First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Fraud and Corruption

Real answers to common questions on cybersecurity

Every day there is something in the news about organizations generally of all different sizes that have been breached and have had to deal with the impact of the loss, compromise or destruction of data. Making key decision-makers aware of the general threat landscape is helpful, but more helpful is making them aware of the threat landscape specific to your organization.

 

, , , , , , ,

Lawful access: The Privacy Commissioner reiterates its position

Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada, was asked, at the request of Commission’s counsel, to provide an overview of the legislation for protecting privacy in Canada and to answer questions about lawful access issues from a federal perspective.

 

, , , , , , , , ,

CCOs say policies are getting stronger; adoption of technology – not so much

KPMG recently published its latest survey of chief compliance officers. The report highlights the increasing value of effective Compliance. It also reveals growing pains of our industry, specifically in maximizing efficiencies.

 

, , ,

Why do so many practitioners misunderstand risk?

My apologies in advance to all those who talk about third–party risk, IT risk, cyber risk, and so on. We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos. We should address risk because of its potential effect on the achievement of enterprise objectives.

 

, , ,

Copyright year in review 2016

This article highlights noteworthy Canadian copyright law decisions and developments from 2016.

 

, , , , , , , , , , , , , , ,

Selecting software to help manage user access risk

I believe software is essential in managing user access risk, not only for SOX but also for other business risks. In fact, the potential harm from inappropriate access is typically greater for other business risk (such as the possibility of disruption of activities such as revenue generation or manufacturing, reputation risk, and the protection of valuable intellectual property) than it is for SOX.

 

, , , ,

Anti-money laundering update: Politically exposed persons

On December 20, 2016, the Financial Transactions and Reports Analysis Centre of Canada released new guidelines in respect of politically exposed persons and heads of international organizations. A separate guideline was released for each of financial entities, securities dealers, life insurance companies, agents and brokers and money services businesses. The Guidelines will be effective June 17, 2017.

 

, , , , , ,

Fraud: Why do people commit it?

An interesting interview with Eugene Soltes, the Jakurski Family Associate Professor of Business Administration at Harvard Business School, appeared in the Harvard Business School’s Working Knowledge publication. According to the school, “his research focuses on how individuals and organizations confront and overcome challenging situations”. “Why White-Collar Criminals Commit Their Crimes” is an ‘author interview’, Soltes having written Why they do it: Inside the mind of the white-collar criminal. I have not read the book, but suggest that those with continuing responsibility for detecting and/or investigating fraud might want to do so.

 

, , , , ,

The astonishing Wells Fargo fraud

The news about the Wells Fargo staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling. What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000, or 2% of all employees). When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells Fargo culture in reality was to do what was right for the staff, not the customers!

 

, , , , , , , ,

BC Privacy Office says free legal advice doesn’t trigger client ID requirements

A recent Mediation Settlement from the BC Privacy Commissioner has raised an issue of particular interest to law firms, and other organizations which must meet “Know Your Client” requirements. The item is brief, but seems to suggest that free legal advice doesn’t trigger the “Know Your Client” provisions imposed by various Law Societies for compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. According to this Mediation Settlement, only paid legal advice triggers that obligation.

 

, , , , , , , , ,

Have your provided comments on the COSO ERM draft?

Have your provided comments on the COSO ERM draft? Please share your views on this important document. I submitted my comments some time ago. I realize that some of you prefer the ISO 31000:2009 global standard on risk management. But let’s recognize that nearly half of the risk management functions around the world are
influenced by if not using the COSO framework.

 

, , , , , , , ,

Pension and benefit plan provider breaches privacy law causing employee to lose life insurance coverage

Many of us have called service providers to change basic information, such as a mailing address. You pick up the phone, speak to a representative, and the change is made; no big deal, right? This seamless scenario may not always be the case. Any little misstep on an organization’s part can cause grief not only for the customer, but also for the organization itself. This proved to be true when an employee complained, to the Office of the Privacy Commissioner of Canada, that her employment pension and benefit provider disclosed her personal information to a third party without her consent.

 

, , , , , , , , , , ,

U.S. online payment processor Dwolla fined $100,000 for misrepresenting data security practices: Lessons for Canadian companies

In March, 2016 the U.S. Consumer Financial Protection Bureau (“CFPB”) issued a Consent Order against Dwolla Inc., an online payment platform, for deceiving consumers about its information security practices. The CFPB levied a $100,000 civil monetary penalty against the company, a first for the CFPB. While Canada has different privacy and consumer protection regimes, the lessons from the Dwolla case point to a new direction in enforcement approaches.

 

, , , , , , , , , , , , , ,

Data breaches: All’s not lost, even if your data is (and if you’ve taken precautions)

As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from the Newfoundland and Labrador’s Office of the Information and Privacy Commissioner shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information – and your organization – if the device ever falls into the wrong hands.

 

, , , , , , , , , ,

The art of restraint

A restrictive covenant is a class of legal “promise” imposing a restriction on one party for the benefit of another. When drafted correctly, restrictive covenants are an invaluable tool to protect your business.

 

, , , , , , ,

Previous Posts