First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Author Archive - Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more

Is it a management or board failure when no action is taken on audit findings?

How effective are your organization’s internal audit reports? An effective internal audit report and proper communication on the part if IAs can promote appropriate action on the part of management and the board.

 

, , , ,

Are you managing risk or are you managing the organization?

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

 

, , , , ,

The essential competencies of an effective risk officer

I recently sparred gently with a good friend, a respected and influential risk practitioner and thought leader, about the key competencies necessary for a risk officer to be effective. He listed several competencies for effectiveness, saying that “without these competencies risk managers are useless to the business”.

 

, , , , , ,

The board and enterprise culture

This article looks at the Board’s involvement in managing enterprise culture. In the corporate context, culture is a system of values, beliefs and behaviors that shape how things get done within the organization.

 

, , , , , , ,

How significant is the risk of fraud?

fraud

The best resource for understanding the level of fraud risk is the Association of Fraud Examiners’ (ACFE) annual Report to the Nations, their global study of occupational fraud and abuse. Their 2018 Report is now available and, as always, shares some useful and important insights. The ACFE analyzed 2,690 cases from January 2016 to October 2017 from around the world (48% from the USA, the rest evenly split among other regions).

 

, , , , , , , ,

Jim Comey and the practitioner’s dilemma

It is often difficult to make the right decision when facing challenges in an organization. Maintaining integrity, standing your ground and doing what you believe to be right and part of your responsibilities can be difficult and can make you question the decisions you make.

 

, , , ,

My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.

 

, , , , , , , , , ,

New GRC guidance from OCEG might be missing a crucial point

GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”. A new Guide from OCEG, A Practical Guide About GRC Metrics and Measurement, says, a major part of GRC is about “break[ing] down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments”.

 

, , , , ,

Reporting on risk to the board

Those charged with reporting on risk to the board and to the executive team should understand what they are trying to achieve, what information they need to be successful and how they can help.

 

, , , , , , ,

Talking sense about technology risk and cyber

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose IT risks, data security risks and business risks, and then prioritize them.

 

, , , ,

Don’t forget to audit controls!

It’s best to have management detect issues and for audit to assess whether those detective controls are adequate.

 

, , , , , , ,

An idea to help drive effective risk management

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment. What if the quality of decision-making was a significant factor in assessing performance? Thus affecting compensation and career progression. This idea could help drive effective risk management.

 

, , , , , , , ,

Is the goal of risk governance taking boards in the wrong direction?

The board is discharging its responsibilities to ensure stakeholders get the performance they should: value creation as well as (and not just) value protection. The board should make sure the management team is effective in running the organization, and that is not done by focusing on a list of harms. Effective governance of an organization is limited if the board focuses on risks.

 

, , , , , , , ,

How do you manage culture?

psychological safety

There are many aspects or dimensions to culture, just as there are many dimensions to the behavior you want it to drive. They may include:

 

, , , , , ,

The SEC is changing the rules for SOX s302 certifications to include cyber risks

You may know that the SEC just published new guidance on the disclosures they are required to make related to cybersecurity. But did you realize that the SOX s302 certification now has to address whether disclosure controls are adequate in ensuring that the proper disclosures are made?

 

, , ,

Previous Posts