
Inside Internal Controls

News and discussion on implementing risk management


internal audit

How much cyber risk should an organization take?

I did a video with Joe McCafferty of MISTI last month. I am interested in whether you share my views. I also have some questions for you—after you watch the video.

 


Top 10 most read Inside Internal Controls posts 2016 & Season’s Greetings

We are signing off with a list of the top 10 most read Inside Internal Controls posts 2016. Privacy issues and director’s liability seem to have been hot topics this year with several blog posts on the topics making it on the list. The top 10 most read Inside Internal Controls posts 2016 Director’s liability […]

 


Deloitte predicts change for Internal Audit

A new report from Deloitte has some interesting conclusions—plus predictable ones. 2016 Global Chief Audit Executive Survey: Internal Audit at a crossroads has some provocative content. Deloitte says there is a choice to be made: “Evolution or irrelevance”.

 


The astonishing Wells Fargo fraud

The news about the Wells Fargo staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling. What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000, or 2% of all employees). When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells Fargo culture in reality was to do what was right for the staff, not the customers!

 


Cyber risk and audit

Clearly, cyber risk and audit is the topic of the day, if not the year and decade. The leader of Protiviti’s IT audit practice, David Brand, has weighed in with “Ten Cybersecurity Action Items for CAEs and Internal Audit Departments”. He has some valuable ideas that merit consideration, not only by internal auditors, but by security professionals, boards, risk officers, and more broadly among the executive group. I will let you read his post and suggested action items.

 


How to assess internal audit effectiveness and value

How should this be done? Some would say that the IIA’s quality assurance standards, which require both ongoing and periodic quality reviews, are the answer. I am not one of those people.

 


Survey results: Risk-based internal audit planning

Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?

 


Internal audit: Essential to minimizing risk

Managing risk in today’s business environment has become a far more complex process than it ever has been. This can be attributed to a number of factors, such as increased government regulation and cyber-based issues. Other factors include uncertain political and economic situations that can arise, sustainable development and environmental concerns. These issues can have a substantial impact on small, medium and large organizations.

 


Should we take this risk?

Who takes risk? The correct answer is ‘everybody’; everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.

 


Misunderstanding risk and internal audit

There are many voices urging people to act when it comes to the topics of risk management and the role of internal audit. Unfortunately, most of these voices are like sirens, tempting you to go the wrong way.

 


Internal audit and cyber risk

Deloitte has published good work. One of my favorites is their risk-intelligent white paper series. Recently, they released Cybersecurity and the role of internal audit. It has both superior and inferior advice. Let me walk through it.

 


Common anti-fraud controls ineffective at preventing and detecting fraud

A “typical” business can lose five percent of its revenue to fraud according to a recent global fraud study. And organizations are lucky if they detect the fraud at all. Most businesses find out about fraud from a tip, not from strong internal controls.

 


How does your organization assess the effectiveness of internal audits?

Typically, the stewardship responsibilities of a board of directors include the identification of an organization’s principal risks, the implementation of systems to manage them, and the integrity of internal control and management information systems. Typically, an internal audit function plays a key role in assessing and reporting on these areas.

 
