First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

risk assessment

The next generation of internal auditing

I want to congratulate Workiva and Jose Tabuena for Internal Audit’s Guide to Planning, Managing and Addressing Risks. I want to focus on the first piece in that publication, Planning to Do the Right Audits: An Effective Internal Audit Risk Assessment. Here are some excerpts, with comments by me:

 

, , , , ,

Elevating internal audit’s role

For many years, PwC has shared with us their view of the State of the Internal Audit Profession. They have some useful words, but it is mixed in with an agenda with which I don’t totally agree. I will come to that later. But first, the good stuff:

 

, , , ,

How often should you assess risk?

I recently listened to a new video by my friend, Alex Sidorenko. In How often [should] the risk assessments be performed, he makes some solid points, including:

 

, , ,

The accountants’ role in risk management

The International Federation of Accountants (IFAC) has published an interesting and useful piece, Enabling the Accountant’s Role in Effective Enterprise Risk Management.

 

, , , , , ,

The effective practitioner in action

Competition law

A risk practitioner can assist in a number of ways, including helping management use comparable methods and tools to assess both upside and downside potential consequences in a way that they can be compared.

 

, , , , ,

Are we taking risk, making a decision, or gambling?

We gamble all the time, but we don’t think of it that way. We think we are making decisions, not gambling – and often don’t see it as taking risk either.

 

, , ,

The cyber heat map

Vince Dasta of Protiviti makes a good point (pun intended – as will be explained shortly) in Cyber Risk Assessment: Moving Past the “Heat Map Trap”.

 

, , ,

Emerging risks: who is watching?

Who should be alert and watching for emerging risks: things that might happen (a better expression than the ‘R’ word, ‘risk’, because of its negative impression) that might affect the achievement of enterprise objectives?

 

, ,

The most important question is WHY

Too often, people do things without asking themselves why they are doing them. It may be because that is what they have always done, what somebody told them to do, or because they read about it in a book or standard.

 

, , , ,

It’s not about risk management – it’s about the achievement of objectives

I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives. It’s about being successful. Success is measured through the achievement of specified objectives. We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our […]

 

, , ,

What a CEO needs to hear to invest more in compliance – strategy

Investment decisions are strategic. They are based on a business case and cost/benefit analysis. Expense decisions are more tactical, and are often associated with things an organization must do to keep running – like meet a regulatory requirement so they can check the box.

 

, , , , , ,

Trusted advisors and world-class internal auditors

I was recently privileged to receive a signed copy of Richard Chambers’ latest book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors. Richard is the President and CEO of The Institute of Internal Auditors, a veteran of internal audit at the highest level, a friend, and an individual with whom I love to debate the practices of internal auditing and risk management. (I hope I am influencing his views on the imminent update of the COSO ERM Framework.)

 

, , , , ,

The astonishing Wells Fargo fraud

The news about the Wells Fargo staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling. What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000, or 2% of all employees). When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells Fargo culture in reality was to do what was right for the staff, not the customers!

 

, , , , , , , ,

Survey results: Risk-based internal audit planning

Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?

 

, , , , , , , ,

Anti-money laundering updates

Final amendments to Regulations to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act released.

 

, , , , , , , , ,

Previous Posts