Misunderstanding Risk and Controls

Posted on Feb 1, 2014

Time and again I hear that risk management is seen as something that is required by the regulators, perhaps by the board or top management, but is not seen as something that helps individual managers succeed. 

The Academy for Creative Auditing

Posted on Jan 25, 2014

Some years ago, while I was CAE at Tosco, I started an "Academy for Creative Auditing." It never got off the ground because the company was acquired and I left for new pastures. But the idea still holds true: that if we, as leaders or users of internal audit services, are to get the best out of internal audit managers and staff we need them to use their imagination and creativity, not just their technical skills.

A Danger to Every SOX Program

Posted on Jan 18, 2014

I am starting to hear that people are adding a fair number of key controls to the existing scope of their Sarbanes-Oxley program. This should sound the alarm, as most of us have spent a fair amount of time over the last few years streamlining the program.

Verizon Report Shares Insights After Analyzing 47,000 Data Breaches

Posted on Dec 14, 2013

Verizon’s 2013 Data Breach Investigations Report analyzes thousands of 2012 incidents, using data supplied by a variety of partners (including police and other agencies in Holland, Malaysia, Australia, Denmark, Spain, Ireland, and the United States). The data set was limited to data breaches reported to third parties. The 47,000 incidents led to 621 actual data breaches.

How to Build an IT Audit Plan

Posted on Dec 7, 2013

This post is primarily for IT auditors, but its philosophy applies equally to those charged with assessing so-called IT risk.

Does Your Internal Audit Department Understand All the Tools It Has?

Posted on Dec 2, 2013

Earlier this year, I appeared on an IIA AuditChannel.tv video “Rethink Your Approach to Technology.” I spoke to the need to look first at what your organization already owns and is using before acquiring solutions specifically for internal audit. Too few internal audit departments understand how they can use technology for analytics and business intelligence for their own data mining, continuous auditing, and monitoring. I am interested in your views on the advice I provided in the video. 

Reflections on IT Risk and Audit

Posted on Nov 22, 2013

All the studies show an increasing pace of change in and around technology. It is not only that we run the back office with enterprise software; technology is invading both the front office and the products and services offered by organizations around the world.

UK Issues Proposed Guidance on Risk Management, Internal Control, and Going Concern

Posted on Nov 16, 2013

The U.K.’s Financial Reporting Council (FRC) is responsible for the nation’s corporate governance code as well as its standards for accounting and auditing. When they speak, we should all listen.

Using COSO Updated Internal Controls Framework in a Top-Down, Risk-Based Sarbanes-Oxley Program

Posted on Nov 7, 2013

Over the years, organizations and their auditors have moved to a top-down and risk-based program for Sarbanes-Oxley. Not only is this the most efficient and effective way, but it must be used by the external auditors (PCAOB’s Auditing Standard Number 5) and management is advised to use it by the SEC (their Interpretive Guidance). 

Board Members Who Should Be Fired

Posted on Nov 4, 2013

Over the years, I have worked with and for a great many board members. Most of the directors were diligent, committed to their responsibilities, and a pleasure to work with. Others fell short. 
