This week, my company, SAP, hosted a roundtable where three executives talked about the successful implementation of solutions for governance, risk, and compliance (GRC) at their companies and answered questions from media. The technology that these companies used was from SAP, but other vendors have products that would have produced similar results.

If you haven’t already read at least the executive summary of the bank examiner’s report regarding Lehman Brothers' demise, you should. A New York Times story covers some of the main points and contains links to the 2,200-page document.

Peter Millar (of ACL Services) is leading a small team (Brad Ames of HP and myself) in a project to update the Global Technology Audit Guide (GTAG) on Continuous Auditing. This is a routine update, such as we go through for all IIA guidance, but it provides the opportunity to upgrade the current guidance.

How about these as attributes of an ideal internal audit department?

I want to take two views in answering this question — the first is from day-to-day living, and the second is from The IIA's International Standards for the Professional Practice of Internal Auditing (Standards).

Last year, the Institute of Directors in South Africa published the King Code of Governance for South Africa 2009 (King III). It is effective July 1, 2010. In my opinion, it was one of the most important advances in corporate governance in years. I am pleased that one of the contributors was IIA–South Africa.

A reader asked me for a source of guidance on best governance practices, which she wanted for her U.S. company. Before I discuss how I answered, it is worth considering the plethora of frameworks and guidance.

A friend of mine, Richard Anderson, has released a new paper on the topic of risk appetite. Richard is an expert on risk management, especially compared to me. True, I have implemented risk management at one company, run it at another, and assessed risks for management for many years as chief audit executive. But Richard not only has greater experience and insight but has been involved in major risk thought leadership for a long time. For example, he quotes from the BS31100 standard, which he developed, as defining risk appetite as the “amount and type of risk that an organization is prepared to seek, accept, or tolerate.”

I appreciate the number of people who have taken the time to visit and read my comments on governance. Quite a few have gone to the next level and shared their insights and perspectives with the community, enriching the discussion.