
Mitigating controls

Former Member

Good day all,

I have been tasked with creating "generic" mitigating controls for all risks in our 5.3 GRC installation. This means I must develop about 280 general mitigating controls. This is so that when we do an install at a client, we can assist them quickly to populate the mitigating risks. Has anyone done this? If so would you be able to share the information with me.

Thank you

Regards

Jill

Answers (2)

Former Member

Dear Jill,

The controls should address the risks associated with the processes represented by sub-processes and activities. This control is scenario specific. A control that could be effective for one scenario may be ineffective for another. For example, in a depot (a tiny retail outlet having a low volume of turnover), the manager can handle the issue of goods, invoicing and the receipt of money. But this scenario will be a serious SoD issue for scenarios other than tiny retail outlets. Controls are complex in nature and work differently for different scenarios.

The control environment, the firm's maturity, management's risk appetite: all these have a telling effect on the risks and controls.

While a general understanding of the risks and the relevant controls is certainly a good idea, adapting generic controls to business situations without analysing the risks and their impact will be dangerous. Any control, before being implemented, should be simulated and approved by the risk/control/process owners.

My 2 cents.

Regards

Ramesh

Former Member

Hello Jill,

Never really tried this in practice, but yes, considering how much effort can be avoided for the re-work by doing this, this surely sounds like a good planning task.

However, for this to work effectively there would be an underlying assumption that all the clients acknowledge and take all these risks and mitigating controls for their landscapes. So for this, you should be very particular about the word "generic" and identify them as per the best practices across clients, which might be from the same industry or different, as per your scope of work.

Regards,

Hersh.

http://www.linkedin.com/in/hersh13