Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?
For most Canadians and Canadian Charities the Anti-Terrorism rules are a red herring to be reviewed only in the rarest of situations, if at all. However, recent events in Israel provide some motivation for Canadian Charities doing work abroad to take a closer look at these rules. According to international news reports the Israeli authorities have arrested the Gazan head of an international Christian charity on the allegation that he was funneling international aid donations to Hamas.
In connection with the establishment of the Ontario Securities Commission’s new Whistleblower Program in July 2016, which includes monetary incentives for whistleblowers in Ontario, the Ontario government has approved amendments to the Securities Act (Ontario) to provide additional protection to persons who report a potential violation of Ontario securities law or a by-law or other instrument of a self-regulatory organization. The amendments were proclaimed into force on June 28, 2016.
On June 3, 2016, the Supreme Court of Canada released two important decisions dealing with requests made by the Canada Revenue Agency (“CRA”) for information. The cases highlight the fact that when an individual or an organization receives such a request from CRA, they should consider whether any of the information requested is subject to solicitor–client privilege. If solicitor–client privilege applies, the information should not be produced.
On August 16, 2016, Public Safety Canada (“PSC”) issued a consultation paper, launching a public consultation as part of PSC’s development of an updated national cybersecurity strategy. The consultation will close on October 15, 2016. Businesses may want to consider making submissions in respect of some key questions posed around possible regulation or standard-setting regarding Internet of Things and connected devices, certification for E-commerce activities, and information sharing (especially in respect of critical infrastructure).
Getting your contracts in writing is half the battle. You must also ensure that your contract says what you want it to say, and says it clearly. The main issue in the following case was the interpretation of an employment agreement.
Have you provided comments on the COSO ERM draft? Please share your views on this important document. I submitted my comments some time ago. I realize that some of you prefer the ISO 31000:2009 global standard on risk management. But let’s recognize that nearly half of the risk management functions around the world are influenced by, if not using, the COSO framework.
Pension and benefit plan provider breaches privacy law causing employee to lose life insurance coverage
Many of us have called service providers to change basic information, such as a mailing address. You pick up the phone, speak to a representative, and the change is made; no big deal, right? This seamless scenario may not always be the case. Any little misstep on an organization’s part can cause grief not only for the customer, but also for the organization itself. This proved to be true when an employee complained, to the Office of the Privacy Commissioner of Canada, that her employment pension and benefit provider disclosed her personal information to a third party without her consent.
The Ontario Ministry of Finance is proposing a new regulation under the Employer Health Tax Act, to include special Employer Health Tax rules for registered charities. The new regulation could be effective as early as January 1, 2017.
I am going to use a metaphor involving the board game of Monopoly to illustrate how I feel about risk management. The players compete to win by either having more money when the game ends (if there is a time limit) or by being the only one left standing after all the others have gone bankrupt. Let’s imagine our executive team is playing a game against its main competitors.
U.S. online payment processor Dwolla fined $100,000 for misrepresenting data security practices: Lessons for Canadian companies
In March, 2016 the U.S. Consumer Financial Protection Bureau (“CFPB”) issued a Consent Order against Dwolla Inc., an online payment platform, for deceiving consumers about its information security practices. The CFPB levied a $100,000 civil monetary penalty against the company, a first for the CFPB. While Canada has different privacy and consumer protection regimes, the lessons from the Dwolla case point to a new direction in enforcement approaches.
Whether it is assisting Syrian refugees to settle in Canada or helping those fleeing from floods and fires, the goodwill of the people and charities in Canada always makes headlines. In times of disaster, it seems many charities want to raise money and get on the bandwagon to help those in need. Although this may be a laudable goal for charities that want to show their benevolence, sometimes it could simply get them into trouble.
The King Code of Corporate Governance has been a fine source of principles and practice for governance, including risk, assurance, and compliance, ever since its initial release. In this post, I want to talk about two areas I find interesting in the draft Code.
As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from the Newfoundland and Labrador’s Office of the Information and Privacy Commissioner shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information – and your organization – if the device ever falls into the wrong hands.