
Inside Internal Controls

News and discussion on implementing risk management


Author Archive - Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.

Is your ERM program as useful as a GPS?

An ERM program, like a GPS, helps with making informed and (hopefully) intelligent decisions so that objectives can be reached safely and on time.

 


Why do we need risk management?

Risk management is about helping an organization achieve its objectives in the face of uncertainty.

 


What is your consolidated risk exposure?

This article discusses consolidated risk exposure and different risk management tools.

 


Is it a management or board failure when no action is taken on audit findings?

How effective are your organization’s internal audit reports? An effective internal audit report and proper communication on the part of IAs can promote appropriate action on the part of management and the board.

 


Are you managing risk or are you managing the organization?

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

 


The essential competencies of an effective risk officer

I recently sparred gently with a good friend, a respected and influential risk practitioner and thought leader, about the key competencies necessary for a risk officer to be effective. He listed several competencies for effectiveness, saying that “without these competencies risk managers are useless to the business”.

 


The board and enterprise culture

This article looks at the Board’s involvement in managing enterprise culture. In the corporate context, culture is a system of values, beliefs and behaviors that shape how things get done within the organization.

 


How significant is the risk of fraud?


The best resource for understanding the level of fraud risk is the Association of Fraud Examiners’ (ACFE) annual Report to the Nations, their global study of occupational fraud and abuse. Their 2018 Report is now available and, as always, shares some useful and important insights. The ACFE analyzed 2,690 cases from January 2016 to October 2017 from around the world (48% from the USA, the rest evenly split among other regions).

 


Jim Comey and the practitioner’s dilemma

It is often difficult to make the right decision when facing challenges in an organization. Maintaining integrity, standing your ground and doing what you believe to be right and part of your responsibilities can be difficult and can make you question the decisions you make.

 


My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.

 


New GRC guidance from OCEG might be missing a crucial point

GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”. A new Guide from OCEG, A Practical Guide About GRC Metrics and Measurement, says, a major part of GRC is about “break[ing] down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments”.

 


Reporting on risk to the board

Those charged with reporting on risk to the board and to the executive team should understand what they are trying to achieve, what information they need to be successful and how they can help.

 


Talking sense about technology risk and cyber

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose IT risks, data security risks and business risks, and then prioritize them.

 


Don’t forget to audit controls!

It’s best to have management detect issues and for audit to assess whether those detective controls are adequate.

 


An idea to help drive effective risk management

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment. What if the quality of decision-making was a significant factor in assessing performance, thus affecting compensation and career progression? This idea could help drive effective risk management.

 

