staff should assist in this risk assessment. Then, management must decide
which risks are acceptable and which risks can be mitigated, and do cost-benefit analyses to decide which
controls mitigate the risks most effectively. Existing controls need to be examined to determine whether they
are effective or whether they require compensating controls.

Classification of Controls
Controls within a computer system are broken down into two types: general controls, which relate to the
environment, and application controls, which are specific to individual applications. Application controls are
designed to prevent, detect and correct errors and irregularities in transactions during the input, processing
and output stages. Both types of controls are essential because the possibility of accident, error, and loss of
data exists whenever data is stored, processed, rejected and reentered, copied from one medium to another,
or transmitted from one location to another.

General Controls
General controls relate to the general environment in which transaction processing takes place and are
designed to ensure that the company’s control environment is stable and well-managed. A stable and well-
managed control environment strengthens the effectiveness of the company’s application controls. General
controls include controls over the development, modification and maintenance of computer programs.

General controls are broken down into the following categories:

• Organization and operation of the computer facilities, including provision for the segregation
of duties within the data processing function as well as segregation of the data processing function
from other operations.

• General operating procedures, including written procedures and manuals. Operating procedures
also specify the process to follow in system development and system changes in order to provide
reasonable assurance that development of, and changes to, computer programs are authorized,
tested and approved prior to the use of the program.

• Equipment and hardware controls, including controls installed in computers that can identify
incorrect data handling or improper operation of the equipment.

• Access controls to equipment and data, such as controls over physical access to the computer
system and over logical access to the data that are adequate to protect the equipment and data files
from damage or theft.


Organization and Operation of the Computer Facilities

Separate Responsibilities within the Information Technology Department


The most important organizational and operating control is the segregation of duties. Although the
traditional segregation practiced in accounting of separating the responsibilities of authorization, record
keeping and custody of assets may not be practiced in the same manner in Information Systems (since the
work is quite different), there are still specific duties in the IT environment that should be separated.

Responsibilities of different jobs within the IT department should be separated from one another. An
individual with unlimited access to a computer, its programs and its data could execute fraud and conceal it.
Therefore, effective separation of duties should be instituted by separating the authority over and
responsibility for the different IT functions.

Although designing and implementing segregation of duties controls makes it difficult for one employee to
commit fraud, remember that segregation of duties is not perfect insurance against fraud because two
employees could collude to override the controls.

The various positions within a computer system and the responsibilities of each are:

• The Database Administrator (DBA) has responsibility for developing and maintaining the
database and for establishing proper controls over the database. The DBA controls access to various files,
making program changes and making source code details available only to those who need to know.
• Systems analysts are responsible for reviewing the current system to make sure that it is meeting
the needs of the organization and, when it is not, for providing the design specifications for the new
system to the programmers. Systems analysts should not do programming, nor should they have
access to hardware, software or data files.
• Programmers are the individuals who write, test and document the systems. They are able to
modify programs, data files and controls, but should not have access to the computers and programs
that are in actual use for processing. For instance, if a bank programmer were allowed access to
actual live data, he or she could delete their own loan balance while conducting a test. Furthermore,
systems programmers should not do application programming, and vice versa. If installation of a
new accounts payable system were combined with operating system maintenance responsibilities,
for instance, a programmer could both perpetrate and conceal a fraud.
• Computer (console) operators perform the actual operation of the computers for processing data.
They should not have programming functions and should not be able to program. Their
responsibilities should be rotated so no one operator is always overseeing the running of the same application.
The most critical separation of duties is between programmers and computer operators.
• Data conversion operators perform tasks of converting and transmitting data (e.g., convert the
source data to magnetic disk or tape for long-term storage).
• Librarians maintain the documentation, programs and data files. They should have no access to
equipment. Librarians should restrict access to the data files and programs to authorized personnel
at scheduled times. Furthermore, the librarians maintain records of all usage and those records
should be reviewed regularly by the data control group for evidence of unauthorized use.
• The data control group receives user input, logs it, monitors the processing of the data, reconciles
input and output, distributes output to authorized users and checks to see that errors are corrected.
They also maintain registers of computer access codes and coordinate security controls with other
computer personnel. They must keep the computer accounts and access authorizations current at all
times. They should be organizationally independent of computer operations.
• For transaction authorization, users should submit a signed form with each batch of input data to
verify that the data has been authorized and that the proper batch control totals have been
prepared. Data control group personnel should verify the signatures and batch control totals before
submitting the input for processing. This would prevent a payroll clerk, for example, from submitting
an unauthorized pay increase.
• The end users need to have access only to the final output that is produced.


Separate IT Operations from Other Departments


IT department personnel should be separated from the departments and personnel that they support. This
separation of the IT department (the programmers) and the end users (the operators) is the most important
segregation of duties.

• Users (not the IT Department) should initiate and authorize all systems changes, and a formal
written authorization should be required.

• Asset custody remains with the user departments.

• An error log is maintained and referred to the operators for correction. The data control group
follows up on errors, but does not correct them.

Some organizational controls can be evaluated by the auditor only by observation, such as whether
documented segregation of duties is actually taking place, whether certain departments are physically
separated, whether access to the library is adequately controlled, and whether access to the computer room
is limited to authorized personnel.
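
The separations listed above can be tested against an access listing and a change log. The following is an added example, not part of the original text: the role names, resource names, user IDs and change records are constructed for illustration, and the rules encode only the separations this section states.

```python
from itertools import combinations

# Role pairs this section says one person must not hold (role names are this example's labels).
INCOMPATIBLE_ROLES = {
    frozenset({"programmer", "operator"}): "can change programs and run them in production",
    frozenset({"systems_analyst", "programmer"}): "analysts should not do programming",
    frozenset({"systems_programmer", "application_programmer"}): "systems and application programming combined",
    frozenset({"data_control", "operator"}): "data control group must be independent of operations",
}
# Resources a role must not reach (resource names are assumptions).
DENIED = {
    "programmer": {"production_programs", "production_data"},
    "systems_analyst": {"hardware", "software", "data_files"},
    "librarian": {"equipment"},
}
# Roles limited to an explicit allow-list: end users need only the final output.
ALLOWED_ONLY = {"end_user": {"final_output"}}

# Constructed access listing and change log.
ACCESS_LISTING = {
    "asmith": {"roles": {"programmer"}, "access": {"source_code", "test_data"}},
    "bjones": {"roles": {"programmer", "operator"}, "access": {"source_code", "production_programs"}},
    "cdiaz": {"roles": {"librarian"}, "access": {"program_library", "equipment"}},
    "dlee": {"roles": {"end_user"}, "access": {"final_output"}},
    "ekhan": {"roles": {"systems_analyst"}, "access": {"design_specs", "data_files"}},
    "fmoro": {"roles": {"end_user"}, "access": {"final_output", "data_files"}},
}
CHANGES = [
    {"id": "CHG-1", "authorized_by": "dlee", "written_authorization": True},
    {"id": "CHG-2", "authorized_by": "asmith", "written_authorization": True},
    {"id": "CHG-3", "authorized_by": "dlee", "written_authorization": False},
]


def review_access(listing):
    """Return (user, finding type, detail) for every segregation-of-duties exception."""
    findings = []
    for user in sorted(listing):
        roles = set(listing[user]["roles"])
        access = set(listing[user]["access"])
        for pair in combinations(sorted(roles), 2):
            reason = INCOMPATIBLE_ROLES.get(frozenset(pair))
            if reason:
                findings.append((user, "role conflict", "+".join(pair) + ": " + reason))
        for role in sorted(roles):
            excess = access & DENIED.get(role, set())
            if role in ALLOWED_ONLY:
                excess |= access - ALLOWED_ONLY[role]
            for resource in sorted(excess):
                findings.append((user, "access conflict", role + " has " + resource))
    return findings


def review_changes(changes, listing):
    """Flag system changes that were not authorized in writing by a user department."""
    findings = []
    for change in changes:
        authorizer = change["authorized_by"]
        if authorizer not in listing:
            findings.append((change["id"], "authorizer not in access listing"))
            continue
        # Anyone holding a role other than end_user is treated as IT staff.
        if set(listing[authorizer]["roles"]) - {"end_user"}:
            findings.append((change["id"], "authorized by IT staff"))
        if not change["written_authorization"]:
            findings.append((change["id"], "no written authorization"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_LISTING) + review_changes(CHANGES, ACCESS_LISTING):
        print(finding)
```

A listing like this shows only what is documented; whether the separation is actually practiced still has to be confirmed by observation, as noted above.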

General Operating Procedures


• Standard procedures for all IT operations, including network operations, should be documented.
These should include documentation of the start-up process, job scheduling, processing continuity
during operator shift changes, operations logs, and procedures to ensure connection and
disconnection of links to remote operations.

• Job descriptions should exist for all jobs so that there is no doubt about who is responsible for what.
This is the basis for specific authorizations and prohibitions on who should not perform certain
duties. These authorizations and prohibitions are then the basis for logical security, such as password
controls.

• Personnel should be adequately trained in their jobs, and assigned duties should be rotated
periodically for key processing functions.

• Everyone should take a vacation each year and be physically absent from the premises during that
time.

• Physical safeguards should be established over forms such as negotiable instruments and over
sensitive output devices such as signature cartridges. Sequential numbers on individual forms should
be printed in advance so missing forms can be detected.

• The system development and system change processes should be documented in order to provide
reasonable assurance that development of, and changes to, computer programs are authorized,
tested, and approved prior to the use of the program.

• Turnaround documents should be used whenever appropriate. A turnaround document is a
computer-produced document that is resubmitted into the system, such as the portion of an invoice that a
customer returns with payment.

The auditors need to determine whether the control group is accountable for data from the time it is received
until it is distributed as output to users. Auditors need to review job rotation schedules as well as vacation
records.


Equipment Controls
• A defined backup procedure should be in place, and the usability of the backups should be verified
regularly.

• Transaction trails should be available for tracing the contents of any individual transaction record
backward or forward, and between output, processing, and source. Records of all changes to files
should be maintained.

• Statistics on data input and other types of source errors should be accumulated and reviewed to
determine remedial efforts needed to reduce errors.

Equipment Access and Data Access Controls


The responsibility for logical security and physical security should be assigned to an information security
manager who reports to the organization’s senior management.

Logical Security
Logical security consists of access and ability to use the equipment and data. Controls over access to data
determine the company’s vulnerability to manipulation of equipment and assets, whether accidental or
deliberately fraudulent.

Logical access controls are used to identify authorized users and control the actions that they can perform.
User IDs and passwords are the most common way of authenticating users. Security software can be used to
encrypt passwords so that they cannot be read, to require a change of password after a certain period of
time, and to require passwords to conform to a certain structure. Procedures should be established for issuing,
suspending and closing user accounts, and access rights should be reviewed periodically.

Logical security also includes Internet security, firewalls, virus protection procedures and cryptographic
techniques such as encryption of messages and digital signatures. Dial-up connections and other system
entry ports should be prevented from accessing computer resources.

The auditor should evaluate the effectiveness of the logical data security system. Does it provide assurance
that only authorized users have access to data? Is the level of access for each person appropriate to that
person’s need? Is there a complete audit trail whenever data is modified? Finally, is unauthorized access
denied and the attempt reported?
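
The password controls and audit questions above can be made concrete in code. This is an added example, not part of the original text: where the text speaks of encrypting passwords so that they cannot be read, the example stores a salted one-way PBKDF2 hash instead, and the 90-day age limit, the length and character rules, the user ID and the password are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy values below are assumptions for this example, not figures from the text.
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000


def structure_errors(password):
    """Return the ways a candidate password breaks the required structure."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"\d", password):
        errors.append("no digit")
    return errors


def _derive(password, salt):
    # One-way, salted and deliberately slow: the stored value cannot be read back.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def issue_account(user, password, now):
    """Issue an account; the password itself is never stored."""
    errors = structure_errors(password)
    if errors:
        raise ValueError("password rejected: " + "; ".join(errors))
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": _derive(password, salt),
            "changed_at": now, "status": "active"}


def authenticate(account, password, now, audit_log):
    """Grant or deny access and record every attempt in the audit trail."""
    matches = hmac.compare_digest(_derive(password, account["salt"]), account["hash"])
    if account["status"] != "active":          # suspended or closed accounts
        outcome = "denied: account " + account["status"]
    elif not matches:
        outcome = "denied: bad password"
    elif now - account["changed_at"] > MAX_PASSWORD_AGE:
        outcome = "denied: password expired, change required"
    else:
        outcome = "granted"
    audit_log.append((now.isoformat(), account["user"], outcome))
    return outcome == "granted"


def denied_attempts(audit_log):
    """Entries a periodic access review would follow up on."""
    return [entry for entry in audit_log if entry[2].startswith("denied")]


if __name__ == "__main__":
    log = []
    acct = issue_account("jdoe", "Correct-Horse-42", datetime(2024, 1, 1))  # constructed
    authenticate(acct, "Correct-Horse-42", datetime(2024, 1, 2), log)
    authenticate(acct, "guess", datetime(2024, 1, 3), log)
    for entry in denied_attempts(log):
        print(entry)
```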

Physical Security
Physical security includes both physical access control and security of the equipment and premises.

Physical access control takes place both within the data center and outside of it. Outside the data center,
for example, certain activities such as changes to employee pay rates can be restricted to terminals physically
located in the payroll department, in addition to requiring password authorization. This would prevent a
person with access to a password but without access to the premises from changing pay rates.

Physical access to the data center should be limited to authorized persons. This can be accomplished through
card access, where a magnetically encoded card is inserted into a reader, and access is either granted or
denied. The card access also provides an audit trail, with date, time, and identity of the person who entered
recorded. Within the data center, physical access can be selectively assigned by establishing zones. For
example, a computer operator might be authorized to enter the computer room but would not be authorized
to enter the tape vault. Zoning can also be used to limit access to certain days of the week and certain times
of the day.

Biometric access systems can be used where the physical security needs to be rigorous. Biometric access
systems use physical characteristics, such as blood vessel patterns on the retina, handprints, and/or voice to
authenticate people for access. There is a low error rate with such systems, but the systems do occasionally
make errors, so these are usually combined with other controls.


Dual access and dual control can be established to require two independent, simultaneous actions before
processing is permitted.

Visitors should be escorted by an IT member when they enter the computer facilities, and a visitor’s log
should be kept and reviewed regularly.

Physical security involves the physical security of equipment and the premises. Fire prevention safeguards
such as a fire alarm system connected to a security center that is manned 24 hours a day, 7 days a week, or
to the fire department, should be installed. The fire alarm system should be tested and fire drills should be
conducted regularly. Smoke detectors should also be placed throughout the building, and a fire suppression
system should be installed.

An alternate power source should be available in case of power loss or brownout. The power source may be
long-term, such as a generator that could power the center for a long period of time, or it may be a
short-term battery-operated system that would provide enough time to accomplish an orderly shutdown of the
computer system. A large, critical system would require a generator, whereas a short-term solution would be
adequate for a less critical system.

A surge protector should be used on every computer, including PCs, along with a small UPS (uninterruptible
power supply). The UPS gives the operator time to save work in the event of a short power outage. The surge
protector protects the system from voltage spikes that can damage it, such as those that occur during an
electrical storm.

Media library contents should be protected. Responsibilities for storage media library management should be
assigned to specific employees. The file management system should include security considerations. Files
should include backups of current data that can be used in case of a disaster, as well as archive files for
permanent storage. Controls are required so that the files are labeled and stored correctly. Contents of the
media library should be inventoried systematically, so that any discrepancies can be remedied and the
integrity of magnetic media is maintained. Policies and procedures should be established for archiving.
Backup tapes that have become too worn out to use or hard disks that have outlived their usefulness should
be erased before being discarded.

Servers and associated peripherals should be kept in a separate, secure room. Particularly when servers are
located outside of the data center, servers and routers may be found installed in unsecured storage closets.
This is very poor practice, because they can be subject to damage by cleaning people who store their cleaning
supplies in the same closets.

Servers and equipment inside the data center should be kept in rooms with bars on the windows and blinds or
reflective film used on the windows for heat blocking as well as physical protection. There should be a system
in place to monitor hardware components to prevent them being removed from the premises. Offsite backup
tapes should be stored in a secure location.

The auditor’s role is to evaluate the effectiveness of the existing controls and security. For instance, the
internal auditor should review password administration, the levels of authority assigned and the
appropriateness of each person’s authority.

In the area of storage, the auditor should find out how stored magnetic media are labeled (externally as well
as internally), whether there is a tape or disk management or file management system, whether magnetic
media are stored appropriately and copies kept off-site as well as on-site, and whether temperature and
humidity in the storage area are monitored and controlled. It is important for the internal auditor to
determine whether adequate file naming standards have been established, because inadequate file naming
standards can result in accidental deletion of files.

If weaknesses are found in any of the controls, the auditor must state in the report what exposures result
from the inadequate controls.


Question 120: The most critical aspect of separation of duties within information systems is between:

a) Programmers and computer operators.

b) Project leaders and programmers.

c) Programmers and systems analysts.

d) Management and users.

(CMA adapted)

Application Controls
Application controls are controls that are specific to individual applications. They are designed to prevent,
detect and correct errors in transactions as they flow through the input, processing and output stages of
work. Thus, they are broken down into three main categories: input controls, processing controls and output
controls.

1) Input controls should provide reasonable assurance that the data entered into the system has
proper authorization, has been converted to machine-sensible form, and has been identified. Input
controls can also provide some assurance that data (including data sent over communications lines)
has not been lost, suppressed, added or changed in some manner.

In a batch processing environment, there are various controls that can be used to make sure that
data is not lost as it moves from station to station before it reaches the computer. This is more
difficult with a real-time system, because real-time systems do not lend themselves to batch controls.
However, unbatched transactions can be checked.

a. Edit checks are the programs that check the validity and accuracy of input data, such as
checking whether each field has the proper numeric, alphabetic, or alphanumeric format and
whether the information in the transaction is reasonable. There are a number of input controls
that can be built into software applications:

• Error listing. This is simply the process of developing a list of all errors from a run of the
data as well as any uncorrected errors from previous runs. From this information we can
determine what changes need to be made to the system.

• Field checks. This is a check to make sure that an input field contains the correct type of
characters (number or letters). For example, a field check will not allow numbers to be input
into a field for a person’s name.

• Financial totals. This is a total of the amount of money included in a set of records.

• Hash total. This is a total of numbers such as the account numbers that are included in a set
of records or the employee numbers of people who are included in a payroll calculation. This
number can then be compared after processing or transmission in order to test the
completeness of the process.

• Limit and range checks. This is simply a maximum or minimum number for a record. For
example, the number of days worked in a week cannot exceed 7.

• Preformatting. As indicated by the name, this is the practice of displaying a computer screen
that looks like a paper form, so that the proper information is entered in the proper place.

• Reasonableness (or compatibility) test. This tests the logical correctness of information.
For example, does the product code that is input for a sale match one of the codes of the
products available for sale?

• Record count. This counts the number of records processed.


• Self-checking digits. This is the process of applying an algorithm to an input field and then
applying the same algorithm to the code already entered to compare them.

• Sequence checks. This checks to make sure that the records are reported or stored in the
correct order (most likely alphabetical or numerical).

• Sign checks. This checks that numbers are correctly positive or negative.

• Validity checks. This compares the input information with a list of correct information (such
as personnel numbers) to make sure that the information being entered is valid.

• Overflow test. This makes sure that if an extra digit or letter is entered into a field, the
operator is informed and able to correct the input.

• Check digits. A check digit is a number that is a part of an account or other type of number.
The check digit is a function of the other digits within the number, determined by a
mathematical algorithm. It can be used to determine whether a number, such as an account
number, has been keyed incorrectly. Check digits are used with credit card numbers and
other account numbers, and they are especially helpful in detecting transposition errors. If the
number is not keyed correctly, the operator will get an error message such as “invalid
account number.”

• Reconciliations and balancing. Reconciliations are used to determine whether differences
exist between two amounts that should be equal. If there are differences, the differences are
analyzed to detect the reason and corrections can be made if necessary.

• Error correction. Error corrections often result in other errors. Before corrections are made,
the error reports should be analyzed and the required action determined. The process should
include updating all files that are involved and readjustment of all balances affected.

b. Key verification is the requirement of inputting information again and comparing the two
inputs. An example would be entering your new password twice into a computer system.

c. A redundancy check is the process of sending additional sets of data to confirm the original
data sent.

d. An echo check is the process of sending the received data back to the sending computer to
compare with what was sent to make sure that it is the same as what was received.

e. Completeness checks of transmission of data determine whether all necessary information has
been sent.

f. Some transactions may be initiated automatically, such as automatic stock reorders or
payments to suppliers. Under normal circumstances, there are controls built into the system.
However, situations can arise that were not anticipated when the controls were designed, and
these can lead to difficulties.

Internal auditors should recognize that input errors are the most common error, and they should
dedicate a significant amount of effort to reviewing input controls. To determine what program
controls such as online edits are included in the system, auditors can interview the programmers, review
program abstracts, examine edit reports, or even review the code.

Auditors can observe balancing procedures, examine documents for authorizations and approvals,
and determine whether key verification or some other means of verification of data entry is being
used for critical data.
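
The batch control totals and edit checks described under input controls can be exercised together on a small payroll batch. This is an added example, not part of the original text: the records, employee numbers and account numbers are constructed, and the check digit test uses the Luhn algorithm (the check-digit scheme used on payment card numbers) as one concrete instance of the general technique.

```python
from decimal import Decimal

# Constructed master list used by the validity check.
VALID_EMPLOYEES = {"1001", "1002", "1003"}
TOTAL_NAMES = ("record_count", "financial_total", "hash_total")

# Batch as prepared by the user department (constructed sample data).
BATCH = [
    {"employee_no": "1001", "name": "Ana Ruiz", "days_worked": 5,
     "amount": "1250.00", "account_no": "79927398713"},
    {"employee_no": "1002", "name": "Ben Ode", "days_worked": 5,
     "amount": "980.50", "account_no": "49927398716"},
    {"employee_no": "1003", "name": "Cy Wu", "days_worked": 4,
     "amount": "760.25", "account_no": "1234567812345670"},
]
# Same batch as keyed at data entry, with three constructed keying errors.
RECEIVED = [
    dict(BATCH[0]),
    dict(BATCH[1], account_no="49927398761"),        # last two digits transposed
    dict(BATCH[2], employee_no="1030", days_worked=9),
]


def luhn_valid(number):
    """Check digit test (Luhn): the last digit is a function of the others."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:                        # every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def control_totals(records):
    """Batch control totals: record count, financial total and hash total."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # The hash total has no business meaning; it only tests completeness.
        # Employee numbers are assumed to be numeric strings.
        "hash_total": sum(int(r["employee_no"]) for r in records),
    }


def edit_checks(record):
    """Return the edit-check failures for one input record."""
    errors = []
    if any(ch.isdigit() for ch in record["name"]):
        errors.append("field check: name contains digits")
    if record["employee_no"] not in VALID_EMPLOYEES:
        errors.append("validity check: unknown employee number")
    if not 0 <= record["days_worked"] <= 7:
        errors.append("limit check: days worked outside 0-7")
    if Decimal(record["amount"]) < 0:
        errors.append("sign check: negative pay amount")
    if not luhn_valid(record["account_no"]):
        errors.append("check digit: invalid account number")
    return errors


def verify_batch(header, records):
    """Compare received records with the header totals and build the error listing."""
    actual = control_totals(records)
    mismatches = [name for name in TOTAL_NAMES if actual[name] != header[name]]
    listing = [(i, msg) for i, rec in enumerate(records) for msg in edit_checks(rec)]
    return {"total_mismatches": mismatches, "error_listing": listing}


if __name__ == "__main__":
    header = control_totals(BATCH)                   # prepared with the signed batch form
    print(verify_batch(header, RECEIVED))
    print(verify_batch(header, BATCH[:2]))           # a record lost in transit
```

In the received batch the record count and financial total still agree with the header; only the hash total and the record-level edit checks expose the keying errors, which is why the controls are used in combination.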


2) Processing controls provide some reasonable assurance that processing has been properly
completed as intended, without programming errors or clerical errors, and in a timely manner. There are
a number of tests of processing that are set out below. Processing controls also include physical
security of the equipment. Access to the computer should be permitted only to people who are
authorized to operate the equipment, and operators should be given access only to information they
need to set up and operate the equipment. Programs should be controlled and accessible only to the
computer operators. Programmers should not have uncontrolled access to the computers, data files,
or records.

a. Posting check. Compares the contents of the record before and after updating.

b. Cross-footing. This compares the sum of the individual components to the total figure.

c. Zero-balance check. This is used when a total sum should be 0. All of the numbers are added
together and this is compared to 0.

d. Run-to-run control totals. During a process, critical information is checked to ensure that it
is correct to that point. This allows for the earlier identification of a mistake.

e. Internal header and trailer labels. Properly labeling the data ensures that only the correct
data is processed.

f. Concurrency controls. This is the process of managing the situation when two or more
programs are trying to access the same information at the same time.

g. Key integrity checks. Keys are the characteristics of records that allow them to be sorted. A
key integrity check makes sure that the keys are not changed during data processing.

In reviewing processing controls, the auditor should assess whether the application is processing
input data in an accurate and timely manner, as intended by management, and with no unauthorized
data modifications. This includes:

• Reviewing the use of the above controls.

• Determining whether duties are properly segregated or, if not, whether compensating controls exist.

• Determining whether transactions are retained so data files can be reconstructed, if necessary.

• Determining whether transaction trails are adequate to trace data back to the point of origin, and
whether the date, terminal ID and responsible person are shown on transaction trails.

• Observing processing and determining what controls exist to make sure that processing options
are set correctly.

• Determining what procedures are followed to reprocess transactions that are in error.

• If a suspense file is used, determining whether suspense items are being cleared in a timely
manner.

• Reviewing operators’ run instructions so that if an operator is unfamiliar with the jobs, they will
be able to complete the necessary tasks.


3) Output controls provide some reasonable assurance that the processing result (e.g., account
listings or displays, reports, files, invoices or disbursement checks) is accurate and that only
authorized personnel receive the output. Controls should be in place to make sure that the output
information is sent to the right people, that it is accurate and is sent in a timely manner and that the
proper reports are retained for the appropriate time period. The output of the system is supervised
by the data control group.

One type of output control is forms control, such as physical control over company checks. Checks
should be kept under lock and key, and only authorized persons should be permitted access. In
addition, because checks are prenumbered, the preprinted check number on the form must match the
computer-generated number that is also printed on the check. The preprinted numbers on the
checks are sequential, and the computer-generated numbers also are sequential. If the starting
computer-generated number does not match the first check in the stack, it must be investigated
because it could mean that one or more checks are missing. Any other prenumbered forms should be
controlled in the same manner as checks.

Output control also concerns report distribution. For example, a payroll register with all the
employees’ social security numbers and pay rates is confidential information and thus its distribution
must be restricted. There should be an authorized distribution list, and only enough copies of the
report to permit one report to be distributed to each person on the list should be processed. For a
confidential report, it is preferable to have a representative pick the report up personally and sign for
it. If this is not possible, a bonded employee can be used to hand deliver the reports. Random
checks on this distribution should be made by the employee’s supervisor.

Note: Confidential reports should be shredded when they are no longer needed.

Output control also includes the handling of exceptions when transactions are rejected. If the
transaction is correct, the problem could be an equipment malfunction or operator error. Error logs should
be sent to the proper people for investigation and correction.

Internal auditors should review the following:

• Determine whether output is supervised by a data control group. The control group (or the user)
should balance and reconcile the output.

• Determine whether exceptions are flagged for follow-up.

• Determine whether totals on reports are being examined for reasonableness.

• Determine whether reports are relevant, timely, reliable, and sorted properly.

• Determine whether an up-to-date distribution list is maintained for all reports, whether there is
an output log, whether reports are being lost or misrouted, and whether a user control group has a
checklist to determine whether all reports have been received.

• Determine whether it is possible to create extra copies of reports without having to rerun the
entire process.

• Determine whether dual-custody controls are being used to protect negotiable documents such
as checks and stock certificates and sensitive outputs such as payroll listings.

• Review retention policies for outputs such as hard copy reports. Auditors should also determine
whether reports are being properly disposed of (shredded).


Question 121: Electronic data processing control procedures are classified as general controls or
application controls. The primary objective of application controls in a computer environment is to:

a) Provide controls over the electronic functioning of the hardware.

b) Maintain the accuracy of the inputs, files and outputs for specific applications.

c) Ensure the separation of incompatible functions in the data processing departments.

d) Plan for the protection of the facilities and backup for the systems.

(CMA Adapted)

Question 122: Payroll master file updates are sent from a remote terminal to a mainframe program on a
real-time system. A control that works to ensure accuracy of the transmission is a(n):

a) Echo check.

b) Protection ring.

c) Hash total.

d) Integrated test facility.

(CIA Adapted)

Question 123: When assessing application controls, which one of the following input controls or edit
checks is most likely to be used to detect a data input error in a customer account number?

a) Limit check.

b) Validity check.

c) Control total.

d) Hash total.

(CIA Adapted)

Question 124: Omen Company is a manufacturer of men’s shirts. It distributes weekly sales reports to
each manager. The quantity 2Z5 appeared in the quantity sold column for one of the items on the weekly
sales report for one of the sales managers. The most likely explanation is that:

a) The output quantity has been stated in hexadecimal numbers.

b) The computer has malfunctioned during execution.

c) The printer has malfunctioned and the “Z” should have been a decimal point.

d) The program did not contain a data checking routine for input data.

(CIA Adapted)


Question 125: Which of the following statements accurately describes the impact that automation has on the
controls normally present in a manual system?

a) Transaction trails are more extensive in a computer-based system than in a manual system
because there is always a one-for-one correspondence between data entry and output.

b) Responsibility for custody of information assets is more concentrated in user departments in a
computer-based system than it is in a manual system.

c) Controls must be more explicit in a computer-based system because many processing points that
present opportunities for human judgment in a manual system are eliminated.

d) The quality of documentation becomes less critical in a computer-based system than it is in a
manual system because data records are stored in machine-readable files.

(CIA Adapted)

Control Frameworks
Information system (IS) internal control frameworks are based upon two documents:

1) The report of the Committee of Sponsoring Organizations, Internal Control – Integrated Framework
(COSO), and

2) Control Objectives for Information and Related Technology (COBIT), authored by the IT Governance
Institute and published by the Information Systems Audit and Control Association (ISACA).

In Internal Control – Integrated Framework, internal control is defined as a process designed to provide
reasonable assurance that the company’s objectives will be achieved in the areas of effectiveness and
efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
According to that document, the internal control system is the responsibility of the company’s board of
directors, management and other personnel. It should consist of five interrelated components:

1) The control environment,

2) Risk assessment,

3) Control activities,

4) Information and communication, and

5) Monitoring. 18

Control Objectives for Information and Related Technology defines control as “the policies, procedures,
practices, and organizational structures designed to provide reasonable assurance that business objectives
will be achieved and that undesired events would be prevented or detected and corrected.” 19 “COBIT is a tool
that allows managers to communicate and bridge the gap with respect to control requirements, technical
issues, and business risk.” 20 The COBIT control framework links the goals of the business with the goals of IT
so that IT resources are able to provide the information that the enterprise needs to achieve its objectives.
COBIT has become an IT governance tool that helps management implement adequate controls
over IT processes.

18 Internal Control − Integrated Framework, copyright 1992, 1994 by the Committee of Sponsoring Organizations of the
Treadway Commission, two volume edition 1994, Vol. 1, pp. 3-5.
19 Control Objectives for Information and Related Technology (COBIT) 3rd Edition, copyright 2000, IT Governance Institute,
www.itgi.org.
20 COBIT 3rd Edition, pg. 7.

210 © 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.

Common exposures to loss include competitive disadvantage, deficient revenues, loss of assets, inaccurate
accounting, business interruption, statutory sanctions, erroneous management decisions, fraud and
embezzlement, and excessive costs. These are exposures to loss that result from a failure to implement
proper internal controls.

The ultimate responsibility for internal control lies with management and the board.

Further, controls should be subjected to cost/benefit analysis. This means that management should not spend
more on controls than the amount expected to be received in benefits from the controls. This is a matter of
judgment on the part of management to determine what is required to attain reasonable assurance that
the control objectives will be met without spending more than can possibly be gained.

Even though COSO and COBIT are both based on the internal control of information systems, COBIT is
specifically focused on IT controls, whereas COSO provides entity-wide control guidance.

COBIT was designed with three distinct audiences in mind. These targeted audiences are:

1) Management. Managers need to be able to balance risk and control investments in the often-
volatile IT environment.

2) Users. The system’s users need assurance about the security of, and controls over, internal and
third party IT services.

3) Information Systems Auditors. IT auditors must be able to substantiate their opinions conveyed
to management and others about the state of internal controls.

The best way to understand COBIT is to view it as a three-dimensional framework
(shown on the next page). The three parts of the framework are Information Criteria, IT
Processes and IT Resources.

1) Information Criteria are the minimum standards necessary to meet the business goals.
Information Criteria has three parts, consisting of:

• Quality requirements include quality, cost, and delivery.

• Fiduciary requirements include the effectiveness and efficiency of operations, reliability of
information, and compliance with laws and information.

• Security requirements include confidentiality, integrity, and availability.

2) IT processes are required in order to ensure that the information is properly gathered and meets
the Information Criteria. The IT processes are organized into four stages (domains):

• The Planning and Organization stage concerns integration of the IT processes into the
organization and communication of overall business objectives. It covers how IT can be used in a
company to help achieve the company’s goals and objectives as well as the organizational form
that IT should take in order to maximize its benefits.

• The Acquisition and Implementation stage is where solutions are acquired or developed and
eventually implemented. It covers identifying the requirements for IT, acquiring the technology,
and implementing it. It also provides guidance for developing and adopting a maintenance
program in order to prolong the life of the IT system.

• The Delivery and Support stage will include training of staff, maintaining security, and
controlling the actual delivery of services such as the execution of the applications within the IT system.

• The Monitoring stage includes getting feedback so that management is able to assess the IT
needs of the company and whether or not the current IT system still meets the business
objectives for which it was designed. It also involves assessing controls.


3) IT Resources are required for information to be obtained. The required resources will include:

• People – Staff needs to have the proper skills, awareness and productivity to plan, organize,
acquire, deliver, support and monitor information systems and services.

• Application systems – Understood to be the manual and programmed procedures.

• Technology – This covers the hardware, operating systems, database management systems,
networking, etc.

• Facilities – These are the resources necessary to house and support the information system.

• Data – Data can be of any form, i.e., external or internal, structured or unstructured, graphics,
sound, etc.

The four stages (domains) mentioned in Item 2 above contain a total of 34 IT processes. The purpose of the
IT processes is laid out by 318 specific, detailed control objectives. A detailed listing of the 34 IT
processes is presented in Appendix A.

It is not necessary to memorize these 34 IT processes, or the 318 detailed control objectives. It is only
necessary to know that COBIT exists to help management achieve its business objectives.

[Figure: COBIT Components. Axes: Information Criteria; IT Processes (Domains, Processes, Activities); IT Resources (People, Application Systems, Technology, Facilities, Data).]


Question 126: What is COBIT?

a) It is a tool that allows management to communicate and bridge the gap with respect to control
requirements, technical issues, and business risk.

b) It is a set of risks that respond to changes in technology.

c) It is the list of control objectives published by the Treadway Commission.

d) It is the updated version of the Russian tax code.

(HOCK)

Question 127: COSO and COBIT are concerned with providing reasonable assurance that company
objectives will be achieved. What is the primary difference between the two control systems?

a) The COSO internal control systems take precedence over COBIT.

b) COBIT focuses on entity-wide internal controls, whereas COSO is focused specifically on the control
of international transactions.

c) COSO addresses internal controls on an entity-wide basis, whereas COBIT focuses specifically on IT
controls.

d) Their functions are the same.

(HOCK)

Functional Areas of Information Operations


The organization of the Information Operations is an important part of a business’s control structure. While
there are many possible ways to organize the Information Operations depending on the size of the business,
many businesses now have a Chief Information Officer (CIO) who reports directly to the CEO. The CIO is
responsible for all of the IT operations including strategy, controls, and compliance.

Under the CIO, Information Operations are further divided into departments based on the size of the
business. As an example, here is one way that the IT functions might be divided:

• Operations – responsible for the day-to-day functions such as data entry, computer and network
setup and configuration, and the internal help desk.

• Systems Development – responsible for planning and development of new IT systems, beginning
with the initial analysis through programming and testing.

• Security – responsible for ensuring that all information systems are secure, including contingency
planning and disaster recovery.

• Data and Databases – responsible for overseeing the company’s databases and policies, including
who has access to the data.

• Technical Support – responsible for providing support to all of the Information Operations,
including user training.

The most important consideration when auditing the functional areas of a business’s Information Operations is
to be sure that the segregation of duties is appropriate and that all general and application controls are in
place and effective. The auditor must understand the IT environment, the division of the departments, and
the roles of the key individuals in the departments. The auditor also needs to know what functions, if any, are
outsourced. While reputable vendors most likely will not need to be audited, it may be helpful for the auditor
to understand how the outsourced functions operate and connect with the business.


Systems Development
When an entire business processing system is designed from the ground up, this is called business
reengineering. In developing a new computer system, positive results are more frequently obtained when
the systems development process is structured, documented, and controlled. Following such a process
decreases the chances of an expensive mistake by creating a system that does not function as needed to
support the business.

Therefore, the systems approach to problem-solving is used in the development of large, highly structured
application systems. Using the systems approach to develop an information system solution involves a
process called the systems development life-cycle approach (SDLC, or systems approach), which is
based on the assumption that any information system has a limited life because of the ever-changing needs
of an organization and changes in technology. A new lifecycle begins when it is identified that the current
system is no longer adequate. The systems development life cycle involves planning, analysis, design and
implementation and provides a framework for planning and controlling the detailed activities involved in
systems development.

General characteristics of the systems approach include: (1) development by a project team, which
usually includes systems analysts, programmers, accountants and representatives of the end users, and (2)
an information systems steering committee that works with the project team. This committee should
be composed of senior-level managers who provide high-level planning and establish priorities. The
information systems steering committee should have at least one auditor to ensure that the new system will
have adequate controls and will be auditable. The internal auditor also needs to make sure that the
development follows the organization’s procedures for systems development.

The steps that are involved in the process are broken down differently depending on the exact methodology,
but the main steps are:

Project Definition:
Statement of Objectives
Systems Investigation and Feasibility Study

Project Initiation:
Systems Analysis
Systems Design
Systems Implementation
Systems Evaluation

Project Definition Stage:

1) Statement of Objectives. A proposal is prepared, including the need for the new system, the
support for it within the organization and timing issues in terms of need and employee availability.

2) Systems Investigation and Feasibility. A study determines whether a new or improved system is
a feasible solution. The study should include an analysis of the existing system to determine whether
a new system is really needed, or whether the existing system can be fixed. Control deficiencies in
the existing system identified in previous audits should also be considered. Three feasibility
studies are needed:

a. Technical feasibility — Answers the questions, “Is the necessary hardware available, and is
the necessary software available? If not, can it be developed in the required time?”

b. Economic feasibility — A cost-benefit study is required to determine whether expected cost
savings, increased revenue or profits, reductions in required investment and other benefits will
make the cost of the new system worthwhile. The auditor should evaluate whether the cost
estimates are reasonable.


i. The cost-benefit analysis must include both tangible and intangible costs and benefits.
If costs and benefits can be quantified, they are considered tangible. If they cannot be
quantified, they are considered intangible.

ii. Tangible costs are the costs of hardware, software, salaries and other costs necessary to
develop the new system.

iii. Tangible benefits include increased sales and profits, lower maintenance and operating
costs, lower personnel costs, increased profitability or decreased investment in inventory.

iv. Intangible costs could include loss of customer goodwill or employee morale created by
problems arising from the new system.

v. Intangible benefits involve better customer service, improved employee morale or
better information availability for management.

A financial evaluation of the new system is a necessary tool for determining whether the
benefits outweigh the costs of the new system. The methods to financially evaluate a system will be
the same as with any capital investment project. These investment evaluation methods are:

• Payback period – The payback period is the length of time it takes for the project to
recover its initial project investment. A project would be considered acceptable if its expected
payback is within a certain period of time (e.g., four years). If the payback were longer than
four years, then the project would not be considered acceptable.

• Return on Investment (ROI) – The ROI of the project simply measures the return on
investment during the project’s life. The equation is:

ROI = (Average annual profit) / (Average capital employed)

• Net Present Value (NPV) – The project’s cash inflows and cash outflows are discounted
to their present value to reflect the time value of money. If the NPV is equal to or greater
than zero, then the project should be considered viable and accepted. Otherwise, the project
would most likely be rejected.

• Internal Rate of Return (IRR) – This is the discount rate at which the NPV of an
investment will be equal to 0. An IT project would be considered viable if the IRR exceeds a target
minimum rate of return (greater than the organization’s cost of capital).

c. Operational feasibility asks, “Will the proposed system work?” For example, are
management, employees, customers and suppliers willing to operate, use and support the new system?
If the software is too difficult to use, it may prevent people from using it and/or create many
errors in its use.

Note: The internal auditors’ part in the feasibility study should be one of being mindful of the
organization’s objectives. They should make sure that the study is done by a group of representatives of all
departments that will be affected, and that at least one member is an expert in hardware and software
capabilities. Specifications for the new system should include projections of future growth in volume.
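
The four investment evaluation methods listed under economic feasibility, applied to one proposed system, as an added example that is not part of the HOCK text. The cash flows, the 10% cost of capital and the four-year payback limit are constructed; the ROI function assumes straight-line depreciation and takes average capital employed as the midpoint of the initial investment and the residual value, neither of which the text specifies.

```python
"""Payback, ROI, NPV and IRR for one proposed IT system (constructed figures)."""

# Constructed sample project: cost today and expected net cash inflows per year.
INVESTMENT = 100_000.0
INFLOWS = [30_000.0, 40_000.0, 40_000.0, 30_000.0, 20_000.0]


def payback_period(investment, inflows):
    """Years needed for cumulative inflows to recover the investment.

    Assumes each year's inflow arrives evenly, so the final year is prorated.
    Returns None when the investment is never recovered.
    """
    remaining = investment
    for year, cash in enumerate(inflows, start=1):
        if cash > 0 and cash >= remaining:
            return (year - 1) + remaining / cash
        remaining -= cash
    return None


def roi(investment, inflows, residual_value=0.0):
    """Average annual profit divided by average capital employed.

    Assumptions (not from the text): profit is the cash inflow less
    straight-line depreciation, and average capital employed is the midpoint
    of the initial investment and the residual value.
    """
    years = len(inflows)
    depreciation = (investment - residual_value) / years
    average_annual_profit = sum(inflows) / years - depreciation
    average_capital_employed = (investment + residual_value) / 2
    return average_annual_profit / average_capital_employed


def npv(rate, investment, inflows):
    """Discount each year-end inflow to today and subtract the investment."""
    discounted = sum(cash / (1 + rate) ** t for t, cash in enumerate(inflows, 1))
    return discounted - investment


def irr(investment, inflows, low=-0.9, high=10.0, tolerance=1e-9):
    """Discount rate at which NPV equals zero, found by bisection.

    Returns None if NPV does not change sign between `low` and `high`.
    """
    npv_low = npv(low, investment, inflows)
    if npv_low * npv(high, investment, inflows) > 0:
        return None
    while high - low > tolerance:
        mid = (low + high) / 2
        npv_mid = npv(mid, investment, inflows)
        if npv_low * npv_mid <= 0:
            high = mid                      # root lies in the lower half
        else:
            low, npv_low = mid, npv_mid     # root lies in the upper half
    return (low + high) / 2


def evaluate(investment, inflows, cost_of_capital, max_payback_years):
    """Apply the acceptance rule the text gives for each method."""
    payback = payback_period(investment, inflows)
    project_npv = npv(cost_of_capital, investment, inflows)
    project_irr = irr(investment, inflows)
    return {
        "payback_years": payback,
        "payback_ok": payback is not None and payback <= max_payback_years,
        "roi": roi(investment, inflows),
        "npv": project_npv,
        "npv_ok": project_npv >= 0,
        "irr": project_irr,
        "irr_ok": project_irr is not None and project_irr > cost_of_capital,
    }


if __name__ == "__main__":
    for name, value in evaluate(INVESTMENT, INFLOWS, 0.10, 4).items():
        print(f"{name:14} {value}")
```

A reviewer can rerun `evaluate` with the project team's cost estimates varied up and down to see how sensitive the accept/reject outcome is to them.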


Project Initiation Stage:

3) Systems Analysis. Systems analysis consists of the following phases:

a. First, an organizational analysis or a systems survey is done to learn about the
organization, its management, employees, business, the other systems it interacts with, and its current
information system. The analyst must first understand the existing system and its strengths and
weaknesses before any changes can be proposed. This will involve personnel at all levels in the
organization and it is imperative that the employees support the project, otherwise the study will
not be effective.

b. Second, we identify the users’ information requirements and functional requirements.
Information requirements relate to the decisions that are made by users, their needs in terms of
inputs and outputs, database needs and characteristics of the system’s operation. Functional
requirements are those not tied to the hardware, software, network, data and people resources.
Functional requirements may include user interface requirements for data entry, processing
requirements such as automatic calculations, storage requirements such as databases for fast
retrieval, and control requirements such as error messages in data entry.

c. Identification of the system requirements to fulfill the information needs of the user is
completed, i.e., how it will accomplish the users’ needs.

d. Evaluation of alternative designs for the proposed system using cost-benefit analysis.

e. The final step of the systems analysis is preparation of a systems analysis report, which
documents the system specifications and the conceptual design of the proposed system.

4) Systems Design and Development. This involves translating the conceptual design of the system
into the physical design of the system. Phases in systems design and development include:

a. Detailed design specifications are developed, working backwards from the desired outputs to the
required inputs. This is top-down design, starting at the top level of output goals and working
down to the necessary details that will enable the system to meet those goals.

b. The processing requirements are assessed. The question is considered, “What processes will be
necessary to convert the available inputs into the desired outputs?” This involves determining
the workflow, what and where programs and controls are needed and what are the necessary
hardware, backups, security measures and data communications.

c. The storage component needs to be evaluated, as well, i.e., how much use of stored data is
required and how much data must be created and stored for future use. The database is designed
and data dictionaries that document the specific contents of a database (fields and field
descriptions) are written.

d. Preparation of the systems design report is done next. The systems design report includes
everything that is necessary to implement the proposed system: input requirements, processing
specifications, output requirements, control provisions and cost estimates.

e. Documentation is the process of writing all of the manuals, forms and other materials that will
be needed by the users and maintenance IT staff. Control over the documentation process is as
important as the documentation itself, in order to ensure that the documentation is completed
adequately.

f. Flowcharting is an essential part of the documentation of the system. A flowchart is a graphical
depiction of a system, the processing that takes place within it, and the flow of documents
through it.

g. The final step is the program development. This is the process of coding the program(s) to
meet the required specifications.


The modular, or structured programming, approach to designing the system may be used.
Structured programming involves developing design standards for the way the programmers
should use the programming language and stylistic guidelines as well as how the programs
should fit together. Using structured programming, each module can be coded by different
people, which leads to increased security because more than one person knows the entire
program. It also enables completion of the program in less time, because different people can
be working on different parts of the program simultaneously. Furthermore, structured
programming makes it easier to upgrade and adapt the parts of the program at a later time.

5) Systems Implementation. This involves acquisition of resources for the new system and its initial
operation. The new system is implemented, data files are converted, end users are trained and
follow-up occurs to determine whether previous weaknesses have been eliminated and whether or not
any new problems have arisen.

Controls that should be a part of any system conversion include things such as record counts,
reviewing reports, hash totals, and reconciliations.

The system conversion can be done on a parallel basis, on a phased basis, by a direct conversion
(plunge) to the newly developed system, or by a pilot operation.

a. In a parallel operation, both the old and the new systems are run together for a period of time
to make certain that the new system is functioning properly. This method is the least risky but
requires the most effort, because double work has to be done. If a parallel conversion is not
done, the need for review during the first few days of the implementation is even more critical.

b. In a phased, or modular, conversion, only parts of a new application or only a few locations at
a time are converted, allowing the implementation to take place gradually. The full conversion
takes additional time because of the need to implement the new system in each location.

c. Similar to a phased or modular conversion is a pilot conversion, where the new system is
tested in just one department or work site before full implementation.

d. A plunge (direct conversion) is accomplished by simply changing over from one system to
another and starting to use the new system exclusively. This is the most risky conversion
method.

e. One of the most important parts of the conversion is the training of the users in the new
system, which should be approached with the goal of reducing the users’ resistance to the new
system. The implementation of new methods of working results in a learning curve, which
means that users will make mistakes as they are adjusting to and learning the new system. As
experience is gained, these errors usually diminish. However, the learning curve can point out
areas where a system can be improved.

f. As they are learning how to use the new system, users will also be testing the new system to
make sure that it will meet their needs. The end users, along with information systems
personnel, will perform troubleshooting on the new system to identify problems and work out
solutions for the problems.

6) Systems Evaluation and Maintenance. A post-implementation review will be conducted to ensure
that the new system meets the objectives established for it. A maintenance process is utilized to
correct errors. In addition to continual monitoring, the system will be audited to make sure it continues
to operate properly.

Maintenance also includes modifying the system as necessary to adapt to changing needs.
Modifications of the system should be subjected to controls, as well. All modifications should be authorized
by management, should be made in accordance with the same systems development procedures
used to develop the system, and should be tested fully and approved by the user as well as the IT
management. A full systems test should be performed in order to ensure that the changes work as
planned and that they do not cause unintended results.
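
The conversion controls named under Systems Implementation (record counts, hash totals and reconciliations), run against a converted data file, as an added example that is not part of the HOCK text. The record layout, field names and sample data are constructed. The hash total here is the sum of the account numbers, a figure with no business meaning that is used only to detect lost or altered records.

```python
"""Conversion controls: record count, hash total, control total, reconciliation."""
from decimal import Decimal

# Constructed sample data: customer master file extracted from the old system.
LEGACY = [
    {"account_no": 10021, "name": "Adler Freight", "balance": Decimal("1520.75")},
    {"account_no": 10034, "name": "Birch Supply", "balance": Decimal("310.00")},
    {"account_no": 10047, "name": "Cobalt Tools", "balance": Decimal("0.00")},
    {"account_no": 10058, "name": "Dune Logistics", "balance": Decimal("-45.10")},
    {"account_no": 10063, "name": "Elm Street Cafe", "balance": Decimal("9870.40")},
]

# Constructed conversion outputs. In the first, a zero-balance account was dropped.
CONVERTED_DROPPED = [dict(r) for r in LEGACY if r["account_no"] != 10047]

# In the second, two balances were posted to each other's accounts.
_SWAP = {10034: Decimal("9870.40"), 10063: Decimal("310.00")}
CONVERTED_SWAPPED = [
    dict(r, balance=_SWAP.get(r["account_no"], r["balance"])) for r in LEGACY
]


def batch_totals(records):
    """The three file-level totals compared before and after conversion."""
    return {
        "record_count": len(records),
        "hash_total": sum(r["account_no"] for r in records),
        "control_total": sum((r["balance"] for r in records), Decimal("0")),
    }


def reconcile_conversion(legacy, converted):
    """Compare file-level totals, then reconcile record by record on account_no."""
    before, after = batch_totals(legacy), batch_totals(converted)
    total_exceptions = [name for name in before if before[name] != after[name]]

    old = {r["account_no"]: r for r in legacy}
    new, duplicates = {}, []
    for r in converted:
        if r["account_no"] in new:
            duplicates.append(r["account_no"])
        new[r["account_no"]] = r

    missing = sorted(old.keys() - new.keys())       # in old file, not in new
    unexpected = sorted(new.keys() - old.keys())    # in new file, not in old
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])

    return {
        "before": before,
        "after": after,
        "total_exceptions": total_exceptions,
        "missing": missing,
        "unexpected": unexpected,
        "duplicates": duplicates,
        "changed": changed,
        "passed": not (total_exceptions or missing or unexpected
                       or duplicates or changed),
    }


if __name__ == "__main__":
    scenarios = {
        "clean copy": [dict(r) for r in LEGACY],
        "dropped record": CONVERTED_DROPPED,
        "swapped balances": CONVERTED_SWAPPED,
    }
    for label, converted in scenarios.items():
        report = reconcile_conversion(LEGACY, converted)
        print(label, "->", "PASS" if report["passed"] else "FAIL",
              report["total_exceptions"], report["missing"], report["changed"])
```

The two failing files show why the controls are used together: the dropped zero-balance account leaves the control total unchanged and is caught only by the record count and hash total, while the swapped balances leave all three totals unchanged and are caught only by the record-level reconciliation.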


Question 128: The process of monitoring, evaluating, and modifying a system as needed is referred to
as systems:

a) Analysis

b) Feasibility study

c) Maintenance

d) Implementation

(CMA adapted)

Question 129: Which of the following should be emphasized before designing any system elements in a
top-down approach to new systems development?

a) Types of processing systems being used by competitors.

b) Computer equipment to be used by the system.

c) Information needs of managers for planning and control.

d) Controls in place over the current system.

(CIA Adapted)

Question 130: An insurance firm that follows the systems development life-cycle (SDLC) concept for all
major information system projects is preparing to start a feasibility study for a proposed underwriting
system. Some of the primary factors that the feasibility study should include are:

a) Methods of implementation such as parallel or cut-over.

b) Technology and related costs.

c) Possible vendors for the system and their reputation for quality.

d) Exposure to computer viruses and other intrusions.

(CIA Adapted)

Question 131: A new information system application is requested by a firm’s management. It will be
designed, programmed, and implemented in-house. Upon cutover, results will be provided to the
appropriate users. With this sequence of events, what strategy should be used for determining the
requirements of the new application?

a) Determine the amount of uncertainty associated with developing such an application and its
potential for success.

b) Make an evaluation of the costs and benefits expected from the application.

c) Evaluate the degree of the structured, unstructured and semi-structured decisions resulting from
the application.

d) Interview the users, evaluate existing applications, and develop a prototype of the proposed
application.

(CMA Adapted)


Question 132: Errors are most costly to correct during:

a) Programming

b) Conceptual design

c) Analysis

d) Implementation

(CMA Adapted)

Question 133: The analysis tool for the systems analyst and steering committee to use in selecting the
best systems option is:

a) User selection

b) Cost-benefit analysis

c) Decision Tree analysis

d) Systems design

(CMA Adapted)

Question 134: A possible alternative to parallel operations when converting to a new system is:

a) A pilot operation.

b) To perform a walkthrough.

c) The involvement of auditors in systems design.

d) The use of embedded logic and other self-checking features.

(CMA Adapted)

Question 135: An MIS manager has only enough resources to install either a new payroll system or a new
data security system, but not both. Which of the following actions is most appropriate?

a) Giving priority to the security system.

b) Leaving the decision to the MIS manager.

c) Increasing MIS staff output in order for both systems to be installed.

d) Having the information systems steering committee set the priority.

(CISA adapted)


Object-Oriented Analysis and Design (OOAD)


Object-oriented analysis and design (OOAD) is a system design technique that considers a problem by
breaking it down into component parts called objects, often modeled after things in the real world. Objects
have a defined set of operations that can be performed on them or with them, including interactions between
objects. Thus an object has a state that affects its behavior, and its state can be changed by itself or by other
objects performing actions on it. Conceptually, objects are categorized into classes, which define the
characteristics for similar objects.

To demonstrate the difference between an object and a class, consider a very simple view of the IIA
registration system. The class Member defines the properties and actions available to any member of the IIA.
The properties of the Member class might include various information such as name, address, birth date,
education level completed, exams passed, certificates granted, etc. The Member class would also have
various operations available on it, such as changing address, marking exams as passed, marking that a
member has received his or her certificate, etc. So, each IIA member would be an object of the Member
class. There may be tens of thousands of Member objects, but only one Member class that defines what it
means to be an IIA member.

A complex system could have hundreds of classes and millions or billions of objects. For example, a trucking
company might have a class Warehouse and class Truck. Perhaps this company has 5 warehouses and 37
trucks, so their system would have 5 Warehouse objects and 37 Truck objects. The Warehouse class might
have operations to load and unload a truck, clock workers in and out (Employees could be yet another class),
receive cargo from an adjacent rail line (the Train class, perhaps), etc. The Truck class would have
information such as what cargo is loaded, operations to load and unload cargo, indicate that the truck is
moving to another warehouse, etc.

The above example shows both how OOAD can help to think of a problem in terms of real-world information
and scenarios, and then how the program can be designed in terms of the real-world objects and their
interactions. Another benefit of OOAD is that classes developed for one application can be re-used in another.
For example, if the trucking company expands to use ocean ports in addition to warehouses, they will be able
to re-use the Warehouse class because a port and a warehouse have many things in common. Making new
classes by starting with the features of another class, called the parent class, is called
inheritance. Thus, future software development can benefit greatly from OOAD done during previous projects.

Some popular object-oriented programming languages include C++, C#, Java, Objective-C, Perl, PHP,
Python, Ruby and VB.NET. Even some older languages such as COBOL and Pascal have been reworked to
include object-oriented features.

Prototyping as an Alternate Method of Systems Development


At times, the strict application of structured development is not appropriate, due to the nature of the
application being developed. Prototyping can be used when user requirements are difficult to specify in
advance. In prototyping, assurance that systems requirements are adequate can only be obtained through
actual user experience with the system as it is being developed.

Prototyping is an iterative process. Initially, user requirements are estimated and implemented in a
prototype, which is then tried out by the users. As a result, user requirements may be modified or new
requirements may be recognized, and the program is revised to incorporate the new or modified
requirements. The process continues until the users are satisfied.


Advantages of prototyping:

• It is useful when it is difficult to know in advance what the user requirements are.

• It allows users to try a system before extensive development costs are incurred.

• A system can be developed in a short period of time.

Prototyping also has several disadvantages:

• A system might be accepted as final before it is actually finished, and thus the program may lack
important testing, documentation and controls when put into service.

• A process that entails frequent changes is difficult to manage and control. It might never be
finished, because users continue to request minor changes.

• Prototyping can be expensive.

Rapid Application Development (RAD)


Rapid Application Development (RAD) was introduced by James Martin in 1991 in his book Rapid
Application Development. Originally, Martin’s process was focused on prototypes, but the term was broadened
over time to mean reusing software components and using fewer formal development methods. Today, there
are many free and commercial RAD tools available that allow programmers to develop applications very
quickly using pre-built components. Popular examples include NetBeans, Microsoft Visual Basic, Apple Xcode,
FileMaker, and Ruby on Rails. All of these RAD tools provide a vast library of functionality “out of the box” and
only require the developer to create the relationships that process data between and within the various
components of the program.

Advantages of RAD:

• When used in conjunction with prototyping, RAD enjoys the same benefits as prototyping.

• Systems can be built more rapidly by reusing existing software components than by designing
everything from scratch.

Disadvantages of RAD:

• When used in conjunction with prototyping, RAD suffers the same drawbacks as prototyping.

• Choosing the wrong RAD tools may slow development or lead to systems that cannot be completed
without a costly conversion to a different RAD framework.

Question 136: A systems development approach used to quickly produce a model of user interfaces, user
interactions with the system and process logic is called:

a) Neural networking

b) Prototyping

c) Reengineering

d) Application generation

(CIA Adapted)


Program Development and Documentation Controls


The documentation of a program is all of the documents that explain and support the application. They are
used by operators, other users, new employees, auditors, programmers and control personnel.

The documentation of programs (and the computer system as a whole) should be in a limited and controlled
access area. There should also be a set standard for the coding, modification and flowcharting procedures.

The auditors consider documentation to be an important internal control activity. The different types of
documentation are:

• System documentation includes narrative descriptions, flowcharts, input and output forms, file and
record layouts, controls, the authorizations of any changes and backup procedures.

• Program documentation includes the description of the programs, program flowcharts, program
listings of source code, input and output forms, change requests, operator instructions and controls.

• Operating documentation provides the information about the actual performance of the program.

• Procedural documentation provides information about the master plan and the handling of files.

• User documentation includes all of the necessary information for a user to use the program.

System and Program Change Controls


Top management should be involved in any changes made to existing systems after they have been
implemented. This may be achieved through the use of the steering committee. This committee approves
or recommends projects and then reviews their progress.

Any changes to existing programs or systems must be strictly controlled (change controls) and all changes
should be required to be authorized by the appropriate personnel. When a system or program is changed, the
changes should not be made to the actual program that is being used, but rather to a copy. Only the librarian
should have the authority to move the program with its changes into the processing environment. Security
software should be used to “lock out” programmers from the production library. Any changes must also be
properly reflected in all of the related documentation.

A history, or an audit trail, of all program changes should be maintained, and individuals who have
authorized, initiated, and implemented the changes should be listed in the audit trail. Without the proper
signatures, the librarian should not implement a change.

Detailed listings of each line of source code that has been changed should also be available. When a program
does not function correctly, it is frequently due to a recent change. The prior version of the changed code
should be retained so that the cause of an error can be quickly identified.

Updates to vendor-supplied packages can cause problems if the organization has done any customizing of the
program. Installation of a new release will cause the organization’s custom changes to be lost, so these
“in-house” changes must be identified so they can be reinstalled on top of each new upgrade release. If a good
audit trail of program changes does not exist, it will be very difficult to do this.

Another concern with vendor update releases when in-house changes have been made is that these changes
may need to be not only reinstalled, but completely rewritten. The changes made to the prior release of the
program might not work properly with the vendor’s new release.


When changes are being tested, they should be tested not only by using correct information, but also by
using incorrect information to make sure that the program will detect any errors and has the necessary
controls.

• Test data should test all branches of the program, including the program’s edit capabilities. The
edit function includes sequence checks, valid field tests, reasonableness checks and other
tests of the input data. The expected results would then be calculated and compared with the actual
performance. These results should include both accurate output and error messages.

• Unauthorized changes can be detected by comparing the code of the program (code comparison)
to the master copy.
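The test-data approach described above can be sketched as follows. This is an added example, not material from the original text: the timecard record layout, the department code table and the 80-hour limit are assumptions made for illustration. Each test record is paired with a result worked out in advance, covering both clean output and error messages, and the same test deck is then run against a hypothetical changed version of the program that has lost its reasonableness check.

```python
from decimal import Decimal, InvalidOperation

VALID_DEPARTMENTS = {"100", "200", "300"}  # constructed code table
MAX_HOURS = Decimal("80")                  # constructed reasonableness limit

E_SEQ = "SEQUENCE: document number out of order or duplicated"
E_EMP = "FIELD: employee_id must be five digits"
E_DEPT = "FIELD: unknown department code"
E_NUM = "FIELD: hours is not numeric"
E_HOURS = "REASONABLENESS: hours outside the range 0-80"


def edit_record(record, highest_seq):
    """Apply the edit checks to one timecard record; return its error messages."""
    errors = []
    # Sequence check: each document number must be higher than any seen so far.
    if highest_seq is not None and record["seq"] <= highest_seq:
        errors.append(E_SEQ)
    # Valid field tests: format of the key field and membership in a code table.
    emp = record["employee_id"]
    if not (emp.isascii() and emp.isdigit() and len(emp) == 5):
        errors.append(E_EMP)
    if record["department"] not in VALID_DEPARTMENTS:
        errors.append(E_DEPT)
    # Reasonableness check: hours must be numeric and within a plausible range.
    try:
        hours = Decimal(record["hours"])
    except InvalidOperation:
        errors.append(E_NUM)
    else:
        if not hours.is_finite() or not (Decimal("0") < hours <= MAX_HOURS):
            errors.append(E_HOURS)
    return errors


def edit_record_after_change(record, highest_seq):
    """Hypothetical changed version in which the reasonableness check was lost."""
    return [e for e in edit_record(record, highest_seq) if e != E_HOURS]


def run_test_deck(deck, edit_fn):
    """Run every test record; return (seq, expected, actual) wherever they differ."""
    discrepancies, highest_seq = [], None
    for record, expected in deck:
        actual = edit_fn(record, highest_seq)
        if actual != expected:
            discrepancies.append((record["seq"], expected, actual))
        if highest_seq is None or record["seq"] > highest_seq:
            highest_seq = record["seq"]
    return discrepancies


def rec(seq, employee_id, department, hours):
    """Build one constructed input record."""
    return {"seq": seq, "employee_id": employee_id,
            "department": department, "hours": hours}


# Constructed test deck: correct and incorrect input, each with its expected result.
TEST_DECK = [
    (rec(1001, "10234", "100", "40"), []),          # valid
    (rec(1002, "10235", "200", "80"), []),          # valid, upper boundary
    (rec(1002, "10236", "100", "38.5"), [E_SEQ]),   # duplicate document number
    (rec(1003, "1023X", "100", "40"), [E_EMP]),     # non-numeric employee id
    (rec(1004, "10238", "999", "40"), [E_DEPT]),    # department not in code table
    (rec(1005, "10239", "300", "400"), [E_HOURS]),  # implausibly high hours
    (rec(1006, "10240", "300", "forty"), [E_NUM]),  # hours keyed as text
    (rec(1007, "10241", "300", "0"), [E_HOURS]),    # zero hours
]

if __name__ == "__main__":
    print("current program:", run_test_deck(TEST_DECK, edit_record))
    print("changed program:", run_test_deck(TEST_DECK, edit_record_after_change))
```

A deck containing only valid records would pass against both versions; it is the deliberately incorrect records that expose the missing control.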

The auditor needs to be aware that programs are written in source code, which is the language that the
programmer uses for coding the program, and they also exist in object code, which is the machine language
that the processor can understand. The source code file is converted to object code by means of a program
called a compiler, and the object code, not the source code, is what actually runs on the computer. This is
important because although in theory the source code and the object code should correspond, the
computer does not require them to correspond. It would be possible for a knowledgeable person to
make a copy of the source code, rewrite portions of the instructions, compile the modified source code into a
new object code file for use by the computer, and then destroy the modified source code file, leaving the
authorized source code file unchanged. The result is that the executable object code – the actual instructions
used by the computer – will not match the authorized source code. This is a weakness that can be used to
commit computer fraud if controls over the compiling and cataloging activities are not adequate. Despite the
strongest internal controls over day-to-day operations in user departments, a fraudulent change to a program
could divert company funds to an individual, and the fraud could continue for some time without being
detected.

However, computer fraud is not the primary reason for having strong controls over program changes. Lack of
proper testing and implementation errors are responsible for more losses over time than is computer fraud.

The internal auditor must determine whether program changes have been properly authorized, tested and
implemented. Internal auditors should perform tests such as the following:

• Examine change authorization documents to determine whether changes were properly authorized.

• Determine whether controls are adequate over program and job control language libraries.

• Compare the executable versions (the object code) of programs from one period to the next to
detect signs of unauthorized program changes. When programs have been changed, the changes
should be traced back to the authorizing documents.

• Procedures for making emergency changes should be reviewed. Emergency changes are needed at
times because programs occasionally stop running or start producing incorrect results. The urgent
goal is to correct the situation, and usually time is not sufficient for formal approvals. In these cases,
there should be a follow-up process and subsequent review of the changes.

• Determine whether management reports are available indicating the number of emergency changes,
as well as the number of program changes that have had to be backed out due to subsequent
problems.
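The period-to-period comparison of executable versions, and the tracing of each difference back to its authorizing documents, can be sketched as follows. This is an added example, not material from the original text: the program names, byte strings and change records are constructed, and the use of SHA-256 hashes and the change-log field names are assumptions made for illustration.

```python
import hashlib

# Signatures the audit trail is expected to carry for every change.
REQUIRED_SIGNATURES = ("authorized_by", "initiated_by", "implemented_by")


def object_hash(code):
    """Fingerprint one executable (object code) file."""
    return hashlib.sha256(code).hexdigest()


def build_manifest(library):
    """Hash the object code of every program in a production library snapshot."""
    return {name: object_hash(code) for name, code in library.items()}


def compare_periods(prior, current):
    """Return (program, kind, new_hash) for each program added, removed or changed."""
    differences = []
    for name in sorted(set(prior) | set(current)):
        old, new = prior.get(name), current.get(name)
        if old is None:
            differences.append((name, "added", new))
        elif new is None:
            differences.append((name, "removed", None))
        elif old != new:
            differences.append((name, "changed", new))
    return differences


def trace_to_authorization(differences, change_log):
    """Return audit exceptions: differences with no change record or missing signatures."""
    by_key = {(r["program"], r["object_hash"]): r for r in change_log}
    exceptions = []
    for name, kind, new_hash in differences:
        record = by_key.get((name, new_hash))
        if record is None:
            exceptions.append((name, kind, "no change record for this object code"))
            continue
        missing = [f for f in REQUIRED_SIGNATURES if not record.get(f)]
        if missing:
            exceptions.append((name, kind, "missing signature: " + ", ".join(missing)))
    return exceptions


# Constructed snapshots of the production library at two period ends.
PRIOR_LIBRARY = {
    "PAYROLL": b"payroll object code v1",
    "APVENDOR": b"vendor payment object code v1",
    "GLPOST": b"general ledger posting object code v1",
}
CURRENT_LIBRARY = {
    "PAYROLL": b"payroll object code v2",                    # changed, documented
    "APVENDOR": b"vendor payment object code v1 (altered)",  # changed, undocumented
    "GLPOST": b"general ledger posting object code v1",      # unchanged
    "ARAGING": b"receivables aging object code v1",          # new program
}
# Constructed audit trail; each record carries the hash cataloged by the librarian.
CHANGE_LOG = [
    {"program": "PAYROLL", "object_hash": object_hash(CURRENT_LIBRARY["PAYROLL"]),
     "authorized_by": "steering committee", "initiated_by": "payroll manager",
     "implemented_by": "librarian"},
    {"program": "ARAGING", "object_hash": object_hash(CURRENT_LIBRARY["ARAGING"]),
     "authorized_by": "", "initiated_by": "credit manager",
     "implemented_by": "librarian"},
]


def run_audit():
    """Compare the two period-end snapshots and list the exceptions to follow up."""
    differences = compare_periods(build_manifest(PRIOR_LIBRARY),
                                  build_manifest(CURRENT_LIBRARY))
    return trace_to_authorization(differences, CHANGE_LOG)


if __name__ == "__main__":
    for exception in run_audit():
        print(exception)
```

Because the comparison is made on the object code rather than the source, it also catches the case where the executable was rebuilt from altered source while the authorized source file was left untouched.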


Computer Programs and Software


Computer programs are sets of instructions that are written in programming languages, such as C/C++,
Java, BASIC, Pascal, COBOL, or many other languages.

Systems Software
Programs that manage and support the computer system are systems software, and all modern operating
systems are systems software. Systems software enables the computer to execute application programs,
monitor data communications, and control the input and output, file management, and file access.

Operating Systems
The five basic functions of an operating system are:

1) Provide a user interface that allows the user to communicate with the computer in order to load
programs and access files as well as accomplish other tasks. User interfaces can be
command-driven, menu-driven or a graphical user interface (GUI).

2) Resource management to manage the hardware and networking resources of the system.

3) File management to control the creation, deletion and access of files, and also keep track of the
physical locations of files on secondary storage devices.

4) Task management programs to manage the accomplishment of the computing tasks. Task
management enables multitasking, so that several computing tasks, such as typing, playing music and
printing, can occur at the same time.

5) Utilities and support services perform housekeeping and file conversion functions such as data
backup, data recovery, virus protection, and data compression.

There are a number of operating systems in use. The most popular are:

• Microsoft Windows.

• UNIX – Originally developed by AT&T, UNIX is used for many Web and network servers. It can be
used on mainframes, servers, and personal computers.

• Linux – Developed as open-source software by Linus Torvalds of Finland as an alternative to UNIX.
Linux is a low-cost, powerful, and stable operating system that is being used more and more for
network servers and Web servers. Linux is sold with extra features and support services added by
companies such as Red Hat.

• Mac OS X – Released in 2001 as Apple’s next-generation operating system, Mac OS X is based on
UNIX with an additional graphics layer and other Apple-specific technologies.

Unless controls over the operating system’s implementation and maintenance are adequate, the system may
experience excessive downtime, processing inaccuracies, and even computer fraud.

Installation of systems software should be subject to approvals, documentation, adequate testing, and
signoff, following a process such as the System Development Life-Cycle Approach. Changes to operating
systems carry high risk because they affect the entire information system.

Application software may require modifications to the operating system to enable the application software to
work properly. If this is the case, any upgrades made to the operating system may require that the operating
system be modified again so the application software can continue to work.


Some utility programs can bypass many security controls, because they can be used to modify both data and
programs without any audit trail, and that is a matter for the auditor’s concern. Data file utilities are
necessary, for example, if a data file becomes corrupted, but their use must be controlled because of their
power. Data file utilities can be used in a fraudulent manner to change data directly in the data file, without
any processing taking place and no record of any transaction having been performed. Access to these utilities
should be limited to systems programmers, and each use of them should be authorized and documented.

Internal auditors should ascertain whether change control procedures for the operating system are adequate,
and whether operating system changes are documented, approved, and installed at low-risk times (such as
after business hours). The auditor should find out whether operating system releases are kept up to date,
whether powerful utilities are restricted and their use documented, and whether systems programmers have
application responsibilities. The auditor should also ask whether the company is paying any annual
maintenance fees on software that is no longer being used, and whether an appropriate process is being
followed when new system software is required.

Evaluation and Selection of Vendor-Supplied Software


Any vendor-supplied software package should be carefully evaluated. Some of the factors for consideration
are:

• The vendor’s stability.

• The satisfaction of current users.

• The vendor’s quality control standards.

• Processing speed of the software on the organization’s system(s).

• Documentation availability and adequacy.

• Vendor’s user help line.

• Reporting capabilities of the system.

• Availability of a report writer that users can use to develop their own reports.

Maintaining the Integrity of the Data


Maintenance procedures are the second control factor to be considered by the internal auditor when
evaluating vendor-supplied software. Important considerations are:

• Upgrade releases must be kept “in sync.” If different versions of different modules are being used,
the systems may not interact properly.

• Today’s software applications are large and complex, and inevitably will have bugs and/or security
vulnerabilities that need to be patched. The upgrade process must be carefully managed to ensure
that new vulnerabilities are not introduced during an upgrade. Applications like web browsers require
special attention, because they connect to outside systems and are at the greatest risk of being
compromised. Unnecessary features and plug-ins (e.g. Java, ActiveX, Flash, etc.) should be disabled
to prevent exploits of those features. E-mail programs also need to be carefully managed to ensure
that they are providing adequate protection against spam, viruses and phishing attacks and do not
contain any vulnerabilities that could compromise the entire system.

• Custom changes of vendor source code can create future problems if they are not properly
controlled. The internal auditor should review change controls to make sure that all custom changes are
properly identified. Not doing so can result in postponement of needed upgrades because of the
problem of identifying and reinstalling all of the custom changes.


Software Piracy
Software piracy is a form of software theft involving the unauthorized copying and use of software. Software
is intellectual property that is protected by copyright law and end user licensing agreements. In most cases,
the purchase of a software application is not a purchase of the software itself but the purchase of a license to
use it. Therefore, software cannot be legally transferred from one user to another. Recently, software
developers have begun securing their copyrights by requiring “activation” of the software by the end user. A
unique serial number is assigned to each copy of the software, and once a particular serial number has been
activated, it cannot be activated again on another computer until one of the existing installations is
deactivated.

Shareware is software that is made available to users for a small fee and is often distributed over the
Internet. Most shareware programs allow you to try them for a certain period of time before requiring you to
purchase them, or limit you to using just certain features until you pay.

Freeware is less restrictive than retail or shareware, in that it allows for the unlimited copying and
distribution over the Internet. Many open source (meaning that the source code is available for free)
programs are distributed as freeware. The Linux operating system is one of the best-known examples of
freeware.

Auditors should be aware of the legal issues associated with software piracy and the methods to avoid legal
liability. Software licensing agreements permit users to download either a specified or an unlimited
number of copies of a software product at given locations or throughout the company. Such software licensing
agreements are often much cheaper than purchasing individual copies of software for each computer.

On a periodic basis, internal auditors should review management’s policies concerning software licensing in
order to make sure that software copyright laws are being followed. These periodic reviews can mitigate the
risk of penalties and negative publicity from the illegal use of copyrighted software. In addition, internal
auditors need to be aware that “pirated” software also increases the chance of introducing computer viruses
or errors into the organization. This is because pirated software is less likely to have been tested for viruses,
or it may have been modified, causing it to behave unexpectedly or erratically.

Controls that should be implemented to prevent the use of unlicensed software include:

• Establishing policies that guard against unauthorized usage or copying of software.

• Establishing a log of all licensed application and systems software.

• Centralizing software installations so that only licensed software can be used.

End-User Computing
In the end-user computing (EUC) model, end-users are responsible for installing systems and application
software and for performing software upgrades. In effect, the systems programming and development is shifted
from a centralized IS department to the various end-user departments.

Some reasons for moving to the EUC model are:

• Unprecedented systems-development backlog. If a user department wants to add or edit a
program, it will need to go through the IS department to modify the system. With typically
increasing user requirements and relatively limited IS resources, this can create a systems-development
backlog.

• More demanding and better-educated users. Today’s systems are more user friendly and users
are increasingly becoming better educated in the use of information systems.

• Timely information as a corporate resource. In order to remain competitive, companies need
timely information. Users require information faster than in the past, and therefore cannot
rely on a centralized IS reporting system.


• Acceptance of the computer environment. Users are more willing to accept changes in a system
if they are able to participate in its development.

• Increasing sophistication of business analysis. This supports the notion that the users are in a
better position to determine how they want the system to function.

However, in moving to the EUC model there are some potential shortfalls that the internal auditor needs to be
aware of. The IIA performed a study on the subject and indicated the following:

Audit and control concerns:


• The potential for a decrease in internal controls.

• The potential decrease in application reliability.

• The potential effect on the financial statements.

• The lack of a data processing role in developing applications.

• The potential decrease in organizational control over computing resources.

• The lack of effective evaluation procedures to ensure that the right system is developed.

Risk of organizational inefficiencies:


• The lack of computing direction.

• The lack of central control and responsibility.

• The potential for data incompatibility.

• Non-defined ownership and responsibility for systems.

Potential problems with end-user computing:


• Long-term planning could become more difficult.

• The lack of economic analysis of application developments.

• The lack of standardized application controls.

• The potential for an unclear definition of responsibilities.

Suggested recommendations to IS management:


• Benchmark end-user computing practices.

• Planning, budgeting, billing and evaluation processes should be formalized.

• Organize EUC resources to satisfy documented client needs.

• Enlist the participation of both the end-users and the IS department for EUC policy development.

• Provide proper training and education.

• Create procurement guidelines that promote fast response, but ensure that products foster
connectivity and interoperability.

• Maintain tight data security to protect the hardware, software and data.

• Create extended audit programs for compliance and substantive testing when material financial or
operational risks are identified.


Question 137: The marketing department’s proposal was finally accepted and the marketing employees
attended a class in using the mainframe report writer. Soon, the marketing analyst found that it was
easier to download the data and allow employees to manipulate it on their own workstations than to
perform all the data manipulation with the mainframe report writer. One analyst became highly skilled at
downloading data and wrote downloading command sequences for the other employees. When the
analyst left the company for a better job, the department had problems making modifications to these
command sequences. The department’s problems are most likely due to inadequate:

a) Documentation

b) Data backup

c) Program testing

d) Anti-virus software

(CIA Adapted)

Question 138: Traditional information systems development procedures that ensure proper consideration
of controls may not be followed by users developing end-user computing (EUC) applications. Which of the
following is a prevalent risk in the development of EUC applications?

a) Management decision-making may be impaired due to diminished responsiveness to management’s
request for development of EUC applications.

b) Management may be less capable of reacting quickly to competitive pressures due to increased
application development time.

c) Management may place the same degree of reliance on reports produced by EUC applications as it
does on reports produced under traditional systems development procedures.

d) Management may incur increased application development and maintenance costs for EUC systems
compared with traditional (mainframe) systems.

(CIA Adapted)

Organizing the Information Systems Function


Centralized processing was necessary in the early years of computing when large mainframe computers
were used exclusively via dumb terminals that had no processing capability of their own, requiring that all
processing be done by the mainframe. As PCs became less and less expensive and more and more common
through the late 1980s and early 1990s, computing became decentralized and distributed.

In a totally centralized system, all data processing is done in one processing center. Users’ terminals
function only as input devices, communicating all requests to the centralized system. With this type of
system, there is a large centralized IT staff with its associated costs. On the other hand, because of the size
of the processing department, it is possible for the company to benefit from economies of scale in its
operation.

In a totally decentralized system, each remote location processes its own data and has its own processing
staff. Under this system, the processing systems more closely match the needs of the users because they are
developed locally. However, it will cost the company more to develop and maintain systems in multiple
locations and the level of systems expertise at each location may not be as high as having a dedicated central
staff.


In a distributed data processing system, the processing needs of the company as a whole are considered
and then a corporate decision is made as to where the processing should be done. This will generally lead to
having some processing done locally while some is maintained at the central processing facility.

Many companies plan their computer systems to be fault tolerant, i.e., to have fully functional backup
systems in order to provide fail-over (or fail-safe) capability where the system can continue to operate at
full capacity even if there is a major failure in one of its components.

Totally centralized systems and totally decentralized systems are at the two extremes. Most systems are
hybrid systems that fall somewhere in between the two extremes. Today’s intranets (discussed later) provide
centralized control with decentralized components.

Some companies have spun off their Information Systems function into a subsidiary that offers IS services to
other organizations, both related and not related. Some corporations have outsourced their IS operations,
turning over all or parts of the operation to outside contractors called systems integrators. Furthermore,
many companies outsource their software by using application service providers (ASPs) that provide and
support the software that the company uses via the Internet.

The biggest disadvantage to outsourcing IS services is that the company loses the flexibility of tailoring its
Information Systems to its specific needs. On the other hand, outsourcing is usually cheaper, faster and more
reliable because outside experts have more specific experience in designing, implementing and running such
systems. Today, system integrators and ASPs offer such a wide variety of services that most companies’
needs can be met without custom design.

Question 139: A major disadvantage of distributed data processing is:

a) The increased time between job request and job completion.

b) That data processing professionals may not be properly involved.

c) That small jobs cannot be processed efficiently.

d) The disruption caused when the mainframe goes down.

(CMA Adapted)

Processing Modes
Companies use different methods to process data.

In batch mode, transactions and information are held until there is a group of transactions and then these
transactions are all processed together. This is used for transactions that may be processed at intervals of
time and include similar transactions, such as payroll. Batch processing is also used to consolidate groups of
transactions from several offices into a larger group for processing. Batch processing is the oldest method for
processing data and it is still used for processing large volumes of transactions. Batch processing offers the
most control, because manual totals of items and dollar amounts can be compared to batch totals calculated
by the computer. If the totals do not match, the error(s) can be found and corrected in the batch before the
transactions are posted and the files are updated.

Remote batch processing enables a user in one location to start a batch-processing job at another location.
The batches are created at the remote location and posted online to the computer at the other location.

Online or real-time processing connects the computer with the processing unit so that transactions are
processed as they are entered. This means that the master files are updated continuously and may be
accessed as transactions are occurring. In real-time processing, feedback from the transaction is received so
quickly that it may be used in the decision or control processes immediately. For example, most inventory
systems would be real-time systems, because knowing if an item is in stock or almost sold out might have a
real impact on the business.


However, control totaling cannot be used with real-time processing. This means that although real-time
systems have the advantage of being up to date continuously, they pose a greater inherent risk. Strong controls are needed,
such as identification of the operator who performed each update, levels of password security, and restriction
of certain functions at certain terminals.

In evaluating inherent risk in a real-time system, the auditor needs to consider the risk of fraud because of
the possibility that assets or liabilities are intentionally misstated, or assets are stolen. Other inherent risks
involve the importance of the system to the company, the competitive advantage that the system provides to
the company, and how technologically advanced the system is. The greater the system’s importance to the
company’s operations, the greater the competitive advantage it confers, and the more technologically
advanced it is, the higher the inherent risk will be.

Online entry with memo posting and batch processing applications provide the advantages of an online
system with online data entry and online inquiry, but the master files are updated using batch processing,
usually after business hours. After the master files have been updated each evening, a “memo” copy of the
updated master file is created. It is this memo copy that is then used for inquiry and online updating during
the following day. After the day’s transactions have been verified, the memo file is then used to post the
day’s transactions to the master file. Banks in particular use memo posting so that bank personnel can see
each customer’s current balance and monitor cash withdrawals. However, the actual posting of the
transactions to the customers’ accounts occurs after the close of business, when the paper documents such as
checks and deposit tickets are batch processed, using traditional controls.
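The batch control totals described under batch mode and the memo posting arrangement described above can be sketched together as follows. This is an added example, not material from the original text: the account numbers, amounts and class and method names are constructed, and netting deposits and withdrawals into a single signed dollar total is an assumption made for illustration.

```python
from decimal import Decimal


def control_totals(transactions):
    """Computer-calculated batch totals: item count and dollar amount."""
    total = sum((t["amount"] for t in transactions), Decimal("0"))
    return len(transactions), total


class MemoPostedAccounts:
    """Master file updated only by the nightly batch, plus a daytime memo copy."""

    def __init__(self, opening_balances):
        self.master = dict(opening_balances)  # changed only by nightly_batch()
        self.memo = dict(self.master)         # used for online entry and inquiry

    def online_entry(self, account, amount):
        """Daytime entry: update the memo copy only and return the memo balance."""
        self.memo[account] += amount
        return self.memo[account]

    def nightly_batch(self, batch, manual_count, manual_total):
        """Post the keyed batch to the master file only if the control totals agree."""
        count, total = control_totals(batch)
        if (count, total) != (manual_count, manual_total):
            # Reject the whole batch so the error is corrected before any posting.
            return {"posted": False, "count_diff": count - manual_count,
                    "amount_diff": total - manual_total}
        for t in batch:
            self.master[t["account"]] += t["amount"]
        self.memo = dict(self.master)  # fresh memo copy for the following day
        return {"posted": True, "count_diff": 0, "amount_diff": Decimal("0")}


def run_day():
    """One constructed business day: online entries, a rejected batch, a good batch."""
    accounts = MemoPostedAccounts({"1001": Decimal("500.00"),
                                   "1002": Decimal("1200.00")})
    # Daytime: a withdrawal and a deposit are entered online.
    accounts.online_entry("1001", Decimal("-200.00"))
    accounts.online_entry("1002", Decimal("1250.00"))
    memo_during_day = dict(accounts.memo)
    master_during_day = dict(accounts.master)

    # After close: manual totals taken from the paper checks and deposit tickets.
    manual_count, manual_total = 2, Decimal("1050.00")
    # The deposit is keyed as 1520.00 instead of 1250.00 (constructed keying error).
    keyed = [{"account": "1001", "amount": Decimal("-200.00")},
             {"account": "1002", "amount": Decimal("1520.00")}]
    rejected = accounts.nightly_batch(keyed, manual_count, manual_total)
    master_after_reject = dict(accounts.master)

    # The error is found and corrected in the batch, which is then resubmitted.
    keyed[1]["amount"] = Decimal("1250.00")
    posted = accounts.nightly_batch(keyed, manual_count, manual_total)
    return {"memo_during_day": memo_during_day,
            "master_during_day": master_during_day,
            "rejected": rejected, "master_after_reject": master_after_reject,
            "posted": posted, "master_final": dict(accounts.master),
            "memo_final": dict(accounts.memo)}


if __name__ == "__main__":
    for key, value in run_day().items():
        print(key, value)
```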

A timesharing system is one in which many companies (or departments or users) have access to the same
processing unit. In this type of system, each user’s transactions will be processed in turn, enabling many
users to use the same system without any downtime in the system.

Service bureaus are similar to timesharing systems because they actually perform the processing for their
clients. This is offsite processing and the user does not need to have the computer power or the personnel,
but does have to prepare the information and transport it to the service bureau. A common example of this
type of processing is payroll processing, where a company contracts with a service bureau to prepare its
payroll and submit all of its payroll tax returns.

Question 140: Misstatements in a batch computer system caused by incorrect programs or data may not
be detected immediately because:

a) Errors in some transactions may cause rejection of other transactions in the batch.

b) The identification of errors in input data typically is not part of the program.

c) There are time delays in processing transactions in a batch system.

d) The processing of transactions in a batch system is not uniform.

(CPA adapted)


Data Communications and Telecommunications Networks


Modern telecommunications and data networks have significantly impacted almost all aspects of business. Use
of computer networks, especially the Internet, has driven incredible changes to the worldwide business
environment, including dramatically faster worldwide communication, electronic commerce between and
among businesses and consumers, online processing that facilitates immediate credit card processing and
sales processing, and instant access to a worldwide market, just to name a few. Amazingly, the speed and
quality of telecommunications and data networks continue to increase, while costs continue to decrease. The
next few pages describe the more technical aspects of networking, followed by a discussion of electronic
commerce.

A telecommunications network is like any means of communication: there is a sender who transmits a
message to a receiver over a channel consisting of some kind of medium. When the message is data,
transmitting it requires special hardware, software and communications technology. There are five basic
categories of components to a telecommunications network:

1) Terminals. The terminals may be networked PCs, network computers or “dumb terminals,” which
are simply keyboards/monitors with virtually no processing capabilities.

2) Telecommunications processors. Telecommunications processors, such as modems, switches and
routers, perform support and processing functions. They code and decode data and control the flow
of communications between computers and terminals in the network.

3) Telecommunications channels. These are the media over which data is transmitted and received.
They may be copper wires, coaxial cables, fiber-optic cables or wireless systems.

4) Computers. Networks can connect all sizes and types of computers. A large mainframe computer
can be the host computer for a large network, while a personal computer can act as a network server
for a small network.

5) Telecommunications control software. This category includes programs that control telecommunications
activities, such as network operating systems for network servers, Web browsers, or
telecommunications monitors for mainframe host computers.

Network Connections
Adapters are used to connect computers to the network. An adapter is needed to connect to any network,
whether it is a cabled network or a wireless network.

Bandwidth
Bandwidth is a term that is used to classify communications speed and capacity of telecommunications
networks. Bandwidth determines the maximum transmission rate for data. Data transmission rates are
usually measured in bits per second (BPS). A bit is either a 0 or 1; bits are the lowest level language of
computers and digital communication. A single letter (a byte) is comprised of 8 bits.

There are three types of bandwidth: narrow band, medium band and broadband.

• Narrow band uses unshielded twisted-pair lines that are normally used for telephone voice
communications. Data is transmitted by means of modems.

• Medium band uses shielded twisted-pair lines. Shielded twisted pair cabling provides shielding
from electromagnetic interference. Transmission speeds are faster than narrow band.

• Broadband uses coaxial cable, microwaves, fiber optics, radio waves, infrared or satellite transmission.
Transmission rates are much faster than medium band.


Voice over Internet Protocol (VoIP)


VoIP uses the Internet for voice telephone calls rather than traditional phone lines and circuit switching.
Skype is probably the best-known public VoIP system, but there are also many VoIP solutions that are
installed internally within a company. While VoIP can significantly reduce the cost and overhead of setting up
a phone system, it can also perform poorly if there is insufficient bandwidth, resulting in dropped or broken
calls (similar to a cellular phone with a poor connection). Because VoIP calls are transmitted over the
Internet, they must be encrypted in order to be secure. Auditors should ensure that all internal VoIP calls are
being made using a system that supports encryption and that the encryption is enabled. Calls made to
outside phones cannot be encrypted because those calls will either have to be sent to another VoIP system
unencrypted or travel over traditional phone lines, neither of which can be secured.

Types of Networks
A network is a system that connects computers together. These networks allow users to share resources
(hardware and software) among various users.

There are six types of networks that you should be familiar with. They are summarized below,
and some are discussed further in the pages that follow.

• Public-switched network - This type of network uses the standard public telephone lines. Though this
is probably the cheapest option, the telephone lines limit the speed of the connection.

• Value-added network (VAN) - These are networks that lease the public telephone lines, but then add
services such as mailboxes, error correction and speed enhancements.

• Local Area Network (LAN) - This is a local computer network set up within a home or office. Each
computer is connected either to all of the other computers (a peer-to-peer network) or through one or
more servers (a client/server network). A gateway connects networks or devices that would otherwise
be incompatible, such as connecting the LAN to the Internet. Ethernet is the most common way of
connecting a LAN and allows different computers to talk to each other.

• Wide Area Network (WAN) - This is like a LAN, but spread over multiple offices that may be widely
separated, even internationally. The different locations are usually connected by high-speed
broadband connections.

• Internet - The three main parts of the World Wide Web are the servers that hold the information, the
clients who are viewing the information and the protocols that enable the servers and clients to
communicate with each other.

• Virtual private network (VPN) - A VPN uses the Internet to network computers in different locations.
The greatest risk with this type of network is the security of the information transmitted through the
VPN. Security is reliant on firewalls and other security features of a company’s Internet and intranet
connections. In addition, if the VPN is used in an extranet between a company and its customers and/or
suppliers, the security is also reliant upon the security of the Internet connections of the other
organizations in the extranet.


Question 141: A local area network (LAN) is best described as a(n):

a) Method to offer specialized software, hardware and data handling techniques that improve
effectiveness and reduce costs.

b) System to allow computer users to meet and share ideas and information.

c) Computer system that connects computers of all sizes, workstations, terminals and other devices
within a limited proximity.

d) Electronic library containing millions of items of data that can be reviewed, retrieved and analyzed.

(CMA Adapted)

Network Properties
Networks are categorized based on three properties:

• Architecture

• Protocol

• Topology

Networks use standard protocols, standard communications hardware, and standard software interfaces
between the users and the computer systems to maintain open telecommunications.

Network Architecture
The purpose of network architectures is to promote open, flexible and efficient telecommunications
environments. Network architectures are master plans for the development of data communications networks.

A network’s architecture may be one of two major types: peer-to-peer or client/server.

• Peer-to-peer networks permit users to share files and resources such as printers and Internet
access on their own computers and access files and resources on other computers in the network. In
a peer-to-peer network, there is no server and all computers have the same ability to use all the
resources available on the network.

Advantages of a peer-to-peer network are that it is less expensive because there is no need for a
dedicated server, and it is simpler to set up by simply reconfiguring existing software. Disadvantages
of the peer-to-peer configuration are that because it is decentralized, there is no central storage of
files and applications and thus there is no access to a centralized backup routine. It also does not
provide the security that would be available on a client/server network. Due primarily to the lack of
control, use of peer-to-peer networks is usually limited to small workgroups.

• The primary architecture of networks used in businesses is the client/server architecture. In a
client/server network, the server provides centralized Internet access, e-mail, file and printer sharing,
and security across the network. Client/server networking is discussed in detail in the following
pages.

Network Protocols
Protocols specify a common set of rules and signals that computers on the network use to communicate with
each other. The protocol is responsible for taking data packets from one device and sending those packets to
other devices. Common network protocols are TCP/IP, UDP, NetBEUI, and Bonjour (Apple’s Zeroconf
implementation).

TCP/IP is a system of protocols used on the Internet and by intranets and extranets. Client/server networks
using TCP/IP technology are commonly called IP networks. TCP/IP has become so widely used that it is
almost equivalent to a network architecture, even though it is a protocol.


Question 142: When two devices in a data communications system are communicating, there must be
agreement as to how both data and control information are to be packaged and interpreted. Which of the
following terms is commonly used to describe this type of agreement?

a) Asynchronous communication.

b) Synchronous communication.

c) Communication channel.

d) Communication protocol.

(CIA Adapted)

Network Topologies
Network topologies are network structures. All computer networks, regardless of their topologies, rely on
point-to-point and/or multi-point connections.

• Point-to-point connections provide a direct link between two devices, such as a computer that is
connected directly to a printer.

• Multi-point connections link three or more devices on a network.

The most common ways to configure (connect) the computers and devices within either a wide area network
or a local area network are star, ring and bus.

• A star network connects each end user computer individually to the central host computer. All
communications go through the host. Thus, star topology is a passive topology, in that the connected
computers do not pass the messages on to other computers. Since all the computers in the
star are dependent on the central computer, if it fails, the whole network goes down. Advantages of
a star network are that all users have access to up-to-date data at all times, and if a computer other
than the host fails, no other computer will be affected.

• A ring network connects all the computers in the shape of a closed loop. With a ring network, there
is no central computer that contains all the data. Communications flow in one direction only around
the ring, from computer to computer. Ring topology is an active topology, which means that each
connected computer is responsible for moving data from itself on to the next computer. An advantage
of a ring network is that it requires less cabling and therefore is less expensive than some
other topologies. However, it is difficult to add a computer to the network or to remove a computer
without closing down the network. Furthermore, if one computer stops working, it brings down the
whole network.

• A bus network uses one long cable, and all the network devices are connected to it using short
drop cables. The word bus means communications channel, and all computers share the same
bus. All the computers can communicate with each other directly, without having to go through the
server. A message passes other computers on its way to its destination computer.

A bus network is a passive topology, because the connected computers only listen for a signal to
determine whether the signal is for them; they do not pass the data from one computer to the next,
as they do in a ring network. Therefore, if one computer goes down it does not affect the others.

Since the early 1990s, the network configuration of choice has been the star topology. The central network
unit is either a hub or a switch. These devices act as a go-between for the devices by receiving transmission
signals from one device and sending them out to other devices.

An Ethernet network using a star topology is called a star-bus network. Each networked device is connected
point-to-point to the hub. All messages go through the central hub, and if one computer goes down, the rest
of the network can continue to operate.


Connecting Networks to Each Other


Networks can be connected to one another using several different kinds of devices:

• A bridge connects networks of the same type. It directs the network traffic based on the destination
address of the packet that is being sent.

• A gateway connects networks of different kinds. A gateway is used to connect a local area network
to the Internet, to another local area network, or to a corporate intranet. A gateway acts as a “protocol
converter” to connect the different types of networks.

• A router connects several networks. A router is used to connect several LANs across a WAN if, for
example, a company has several LANs at several different offices. A router also directs the communications
traffic and can look for alternate communication routes if one link fails.

• Switches are another type of device used to link LANs and to route packets among them. Unlike a
router, however, a switch does not have any logic and serves only to transmit data.

Question 143: Using a telecommunications provider affects in-house networks. To prepare for changes
resulting from enhanced external network services, management should:

a) Optimize in-house networks to avoid bottlenecks that would limit the benefits offered by the
telecommunications provider.

b) Plan for rapid implementation of new capabilities in anticipation of ready acceptance of the new
technology.

c) Downsize the company’s disaster recovery plan to recognize the increasing role of the telecommunications
provider.

d) Enhance the in-house network management to minimize dependence on the telecommunications
provider for network management.

(CIA Adapted)

Client/Server Networking
Client/server networks have become the primary architecture of computing used in businesses. While mainframe
computers remain important for very intensive applications requiring vast amounts of speed or storage,
client/server computing is more accessible and much less expensive. Microsoft Windows 2008 Server, Mac OS
X Server, and Novell Open Enterprise Server are examples of client/server network operating systems.

In client/server network operating systems, the network centralizes functions and applications in one or more
dedicated servers. The servers are the heart of the system, providing access to resources and files while
providing security. Individual workstations, called clients, are linked by local area networks and access the
resources on the file servers by requesting the server to perform a task. The server’s job is to perform the
tasks requested by the client(s), retrieve and update data, and return responses to client requests.

The server manages shared resources such as databases, printers, Internet access and other communication
links. Software applications, such as word processing or spreadsheet programs, generally reside on the client
computers, while the databases and their related software such as accounting systems are stored on the
server(s). The benefit of a central server is simultaneous access to the shared resources. For example, a
server may control the Internet connection or central database for hundreds of clients at once.

A client/server system has three interacting components:

1) The presentation component, which is what the user sees on the screen.

2) The application logic component, which refers to the logic involved in the processing done by a
specific application. Unlike a terminal connected to a mainframe computer, the client has the ability
to manipulate or query the data or to process a transaction. The processing tasks in each application
are shared between the client and the server, with their division depending upon the application.
Client/server systems enabling distributed processing are called “distributed applications systems” or
“distributed logic systems.”

3) The data management component, which refers to the databases used and how they are stored
on the system. In a large client/server network, databases are copied onto several servers, enabling
fast access to their data. These are called “distributed database systems.”

Advantages of a client/server network are:

• It is centralized. Resources and data security are controlled through the server.

• It is scalable. Client workstations can be added or removed fairly easily. Or, if necessary, the server
can be replaced with a larger and faster server or with multiple servers.

• It is flexible. New technology can be integrated into the system.

• It has interoperability. All of the components — client, network and server — work together.

• It is accessible. The server can be accessed remotely.

• Reduced telecommunications costs result due to faster access to data by personnel.

• Thin-client systems can be installed using diskless microcomputers instead of more expensive PCs.
When thin clients are used, all the application software resides on the server and is executed on the
server. The thin client processes and transmits only user interface information like keystrokes and
mouse clicks over the network to the server. Costs to deploy and maintain a thin client/server network
can be significantly lower, network administration is simplified, and network security is
improved.

Disadvantages of a client/server network include:

• Expense. It requires an initial investment in one or more dedicated servers.

• Maintenance. A large network requires a staff of administrators to ensure efficient operation. Even
a small network may require the services of an on-call consultant. The need for maintenance will increase
the expense.

• Operations are completely dependent upon the server. If the server goes down, all operations
across the network cease.

• Distributed data. Multiple copies of the same file may be stored on various servers in the system,
making backup and recovery more difficult and causing difficulties in data synchronization.

• System maintenance is more difficult. Upgrading to a new version of an application can be more
difficult because the system usually requires consistency in these programs across servers.

• User access and security are more complex. Access privileges can vary widely among employees,
and a client/server system requires proper access rights be set for all users.

Question 144: Which one of the following is not a characteristic of the client-server network model?

a) It consists of desktop computers (clients) that request data from the server.

b) It permits multiple clients to access different records in the same file simultaneously.

c) It can be configured in various ways, including ring, star and bus topologies.

d) It processes client requests to the server for an entire file of records rather than a subset of the
data.

(CMA Adapted)


The Internet
The Internet is an international network of computers and smaller networks that are linked together
electronically. The Internet began as ARPANET, a project of The Advanced Research Projects Agency
Network of the U.S. Department of Defense. It was the world's first operational packet switching network, and
the predecessor of the global Internet. ARPANET and its successor networks have all been shut down or
transitioned to what we now know as the Internet.

Accessing the Internet involves going through a series of progressively larger networks. Individual computer
users connect to small Internet Service Providers (ISPs), and small ISPs connect to larger ISPs. The largest
ISPs maintain high-speed “backbones” for an entire nation or region through fiber-optic lines, undersea cables
and satellite links. The term "Internet backbone" now loosely refers to these high-speed “trunk”
connections of the Internet that carry vast amounts of information between the largest ISPs. As such,
there are multiple backbones. These backbones may be operated by commercial, academic or governmental
agencies. The most significant advantage of this design is that the failure of a single backbone will not cause
a major disruption; Internet communications can be automatically re-routed onto other backbones.

Because there is no central computer system or telecommunications center for the Internet, it has no
headquarters or governing body. Communications standards have been developed by international standards
groups of individual and corporate members, such as the World Wide Web Consortium. These standards are
the key to the flow of information on the Internet.

Internet addresses begin as a domain name, also called a Universal Resource Locator (URL), such as
www.google.com. When you type an Internet address into your browser, your browser communicates with a
domain name server, which translates the text-based domain address into a numeric Internet Protocol
(IP) address such as 64.233.187.99. Every device connected directly to the Internet has a unique IP
address, making it possible for you to connect to any server on the Internet. Online search engines like Yahoo
or Google enable users to locate web pages containing any information they require by clicking their way
through the hyperlinked pages of businesses, government, public interest and various other websites.

Many services besides the World Wide Web are available via the Internet. Most Internet users send and
receive e-mail. Internet e-mail messages are usually transmitted within minutes to anywhere in the world,
and can carry attachments with sounds, photos, videos or virtually any other type of file. Newsgroups and
chat rooms provide an easy way for users to communicate with many other people all over the world. Voice
over IP (VoIP) programs such as Skype allow voice calls at very low cost among Internet users.

E-commerce, of course, is also part of the online experience. Huge “eTailers” such as Amazon.com offer a
vast selection of products and have stores in many countries, including the United States, the United
Kingdom, China, Japan, Germany and France. Many so-called “Brick and Mortar” retailers also offer online
stores to reach a wider audience. You may have acquired this textbook through an E-commerce transaction
with our web site, www.hockinternational.com.

In addition to electronic commerce, business use of the Internet has grown to include online collaboration
among business partners and workgroups, customer and vendor support, marketing, sales and customer
relationship management applications. Applications have developed for engineers to hold virtual meetings and
exchange and manipulate blueprints. Manufacturing applications permit manufacturing processes to be
monitored remotely. Human resources functions have been automated, allowing employees to update their
own employee records. Automated customer service websites save the time of customer service employees
and thus their employers’ money.

Other benefits provided by the Internet to businesses include the opportunity to attract new customers
through an attractive website, reduction of selling costs because of automated processing of sales generated
online, development of web-based markets and distribution channels, and the opportunity to develop new
information-based products for distribution on the Web, such as materials published online.

In what is actually a very short period of time, the Internet has become a dominant factor in business
worldwide, and it continues to evolve very rapidly.


Intranets
An intranet is a local network inside an organization that uses Internet technologies to allow those who are
part of the intranet to transmit and receive information to and from other members of the intranet. This is
often used within a company to enable its employees to access the company’s internal network without
making their information available to outside parties.

Simply, an intranet can be thought of as an internal Internet. That is to say, an intranet uses all of the same
technologies as the Internet, but it is designed to be accessed only by employees of that company and not
the Internet as a whole. Because intranets use the same technologies as the Internet, the Web browser is
commonly used to access many intranet resources.

Specifically, intranets provide an enterprise information portal that permits authorized users to:

• Use e-mail, discussion forums, online chat, whiteboard and audio- and video-conferencing for collaboration,
meetings, training or any other purpose where in-person communication may be slow,
impossible or expensive. Online tools allow organizational groups on different floors, in different buildings
or even in different countries to rapidly exchange ideas. In particular, the use of e-mail has had a
tremendous impact on the speed of business and many corporate employees in service jobs spend a
significant amount of time every day corresponding via e-mail.

• Use corporate applications such as order processing and inventory control, and access corporate
databases. These applications may be software applications, or can be accessed using Web browsers,
or maybe both. Customer Relations Management (CRM) software provides a central database for
all customer information. For example, using a CRM package allows sales personnel to track conversations
with the same customer, even if the customer speaks to a different representative each time.
Or, after the customer places an order, the support personnel would be able to see what product(s)
that customer has purchased and provide support for the exact product purchased.

• Write, publish and share documents in a variety of formats. This can include an intranet web network
with internal corporate web sites set up as a service to other divisions within the company. For
example, the Human Resources Department could develop an internal web site that provides commonly
needed forms, upcoming personnel events, vacation guidelines, etc. Or, the Accounting
Department may create an online reimbursement submission and tracking site so that employees
can quickly and easily submit expenses for reimbursement.

An intranet uses security measures such as passwords, encryption and firewalls. However, authorized users
can still access an intranet via the Internet through connections like a virtual private network. Therefore, an
intranet’s security is not perfect once it is opened up to any outside connections. Most large corporations will
have an individual or team dedicated to monitoring network security and policies.

Extranets
An extranet is an intranet within a company that also allows access by its customers and/or suppliers through
interfaces between its intranet and their intranets. Thus, extranets are interconnected intranets. Companies
may establish virtual private networks between themselves and other companies using the Internet as the
extranet link. To maintain security, the participants rely on encryption of data and firewalls. Or, to further
guard the security of their transmissions, two companies may directly set up an actual private network
between themselves, without using the Internet, by installing a dedicated line.


Telecommunications and Network Auditing


An internal auditor needs to be able to assess the integrity, security, reliability and performance of
networks in order to determine whether data is being transmitted accurately and in a timely manner.

Network audits need to be done on a regularly scheduled basis, and the data needs to be historically
compared. Many security events are not detectable when they occur. Historical audit data can be used to
identify when systems have been compromised, because often the operational characteristics will have
changed. Without consistent auditing and results comparison, these changes in systems are hard to detect.

Local Area Network audits are generally made with the help of network auditing software. Collecting the audit
data is handled in three phases:

• Host identification - Building databases of the active hosts connected to the network.

• Host profiling - Scanning the hosts to identify their operating system, running network services
and version information. Data is collected by running port and/or vulnerability scanners against the
list of active hosts.

• Service profiling - Monitoring inbound traffic flow to identify what network services are active.
Using the host profile, data traffic monitoring access lists can be created and installed to monitor and
detect network traffic patterns.
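
The historical comparison described above, as an added example that is not part of the original text: it diffs successive host-profile snapshots of the kind the host identification and host profiling phases produce. The snapshot layout, addresses, dates and service banners are constructed for illustration.

```python
"""Diff successive LAN audit snapshots to surface changed hosts and services."""
import ipaddress
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    kind: str
    detail: str


def diff_snapshots(old, new):
    """Compare two {ip: {"os": str, "services": {port: banner}}} snapshots."""
    findings = []
    for host in sorted(set(old) | set(new), key=ipaddress.ip_address):
        if host not in old:
            ports = sorted(new[host]["services"])
            findings.append(Finding(host, "NEW_HOST", f"os={new[host]['os']} ports={ports}"))
            continue
        if host not in new:
            findings.append(Finding(host, "MISSING_HOST", "not seen in this audit"))
            continue
        if old[host]["os"] != new[host]["os"]:
            findings.append(Finding(host, "OS_CHANGED", f"{old[host]['os']} -> {new[host]['os']}"))
        before, after = old[host]["services"], new[host]["services"]
        for port in sorted(set(before) | set(after)):
            if port not in before:
                findings.append(Finding(host, "SERVICE_OPENED", f"{port}/tcp {after[port]}"))
            elif port not in after:
                findings.append(Finding(host, "SERVICE_CLOSED", f"{port}/tcp {before[port]}"))
            elif before[port] != after[port]:
                findings.append(
                    Finding(host, "SERVICE_CHANGED", f"{port}/tcp {before[port]} -> {after[port]}")
                )
    return findings


def changes_over_time(history):
    """history: chronological list of (audit_date, snapshot).

    Returns (audit_date, Finding) pairs, dated by the audit in which the
    change first appeared, so a reviewer can line them up with change tickets.
    """
    dated = []
    for (_, previous), (when, current) in zip(history, history[1:]):
        dated.extend((when, finding) for finding in diff_snapshots(previous, current))
    return dated


# Constructed sample data: three monthly audits of a small LAN.
HISTORY = [
    ("2013-07-01", {
        "10.0.1.10": {"os": "Windows Server 2008", "services": {445: "smb", 3389: "rdp"}},
        "10.0.1.20": {"os": "Linux 2.6", "services": {22: "OpenSSH 5.3", 80: "Apache 2.2.15"}},
        "10.0.1.30": {"os": "Windows 7", "services": {}},
    }),
    ("2013-08-01", {
        "10.0.1.10": {"os": "Windows Server 2008", "services": {445: "smb", 3389: "rdp"}},
        "10.0.1.20": {"os": "Linux 2.6", "services": {22: "OpenSSH 5.8", 80: "Apache 2.2.15"}},
        "10.0.1.30": {"os": "Windows 7", "services": {}},
    }),
    ("2013-09-01", {
        "10.0.1.10": {"os": "Windows Server 2008", "services": {445: "smb", 3389: "rdp"}},
        "10.0.1.20": {"os": "Linux 2.6",
                      "services": {22: "OpenSSH 5.8", 80: "Apache 2.2.15", 6881: "unknown"}},
        "10.0.1.40": {"os": "unknown", "services": {23: "telnet"}},
    }),
]

if __name__ == "__main__":
    for when, finding in changes_over_time(HISTORY):
        print(when, finding.host, finding.kind, finding.detail)
```

Each finding is a prompt for follow-up rather than proof of compromise: a changed banner may be an approved patch, while an unexplained new listener or host needs an owner.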

A primary threat to a corporate LAN is peer-to-peer software that employees may have running on their
workstations. If a user uses file sharing software to search for a file and then downloads it, this could open
the door to malware, with which shared files are frequently infected. Most peer-to-peer applications run on
ports numbered 1025 and higher, so it is also important to design a filter that looks for any outbound
connection attempts on ports 1025 or higher, which could help detect P2P software.
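
One way to build the filter described above, as an added example that is not part of the original text: it reads firewall-style connection log lines and reports internal hosts making outbound attempts to destination ports 1025 or higher. The log format, the internal address range, the approved-port list and the fan-out threshold are assumptions, and the log lines are constructed.

```python
"""Flag outbound connection attempts to high destination ports in firewall log lines."""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the LAN's address space
PORT_FLOOR = 1025              # threshold given in the text
APPROVED_HIGH_PORTS = {8443}   # assumption: high ports approved for business use
FANOUT_THRESHOLD = 3           # assumption: distinct outside peers before escalation

# Assumed log layout: timestamp, action, protocol, source ip:port -> destination ip:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log. External addresses come from documentation ranges.
SAMPLE_LOG = """
2013-10-01T09:15:02 ALLOW TCP 10.0.2.15:49152 -> 203.0.113.10:443
2013-10-01T09:15:07 ALLOW TCP 10.0.2.15:49153 -> 198.51.100.7:6881
2013-10-01T09:15:08 DENY TCP 10.0.2.15:49154 -> 198.51.100.8:6881
2013-10-01T09:15:09 ALLOW UDP 10.0.2.15:49155 -> 192.0.2.44:51413
2013-10-01T09:16:00 ALLOW TCP 10.0.3.20:50000 -> 203.0.113.50:8443
2013-10-01T09:16:03 ALLOW TCP 10.0.3.20:50001 -> 10.0.1.20:3306
2013-10-01T09:16:10 ALLOW TCP 203.0.113.99:40000 -> 10.0.1.20:80
2013-10-01T09:17:45 ALLOW TCP 10.0.4.9:51000 -> 192.0.2.200:8080
corrupted entry with no fields
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_outbound_high_ports(lines):
    """Return {internal_host: {"attempts": int, "peers": set, "ports": set}}."""
    suspects = defaultdict(lambda: {"attempts": 0, "peers": set(), "ports": set()})
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match is None:
            continue  # blank or malformed line
        src, dst, dport = match["src"], match["dst"], int(match["dport"])
        try:
            outbound = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # address field is not a valid IPv4 address
        if not outbound:
            continue
        # Test the DESTINATION port. Client source ports are ephemeral and
        # normally above 1024, so filtering on them would flag nearly everything.
        if dport < PORT_FLOOR or dport in APPROVED_HIGH_PORTS:
            continue
        entry = suspects[src]
        entry["attempts"] += 1   # allowed and denied attempts both count
        entry["peers"].add(dst)
        entry["ports"].add(dport)
    return dict(suspects)


def hosts_to_escalate(suspects):
    """Hosts contacting many distinct outside peers on high ports (P2P-like fan-out)."""
    return sorted(h for h, s in suspects.items() if len(s["peers"]) >= FANOUT_THRESHOLD)


if __name__ == "__main__":
    flagged = flag_outbound_high_ports(SAMPLE_LOG.splitlines())
    for host, info in flagged.items():
        print(host, info["attempts"], sorted(info["ports"]), sorted(info["peers"]))
    print("escalate:", hosts_to_escalate(flagged))
```

Many legitimate services also listen on ports at or above 1025, so the approved-port set needs tuning before the output is treated as evidence of P2P use.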

Most of the network audit software available sends dummy data to the network in order to cause traffic to
increase. This test, which determines network capacity, is especially important if the business uses the
network heavily and relies on its use of the network.

Here are some other risks that exist in all telecommunications systems:

• Data can be corrupted during transmission.

• Data can be lost, changed, or copied during transmission.

• The network can “go down,” i.e., be inoperable for a period of time.

• Eavesdropping (passive wiretapping) can result in the loss of confidential information.

• Transmission time may slow down, causing customer irritation and/or adversely affecting business
functions.

• Unauthorized persons can insert fraudulent information (active wiretapping) into the network.

• Costs can become excessive if equipment that is incompatible with the telecommunications network
is purchased.

These are some of the controls in use for telecommunications systems:

• Sequencing of messages - Messages are numbered. If there is a duplicate number or a gap in the
numbers, the receiving computer detects it.

• Encryption – The data being transmitted is scrambled and can be unscrambled only with the key.

• Self-checking algorithms – Mathematical error-detecting techniques are used that send “redundant”
(extra) information along with the data, similar to check digits. If any error is detected, the
data is retransmitted. Cyclical redundancy checking is one type of this, and it is used frequently
to check telecommunication transmissions.


• Network-monitoring software – Software that permits operators to identify weak points in a
telecommunications network.

• Automatic dial-back – Used to keep hackers out of commercial databases. A dial-back system
accepts an incoming call and the caller enters an ID and a password. The connection is then
disconnected, and the computer immediately calls back a prearranged telephone number to establish a
connection. The prearranged number is tied to the caller’s ID and password.

• Dedicated lines – A dedicated line provides greater security and transmission quality. It is
appropriate for an organization that transmits significant amounts of data regularly. The cost is high, but
the benefit is greater reliability and control over data transmissions.

• Restart/recovery procedures – Data can be lost or duplicated when a telecommunications system
fails. Proper restart/recovery procedures and controls need to be in place so that personnel can deal
with technical problems that may arise when the system is brought back online. If a journal is kept
by the system, the databases can be returned to the state they were in just prior to the problem.
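The sequencing and self-checking controls listed above can be seen working together in a receiver. The Python below is an added example, not part of the original text; the frame layout (4-byte sequence number, payload, 4-byte CRC-32), the function and class names, and the sample traffic are assumptions made for illustration.

```python
import struct
import zlib

# Assumed frame layout: 4-byte sequence number | payload | 4-byte CRC-32
SEQ = struct.Struct(">I")
CRC = struct.Struct(">I")


def build_frame(seq, payload):
    """Sender: number the message and append the redundant check value."""
    body = SEQ.pack(seq) + payload
    return body + CRC.pack(zlib.crc32(body))


class Receiver:
    """Receiver: verify the CRC first, then apply the sequencing control."""

    def __init__(self, first_seq=1):
        self.expected = first_seq  # next sequence number in order
        self.seen = set()          # numbers already accepted
        self.missing = set()       # gaps awaiting retransmission
        self.delivered = []        # accepted (seq, payload) pairs

    def receive(self, frame):
        if len(frame) < SEQ.size + CRC.size:
            return "REJECT truncated frame: request retransmission"
        body, trailer = frame[:-CRC.size], frame[-CRC.size:]
        if zlib.crc32(body) != CRC.unpack(trailer)[0]:
            # A damaged frame's sequence number cannot be trusted either.
            return "REJECT CRC mismatch: request retransmission"
        seq = SEQ.unpack(body[:SEQ.size])[0]
        if seq in self.seen:
            return f"REJECT duplicate sequence number {seq}"
        if seq < self.expected and seq not in self.missing:
            return f"REJECT sequence number {seq} is before the session start"
        self.seen.add(seq)
        self.delivered.append((seq, body[SEQ.size:]))
        if seq in self.missing:
            self.missing.discard(seq)
            return f"ACCEPT {seq}: fills an earlier gap"
        gap = list(range(self.expected, seq))
        self.missing.update(gap)
        self.expected = seq + 1
        if gap:
            return f"ACCEPT {seq}: gap detected, missing {gap}"
        return f"ACCEPT {seq}"


def demo():
    """Constructed traffic: one corrupted, one duplicated, one skipped frame."""
    frames = {n: build_frame(n, f"payment {n}".encode()) for n in range(1, 5)}
    damaged = bytearray(frames[2])
    damaged[6] ^= 0x01  # single bit flipped in transit
    rx = Receiver()
    stream = [frames[1], bytes(damaged), frames[1], frames[4], frames[2]]
    return [rx.receive(f) for f in stream], rx


if __name__ == "__main__":
    results, rx = demo()
    for line in results:
        print(line)
    print("still missing:", sorted(rx.missing))
```

A CRC detects accidental corruption only: anyone able to alter a frame can recompute it, so the active wiretapping risk listed earlier calls for a keyed integrity check such as an HMAC in addition to encryption.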

The depth of an auditor’s review of telecommunications controls depends on how dependent the organization
is on telecommunications. If telecommunications are only used for inquiries, hardware controls may be
adequate. However, if funds are being transferred or asset balances are being changed by means of
telecommunications, additional controls will be required.

The auditor should find out what the standards and policies are for network control. For critical applications,
have user controls been instituted? Do audit trails exist for transactions submitted over the network? Is
network monitoring software needed? Is sensitive data encrypted?

System Security
Once a company is connected to an outside network (most usually the Internet), there are a number of
additional security issues that must be properly addressed. The company must make sure that the policies
that it puts in place allow the intended and authorized users to have access to the network as needed.
However, accessibility also creates vulnerability.

Electronic eavesdropping can occur if computer users are able to observe transmissions intended for
someone else. Therefore organizations must ensure that information sent over the network is properly
protected to maintain the confidentiality of company information. Furthermore, the company must ensure
that company files cannot be accessed or changed without authorization.

At a minimum, the system should include user account management, a firewall, anti-virus protection
and encryption.

User account management is the simple process of giving people accounts and passwords. In order for this
to be as effective as possible, the company must keep these up-to-date. Inactive accounts should be
eliminated and active passwords changed frequently.

One very important consideration about system security is to remember that the level of security applied and
maintained on a system should be consistent with the level of risk in the event of a breach or failure. Not
every system needs the highest level of security. For example, a web server, which by design should contain
only public information, does not need the same level of security as an internal system that manages
personnel data. The auditor should categorize the security risk with each system and make sure that the
appropriate controls are in place based on the risk.


Viruses, Trojan Horses and Worms


A computer virus is a program that alters the way another computer operates. Viruses can damage
programs, delete files or reformat the hard disk. Other viruses do not do damage but replicate themselves
and present text, video and audio messages. Although these viruses may not cause damage directly, they
create problems by taking up computer memory and causing erratic behavior or system crashes that can lead
to data loss. To be considered a virus, a program must meet two criteria:

1) It must execute itself. A virus often places its own code in the path of the execution of another
program.

2) It must replicate itself. A virus can replace other executable files with a copy of the virus-infected
file.

A virus can be received from an infected disk, a downloaded file or an electronic bulletin board.

A Trojan horse is different from a virus. A very important distinction between Trojan horses and viruses is
that Trojan horses do not replicate themselves, whereas viruses do. The purpose of a Trojan horse is not
to spread like a virus, but to have a particular target — a particular computer — on which to run a program. A
strict definition of a Trojan horse is, “any program that does something besides what a person believes it will
do.” A Trojan horse can appear to be something desirable, but in fact it contains malicious code that, when
triggered, will cause loss or even theft of data. A typical example of a Trojan horse is a program hidden inside
of a humorous animation that opens a back door into the system. Another example of a Trojan horse is
commercial software that collects data on the person running the program and sends it back to the
originating company without warning the target.

You can get a Trojan horse only by inviting it into your computer. Two examples are by:

1) Opening an e-mail attachment or

2) Downloading and running a file from the Internet. Many mass-mailing worms are considered Trojan
horses because they must convince someone to open them. The SubSeven server, which is software
that lets an attacker remotely control any computer it is installed on, is an example of a program
typically embedded in a Trojan horse.

A worm is a program that replicates itself from system to system without the use of any host file. The
difference between a worm and a virus is that the worm does not require the use of an infected host file,
while the virus does require the spreading of an infected host file. Worms generally exist inside of other files,
often Word or Excel documents. However, worms use the host file differently from viruses. Usually the worm
releases a document that has the “worm” macro inside the document. The entire document spreads from
computer to computer, so the entire document is, in essence, the worm.

A virus hoax is an e-mail telling you that a file on your computer is a virus when it isn’t. These e-mails often
tell you to look on your system for a file with a specific name and, if you see it, delete it because the file
contains a virus that is unrecognizable by your anti-virus program. Everyone will find that file, because it is a
system file that is needed for the computer to operate correctly. If you believe this e-mail and delete the file,
your computer may malfunction.

Note: The difference between a virus and a Trojan is that a virus replicates itself, but a Trojan does not.

The difference between a virus and a worm is that the virus requires an infected host file in order to
replicate itself, while the worm can replicate itself without a host file.

Antivirus software, regularly updated with the latest virus definitions, is the best defense against viruses,
Trojan horses and worms. Antivirus software recognizes and incapacitates viruses before they can do
damage. You must keep your antivirus software up-to-date, however, because new viruses appear constantly.
Programs that specifically defend against Trojan horses are also available.


Question 145: An organization installed antivirus software on all its personal computers. The software was
designed to prevent initial infections, stop replication attempts, detect infections after their occurrence,
mark affected system components and remove viruses from infected components. The major risk in
relying on antivirus software is that antivirus software may:

a) Not detect certain viruses.

b) Make software installation overly complex.

c) Interfere with system operations.

d) Consume too many system resources.

(CIA Adapted)

Question 146: The primary objective of security software is to:

a) Control access to information system resources.

b) Restrict access to prevent installation of unauthorized utility software.

c) Detect the presence of viruses.

d) Monitor the separation of duties within the applications.

(CIA Adapted)

Cybercrime and Defenses Against Cybercrime


The Internet, online communications and e-business are all subject to computer crime and this threat is
growing every day.

A very broad definition of computer crime according to the FBI National Computer Crime Squad (NCCS) is
“crimes where the computer is a major factor in committing the criminal offense.” The NCCS investigates
violations of the Federal Computer Fraud and Abuse Act (CFAA) and is concerned with all computer crimes
that cross multiple state or international boundaries. CFAA was intended to control interstate computer crime
and since the advent of the Internet, almost all computer use has become interstate and international in
scope.

The NCCS explicitly lists the following as the most serious computer crimes:

• Intrusions of the Public Switched Network (the telephone company).
• Major computer network intrusions.
• Network integrity violations.
• Privacy violations.
• Industrial espionage.
• Pirated computer software.

The Association of Information Technology Professionals (AITP) defines computer crime as:

• The unauthorized use, access, modification or destruction of hardware, software, data or network.
• The unauthorized release of information.
• The unauthorized copying of software.
• Denying an end user access to his or her own hardware, software, data or network resources.
• Using or conspiring to use computer or network resources to illegally obtain information or tangible
property.


Some specific computer crimes include:

• Copyright infringement such as the illegal copying of copyrighted material, whether intellectual
property, such as computer programs or this textbook, or entertainment property such as music and
movies.

• Denial of Service (DOS) attacks in which a website is accessed repeatedly so that other, legitimate
users cannot connect to it.

• Theft of credit card numbers from retailers’ files.

• Phishing, a high-tech scam that uses spam e-mail to deceive consumers into disclosing their credit
card numbers, bank account information, Social Security numbers, passwords or other sensitive
personal information.

• Installation of malware on a computer without the user’s knowledge. Malware can be a keylogger
that records every keystroke and sends it back to the hacker. Keylogging software has been used to
gather bank information, credit card information, and passwords. Other malware turns a PC into a
“zombie,” giving hackers full control over the machine. Hackers set up “botnets” — networks
consisting of millions of zombies — that can be made to each send out tens of thousands of spam emails or
emails infected with viruses, and the PC users don’t even know it is happening.

Using port scans, hackers can look for a particular make of computer or a particular software program,
because they know of weaknesses in those computers or programs that they can exploit. Once a hacker has
identified a vulnerable computer or software application, they can leave a back door open in the computer in
order to re-enter it at any time. If the original entry point is detected and closed, the back door functions as a
hidden, undetected way back in.

The best defense against port scans is a good firewall. A firewall serves as a barrier between the internal and
the external networks and prevents unauthorized access to the internal network. A properly configured
firewall makes a computer’s ports invisible to port scans. In addition to protecting a computer from incoming
probes, a firewall can also prevent backdoor applications, Trojan horses and other unwanted applications from
sending data from the computer. Most firewalls will usually prepare a report of Internet usage, including any
abnormal or excessive usage and attempts to gain unauthorized entry to the network. A firewall can be in the
form of software directly installed on a computer, or it can be a piece of hardware that is installed between
the computer and its connection to the Internet.

Auditors should ensure that firewalls are working properly and cannot be bypassed or disabled. Working with
the network administrators, auditors should review the firewall rules, and ensure that all rules are kept up to
date. Firewall logs can be helpful to determine if the firewall is working correctly. It is also important to
remember that firewalls have limitations; while they can prevent unauthorized access of data over the
Internet, they cannot prevent someone from removing data on a physical device like a CD or USB drive.
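A firewall log review of the kind described above can be partly automated. The Python below is an added example, not from the original text; the log line format, the sample entries, the thresholds and the function name are all constructed for illustration and do not correspond to any particular firewall product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# <ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<port> -> <dst>:<port>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample entries using documentation address ranges.
SAMPLE_LOG = """\
2013-10-01T09:00:00 ALLOW TCP 192.0.2.77:51000 -> 198.51.100.5:443
2013-10-01T09:00:01 DENY TCP 203.0.113.50:40001 -> 192.0.2.10:21
2013-10-01T09:00:02 DENY TCP 203.0.113.50:40002 -> 192.0.2.10:22
2013-10-01T09:00:03 DENY TCP 203.0.113.50:40003 -> 192.0.2.10:23
2013-10-01T09:00:04 DENY TCP 198.51.100.20:52311 -> 192.0.2.10:3389
2013-10-01T09:00:05 DENY TCP 203.0.113.50:40004 -> 192.0.2.10:25
2013-10-01T09:00:06 DENY TCP 203.0.113.50:40005 -> 192.0.2.10:80
2013-10-01T09:00:07 DENY TCP 203.0.113.50:40006 -> 192.0.2.10:443
2013-10-01T09:05:00 DENY TCP 198.51.100.20:52312 -> 192.0.2.10:3389
2013-10-01T09:05:30 firewall restarted
"""


def review_firewall_log(text, min_ports=5, window=timedelta(seconds=60)):
    """Flag sources denied on many distinct ports of one host in a short time.

    Returns (scans, unparsed): scans maps (source, destination) to the
    sorted list of probed ports; unparsed holds lines that did not match
    the expected format and need a manual look.
    """
    denied = defaultdict(list)  # (src, dst) -> [(time, destination port)]
    unparsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        if m["action"] == "DENY":
            denied[(m["src"], m["dst"])].append(
                (datetime.fromisoformat(m["ts"]), int(m["dport"]))
            )

    scans = {}
    for pair, hits in denied.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = sorted({port for _, port in hits[start:end + 1]})
            if len(ports) >= min_ports and len(ports) > len(scans.get(pair, [])):
                scans[pair] = ports
    return scans, unparsed


if __name__ == "__main__":
    scans, unparsed = review_firewall_log(SAMPLE_LOG)
    for (src, dst), ports in scans.items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
    for line in unparsed:
        print("review manually:", line)
```

Repeated denials on a single port, like the second source in the sample, are not reported as a scan; entries that do not parse are returned separately so that events such as a restart are not silently skipped.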

An organization may also use a proxy server, which is a computer and software that creates a gateway to
and from the Internet. The proxy server contains an access control list of approved web sites and handles all
web access requests, limiting access to only those sites contained in the access control list. This enables an
employer to deny its employees access to sites that are unlikely to have any productive benefits. The proxy
server also examines all incoming requests for information and tests them for authenticity. In this way, a
proxy server functions as a firewall. The proxy server can also limit the information that is stored on it to
information that the company can afford to lose. Thus, if this server is broken into, the organization’s main
servers remain functional.

A sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a
network. Sniffers have legitimate as well as illegitimate uses. Intrusion Detection Systems (IDS) use sniffers
to match packets against a rule set designed to flag things that appear malicious or strange. Network
utilization and monitoring programs often use sniffers to gather data necessary for metrics and analysis.


Most personal computers are on Local Area Networks (LANs), meaning they share a connection with several
other computers. If a network is not switched (a switch is a device that filters and forwards packets between
segments of the LAN), traffic intended for any machine on a segment of the network is broadcast to every
machine on that segment. This means that every computer actually sees the data traveling to and from each
of its neighbors, but normally ignores it. The sniffer program tells a computer to stop ignoring all the traffic
headed to other computers and instead pay attention to that traffic. The program then begins a constant read
of all information entering the computer.

Anything transmitted in plain text over the network is vulnerable to a sniffer — passwords, web pages,
database queries and messaging, to name a few. Once traffic has been captured, hackers can quickly extract
the information they need. The users will never know their information has been compromised, because
sniffers cause no damage or disturbance to the network environment.

Tools called antisniffers are available to defend against sniffers. When a sniffer program is active on a
computer, the computer’s network interface card (NIC) is placed in a state called promiscuous mode. The
antisniffer scans networks to determine if any network interface cards are running in promiscuous mode.
Antisniffers can be run regularly to detect evidence of a sniffer on the network. A switched network is also
a deterrent, because it eliminates the broadcasting of traffic to every machine, although there are programs
that a hacker can use to get around the switched network.

The best defense against phishing is in the hands of the recipient. Recipients need to know not to respond to
any e-mail that requests personal or financial information and not to click on any link given in such an e-mail
that could take them to a spoofed website. Similarly, recipients of unexpected e-mail attachments need to
know not to open them, even if a virus scan has not identified any virus in the attachment. New viruses
appear every day and one could slip past an antivirus program, even one that is updated regularly. Thus,
employee education is a vital part of Internet security.

New e-mail authentication methods, which match the IP address of the server sending an inbound e-mail
against a list of servers authorized to send mail from the sender, may offer some defense against phishing.
Yahoo has developed a system called DomainKeys that gives e-mail providers a way to verify the domain of
each e-mail sender and to check whether messages have been altered during transit. The verified domain can
be compared with the domain used by the sender in the “From” field of the message to detect a forgery. Any
messages identified as forgeries are dropped. Other large Internet Service Providers are beginning to use the
same technology.
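Matching the sending server's IP address against a list of authorized servers is the approach standardized as the Sender Policy Framework (SPF). The Python below is an added example, not from the original text: it evaluates only the `ip4`, `ip6` and `all` mechanisms of an SPF-style record, and the policies, domains, addresses and handling actions are constructed for illustration.

```python
import ipaddress

# Qualifier in front of a mechanism -> result when that mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sender policies (documentation domains and address ranges).
# In SPF proper the record is fetched from a DNS TXT lookup on the SMTP
# envelope sender's domain; here both are supplied inline to run offline.
POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.7 ~all",
}

# Assumed local handling policy; forgeries ("fail") are dropped.
ACTION = {"pass": "deliver", "fail": "drop", "softfail": "quarantine"}


def check_sender_ip(record, sender_ip):
    """Evaluate an SPF-style record against the connecting server's IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no usable policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name not in ("ip4", "ip6"):
            # Mechanisms that need DNS (a, mx, include, ...) are out of
            # scope for this offline example.
            return "permerror"
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"
        if network.version != int(name[2]):
            return "permerror"  # e.g. an IPv6 range under ip4:
        if ip.version == network.version and ip in network:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term


def triage(messages):
    """Apply the check to (sender domain, connecting IP) pairs."""
    decisions = []
    for domain, connecting_ip in messages:
        result = check_sender_ip(POLICIES.get(domain, ""), connecting_ip)
        action = ACTION.get(result, "deliver unverified")
        decisions.append((domain, connecting_ip, result, action))
    return decisions


if __name__ == "__main__":
    inbound = [  # constructed inbound connections
        ("example.com", "192.0.2.10"),
        ("example.com", "203.0.113.5"),
        ("example.org", "198.51.100.8"),
        ("example.net", "203.0.113.9"),
    ]
    for row in triage(inbound):
        print(*row)
```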

Another online scam is directed against companies that advertise on search engines on a “pay-per-click”
basis. Google is probably the best-known example of a search site that charges advertisers each time a visitor
clicks on the ad links. In one version of this scam, a competitor will write a software program that repeatedly
clicks on a business’s ads in order to run up its advertising charges. Ultimately, after too many clicks within a
24-hour period, the ad is pushed off the search engine site, resulting in lost business for the company along
with the inflated advertising fees.

Other tools of hackers include:

• Password crackers, which are software programs that create different combinations of letters and
numbers in order to guess passwords.
• War dialing, or programs that automatically dial random telephone numbers in search of a modem
connection.
• Logic bombs, or errors in the logic of computer programs that result in the destruction of computer
data or a malicious attack when specific criteria are met.
• Buffer overflow, which sends too much data to the buffer in a computer’s memory, crashing it or
enabling the hacker to gain control over it.

Some computer crime tactics involve efforts in person as well as computer activities. Tactics involving
personal effort include social engineering and dumpster diving. Social engineering involves calling up
company employees and deceiving them into divulging information such as passwords. Dumpster diving is
sifting through a company’s trash for information that can be used either to break into its computers directly
or to assist in social engineering.


However, it is not only outsiders who commit computer crimes against a company. Insiders — or company
employees — are a primary source of trouble. Employees who are planning to leave one employer and go to
work for a competitor can use their company e-mail to transmit confidential information from the current
employer to the future employer.

Insider crime can also include using the company computer for private consulting, personal financial business,
playing video games on company time or browsing pornography sites. A legitimate use of sniffers, described
earlier, is monitoring network usage to reveal evidence of improper use. Some businesses install software
that enables them not only to monitor their employees’ access to websites but also to block access to certain
websites. Improper use of the Internet and e-mail at work can get an employee fired immediately.

Encryption
The best protection against traffic interception resulting in data leaks is encryption. Encryption converts data
into a code and then a key is required to convert the code back to data. Unauthorized people can receive the
coded information, but without the proper key, cannot read it. Thus, an attacker may be able to see where
the traffic came from and where it went, but not the content.

The encryption process can be either in the hardware or in the software. There are two methods of software
encryption: secret key and public key/private key.

• In a secret key system, each sender and recipient pair has a single key that is used to encrypt and
decrypt the messages. The disadvantage to this method is that every pair of senders and receivers
must have a separate set of keys that match. If several pairs all used the same set, then anyone
having the key could decrypt anyone else’s message and it wouldn’t be a secret. This is impractical
over the Internet, because any one company could have thousands of potential customers as well as
others from whom it would need to receive messages.

• The public key/private key encryption system is a better system for companies to use. In a
public-key/private-key encryption system, each entity that needs to receive encrypted data
publishes a public key for encrypting data while keeping a private key to itself as the only means for
decrypting that data. Anyone can encrypt and send data to the company using its published public
key, but only the company’s private key can be used to decrypt the data and only the company that
published the public key has the private key.

A company obtains a public key and the private key to go with it by applying to a Certificate
Authority, which validates the company’s identity and then issues a certificate and unique public and private
keys. The certificate is used to identify a company, an employee or a server within a company. The
certificate includes the name of the entity it identifies, an expiration date, the name of the Certificate
Authority that issued the certificate, a serial number and other identification. The certificate always
includes the digital signature of the issuing Certificate Authority, which permits the certificate to
function as a “letter of introduction” from the Certificate Authority. One example of public/private
encryption keys is SSL (Secure Sockets Layer), used on secure web sites.

Encryption strength is determined by the bit length of the keys, such as 256-bit or 2048-bit. Different
encryption methods have different bit lengths, so you can’t necessarily compare the bit length of two different
encryptions to say which is stronger. However, for the same encryption method, a longer key will always be
more secure (e.g., 2048-bit RSA is always stronger than 1024-bit RSA).

Auditors should ensure that encryption is actually being used everywhere that it should be and that all
encryption keys are being protected against disclosure. Encryption keys are frequently created with
passwords, so there should be guidelines in place and enforced for creating sufficiently strong passwords.
Auditors should also ensure that SSL (Secure Sockets Layer) is being used with web sites sending or
receiving sensitive information. SSL is a built-in encryption system in all modern web browsers and doesn’t
require any technical knowledge to use (the web browser automatically handles the encryption with the web
site being accessed). Sniffers, discussed previously, can be used to verify that data is encrypted during
transmission.

Question 147: A controller became aware that a competitor appeared to have access to the company’s
pricing information. The internal auditor determined that the leak of information was occurring during the
electronic transmission of data from branch offices to the head office. Which of the following controls
would be the most effective in preventing the leak of information?

a) Asynchronous transmission.

b) Encryption.

c) Use of fiber-optic transmission lines.

d) Use of passwords.

(CIA Adapted)

Privacy
Privacy is the right to say how your personal information is collected, stored and used. Any information that
can be tied back to a specific individual is considered personal information. In the context of information
technology, privacy applies to both customers and employees. While it is necessary to collect certain
information about both customers and employees to process business transactions, it is also important for
them to feel that their privacy is respected.

While specific privacy laws vary by country, the common standards with regards to privacy include what are
known as the Fair Information Practice Codes:

• Notice: People should be told who is collecting the data, what data is being collected, how that data
will be used and how that data is being protected.

• Choice: People should be able to choose how their personal information is used, both for the
immediate business purpose and in the future (e.g., signing up for email newsletters).

• Access: People should be able to easily view and update their stored personal information.

• Security: Companies should take reasonable steps to ensure adequate controls over personal
information. This includes preventing unauthorized access, use or distribution of the information.

• Enforcement: The privacy policies must actually be enforced. A privacy policy is worthless if it is
not enforced at all levels within the company.

The auditor’s role with regards to privacy is to be sure that privacy laws, regulations and policies are
communicated and enforced. Employees need to understand how the privacy policies affect the execution of
their job and what the penalties are for non-compliance.


Contingency Planning
In any computer system, it is essential that the company have plans for the backup of data and the
recovery of data, especially in the context of disaster recovery.

Several different processes and backup plans function as part of the backup and recovery plan.

• Program files, as well as data files, should be backed up regularly. Backup systems need to be very
methodical, ensuring that all backups are properly stored, labeled, and secured. At least two backup
storage media should be used to protect against failure. Types of media include hard drives, optical
discs (CD, DVD, or Blu-ray), magnetic tapes, and flash memory.

• Copies of all transaction data are stored as a transaction log as they are entered into the system.
Should the master file be destroyed during processing, computer operations will roll back to the
most recent backup; recovery takes place by reprocessing the data transaction log against the
backup copy.

• Backups should be stored at a secure, remote location, so that in the event data is destroyed due to
a physical disaster, it can be reconstructed. It would do very little good to have a backup tape in the
same room as the computer if that area were destroyed by fire. Backup data can be transmitted
electronically to the backup site through a process called electronic vaulting. The security of the
remote location needs to be evaluated periodically.

• Grandparent-parent-child processing is used because of the risk of losing data before, during or
after processing work. Files from previous periods are retained and if a file is damaged during
updating, the previous files can be used to reconstruct a new current file. These files should be stored
off-premises.

• Computers should be on an Uninterruptible Power Supply (UPS) to provide some protection in
the event of a power failure. Software is available that works in tandem with the UPS to perform an
orderly shutdown of the system during that short period of power maintenance that the UPS can give
the computer.

• Fault-Tolerant Systems are systems designed to tolerate faults or errors. They often utilize
redundancy in hardware design, so that if one system fails, another one will take over. Computer
networks can be made redundant in several ways:

o With multiple processors, consensus-based protocols specify that if one processor disagrees
with the others, it should be ignored.

o With two processors, the second processor can serve as a watchdog processor. If something
happens to the primary processor, the watchdog processor takes over.

o A computer or server could have two disks and all data on the first disk is mirrored on the
second disk. This is called disk mirroring or disk shadowing. Should one disk fail, the processing
continues on the good disk.

o Rollback processing may be used to prevent any transactions being written to disk until they
are complete. If there is a power failure or another fault during processing, the program
automatically rolls itself back to its pre-fault state at its first opportunity.

o Duplicate circuitry is the double wiring of key hardware elements to ensure that if one circuit
malfunctions, the other will take over.

o A redundancy check is the process of sending repeated sets of data to confirm the original data
sent. Summary processing is a redundant process using a sum, which is compared with the
control total from the processing of the detailed items.

o An echo check is the process of sending the received data back to the sending computer to
compare what was actually sent to make sure that it is the same.

o In a dual read check, data is read twice during input and compared.


o Boundary protection is protection against unauthorized entry (read or write) to a tape, disk or
other storage device.

o Graceful degradation means that if a part of the system malfunctions, other components can
be programmed to continue the processing, although on a less efficient basis.

o Overflow check means that the data is checked and an error message activated if data is lost
through arithmetic operations that exceed the planned capacity of the receiving fields.
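Two of the controls above, recovery by reprocessing the transaction log against the most recent backup and rollback processing of incomplete transactions, are illustrated together below. This Python is an added example, not from the original text; the journal record format, account names and amounts are constructed, and it assumes transaction numbers increase over time and that the backup reflects every transaction up to its `last_txn`.

```python
import copy
import json

# Constructed example data: the most recent backup of the master file ...
BACKUP = {"last_txn": 100, "balances": {"cash": 500000, "receivables": 120000}}

# ... and the transaction log kept since (assumed format, amounts in cents).
JOURNAL = [
    '{"txn": 100, "op": "begin"}',
    '{"txn": 100, "op": "update", "account": "cash", "delta": 2500}',
    '{"txn": 100, "op": "commit"}',
    '{"txn": 101, "op": "begin"}',
    '{"txn": 101, "op": "update", "account": "cash", "delta": 30000}',
    '{"txn": 101, "op": "update", "account": "receivables", "delta": -30000}',
    '{"txn": 101, "op": "commit"}',
    '{"txn": 102, "op": "begin"}',
    '{"txn": 102, "op": "update", "account": "cash", "delta": -15000}',
    '{"txn": 102, "op": "commit"}',
    '{"txn": 103, "op": "begin"}',
    '{"txn": 103, "op": "update", "account": "cash", "delta": -999900}',
    '{"txn": 103, "op": "upd',  # record cut off at the moment of failure
]


def recover(backup, journal):
    """Rebuild the master file: start from the backup, replay the log.

    Updates are staged per transaction and applied only when its commit
    record is found, so a transaction interrupted by the failure is
    rolled back rather than half-applied.
    """
    balances = copy.deepcopy(backup["balances"])
    covered = backup["last_txn"]  # already reflected in the backup
    last_committed = covered
    staged = {}                   # txn id -> updates held until commit
    notes = []
    for line_no, line in enumerate(journal, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            notes.append(f"log line {line_no}: incomplete record, replay stopped")
            break
        txn, op = rec["txn"], rec["op"]
        if txn <= covered:
            continue  # replaying it again would double-count
        if op == "begin":
            staged[txn] = []
        elif op == "update":
            staged.setdefault(txn, []).append((rec["account"], rec["delta"]))
        elif op == "commit":
            for account, delta in staged.pop(txn, []):
                balances[account] = balances.get(account, 0) + delta
            last_committed = max(last_committed, txn)
    for txn in sorted(staged):
        notes.append(f"txn {txn}: no commit record, rolled back")
    return {"last_txn": last_committed, "balances": balances}, notes


if __name__ == "__main__":
    restored, notes = recover(BACKUP, JOURNAL)
    print(restored)
    for note in notes:
        print(note)
```

The notes returned alongside the restored file give the auditor a record of which transactions were not recovered and must be re-entered.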

Question 148: Management’s enthusiasm for computer security seems to vary with changes in the
environment, particularly with the occurrence of other computer disasters. Which of the following
concepts should be addressed when making a comprehensive recommendation regarding the costs and
benefits of computer security?

I. Potential loss if security is not implemented.

II. Probability of occurrences.

III. Cost and effectiveness of the implementation and operation of computer security.

a) I only.

b) I and II only.

c) III only.

d) I, II and III.

(CIA Adapted)

Disaster Recovery
Not many firms could survive for long without computing facilities. Therefore, an organization should have a
formal disaster recovery plan to fall back on in the event of a hurricane, fire, earthquake, flood or criminal or
terrorist act. A disaster recovery plan specifies:

• Which employees will participate in disaster recovery and what their responsibilities will be. One
person should be designated in charge of disaster recovery and another should be second in
command.

• What hardware, software and facilities will be used.

• The priority of applications that should be processed.

Arrangements for alternative facilities as a disaster recovery site and offsite storage of the company’s
databases are also part of the disaster recovery plan. An alternative facility might be a different facility owned
by the company, or it might be a facility contracted by a different company. The different locations should be
a significant distance away from the original processing site.

Disaster recovery sites may be either hot sites or cold sites. A hot site is a backup facility that has a
computer system similar to the one used regularly. The hot site must be fully operational and immediately
available, with all necessary telecommunications hookups for online processing. A cold site is a facility where
power and space are available to install processing equipment, but it is not immediately available. If an
organization uses a cold site, its disaster recovery plan must include arrangements to get computer
equipment installed there quickly.

There are also several companies that operate “mobile recovery” centers. On a contracted basis, in the event
of a disaster that destroys operations facilities, they arrive within hours in a tractor-trailer or van that is fully
equipped with their client’s platform requirements, 50 to 100 workstations and staffed with technical
personnel to assist in recovery.

248 © 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section F Contingency Planning

Personnel should be trained in emergency procedures and re-training should be done regularly to keep their
knowledge fresh. The disaster recovery plan should be tested periodically by simulating a disaster in order to
reveal any weaknesses in the plan. This test should be conducted using typical volumes, and processing times
should be recorded. The disaster recovery plan should be reviewed regularly and revised when necessary, and
the members of the disaster recovery team should each keep a current copy of the plan at home.

The internal auditor needs to determine two basic things with respect to the planning and preparation for
disaster recovery:

1) Could the organization survive a massive information system disaster?

2) If so, what is the likely extent of a disaster?

The auditor will need to determine how dependent the company is on its information systems, whether a
disaster recovery plan has been developed and if so, whether the plan is adequate. Does the plan set
priorities for which critical applications are to be executed first and which can be omitted? Are
there backup means of transmitting data as well as plans to restore the data center itself? Disaster recovery
plans should also be tested at periodic intervals to ensure that operations can be resumed in the event of a
real disaster, and corrections can be made if any problems are found. The internal auditor should observe a
simulation of a disaster and execution of the disaster recovery plan, and should help assess what parts of the
plans worked and what areas need to be improved.

Question 149: A critical aspect of a disaster recovery plan is to be able to regain operational capability as
soon as possible. To accomplish this, an organization can have an arrangement with its computer
hardware vendor to have a fully operational facility available that is configured to the user's specific
needs. This is best known as a(n):

a) Uninterruptible power system.

b) Parallel system.

c) Cold site.

d) Hot site.

(CMA Adapted)

Question 150: Good planning will help an organization restore computer operations after a processing
outage. Good recovery planning should ensure that:

a) Backup/restart procedures have been built into job streams and programs.

b) Change control procedures cannot be bypassed by operating personnel.

c) Planned changes in equipment capacities are compatible with projected workloads.

d) Service level agreements with owners of applications are documented.

(CIA Adapted)


Databases
A database is a series of related data files that are combined in one location in order to eliminate unnecessary
redundancy of data within a system or company. Data records are consolidated into databases that provide
data for many different application programs. Before discussing databases, however, it is useful to examine
the basic data hierarchy and how files are stored and accessed on a computer.

Basic Data Structures


• A bit is either a 0 or a 1 and is part of binary code.

• A byte is a group of 8 bits. A byte usually represents a single character.

• A field is an item within a record (such as an address, phone number or account number).

• A record is a group of fields related to the same item.

• A file is a logical collection of records.

• A key is an attribute of a record that allows the record to be sorted. The primary key is the primary
identifier for the record, and a secondary key may be used to further sort the records.

• A database is a collection of related data.

Accessing Files
All data records usually contain identification fields, or keys, to identify the record. The primary key is the
main identifier. A logical record is what is stored and the physical record is where and on what medium it
is stored.

There are various ways of organizing data for access by programs:

• One of the most basic ways to access data is by sequential access. Records are physically stored in a
predefined sequence according to the primary record key in each record, and they can only be
accessed in that order. If there are 5,000 records in a file, and the needed record is at the end, all
4,999 other records must be accessed before reaching the last record. For this reason, sequential file
organization is not very efficient.

• An indexed file, also called an inverted file, is stored on a disk drive. It uses an index to locate
records on the disk, and the records do not have to be in any predefined sequence. Locating the
records is a two-step process. First, the index is consulted for the matching record number, which tells
the computer where the information is stored on the disk. Then, the record is loaded from the disk.
This process is faster than sequentially searching every record on the disk.

• Indexed-sequential files are sequential files stored on a disk drive that are indexed and physically
sorted on the same field. Indexed-sequential files are called ISAM files, short for indexed-sequential
access method. ISAM is a compromise between sequential and direct access files. The processing of
a batch of records can be done sequentially, while inquiries to the file can be done using the index. A
limitation of indexed-sequential files is that all of the indexes must be updated every time the files
are updated.

• Direct access files permit records to be almost instantly retrieved without the use of an index. Direct
access file systems assign each record to a location on the disk drive by using a key field in the
record. The record can be directly accessed without any searching. The main advantage is that several
master files can be updated at the same time, but the main disadvantage is that records cannot be
located without a key. For example, with direct access it would be extremely fast to locate Invoice
47154, but getting a list of all invoices would be very difficult and/or time consuming. Therefore,
direct access file organization is best used when activity is low and files are very large.
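The three access methods compared by the number of records each must read to reach the last of 5,000 invoices. This is an added example, not part of the original text; the record layout, the slot count and the hashing scheme (key modulo slot count with linear probing) are constructed assumptions.

```python
import struct

# Constructed fixed-length record: 4-byte invoice number + 8-byte amount in cents.
RECORD = struct.Struct("<Iq")
EMPTY = 0  # assumption: key 0 marks an unused slot in the direct access file


def build_file(keys):
    """Sequential file: one record per key, physically stored in key order."""
    return b"".join(RECORD.pack(k, k * 100) for k in sorted(keys))


def sequential_find(data, key):
    """Read from the first record onward; return (amount, records_read)."""
    reads = 0
    for offset in range(0, len(data), RECORD.size):
        reads += 1
        k, amount = RECORD.unpack_from(data, offset)
        if k == key:
            return amount, reads
    return None, reads


def build_index(data):
    """Index kept apart from the data: key -> byte offset of the record."""
    return {RECORD.unpack_from(data, off)[0]: off
            for off in range(0, len(data), RECORD.size)}


def indexed_find(data, index, key):
    """Step 1: consult the index. Step 2: load the one record it points to."""
    off = index.get(key)
    if off is None:
        return None, 0
    return RECORD.unpack_from(data, off)[1], 1


def build_direct_file(keys, slots):
    """Direct access file: the key itself determines the storage slot."""
    data = bytearray(RECORD.size * slots)
    for k in keys:
        s = k % slots
        while RECORD.unpack_from(data, s * RECORD.size)[0] != EMPTY:
            s = (s + 1) % slots  # collision: try the next slot
        RECORD.pack_into(data, s * RECORD.size, k, k * 100)
    return data


def direct_find(data, key):
    """Compute the slot from the key; no index and no search from the start."""
    slots = len(data) // RECORD.size
    s, reads = key % slots, 0
    while reads < slots:
        reads += 1
        k, amount = RECORD.unpack_from(data, s * RECORD.size)
        if k == key:
            return amount, reads
        if k == EMPTY:
            break
        s = (s + 1) % slots
    return None, reads


def list_all_direct(data):
    """Listing every invoice means reading every slot, used or not, then sorting."""
    reads, keys = 0, []
    for off in range(0, len(data), RECORD.size):
        reads += 1
        k = RECORD.unpack_from(data, off)[0]
        if k != EMPTY:
            keys.append(k)
    return sorted(keys), reads


if __name__ == "__main__":
    keys = range(42155, 47155)  # 5,000 constructed invoice numbers, last is 47154
    seq = build_file(keys)
    direct = build_direct_file(keys, 10007)
    print("sequential:", sequential_find(seq, 47154))
    print("indexed:   ", indexed_find(seq, build_index(seq), 47154))
    print("direct:    ", direct_find(direct, 47154))
    print("list all from direct file, slots read:", list_all_direct(direct)[1])
```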

Volatility is the measure of the number of additions, deletions and changes to a file during a period of time.


History of Database Development


Since the first computers were built, “databases” have consisted of large numbers of records and files. Before
there were database management systems, these records and files were stored as flat files. A flat file is
composed of a sequential set of records and requires sequential access.

As computing power grew and computer hardware became capable of handling more and more data, flat files
became problematic. The difficulties involved finding the right file for the information desired, duplication of
the same data in different files, and no standardization of formats or files. Furthermore, because the data was
stored in flat files, anytime the file was changed or updated, the whole file had to be rewritten. Indexed
sequential files solved many of the problems with flat files.

Ultimately, the database management systems (DBMSs) that we are familiar with today were developed.
Early relational databases, like Foxpro and DB2, were run on personal computers. Database management
systems standardized storage, manipulation, and retrieval of data. Under a database management system,
data is stored in a standard format using Data Definition Language (DDL), which allows the database
administrator to define the logical structure of the database (the schema). Data is edited, updated,
manipulated and extracted using a Data Manipulation Language (DML). Finally, data is retrieved
using a Query Language, which allows the user to request information from the database. The database
management system provides all these languages in statement (i.e., command) form, and these are what
the database administrator uses to create a database. Because of its standardized format, a database can be
accessed and updated by multiple applications.

In a relational database, the most commonly used type of database, data is stored in tables rather than in
flat files. When the database is developed, specific data fields and records are defined. The database
administrator also specifies ways in which the data records and fields will be related to each other and how
they will be viewed or reported. In order to do this, the records and fields must be structured.

Entity-Relationship Modeling
The Entity-Relationship (E-R) Model is a tool used by database administrators to plan and analyze database
files and records. An entity-relationship diagram is drawn to represent the relationships between and
among the different entities in the database. An entity-relationship diagram utilizes symbols to represent
items in the database and to illustrate their relationship to one another. For instance, a rectangle represents a
database entity, which is a resource, event, or agent, such as a customer. An oval
represents an attribute, such as the customer’s telephone number. An oval with an underline represents the
primary key, such as the customer’s account number.

The three most important relationship types are (a) one-to-one, (b) one-to-many, and (c) many-to-many.
These relationship types are known as database cardinalities. They show the nature of the
relationship between the entities.

Note: Database cardinalities show the nature of a relationship between two entities in a database.
Relationships between entities can be one-to-one, one-to-many, or many-to-many.

For example, for each employee in an organization, there will probably be many paychecks issued. This is a
one-to-many relationship. The database might contain one file with employee names and employee ID
numbers, and a second file with the employee ID number of each employee and all the paychecks issued for
each employee ID number. The employee ID number in the first file serves as the primary key. In the second
file, the employee ID number serves as the foreign key that ties the two files together. The database can
locate all of the paychecks issued for one particular employee by name by using the employee ID number
attached to the person’s name in the employee file and locating all the individual paycheck records for that
employee ID number in the other file.


Database Structure
Databases are structured according to one of several different models. The model used will determine the
relationships among the individual records stored in the database. Different database management system
packages use different models. The five fundamental structures used in designing databases are:

• Hierarchical structure

• Network structure

• Relational structure

• Multidimensional structure

• Object-oriented structure

A hierarchical structure organizes information into regular records so that each set of records forms a
hierarchy, or tree-like structure. Records are arranged in multilevel structures consisting of a root record and
any number of subordinate levels. The entity relationships among records are one-to-many. These
databases are highly structured and were used by early mainframe DBMSs. Hierarchical databases are
suitable for data that consists of tightly coupled records, for example, customer information to purchases
made to support calls placed. Hierarchical databases accumulate redundant data, i.e., the same data in
more than one place. They can be difficult to query because data is accessed by moving progressively
downward from the root until the desired record is located.

A network structure is still used by some mainframe DBMSs. It allows many-to-many entity
relationships among records. A data element can be accessed by following any of several paths, because any one
can be related to any number of other data elements. For example, departmental records can be related to
more than one employee record, and employee records can be related to more than one project record.

The relational model is the most popular and widely used database structure. All data elements are stored
in the form of tables. Data from various tables is linked by means of one field, such as customer number, that
is common to all the tables. Thus, one table might contain customer numbers and customer names. Another
table would have customer numbers and customer addresses. All the necessary information about a customer
could be accessed by means of the customer number, which is common to both tables. The relational model is
used by most microcomputer DBMS packages and also by midrange and mainframe systems. Relational
databases permit complex queries to be made, and they eliminate redundant data. They are best for
situations where a lot of records are being cross-referenced and combined. For example, a relational database
could be used to make production decisions where information about inventories, part specifications,
personnel availability, costs, sales and supplies needs to be analyzed. However, if the database design is
faulty, the advantages of a relational database can be lost and the result will be less maintainable than a less
stringent model would be.

A multidimensional database is a variation of the relational model. It uses multidimensional structures to
organize the data and to express the relationships between the data. A multidimensional database uses the
concept of a “data cube” to represent the dimensions of data available. “Sales” can be viewed in the
dimensions of product model, geography, time or some other dimension. Hierarchies and levels can be
created within a dimension, for example, state and city levels within a regional hierarchy. Multidimensional
databases are frequently used for data warehousing and are created from relational databases.

The object-oriented database model is the newest type of database structure and is conceptually similar to
object-oriented programming because the database is modeled after real-world entities. Each object has
fields that contain the information, as well as a set of actions that can be performed upon the data. Just like
in object-oriented programming, database objects can inherit properties from a parent, allowing easy reuse
and extension of existing database objects. Object-oriented databases are also designed to store more
complex data types, such as sounds, images, or even video, although the newest relational database
management systems have also added more media storage capabilities. Nevertheless, object-oriented
databases are considered one of the key technologies in our increasingly media-oriented world, especially on
the Internet. For example, Amazon.com now allows customers to post not only text reviews of products that
they have purchased, but video reviews as well.


Distributed Databases
A database may be stored in more than one physical location. This is most often done to enhance database
performance, but may also be done as a backup strategy or to provide a fail-over database in case of
disaster. A database that is stored in more than one location is a distributed database.

When you have a distributed database, you will need to have a process to bring the two or more parts of the
data together to form the complete set of data. This is done through replication (or the snapshot
technique), which makes duplicate copies of the entire database, or some subset of tables, on a regular
schedule, and then sends these copies to the other locations where they will be used. With replication, the
users update only the original database. The copies are used in query-only mode and may not be updated lest
they become out of sync with the original. Some databases, such as Oracle, offer automatic replication as an
option.

If a company uses the fragmentation (or partitioning) system, the system stores items of data where they
are most needed. For example, information on sales in San Francisco is kept and updated on a database
server in San Francisco, while information on sales in New York is kept and updated on a database server in
New York. Then, if the information is needed somewhere else, it is retrieved from the place where it is stored.

Deadly Embrace
A deadly embrace occurs when two different applications or transactions each have a lock on data that is
needed by the other application or transaction. Neither process is able to proceed, because each is waiting for
the other to do something. In these cases the system must have a method of determining which transaction
goes first and then it must let the second transaction be completed using the updated information after the
first transaction.
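One way a system can detect a deadly embrace and decide which transaction goes first, shown as an added example that is not part of the original text. The wait-for graph and the policy of rolling back the youngest transaction are assumptions; the transaction names, lock names and start times are constructed.

```python
# Constructed sample state: each transaction holds one lock and wants the other's.
HOLDS = {"T1": {"account_A"}, "T2": {"account_B"}}
WAITS = {"T1": "account_B", "T2": "account_A"}
STARTED = {"T1": 1, "T2": 2}  # start order; lower means older


def find_deadlock(holds, waits):
    """Return the transactions that form a waiting cycle, or [] if there is none.

    holds: {transaction: set of items it has locked}
    waits: {transaction: the item it is blocked on}
    """
    owner = {item: txn for txn, items in holds.items() for item in items}
    # Wait-for edge: blocked transaction -> transaction holding the item it needs.
    waits_for = {t: owner[i] for t, i in waits.items()
                 if i in owner and owner[i] != t}
    for start in waits_for:
        path, t = [], start
        while t in waits_for and t not in path:
            path.append(t)
            t = waits_for[t]
        if t in path:
            # The chain came back to a transaction already on it: that is the cycle.
            return path[path.index(t):]
    return []


def choose_order(holds, waits, started):
    """Decide the completion order for a deadlocked set of transactions.

    Assumed policy: the youngest transaction in the cycle is rolled back,
    which releases its locks; the older ones finish first, and the rolled-back
    transaction is rerun last so that it reads the updated data.
    Returns None when no deadlock exists.
    """
    cycle = find_deadlock(holds, waits)
    if not cycle:
        return None
    victim = max(cycle, key=lambda t: started[t])
    survivors = sorted((t for t in cycle if t != victim),
                       key=lambda t: started[t])
    return survivors + [victim]


if __name__ == "__main__":
    print("cycle:", find_deadlock(HOLDS, WAITS))
    print("completion order:", choose_order(HOLDS, WAITS, STARTED))
```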

Question 151: Of the following, the biggest advantage of a database architecture is:

a) Data redundancy can be reduced.

b) Conversion to a database system is inexpensive and can be accomplished quickly.

c) Multiple occurrences of data items are useful for consistency checking.

d) Backup and recovery procedures are minimized.

(CIA Adapted)


Database Management System (DBMS)


A database management system is a system software package that serves as an interface between users
and the database. It is used to create the database, maintain it, safeguard the data, and make the data
available for applications and inquiries. For example, if you use Microsoft Access to create tables and then
enter data into the tables you have created, you are using a database management system. Any database
management system performs four primary functions:

1) Database development, enabling database administrators to develop databases and create database
records.

2) Database maintenance, including record deletion, alteration of database information and
reorganization of records when necessary.

3) Database interrogation, permitting users to ask simple questions in a query language in order to
select subsets of records to extract information from the database.

4) Application development, such as developing queries, forms, reports and labels for a business
application and permitting several different application programs to easily access a single database.

Database management systems contain various programs, including utilities to use to back up data;
commands to use in a Data Definition Language (DDL), Data Manipulation Language (DML), and
Query Language; and program creation packages. A database administrator uses the DBMS not only to
create a database, but also sometimes to create an application that will access the data in the database.

Note: A Database Management System is not a database, but rather a set of separate computer programs
that enable the database administrator to create, modify and utilize database information, and also enable
applications and users to query the database.

Database Development
The DBMS is used to create a description of the logical and physical structure or organization of the database
and the relationships among the data elements in the database. This is called the schema. The schema is a
map or plan of the entire database. It specifies the names of the data elements contained in the database and
their relationship to each other.

A subschema defines the data required for specific end-user applications and limits the data elements and
functions available to each application. A subschema is the description of a particular part of the database,
often called a view. One common use of views is to provide read-only access to data that only certain users
are allowed to update but many users need to query. Any particular user or application program will use only
a subset of the information in the database. Subschemas determine what data each user or application
needs and protect data from unauthorized access.

The database administrator uses a Data Definition Language (DDL) to create or modify the schema,
subschema and the record structure of the database. In defining the record structure for each table, the
database administrator gives each field a name and a description, determines how many characters the field
will have and what type of data each field will contain (i.e., text, integer, decimal, date, etc.), and may
specify other requirements such as how much disk space is needed for the table.

The format of the input is also defined (i.e., a telephone number will be [XXX] XXX-XXXX). The input mask
for a data field creates the appearance of the input screen, so that a user who is inputting data into the table
will see a blank field or fields in the style of the format (e.g., a date field will appear as __/__/____). The
input mask helps ensure input accuracy.

This information is stored in a database of data definitions and specifications called a data dictionary. The
data dictionary contains metadata, i.e., data about data. The data dictionary contains the names and
descriptions of all the different data records and their relationships. It also contains the requirements for user
access, use of the application programs, database maintenance, and security.

Once the record structure of the database table has been created, the records can be created.


Database Use and Maintenance


A data manipulation language (DML) is used to maintain a database and consists of “Insert,” “Delete” and
“Update” statements. Databases are usually updated by means of transaction processing programs that utilize
the data manipulation language, so that the users do not need to know the specific format of the data
manipulation commands.

A query of a database may be made using a query language.

Structured Query Language (SQL) is a DML, a DDL, and a query language. It has been adopted as a
standard language by the American National Standards Institute (ANSI). All relational databases in use today
allow the user to query the database directly using SQL commands. SQL uses the “Select” command to query
a database. However, business application programs usually provide a graphical user interface (GUI) that
creates the SQL commands to query the database for the user, so users don’t need to know the specific
format of SQL commands. Almost every relational database uses SQL for the description and querying of
records.
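The employee and paycheck one-to-many relationship and the read-only view (subschema) described earlier, written as SQL statements and run through Python's sqlite3 module. This is an added example, not part of the original text; the table names, column names and sample rows are constructed. SQLite has no user accounts, so the view here shows only column hiding and update rejection; a multi-user DBMS would additionally grant users access to the view and not to the base tables.

```python
import sqlite3


def build_db():
    """Create the schema with DDL, then load constructed sample rows with DML."""
    db = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this setting is switched on.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        -- DDL: record structure, primary keys and the foreign key
        CREATE TABLE employee (
            employee_id INTEGER PRIMARY KEY,
            name        TEXT    NOT NULL,
            salary      INTEGER NOT NULL
        );
        CREATE TABLE paycheck (
            check_no    INTEGER PRIMARY KEY,
            employee_id INTEGER NOT NULL REFERENCES employee(employee_id),
            amount      INTEGER NOT NULL
        );
        -- Subschema: a view exposing names and checks, but not the salary field
        CREATE VIEW paycheck_report AS
            SELECT e.name, p.check_no, p.amount
            FROM employee e JOIN paycheck p ON p.employee_id = e.employee_id;
    """)
    # DML: Insert statements
    db.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                   [(1, "Ana Ruiz", 52000), (2, "Ben Cho", 61000)])
    db.executemany("INSERT INTO paycheck VALUES (?, ?, ?)",
                   [(1001, 1, 2000), (1002, 1, 2000), (1003, 2, 2350)])
    db.commit()
    return db


def paychecks_for(db, name):
    """Query: find all paychecks for an employee by name via the foreign key."""
    return db.execute(
        "SELECT p.check_no, p.amount "
        "FROM employee e JOIN paycheck p ON p.employee_id = e.employee_id "
        "WHERE e.name = ? ORDER BY p.check_no", (name,)).fetchall()


def orphan_paycheck_rejected(db):
    """A paycheck for an employee ID that does not exist violates the foreign key."""
    try:
        db.execute("INSERT INTO paycheck VALUES (1004, 99, 500)")
    except sqlite3.IntegrityError:
        return True
    return False


def view_columns(db):
    """Column names visible through the view."""
    return [c[0] for c in db.execute("SELECT * FROM paycheck_report").description]


def view_update_rejected(db):
    """The view is query-only: SQLite refuses to modify data through it."""
    try:
        db.execute("UPDATE paycheck_report SET amount = 9999 WHERE check_no = 1001")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print(paychecks_for(db, "Ana Ruiz"))
    print("orphan paycheck rejected:", orphan_paycheck_rejected(db))
    print("view columns:", view_columns(db))
    print("update through view rejected:", view_update_rejected(db))
```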

A DBMS also enables a user to reorganize an entire file of database records quickly and easily by sorting.
Before the advent of database management systems, when records were written sequentially on a disk or a
tape, sorting required the physical rewriting of the records in the desired order. In a database management
system, the records can be indexed, creating a table of record keys and disk addresses that is separate from
the data itself but contains pointers to each physical record of data. Indexing accomplishes the same thing as
sorting, since records can be retrieved in index order, and it is faster and more efficient than sorting.

DBMS packages usually include one or more programming languages that can be used to develop custom
applications by writing programs that contain statements calling on the DBMS to perform the necessary data
handling functions. When writing a program that uses a database that is accessed with a DBMS, only the
name of the data item is needed, and the DBMS locates the data item in the storage media. Thus, the
application programs are independent from the physical arrangement of the data.

Note: One of the key characteristics of a database management system is that the applications that
access the database are programmed to be independent of the data itself. This means that the programs
do not refer to a specific number or item, but rather to the name of the data item. This is similar to a
spreadsheet: when you change a number, you do not need to change the formulas, because the formulas
refer to the cell and not to the number itself.

Question 152: One advantage of a database management system (DBMS) is:

a) The decrease in the cost of the data processing department as users become responsible for
establishing their own data handling techniques.

b) The independence of the data from the application programs, which allows the programs to be
developed for the user's specific needs without concern for data capture problems.

c) A decreased vulnerability because the database management system has numerous security
controls to prevent disasters.

d) The responsibility and control assumed by each organizational unit for its own data.

(CMA Adapted)


Question 153: Which of the following is a false statement about a database management system
application environment?

a) Data is used concurrently by multiple users.

b) Data is shared by passing files between programs or systems.

c) The physical structure of the data is independent of user needs.

d) Data definition is independent of any one program.

(CISA adapted)

The Database Administrator


The database administrator is the person who has the overall responsibility for developing and maintaining
the database and developing the controls needed to maintain the integrity and security of the database.
Therefore, only the database administrator should be able to update the data dictionaries.

Once the database is created, the company must decide upon the best way to store the data. It is easiest to
use a single medium to store all of the data, but there is a risk in that if something happens to that single
medium, then the entire database is lost, or at least temporarily inaccessible. Therefore, great care has to be
taken that the data is properly stored and backed up. One way of doing this is to have the database
information always stored in different places.

This responsibility for making sure the database is stored efficiently and securely and backed up properly falls
to the database administrator. The database administrator position is a position of high confidentiality and
strong trust. A person under consideration for that position must be carefully investigated because the
position is a highly security-sensitive one.

Question 154: The increased use of database processing systems makes managing data and information
a major information service function. Because the databases of an organization are used for many
different applications, they are coordinated and controlled by a database administrator. The functions of a
database administrator are:

a) Data input preparation, database design and database operations.

b) Database design, database operation and equipment operations.

c) Database design, software support and database security.

d) Database design, database operation and database security.

(CMA Adapted)

Question 155: Each day after all processing is finished, a bank performs a backup of its online deposit
files and retains it for 7 days. Copies of each day’s transaction files are not retained. This approach is:

a) Valid, in that having a week’s worth of backups permits recovery even if one backup is unreadable.

b) Risky, in that restoring from the most recent backup file would omit subsequent transactions.

c) Valid, in that it minimizes the complexity of backup/recovery procedures if the online file has to be
restored.

d) Risky, in that no checkpoint/restart information is kept with the backup files.

(CIA Adapted)


Enterprise Resource Planning


Enterprise Resource Planning (ERP) integrates processes in manufacturing, logistics, distribution, accounting,
finance and human resources into a single system called an ERP system. ERP systems can track the status
of sales, inventory, shipping and invoicing, forecast raw material requirements, and analyze human resource
requirements. All of these functions are also integrated with the accounting process. ERP systems are used in
reengineering business processes for increased efficiency and responsiveness to customers and suppliers.

Note: The major components of an ERP system are: Production Planning, Integrated Logistics, Accounting
and Finance, Human Resources, and Sales, Distribution and Order Management.

Any subdivision of any of the above components is, by itself, not a component of an ERP system.

The two largest ERP vendors are SAP AG and Oracle. PeopleSoft, another well-known ERP vendor, was
purchased by Oracle in late 2004.

The main focus of an ERP system is tracking all business resources and commitments regardless of
where, when, or by whom they were entered. For example, a customer support representative using an
ERP system would be able to look up a customer’s order, see that the product that they ordered is on
backorder due to a production delay, and provide an estimate for the delivery based on the expected arrival
of the required raw materials. Without the sales, support, and production systems being tightly integrated
through an ERP system, this level of customer service is very difficult – or impossible – to achieve.

Writing a program that serves the needs of finance as well as human resources and those in the warehouse is
not an easy task. This is because each of the individual departments in a company usually has its own
computer system and software to help perform its specific work. However, through ERP all of them are
combined into a single, integrated software program through business re-engineering.

All of the data for the entire company is also stored in a single location – called an enterprise-wide
database, also known as a data warehouse. By having all of the company’s information from different
departments in the same location, a company is able to more efficiently manage and access this information.
Through data warehousing and data mining facilities, individuals in the company can sort through and utilize
the company’s information more quickly and easily than if it were stored in separate locations. In data
mining, the data in the data warehouse is analyzed to reveal patterns and trends and discover new
correlations to develop business information.

Advantages that companies have experienced from utilizing ERP are:

• Integrated back-office systems result in better customer service and production and distribution
efficiencies.

• Centralizing computing resources and IT staff reduces IT costs versus every department maintaining
their own systems and IT staff.

• Cross-functional information is quickly available to managers regarding business processes and
performance, significantly improving their ability to make business decisions. This allows the
business to adapt more easily to change and quickly take advantage of new business opportunities.

Disadvantages or pitfalls of ERP systems include:

• Business re-engineering (i.e. developing business-wide integrated processes for the new ERP
system) is time-consuming and requires careful planning.

• Converting data from existing systems into the new ERP system can be time-consuming and/or
costly and, if done incorrectly, can result in an ERP system that contains inaccurate information.

• Training employees to use the new system disrupts existing workflows and requires employees to
learn new processes.

• Most significantly, an unsuccessful ERP transition can result in system-wide failures that disrupt
production, inventory management, and sales, leading to huge financial losses. Because the entire
business relies on the new ERP system, it is critical that it be completely functional and completely
understood by all employees. There is no opportunity to “work out the bugs” or “learn the ropes”
when your entire business relies on the one system.

Internal auditors need to be intimately involved in two areas with respect to ERP software: (1) the evaluation
and selection process for the ERP system, and (2) maintaining the integrity and security of the data.

Question 156: Which of the following statements about ERP systems is correct?

a) While business re-engineering is usually done prior to implementing a new ERP system, it can be
done afterwards without much difficulty.

b) ERP systems require each department or business segment to set up and manage their own
information systems.

c) The most common causes of failure when implementing a new ERP system are inadequate
planning, development and/or training.

d) ERP systems provide mainly transaction processing support, and little in the way of data analysis.

(HOCK)

Question 157: An enterprise resource planning (ERP) system integrates the organization’s computerized
subsystems and may also provide links to external parties. Advantages that companies have experienced
using ERP are:

I. Improvement in customer service.

II. It is neither a complex nor expensive system to install and maintain.

III. Cross-functional information is quickly available to managers regarding business performance.

IV. Improvement in just-in-time inventory management.

a) I only.

b) I, II, IV.

c) I, III, and IV.

d) I, II, and III.

(HOCK)

Appendix A – 34 IT Processes
Planning and Organization Domain
1) Define a strategic IT plan.
2) Define the information architecture.
3) Determine technological direction.
4) Define the IT organization and relationships.
5) Manage the IT investment.
6) Communicate management aims and direction.
7) Manage human resources.
8) Ensure compliance with external requirements.
9) Assess risks.
10) Manage projects.
11) Manage quality.

Acquisition and Implementation Domain
12) Identify automated solutions.
13) Acquire and maintain application software.
14) Acquire and maintain technology infrastructure.
15) Develop and maintain procedures.
16) Install and accredit systems.
17) Manage changes.

Delivery and Support Domain
18) Define and manage service levels.
19) Manage third-party services.
20) Manage performance and capacity.
21) Ensure continuous service.
22) Ensure systems security.
23) Identify and allocate costs.
24) Educate and train users.
25) Assist and advise customers.
26) Manage the configuration.
27) Manage problems and incidents.
28) Manage data.
29) Manage facilities.
30) Manage operations.

Monitoring Domain
31) Monitor the processes.
32) Assess internal control adequacy.
33) Obtain independent assurance.
34) Provide for independent audit.

Answers to Questions
1 a – When the risk of loss is high and the likelihood is high, the best course of action is probably to avoid the
risk. This might include selling the business unit or in some other way eliminating this activity from the
company.
2 d – Value at Risk provides a confidence interval which provides a range of results with a percentage chance
that the result will be within that range.
3 b – In any delegation, it is critical that the task or outcome be precisely defined. Additionally, it is good if
there is discussion about how it will be done. The manager does not want to dictate how it should be done
and also should not let the subordinate decide how it will be done, because that may lead to a lot of wasted
time and resources if the subordinate chooses an inappropriate method for completing the task.
4 b – A mechanistic approach is used when there is an assembly line type system where there is not a need
for a lot of decision-making. This system is motivated by efficiency and trying to produce as much as possible.
5 a – In a dynamic and complex environment, the company will face more uncertainty because the
environment is changing. As a result, it will need a more organic structure in order to react better to the
changes.
6 c – Discount stores gain their market edge by selling at a lower price and therefore need to minimize their
costs. This is done by not offering as much sales help or the more “decorated” stores as their competitors
provide.
7 a – As companies grow, they tend to expand their efforts and the products or services they offer. Their
expansion may also be outside of their initial industry as well as within it.
8 c – By definition, in a professional bureaucracy, management has to give up a lot of control.
9 c – A bureaucratic structure does not allow for much creativity. This is one of the disadvantages of this
structure.
10 b – In a divisional structure, each division may have its own staff to perform a function that all divisions
have. An example may be payroll or HR. Each division may have its own payroll or HR department, and as
such, the company as a whole has duplicate departments.
11 b – In a matrix organization, there is a combination of organizational methods. As such, an employee may
end up reporting to a functional manager as well as to a project team manager, or other multiple managers.
12 d – The number of people in an organization does not impact the span of control that a manager would
have.
13 c – Generally, if the jobs are fairly similar and procedures are alike, then a wider span of control would be
most effective.
14 c – Theory of constraint analysis would be used in this problem. TOC is used for revenue maximization
and cost management in the face of bottlenecks.
15 c – Senior management should not be involved in setting standards for production, because this is a very
low-level activity that is best done by the people more directly involved.
16 d – The internal auditor should not become directly involved in the implementation of the redesign
process. The internal auditor’s direct involvement would impair the auditor’s objectivity and independence.
17 b – By definition.
18 c – By definition.
19 c – The number of units that are currently held in inventory does not affect how many units should be
held in inventory.
20 c – The greater the increase in the variability of lead time, the more safety stock must be held to guard
against a stockout when the lead time is unusually long.
21 a – E-commerce does not relate to data storage.
22 c – EDI is the electronic transfer of documents between businesses.
23 a – An audit trail allows for tracing of transactions from initiation to conclusion.
24 d – The decline stage is marked by declining sales and declining profits. In some cases, the organization
becomes so large that management becomes complacent, which causes a leadership problem. Because of
this, the board may try a change of leadership to save the company.
25 b – In the growth stage, if an entity is reasonably profitable, then it could need financing in excess of the
funds it has available from internal sources (i.e. trade receivables). Additional debt financing could result in

unreasonable financial leverage and public equity financing is generally not yet available. Therefore, a
company in the growth stage is most likely to seek and obtain venture capital.
26 c – When formal communication is insufficient, rumors will fill the gap due to employees’ anxiety and
desire to know what is happening. Such a situation may have a negative effect on morale and reduce the
employees’ productivity.
27 b – Communication is dependent upon the receiver understanding the message properly. If the receiver
does not understand it, then communication has not taken place.
28 b – Managers spend most of their time communicating, while the technical aspects are being performed
by those supervised.
29 b – Suppressing informal communication is neither effective nor desirable. Management should instead
make good use of it.
30 c – The medium chosen by the clerk was wrong because there is no written record of the telephone order
to substantiate any claim, as there would have been if a purchase order had been issued.
31 b – The only acceptable way to let an employee know that their employment is being terminated is face to
face.
32 b – Filtering is presenting information in such a way that it will be received favorably.
33 b – Many different issues within a short time period will impede comprehension and are therefore unlikely
to lead to desired changes in attitudes.
34 d – A change in the behavior of the receiver is the aim of an effective communication.
35 d – An effective communicator has to take into account the receivers’ needs and opinions to make sure
that they do not interfere with the message and the message is received and understood properly.
36 a – Effective listening is best achieved by resisting internal and external distractions. Distractions, i.e.
noise, make it more difficult for the listener to truly understand the message.
37 a – Information overload and misrepresentation of feelings and emotions are considered to be
disadvantages of electronic communication. Information overload, such as numerous irrelevant memos, could
lead to lost time and inefficiencies. Also, email cannot accurately convey feelings and tone intended by the
person initiating the communication. Thus, the receiver may misinterpret the email.
38 b – Market synergy is a type of business synergy. It arises when products or services positively
complement each other. The bundling of products distributed through the same channels is a type of market
synergy.
39 b – Corporate-level strategies address the entire strategic scope of the firm. This is the “big picture” view
of the firm and includes deciding in which product or service markets to compete and in which geographic
regions to operate.
40 d – When inelastic demand exists, cutting prices will not increase sales. Thus, this situation is atypical of
an intensely competitive industry.
41 d – Buyers want lower cost, better quality products and more services. All of these factors can influence
the buyer’s bargaining power.
42 b – Strategic groups are made up of organizations with similar strategic characteristics, following similar
strategies or competing on similar bases. Similar profitability among organizations is not a distinguishing
feature of a strategic group.
43 b – A focus strategy seeks to be a cost leader in a particular segment. The theory behind the focus
strategy is that a narrow market can be better served.
44 b – Threat of new entrants and bargaining power of suppliers are two of the five basic forces that drive
industry competition and ultimately profitability. The other three forces are rivalry, bargaining power of
buyers, and threat from substitutes.
45 c – Firms that can successfully differentiate their products (e.g., by developing a desirable image,
providing better services, being a cost leader, or other means) are in a more favorable competitive position.
Thus, in these situations, competitors will find it more difficult to acquire the firm’s customers.
46 c – The most effective response to an aggressive move by a competitor is to initiate a move in the market
where the competitor is strong. This is an effective method to signal displeasure and raise the threat of more
serious retribution without directly triggering destructive moves and countermoves.
47 b – Flanking defense involves the company watching its weaker flank. This is done by the company
strengthening its competitive position by introducing new products, and other tactics.

48 d – A flanking attack involves not attacking another company head-on, but seeking to identify and attack
the competitor’s weak points. This is ideal for the challenger that does not have sufficient resources.
49 a – A market challenger tries to increase its market share in order for it to become the market leader.
50 a – The proper order is: 1) Planning and directing the system; 2) Collecting the data; 3) Analysis of the
data; 4) Disseminating the data; and 5) getting feedback from the decision-maker.
51 b – Targeting a stronger competitor forces the firm to improve its own line of products.
52 b – This would be considered a star. A market growth rate greater than 10% is considered to be high. A
relative market share greater than 1.0x indicates that the SBU has a strong competitive position. Stars have a
high market share and a high market growth rate.
53 c – The SBU would be in the Build Selectively quadrant. The strategies for SBUs in this quadrant are to
invest heavily in most attractive segments, build up ability to counter competition, and emphasize profitability
by raising productivity.
54 d – These are the characteristics of a cash cow. Cash cows have large market share in a mature, slow
growth industry. Cash cows, as the name indicates, generate good cash flow.
55 a – By offering a discount or some other marketing scheme, the company is signaling its aggressive
intent.
56 c – A company has to be careful about bluffs because there is always a chance that the company could
lose credibility for future announcements.
57 b – The learning curve effect is when personnel become more familiar with their jobs and can perform
their jobs more effectively and efficiently.
58 a – Rather than the introduction stage, the majority of products today are in the maturity stage, where
sales growth usually slows and profits stabilize.
59 b – The decline stage is really the beginning of the end of the product. The first symptom that the
company has entered this stage is a decline of product sales.
60 a – During the introduction stage, there needs to be extensive sales promotion in order to educate the
consumer about the product. Thus, due to high costs of sales promotion, this stage is characterized by slow
profit growth.
61 b – During the growth stage, firms attempt to improve upon their products in order to increase sales and
maximize market share. Thus, during this stage, new products and features are introduced.
62 c – During the maturity stage, competition will be the greatest and prices will be at their lowest. During
this stage, firms will be more inclined to engage in competitive price-cutting measures, resulting in the lowest
prices.
63 c – During the maturity stage, competition will be the greatest; thus, during this stage it would be
appropriate to advertise that the company’s product is the lowest price and best quality of all competitors.
64 b – It is during the growth stage that the opportunity for cost reduction is the greatest. This is because
production volume is increased at a high rate; therefore, manufacturing fixed cost can be spread over more
units of production.
65 c – Strategies such as franchising and horizontal mergers are commonly used in fragmented industries.
Fragmented industries have low entry barriers, and economies of scale and learning curves are generally not
present.
66 c – Standardized products means that a firm is able to maintain the same product in different locations or
markets. Franchises use standardized products in order to reduce costs.
67 d – Items I, II, III and IV are all characteristics of a fragmented industry, i.e., the absence of visible
market leaders; low entry barriers; the absence of scale economies; and high transportation costs.
68 a – Entry barriers tend to be low in an emerging industry, not high. The remaining answers are all
characteristics of an emerging industry, i.e., few producers, underdeveloped markets, and the firm may have
difficulty in securing raw materials.
69 d – Limitations to an emerging industry could be the difficulty in securing raw materials, lack of consistent
product quality, and lack of available infrastructure (in regards to distribution channels, etc.).
70 c – Declining industries experience declining demand for their products over the long run.
71 b – A source of competitive advantage is the production economies of scale. This means that the next unit
produced will be cheaper than the one before. This favors large concentrated producers on a global scale.

72 c – Government restrictions to global competition are generally imposed for the reasons of protecting local
firms and jobs or developing new industries. Restrictions often serve to protect industries that cannot
compete effectively with global firms. In the short run, government restrictions may also have the effect of
raising revenues, but in the long run, tax revenue will decline because of reduced trade.
73 b – Vertical integration is when a company becomes its own supplier or distributor. Thus, the milk
producer acquiring dairy farms to supply milk is an example of vertical integration.
74 a – A key issue for management is to avoid overcapacity. Overcapacity tends to be a long-term problem
because firms are more likely to compete rather than reverse their expansion.
75 b – A production-oriented business concentrates on production issues, whereas market-oriented
businesses focus on the market in which the company operates. Market-oriented firms allow the wants and
needs of customers and potential customers to drive all of the firm’s strategic decisions.
76 b – The ability to raise mobility barriers after the firm has entered the industry is a reason to target an
industry. Also, a firm may be able to recognize that entering a fragmented industry will start a process of
consolidation and increased entry barriers.
77 b – Under exponential smoothing, the most recent results are given more weight than results from the
past. Since the last nine months have seen a significant change, it is important to give more weight to recent
results.
78 c – A regression coefficient of .8 means that every change of 1 in the one item will result in a .8 change in
the other. In this question this means that for every $1 spent in advertising, the increase in sales will be only
$.80.
79 b – The relationship between these two variables is a perfectly direct relationship – as x increases by 1, y
decreases by 2. Since the variables move in the opposite direction it is a perfectly negative relationship,
represented by –1.
80 c – The regression coefficient must lie between −1 and +1. The closer the absolute value of the coefficient
is to 1, the stronger the relationship is. Among the alternatives, -0.89 has the highest absolute value that is
not greater than +1 or less than −1.
81 a – The company believes that by being known as a TQM and CI adherent, there will be a greater level of
customer satisfaction. The other choices may all result from this, but they are not the reason that this
decision was made.
82 a – As part of TQM, all employees are expected to be proactive in their education and self-improvement.
83 c – Self-actualization is the desire to become all that one is capable of becoming. The best employees will
be strongly motivated if they see that the work they perform is important and fully involves them.
84 b – The best course of action for the manager is to assign two employees to moderate the risk of failure.
According to McClelland’s theory of needs, high achievers thrive when the job provides for personal
responsibility, feedback, and moderate risk.
85 a – A happy, satisfied worker is not always more productive.
86 b – Written warnings exemplify negative reinforcement; this is a “stick” rather than “carrot.”
87 c – Positive reinforcement on a random basis has proved to be the most effective motivational tool in the
long run.
88 c – Job enrichment is the most effective technique for increasing motivation.
89 b – Salary is a dissatisfier. The lack of an adequate salary will make a person feel dissatisfied. Improved
salary will make the employee feel less dissatisfied, but it will not make the person feel satisfied if other
factors such as achievement and recognition are missing. Those other factors – satisfiers – are required in
order for the person to feel satisfied.
90 d – The lack of accountability can be a limiting factor associated with group decision making. This is why,
in many cases, the group only provides advice, and a particular person, such as a CAE, makes the final
decision. Thus, the CAE becomes accountable.
91 a – This is a true statement concerning “groupthink.”
92 d – Groups tend to make riskier decisions, and as such, individual responsibility is reduced.
93 c – According to Jewell and Reitz, a mature group is characterized by conflicts over substantive issues, not
emotional issues.
94 c – A good indication of politicking is when promotions are based on an employee’s attitude rather than
on specific job performance.

95 c – The effectiveness of a supportive management approach depends on the people supervised. It is
appropriate for those who want to grow and achieve.
96 c – Not all employees are usually eager to participate in organizational endeavors.
97 b – Monitoring and feedback is key to any plan to empower teams.
98 b – Skill development is not recognized as an approach to team building. Therefore, it should not be a
factor.
99 d – Quality circle is a form of participative management. But, management has final control over the
implementation of recommended solutions.
100 d – When a long-term well performing division starts to decline, something needs to be done. Drastic
changes may not be needed, but something needs to change the downward trend. Conflict in itself is not
automatically bad and may in fact help the division if it is beneficial conflict. Making some changes to the
management team and forcing it to look at what is happening may be very beneficial.
101 c – There are really two elements to this answer. The first is that conflict can be a healthy way to
facilitate growth in an organization and it is not, by itself, automatically bad. The second part of this answer is
that the audit report needs to be communicated, no matter what the result of that communication is.
102 a – Diffusion is the process of not avoiding the conflict, but also not making it the central part of the
interaction. Therefore, putting the conflict aside and coming to agreement on other areas is a very good
example of diffusion. The parties will have some success and by not focusing on the conflict issue, it becomes
less important to everyone involved. When the conflict is revisited later, it is possible that either it will be
resolvable, or it will not be viewed as so much of a conflict as it had been before.
103 a – When something like this is happening and the conflict is getting to the point of disrupting projects
and the schedule of the move, it needs to be solved. Therefore, the manager needs to sit down with the
parties and solve the problem.
104 b – Superordinate goals are the goals of the larger organization above the people in conflict.
Superordinate goals are a source of conflict resolution, not the conflict itself. The other choices all have the potential to
be the source of conflict.
105 d – Expanding the available resources is the best way to solve this problem. Unfortunately, in the real
world, this option is not always available to the company. Nevertheless, it is a choice and it is the best one.
106 c – In a distributive bargaining situation, there is a limited amount that can be negotiated. In this case,
the goal is to reach an agreement that is acceptable to each party. Neither party will be 100% happy with the
result, but it will be acceptable to both parties. This is done if the result is within the settlement range
(acceptable results range) for both parties.
107 a – In this situation there is only a limited amount of support services available. Therefore, whatever
support the one manager gets, the other will not. This is a distributive negotiation.
108 a – The primary disadvantage of using force in negotiations is that the other party will be less likely to
work with the negotiator in the future to achieve mutual goals. This type of win-lose negotiating style is not
good for building a relationship of trust and cooperation.
109 b – The principled negotiation method focuses on basic interests, mutually satisfying options, and fair
standards.
110 b – Arbitration is a situation in which a third party (either chosen by the parties or appointed under some
authority) decides the situation. This decision is binding to the parties.
111 c – Crashing activities DE and EF by one week would cost $10,000 + $8,800 = $18,800, whereas the
savings by shortening any other individual path along the critical path by 2 weeks would cost more than that.
While crashing activity BC 2 weeks is even cheaper, activity BC is not on the critical path.
112 a – Standard deviation of an activity in a PERT network is equal to the difference between the most
optimistic and the most pessimistic time divided by 6. That is (21 - 9) / 6 = 2.
113 b – The critical path is the longest path from the start to finish. The longest path from A to E is ADE of
5.5 days (AD) + 7.5 days (DE) = 13 days.
114 a – The only option that shortens the critical path by 1.5 days is shortening both AD and AB. After
crashing these activities both ABDE and ADE paths will become critical of 11.5 days. This is 1.5 days less than
the current critical path of ADE of 13 days.
115 b – The standard deviation of the project completion time is the square root of the sum of squares of
individual activities of the project. That is (6^2 + 8^2)^0.5 = 10.

116 b – In PERT analysis, the first activity to be crashed must lie on the critical path in order to shorten the
duration of the project, and it must be the one with the lowest unit crash cost to minimize the overall cost of
the project.
117 d – Slack refers to the number of days an activity can be delayed without forcing a delay for the entire
project.
118 d – A minimal spanning tree algorithm is a series of branches (arcs) that connects all of the nodes
together. One example would be a cable TV company that is laying cable in a new neighborhood. A minimal
spanning tree would be the one with the lowest total cost of installation of cable.
119 c – Management by Objectives (MBO) is a comprehensive approach and is related to planning and
control of projects. To be successful, MBO requires realistic expectations of goals, regular review of employee
progress to goals, honest and free communication between managers and subordinates, and commitment by
senior management.
120 a – The most important segregation in computer systems is between the programmers and the
operators. If the operators could also program the system, they would be in a position to change or alter
data.
121 b – Application controls are related to the inputs, files and outputs of an application program.
122 a – An echo check is the process of sending the received data back to the sending computer to compare
with what was actually sent to make sure that it is the same.
123 b – A validity check compares the input information with a list of correct information (such as personnel
numbers) to make sure that the information being entered is valid.
124 d – A program not performing a field check is the most likely explanation for reporting a quantity using a
character other than a digit.
125 c – The use of computers does not change the basic principles of control. However, the use of computers
may modify the control techniques used.
126 a – COBIT is a tool that allows managers to communicate and bridge the gap with respect to control
requirements, technical issues, and business risk. COBIT has become an IT governance tool that assists
management with implementing adequate controls over IT processes.
127 c – COBIT is specifically focused on IT controls, whereas COSO provides entity-wide control.
128 c – Maintenance is the process of monitoring, evaluating, and modifying a system as needed. Systems
maintenance must be undertaken by systems analysts and applications programmers continually throughout
the life of a system.
129 c – The top-down method begins with analysis of broad organizational goals, objectives and policies as a
basis for the design process.
130 b – A feasibility study is simply determining if something is possible. As such, the technology and costs
will be considered during the feasibility study stage.
131 d – Interviewing users, evaluating existing applications and developing a prototype are a perfect way to
determine requirements using an in-house team. Prototyping is less effective when used by an outside team
that does not have regular access to the end users of the application being developed. The other choices are
more a part of the feasibility study that should be completed prior to the systems analysis stage.
132 d – Errors are cheaper to correct the earlier in the process that they are discovered. Therefore, errors
discovered during implementation are the most expensive to correct.
133 b – A cost-benefit analysis is one of the best ways to select a system.
134 a – A pilot operation is an alternative to parallel operations.
135 d – Assessing the cost/benefit of a new payroll system should be conducted by those who are
responsible for making the decision. Thus, the information steering committee would be the appropriate
decision-maker.
136 b – Prototyping produces the first models for a new system more quickly than other development
models.
137 a – It is always a risk of end-user computing for knowledge to be limited to one person. The command
sequences should have been documented so that the other analysts could easily use and modify them.
138 c – The end-user program may not be reviewed by an outside party; therefore, it may lack appropriate
standards, controls, quality assurance procedures and documentation.

139 b – In distributed data processing, each location does its own processing. As such, however, the
professionals at the central location may not be involved as much as they should be and would be if all the
processing were done centrally.
140 c – Transactions for a batch system are grouped together and then processed. These batches may be
processed daily, weekly or monthly. Therefore, there may be considerable time between the initiation of the
transaction and the discovery of the error.
141 c – A Local Area Network (LAN) is a network within one office or company.
142 d – A protocol is a set of formal rules or conventions governing communications between a sending and
a receiving device.
143 a – In order to prepare the company for the changes resulting from the enhanced external network
services, management should optimize in-house networks to avoid bottlenecks that would limit the benefits
offered by the telecommunications provider.
144 d – Client requests are for specific information, and the server will return only that specific information.
The server always maintains ownership of the records.
145 a – Not detecting certain viruses is a major risk in relying on antivirus software. This software will work
only for known viruses and may not be completely effective for variants of those viruses.
146 a – The objective of security software is to control access to information system resources, such as
program libraries, data files and proprietary software.
147 b – Encryption would be the most effective control over electronic transmission of data. It may be
possible to access the transmission line, but the encryption key would be necessary to understand the data
being sent.
148 d – All three should be addressed in an analysis of cost-benefit considerations.
149 d – A hot site is a backup facility with a computer system similar to the one used regularly that is fully
operational and immediately available.
150 a – It is important that the disaster recovery plan embrace data center recovery, critical application
recovery and network recovery. It should be updated and current with regard to recent test results and new
applications, equipment and network configurations.
151 a – In a database, data is organized in files and used by the organization’s various applications
programs. Because separate files for different applications programs are unnecessary, data redundancy can
be substantially reduced.
152 b – When information is in a database, changes can be made to the application programs without having
to change the structure of the data files as well.
153 b – In this kind of system, applications use the same database. Thus, there is no need to pass files
between applications.
154 d – The database administrator’s responsibilities include designing the database, maintaining it, and
providing for its storage and security.
155 b – This is a true statement about retention of backup files, but not each day’s transaction files. By not
retaining each day’s transaction files it is possible that the last backup file that was created will be lost.
156 c – Implementing a new ERP system requires careful planning, development and training. Inadequate
planning can lead to a system that does not meet the needs of the users; inadequate development can lead
to a system that does not function properly; finally, inadequate training can lead to employees not knowing
how to use the new system, causing disruptions to the entire business process.
157 c – The advantages are improved customer service, quicker availability of information for managers, and
improvement in a JIT inventory system. But an ERP system is costly and complex to install and maintain.
