Search results

Article
Publication date: 1 March 1999

K.H. Spencer Pickett


Abstract

Using the backdrop of an (apparently) extended visit to the West Indies, analogies with key concerns of internal audit are drawn. An unusual and refreshing way of exploring the main themes ‐ a discussion between Bill and Jack on tour in the islands ‐ forms the debate. Explores the concepts of control, necessary procedures, fraud and corruption, supporting systems, creativity and chaos, and building a corporate control facility.

Details

Management Decision, vol. 37 no. 2
Type: Research Article
ISSN: 0025-1747

Article
Publication date: 1 June 1998

K.H. Spencer Pickett


Abstract

Using the backdrop of an (apparently) extended visit to the West Indies, analogies with key concerns of internal audit are drawn. An unusual and refreshing way of exploring the main themes ‐ a discussion between Bill and Jack on tour in the islands ‐ forms the debate. Explores the concepts of control, necessary procedures, fraud and corruption, supporting systems, creativity and chaos, and building a corporate control facility.

Details

Managerial Auditing Journal, vol. 13 no. 4/5
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 14 April 2020

Paulo Sergio Scoleze Ferrer, Graziela Darla Araujo Galvão and Marly Monteiro de Carvalho


Abstract

Purpose

This study aims to investigate how the dynamics of compliance, internal controls and ethics can generate tensions in the domain of project governance. Moreover, it investigates the tensions between these constructs and the search for project success from a practice-based perspective.

Design/methodology/approach

A methodological approach is taken, with case-based research carried out in a large European multinational company. Data were gathered through 21 interviews with project managers and other key stakeholders, and documentary data from 64 projects for triangulation and critical analysis.

Findings

As a result, four patterns of tensions were identified: Tension A between compliance and project success, Tension B between internal controls and project success, Tension C between compliance and internal controls and Tension D between compliance and ethics.

Research limitations/implications

Some limitations should be acknowledged. The first, ontological, is inherent in the post-positivist perspective, accepting human subjectivity and the complexity of social reality intrinsic to research applied to the social sciences, respectively implying interpretive bias and incompleteness in the comprehension of the facts. The second limitation comes from the use of a single case study, in which singular contextual characteristics make it difficult to generalise the results.

Practical implications

This study has implications for practice, as it highlights weaknesses that may occur in organisations owing to tensions between the elements of compliance, internal controls and ethics. This, therefore, implies ways of strengthening the consistency of project governance. The project governance domain and its tensions affect the project-success holistic view in both efficiency and effectiveness, since the elements of internal control and compliance can create tensions that favour one project success perspective to detriment of the others. Understanding the nature of tensions, their implications and the long-term holistic perspective can lead to better decisions by managers.

Originality/value

The results suggest that a formal code of ethics, a project management methodology, internal controls and a well-established training programme are not sufficient, because, in the practical context, the interaction between these elements creates tensions and their logical consistency is lost when they interact with each other.

Details

International Journal of Managing Projects in Business, vol. 13 no. 4
Type: Research Article
ISSN: 1753-8378

Article
Publication date: 14 November 2016

Stefan Fenz, Stefanie Plieschnegger and Heidi Hobel


Abstract

Purpose

The purpose of this paper is to increase the degree of automation within information security compliance projects by introducing a formal representation of the ISO 27002 standard. As information is becoming more valuable and the current businesses face frequent attacks on their infrastructure, enterprises need support at protecting their information-based assets.

Design/methodology/approach

Information security standards and guidelines provide baseline knowledge for protecting corporate assets. However, the efforts to check whether the implemented measures of an organization adhere to the proposed standards and guidelines are still significantly high.

Findings

This paper shows how the process of compliance checking can be supported by using machine-readable ISO 27002 control descriptions in combination with a formal representation of the organization’s assets.

Originality/value

The authors created a formal representation of the ISO 27002 standard and showed how a security ontology can be used to increase the efficiency of the compliance checking process.

Details

Information & Computer Security, vol. 24 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 10 January 2023

Feiqiong Chen, Jieru Zhu and Wenjing Wang

Abstract

Purpose

This paper aims to investigate whether executive compensation and internal control can prevent overseas compliance risks through the mediating influence of multinational corporation (MNC) legitimacy and the moderating role of institutional distance.

Design/methodology/approach

Based on a law and economics perspective and the “bad apple,” the “red barrel” and the “bad cellar” theory of business misconduct, this paper constructs a systematic framework of “compliance motivation MNC legitimacy overseas compliance risk prevention” from the individual, organizational and systematic levels and uses data of Chinese MNCs for empirical analysis.

Findings

Empirical data from Chinese MNCs show that overseas compliance risks are comprehensively affected by the factors of the individual, organizational and systematic levels. Higher executive compensation and internal control will reduce MNCs’ overseas compliance risks through MNC legitimacy acquisition; institutional distance hinders the positive effect of internal control on MNC legitimacy and therefore aggravates overseas compliance risks.

Practical implications

This paper contributes to the understanding of the overseas law-abiding and offence behavior of MNCs from a law and economics perspective and offers valuable insights on how to prevent the ever-increasing overseas compliance risks.

Originality/value

Although the literature has analyzed the factors of compliance behavior, they are not interrelated, let alone integrated in a systematic risk prevention framework. This paper applies a law and economic analysis framework to the study of the overseas compliance risks for the first time.

