Inside Internal Controls

News and discussion on implementing risk management

Mobile Device Management

Selecting software to help manage user access risk

I believe software is essential in managing user access risk, not only for SOX but also for other business risks. In fact, the potential harm from inappropriate access is typically greater for other business risks (such as the possibility of disruption of activities such as revenue generation or manufacturing, reputation risk, and the protection of valuable intellectual property) than it is for SOX.

Views on the future of risk management

James Lam has an impressive resume: Chief Risk Officer for major financial institutions, author of a respected book on ERM, consultant, and board member. Recently, he wrote a white paper that is available through RIMS or Workiva, Next Frontier: Performance-Based Continuous ERM. I think it is fair to say that James and I agree on many points but disagree on others.

Adequacy of Canadian privacy law

Potential amendments could mean Canadian businesses receiving personal information from Europe will have more exposure to the differences in the data protection laws and enforcement regimes in the EU member states.

CASL and private right of action

Canada has the most onerous anti-spam/anti-malware law (CASL) in the world. In less than a year, on July 1, 2017, it is going to become even worse. That's when the private right of action comes into force.

Cybersecurity best practices for connected cars

Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Automotive Information Sharing and Analysis Center (Auto-ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto-ISAC has now released its "Automotive Cybersecurity Best Practices".

Proposed Manitoba accessible employment standards

The Accessibility Advisory Council (AAC) is inviting interested stakeholders to provide their views on its initial proposal for accessible employment standards. Employment is the second of five accessibility standards being developed under the Accessibility for Manitobans Act (AMA).

Proposed Nova Scotia accessibility legislation

On November 2, 2016, the government proposed Nova Scotia accessibility legislation to promote equality of opportunity and increase the inclusion and participation of Nova Scotians who have disabilities or functional limitations in all areas of everyday life by promoting and encouraging the prevention, reduction and removal of barriers.

Cybersecurity: CSA issues new guidance

Cybersecurity is top of mind for corporate boards and securities regulators alike. On September 27, 2016, the Canadian Securities Administrators (CSA) issued CSA Staff Notice 11-332 – Cyber Security (2016 Notice). The 2016 Notice updates the CSA’s previous notice on the same topic, CSA Staff Notice 11-326 Cyber Security for reporting issuers, registrants and regulated entities.

Privacy injunctions in the age of the internet and social media

Canadian common law courts are still far behind the English courts which have developed a much more flexible tort of misuse of private information, as well as remedies for breach that include damages to compensate for the loss or diminution of a right to control private information, and now following the PJS case, perhaps also exemplary or punitive damages and an accounting of profits. Surprisingly, Canadian courts have not had to canvass recently whether the English common law tort of misuse of private information should be adopted in Canada.

IP address as personal information: Canadian and EU positions

The Office of the Privacy Commissioner’s findings do not mean that consent to the collection of an IP address is always required. There may be a number of legitimate reasons for collecting this information, including those relating to security of the site. These reasons would not necessarily extend, however, to collection and use of IP addresses for advertising purposes without some form of consent.

How much should big brother monitor (and other BYOD considerations)

Given the popularity and prevalence of mobile devices such as smartphones and tablets in today's world, it is no surprise that Bring Your Own Device ("BYOD") programs have become an increasingly common arrangement for organizations. BYOD programs allow employees to use their own mobile devices for both personal and business purposes, blurring the traditional line between work and play. A recent report indicates that more than 75% of Canadian businesses support employee-purchased smartphones and tablets in the workplace.

Survey results: Risk-based internal audit planning

Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?

Reasonable expectation of privacy and text messaging

The task of picking up the phone, dialing and anticipating a "hello" on the other end can be daunting for many people. Text messaging, compared to phone calls, has come to dominate the way we communicate with one another over the years. With the abundance of text messages exchanged between people, an important question arises with respect to privacy: is there a reasonable expectation of privacy in a text message once it has been sent and received by the intended recipient? The Ontario Court of Appeal recently concluded that there is not, thereby ruling that text messages seized from a recipient's phone can be used against the sender in court.

Risk and how we run our business

I am going to use a metaphor involving the board game of Monopoly to illustrate how I feel about risk management. The players compete to win by either having more money when the game ends (if there is a time limit) or by being the only one left standing after all the others have gone bankrupt. Let’s imagine our executive team is playing a game against its main competitors.

The art of restraint

A restrictive covenant is a class of legal “promise” imposing a restriction on one party for the benefit of another. When drafted correctly, restrictive covenants are an invaluable tool to protect your business.
