First Reference

Inside Internal Controls

News and discussion on implementing risk management


Leadership and Management

Is it a management or board failure when no action is taken on audit findings?

How effective are your organization’s internal audit reports? An effective internal audit report, together with proper communication on the part of internal auditors (IAs), can prompt appropriate action by management and the board.

 


Deferred no more: Deferred prosecution agreements finally on their way to Canada

The announcement of the proposed Remediation Agreement Regime is a long awaited step towards a more flexible and responsive criminal justice regime for organizations accused of criminal misconduct, and puts Canada on an equal playing field with jurisdictions around the world.

 


Are you managing risk or are you managing the organization?

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

 


European Union proposes whistleblower protections

A recent EU proposal is only the latest in a string of legislative developments in jurisdictions around the world aimed at strengthening whistleblower protections and encouraging whistleblowers to come forward and report wrongdoing.

 


The essential competencies of an effective risk officer

I recently sparred gently with a good friend, a respected and influential risk practitioner and thought leader, about the key competencies necessary for a risk officer to be effective. He listed several competencies for effectiveness, saying that “without these competencies risk managers are useless to the business”.

 


The board and enterprise culture

This article looks at the Board’s involvement in managing enterprise culture. In the corporate context, culture is a system of values, beliefs and behaviors that shape how things get done within the organization.

 


Cultural shifts on sexual harassment redefine “the line” for acceptable behavior

The recent media attention on sexual harassment in the workplace, arising from #MeToo and the publicity surrounding allegations of wrongdoing by powerful celebrities and executives, has dramatically raised awareness of the issues.

 


Jim Comey and the practitioner’s dilemma

It is often difficult to make the right decision when facing challenges in an organization. Maintaining integrity, standing your ground and doing what you believe to be right and part of your responsibilities can be difficult and can make you question the decisions you make.

 


My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should audit them with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques, and the likelihood that hackers have new techniques that are unknown both to auditors and to management.

 


Learning the basics on GDPR’s right to be forgotten

To manage the European Union’s new GDPR properly, ethics and compliance officers need to consider many parts of their organization, from IT capabilities to exception clauses and customer service demands. These parts must be managed and organized so that they work together rather than fall apart.

 


New GRC guidance from OCEG might be missing a crucial point

GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”. A new guide from OCEG, A Practical Guide About GRC Metrics and Measurement, says a major part of GRC is about “break[ing] down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments”.

 


Ethics & compliance leaders could use a good dose of marketing 101

Just as a brand isn’t what the company says about itself, but what other people say about the company, employee behavior is the final expression of your E&C marketing program’s success.

 


Reporting on risk to the board

Those charged with reporting on risk to the board and to the executive team should understand what they are trying to achieve, what information they need to be successful and how they can help.

 


Talking sense about technology risk and cyber

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose IT risks, data security risks and business risks, and then prioritize them.

 


Don’t forget to audit controls!

It’s best to have management detect issues and for audit to assess whether those detective controls are adequate.

 