Details

Multinational Business Review, vol. 31 no. 1
Type: Research Article
ISSN: 1525-383X

Article
Publication date: 1 June 2015

Jody L. Crosno, Robert Dahlstrom and Chris Manolis

Abstract

Purpose

The purpose of this study is to examine change requests in buyer-supplier relationships. Change requests arise when a channel partner wants an addition or alteration to the agreed-upon deliverable. Although these requests are intended to enhance consumer satisfaction and supply chain performance, they complicate development and production processes and may delay time to market. Responses to change requests may embody compliance or malice, yet research to date has not examined these requests in interfirm relationships. To this end, the authors examine supplier reactions (compliance and opportunism) to change requests made by the buying firm.

Design/methodology/approach

Survey data gathered from 118 third-party developers (i.e. suppliers) reporting on their relationship with the software buyer provide an initial test for the authors’ proposed model.

Findings

The results of a path analysis indicate that change requests are related positively to supplier compliance with those requests and supplier opportunism. Outcome-based control decreases supplier compliance when there are extensive change requests. Behavioral control, in contrast, increases supplier compliance particularly when the buyer provides support for the requested changes.

Research limitations/implications

Future research should examine relational governance and ex ante control mechanisms as alternatives to outcome-based and behavioral control.

Practical implications

The authors’ results suggest that buyers requesting extensive changes should use behavioral control mechanisms and provide support to the supplier implementing the changes.

Originality/value

The authors provide a preliminary examination of suppliers’ reactions to change requests made by buying firms. The authors argue that these requests may limit the autonomy of the supplying firms, creating reactance effects. The authors investigate outcome-based control, behavioral control and buyer support as factors that influence supplier reactions to change requests.

Details

Journal of Business & Industrial Marketing, vol. 30 no. 5
Type: Research Article
ISSN: 0885-8624

Article
Publication date: 15 June 2015

Thomas Ahrens and Rihab Khalifa


Abstract

Purpose

This paper aims to contribute to our understanding of the impact of regulation on management control practices. It explores the processes by which the institutionalised properties of certain management controls are adapted to organisational contexts and underpin organisational routines. The authors are interested in the voluntary adoption of management controls with highly developed institutional logics, how organisations respond initially to the institutional logics of new management controls and by what means those logics become a workable basis for institutionalising controls in the organisation.

Design/methodology/approach

The paper explores some of the ways in which the institutional logics of management control come to have organisational effects, studying a seemingly simple organisational response to institutional processes: compliance. The argument is illustrated with examples from university accreditation as a management control institution that combines cultural and administrative controls. The paper is based on participant observation in three universities.

Findings

The authors find that compliance requires considerable organisational meaning-making and that organisational work of compliance separates into adaptation and execution. Moreover, the process of compliance produces distinctions between experts of the accreditation logic, users of the accreditation logic, agnostics and sceptics. Rather than passive acquiescence, compliance with regulated management control is a creative process of arranging and translating general prescriptions for use in a specific context.

Originality/value

This is the first study of university accreditation as a management control institution. It adds to a still emerging literature on the effects of institutional logics, and in particular regulatory logics, on organisational management control.

Details

Qualitative Research in Accounting & Management, vol. 12 no. 2
Type: Research Article
ISSN: 1176-6093

Article
Publication date: 8 June 2020

Vasiliki Diamantopoulou, Aggeliki Tsohou and Maria Karyda

Abstract

Purpose

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper as a basis for extending the already existing security control modules towards data protection, and as guidance for reaching compliance with the regulation.

Design/methodology/approach

This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

Findings

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere to the GDPR.

Originality/value

This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 19 July 2013

Giuliana Birindelli and Paola Ferretti

Abstract

Purpose

The authors' paper aims to examine the organizational issues that come from the recent establishment of the compliance function in Italian banks.

Design/methodology/approach

The authors' paper takes as a starting point the Bank of Italy's regulations and the existing literature on compliance, in order to create a theoretical model of an efficient internal control system.

Findings

For each organizational structure of compliance, the authors' paper describes strengths and weaknesses. It also outlines the scopes of compliance and internal audit in order to avoid overlaps. Having regard to the similarities between operational risk and compliance risk, the study identifies cooperation areas so as to achieve synergies, in terms of costs, and better operational efficiency.

Research limitations/implications

The authors' paper focuses mainly on the relationship between compliance, on one side, and internal audit and risk management on the other. It focuses also on the positioning of compliance within the internal control system, as it has been regulated by the Italian disposals. Further research could concern the relationship with other functions and the regulations of other countries.

Practical implications

The authors' paper identifies cooperation forms between the internal control system functions. This is the way to suggest organizational solutions able to improve banking efficiency.

Originality/value

This subject has not been analyzed in depth to date. This article attempts to obtain an identification of the roles and responsibilities of the main functions involved in the internal controls system, in order to define organizational models characterized by complementarity of interventions and thus oriented towards the objectives of effectiveness and efficiency.

Details

Journal of Financial Regulation and Compliance, vol. 21 no. 3
Type: Research Article
ISSN: 1358-1988

Open Access
Article
Publication date: 12 November 2018

Stefan Fenz and Thomas Neubauer


Abstract

Purpose

The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.

Design/methodology/approach

The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.

Findings

There are different ways of obtaining compliance to information security standards, for example by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker in identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.

Originality/value

Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.

Details

Information & Computer Security, vol. 26 no. 5
Type: Research Article
ISSN: 2056-4961
