Internal Control Effectiveness (ICE) Methodology in Practice


Introduction

In the previous articles we unpacked various risk-based methodologies, such as P2ST2 and the Internal Control Methodology. Taking that as the point of departure, Crest Advisory Africa (Pty) Ltd always starts with these questions to determine the maturity of a company's risk and control processes.

Very few companies can answer these questions. This creates a dilemma for us and for the client: we first need to educate the relevant committee, whether the Board Risk Committee, the Executive Risk Committee, a Departmental Risk Committee or one of the various Operational Committees, before we can commence with the risk assessment process to create or review the Strategic, Tactical or Operational Risk Registers.

To treat a risk that threatens a company objective, at whatever level the risk register sits (Strategic, Tactical or Operational), you must have performance in mind; without verifiable, repeatable and validated information, no assurance can be given to the leadership.

Without statistics, graphs and trend analysis, the information provided to the leadership is incomplete.

The ICE Methodology in Practice

Many companies use dedicated Governance, Risk and Compliance (GRC) software. This usually provides the client with a number of reports based on the information captured within the system.

The questions are always the same: which methodology is used? Is there a range of performance indicators to measure the Management Controls? How are these controls assessed? How is the performance made verifiable, repeatable and validated? What is the point of departure?

Let's get to the practical example. In my previous articles, P2ST2 Methodology in Risk Control and ICE Methodology in Risk Control, I explained these two methodologies.

In the extract from the P2ST2 article we demonstrated the Contributing Factor (CF) and its analysis in terms of the P2ST2 methodology. Now we take this a step further and evaluate the Management Control (MC) listed against the ICE Matrix Criteria. The result is as follows:

The table above shows the golden thread between the Strategic Objectives, the Tactical Objectives and the Management Controls (MC) listed against every Contributing Factor (CF). Each control is then measured in terms of its own Internal Control Effectiveness (ICE) percentage, control by control, not as an overall score.

The result of this assessment is a mathematically derived percentage Level of Assurance (LoA) for the control. This percentage is then used to determine the Level of Risk (LoR) that needs to be treated.

This can easily be displayed using Business Intelligence (BI) software. The figure below shows the performance of a company's controls across a number of departments, measured over 1581 internal controls listed across all the departments. This is indicative of a verifiable, repeatable and validated process and performance, based on the two methodologies, P2ST2 and ICE.

The following figure shows the Top 10 performance of the P2ST2 factors, based on the ICE measurement. The results of the P2ST2 methodology differ from the ICE results and need to be interpreted in terms of the company's Top 10 risks.

The performance indicates that the company is very people driven, which needs to be controlled by robust processes from the top down. Systems have been implemented to enable the company's performance, and the 54% performance indicates that considerable growth is needed to lift the company. In the changing global environment, technology implementation and enablement are of critical importance.

Conclusion

The measurable criteria for Risk Management must be verifiable, repeatable and validated. The results of the various assessments then indicate a process and outcomes that the leadership can trust.

The question that every risk register needs to answer is whether the Level of Assurance (LoA) provided by the Risk Owner can be accepted as the single version of the truth about performance at strategic, tactical or operational level.

A number of graphs are available to analyse performance from a strategic perspective and to deploy internal audit resources to audit controls on a random basis, covering both the controls below the tolerance criteria and the well-performing controls.

These articles are steadily working through the structure of a Risk Register and how to optimise the risk management process into a trusted process within the Strategic Management ecosystem of any company.
