First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Budgeting and Auditing

How often should you assess risk?

I recently listened to a new video by my friend, Alex Sidorenko. In How often [should] the risk assessments be performed, he makes some solid points, including:

 

, , ,

A board that would fail any test of its governance practices

I am planning a meeting with the CRO from a company during which I had planned to share some of the principles of effective risk management, based on what is considered world-class, and the governance of risk management by the board.

 

, , , , , , ,

Beyond due diligence: Ongoing third party risk management

There is something in a name. More people in the compliance industry, when referring to third-party due diligence, are labeling it “Third Party Risk Management.” I like it because it is more accurate.

 

, , , , , ,

Is internal audit being distracted by consultants bearing sparkling new toys?

In PwC 2019 State of the Internal Audit Profession Study, they are advising internal auditors to adopt approaches and practices with which I disagree.

 

, , , , ,

Are we taking risk, making a decision, or gambling?

We gamble all the time, but we don’t think of it that way. We think we are making decisions, not gambling – and often don’t see it as taking risk either.

 

, , ,

Federal Court of Appeal holds Canada Revenue Agency does not have the power to compel oral interviews during audit

The Canada Revenue Agency (CRA) has increasingly requested oral interviews during audits, particularly in transfer pricing audits. In Minister of National Revenue v. Cameco Corporation, the CRA sought an order compelling employees of the Cameco group to attend oral interviews. The decision of the Federal Court of Appeal (FCA) will be welcomed by taxpayers as it holds that an auditor does not have the power to compel such interviews.

 

, , , , ,

Assessing the effectiveness of your risk management program

The IIA has published a new Practice Guide, Assessing the Risk Management Process. In IIA-speak, this is recommended but not mandatory guidance for its members.

 

, , ,

The wonder and joy of internal auditing

More than 17 years ago, The IIA’s magazine published an article of mine, The new age of internal auditing. I made some provocative comments, including:

 

, ,

Talking about software for GRC

The Open Compliance and Ethics Group (OCEG) recently published the 2019 OCEG GRC Technology Strategy Report.

 

, , , , , , ,

Advice for audit committees and oversight of external auditor

While it is clear that the role of the external auditor is important and that the audit committee is charged with their oversight, it is unusual to see advice on how that oversight should be discharged.

 

, ,

Internal audit is your third line of defense

In a perfect world, internal controls would be 100% effective once implemented. In reality, organizations needs multiple lines of defense or barriers to guard against the risk that they will not achieve their objectives. The internal audit function is the last of three lines of defense recommended by the Institute of Internal Auditors (IIA) in […]

 

, , , , , , ,

The basics of risk management

I want to congratulate David Hillson (a.k.a. the Risk Doctor) for his video explaining his view of risk management basics. In Risk management basics: What exactly is it?, he takes less than five minutes to sum up risk management with six questions:

 

, , ,

Uniting risk management with strategic planning

Who can argue that the consideration of what might happen (what some refer to as risk) should be part of the strategic planning process? Objectives and strategies should be set only after thinking carefully about where you are, what is happening around you, and what may happen in the future.

 

, ,

Why are SOX compliance costs increasing so much?

From a recent survey by Protiviti, the information on how many organizations had to issue a cyber-security disclosure is interesting. Apparently, this generally resulted in an increase on SOX compliance hours – although the reason for a significant increase is not clear.

 

, , , , ,

Talking about inherent and residual risk

Are organizations unnecessarily risk averse? That can be crippling in many ways, including slowing agility and decision-making as well as failing to take advantage of opportunities.

 

, , ,

Previous Posts