
Inside Internal Controls

News and discussion on implementing risk management


Backup and Disaster Planning

Cybersecurity: CSA issues new guidance

Cybersecurity is top of mind for corporate boards and securities regulators alike. On September 27, 2016, the Canadian Securities Administrators (CSA) issued CSA Staff Notice 11-332 – Cyber Security (2016 Notice). The 2016 Notice updates the CSA’s previous notice on the same topic, CSA Staff Notice 11-326 Cyber Security for reporting issuers, registrants and regulated entities.

 


Cyber risk and audit

Clearly, cyber risk and audit is the topic of the day, if not the year and decade. The leader of Protiviti’s IT audit practice, David Brand, has weighed in with “Ten Cybersecurity Action Items for CAEs and Internal Audit Departments”. He has some valuable ideas that merit consideration, not only by internal auditors, but by security professionals, boards, risk officers, and more broadly among the executive group. I will let you read his post and suggested action items.

 


Survey results: Risk-based internal audit planning

Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?

 


Data breaches: All’s not lost, even if your data is (and if you’ve taken precautions)

As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from Newfoundland and Labrador’s Office of the Information and Privacy Commissioner shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information – and your organization – if the device ever falls into the wrong hands.

 


The board of directors’ role in crisis management

Sooner or later, every enterprise will face a crisis. When it hits, the ability to side-step disaster depends on the effectiveness of your company’s response. Preparedness and oversight of crisis management is a key responsibility of the board of directors.

 


“Do Not Call” means Do Not Call: CRTC enters into MOU with FTC on Spam and Unsolicited Telecommunications

On March 24, 2016, the Canadian Radio-television and Telecommunications Commission (“CRTC”) signed a memorandum of understanding (“MOU”) with the United States Federal Trade Commission.[1] This MOU is an effort by Canada and the United States to work together on anti-spam enforcement measures, and expressly refers to unsolicited telecommunications, unsolicited commercial electronic messages (spam), and other unlawful electronic threats (e.g., malware and botnets).

 


Data breach protection services: Taxable in Canada?

A recent IRS announcement raises questions about how Canadian tax authorities will treat the free data protection services that organizations often provide in order to mitigate data breaches.

 


Managing risk means opening your eyes every day

On the surface, it is good news that the majority of Canadian CFOs are confident in their management of risk and believe that employees understand the risks to the organization. 72% feel that their strategy is aligned with their risk appetite. But, do the authors of the study understand what effective risk management entails?

 


New PIPEDA data breach regulations proposed

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed. The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations.

 


Ransomware threat to Canadian businesses broadens

Recent hacker attacks — including the first successful attack on an Apple computer, and several attacks on U.S. and Canadian hospitals — have reminded Canadian businesses of the need to be vigilant about the danger posed by ransomware.

 


Insights from the I Spy conference on big data and privacy

On Friday February 5, 2016, we attended the I Spy: Opportunities and Challenges Surrounding Privacy and Big Data conference organized by the Osgoode JD/MBA Students’ Association. Speakers from industry, government and private practice explored the challenge organizations face in maximizing insights from big data while maintaining a respect for individual privacy.

 


Storing data in Canada won’t necessarily shield it from US scrutiny

Two recent decisions emphasize that data seized in Canada by Canadian authorities is nevertheless subject to investigation by foreign, and in particular American, authorities. Storage of data in Canada will not necessarily shield it from review by foreign authorities.

 


Test your knowledge of CASL

The current release of Finance and Accounting PolicyPro updates the policy on Canada’s anti-spam legislation (commonly known as “CASL”). Test your knowledge of CASL with the following questions, then review the answers below to see how well you did.

 


Internal audit and cyber risk

Deloitte has published good work. One of my favorites is their risk-intelligent white paper series. Recently, they released Cybersecurity and the role of internal audit. It has both superior and inferior advice. Let me walk through it.

 


Hackable Barbies, malicious POODLEs: PIPEDA compliance and the Internet of Things

She stands just under a foot tall, has a résumé that includes such storied accomplishments as astronaut, registered nurse, and Presidential candidate. Whether cropped or worn shoulder-length, her iconic blonde hair has been inspiring popular culture since well before Madonna. She’s owned more dream homes than most real estate magnates, and earlier last month Barbie tried out a brand new accessory that has been turning heads ever since—an AzureWave AW-CU300E 802.11 b/g/n WiFi Microcontroller Module.

 

