First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Backup and Disaster Planning

Selecting software to help manage user access risk

I believe software is essential in managing user access risk, not only for SOX but also for other business risks. In fact, the potential harm from inappropriate access is typically greater for other business risk (such as the possibility of disruption of activities such as revenue generation or manufacturing, reputation risk, and the protection of valuable intellectual property) than it is for SOX.

 

, , , ,

Views on the future of risk management

James Lam has an impressive resume: Chief Risk Officer for major financial institutions, author of a respected book on ERM, consultant, and board member. Recently, he wrote a white paper that is available through RIMS or Workiva, Next Frontier: Performance-Based Continuous ERM. I think it is fair to say that James and I agree on many points but disagree on others.

 

, , , , ,

Cybersecurity best practices for connected cars

Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.

 

, , , , , , , , , , , , , , ,

Cybersecurity: CSA issues new guidance

Cybersecurity is top of mind for corporate boards and securities regulators alike. On September 27, 2016, the Canadian Securities Administrators (CSA) issued CSA Staff Notice 11-332 – Cyber Security (2016 Notice). The 2016 Notice updates the CSA’s previous notice on the same topic, CSA Staff Notice 11-326 Cyber Security for reporting issuers, registrants and regulated entities.

 

, , , , , ,

Cyber risk and audit

Clearly, cyber risk and audit is the topic of the day, if not the year and decade. The leader of Protiviti’s IT audit practice, David Brand, has weighed in with “Ten Cybersecurity Action Items for CAEs and Internal Audit Departments”. He has some valuable ideas that merit consideration, not only by internal auditors, but by security professionals, boards, risk officers, and more broadly among the executive group. I will let you read his post and suggested action items.

 

, , , , , , , ,

Survey results: Risk-based internal audit planning

Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?

 

, , , , , , , ,

Data breaches: All’s not lost, even if your data is (and if you’ve taken precautions)

As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from the Newfoundland and Labrador’s Office of the Information and Privacy Commissioner shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information – and your organization – if the device ever falls into the wrong hands.

 

, , , , , , , , , ,

The board of directors’ role in crisis management

Sooner or later, every enterprise will face a crisis. When it hits, the ability to side-step disaster depends on the effectiveness of your company’s response. Preparedness and oversight of crisis management is a key responsibility of the board of directors.

 

, , , , , , ,

“Do Not Call” means Do Not Call: CRTC enters into MOU with FTC on Spam and Unsolicited Telecommunications

On March 24, 2016, the Canadian Radio-television and Telecommunications Commission (“CRTC”) signed a memorandum of understanding (“MOU”) with the United States Federal Trade Commission.[1] This MOU is an effort by Canada and the United States to work together on anti-spam enforcement measures, and expressly refers to unsolicited telecommunications, unsolicited commercial electronic messages (spam), and other unlawful electronic threats (e.g., malware and botnets).

 

, , , , , ,

Data breach protection services: Taxable in Canada?

A recent IRS announcement raises questions about how Canadian tax authorities will treat the free data protection services that organizations often provide in order to mitigate data breaches.

 

, , , , , , , , , , , ,

Managing risk means opening your eyes every day

On the surface, it is good news that the majority of Canadian CFOs are confident in their management of risk and believe that employees understand the risks to the organization. 72% feel that their strategy is aligned with their risk appetite. But, do the authors of the study understand what effective risk management entails?

 

, , , , , , ,

New PIPEDA data breach regulations proposed

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed. The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations.

 

, , , , , , , , ,

Ransomware threat to Canadian businesses broadens

Recent hacker attacks — including the first successful attack on an Apple computer, and several attacks on U.S. and Canadian hospitals — have reminded Canadian businesses of the need to be vigilant about the danger posed by ransomware.

 

, , , , , , , , , , , , , , ,

Insights from the I Spy conference on big data and privacy

On Friday February 5, 2016, we attended the I Spy: Opportunities and Challenges Surrounding Privacy and Big Data conference organized by the Osgoode JD/MBA Students’ Association. Speakers from industry, government and private practice explored the challenge organizations face in maximizing insights from big data while maintaining a respect for individual privacy.

 

, , , , , , , , ,

Storing data in Canada won’t necessarily shield it from US scrutiny

Two recent decisions emphasize that data seized in Canada by Canadian authorities is nevertheless subject to investigation by foreign, and in particular American authorities. Storage of data in Canada will not necessarily shield if from review by foreign authorities.

 

, , , , , , , , , ,

Previous Posts