Recent Stories


Understanding Governance Risks

How many boards, let alone risk officers, think about the risks to their organization if the governance by the board and top management is ineffective? Certainly, people talk about the potential for…

Guidance For Directors On Disruptive Change

Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will…

Board Oversight Of Cyber-Risks

Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a…

Risk Management Challenge – The Answer

In a recent blog, I said I had asked one of the leaders of a CPA firm’s ERM consulting practice this question: “Maybe you can help me understand how you

Monitoring Risk And Control Deficiencies – Who’s Responsible?

Who’s responsible for ensuring that corrective actions to remedy issues identified by internal audit are completed? Management is responsible for the system of internal control as well as for…

A Risk Management Challenge For You

I hope I have been consistent in my message: that risk appetite and other top-level guidance only enables an after-the-fact answer to the question of “did we take the right…

The SOX State Of The Nation

Each of the last few years, Protiviti has conducted a survey to understand and then report on the state of SOX compliance programs. They recently published their 2014…

My Tolerance For Risk Appetite Is Fading

It is amazing to me that one of my most popular blog posts every month is Just what is risk appetite and how does it differ from risk tolerance?, which I wrote over four years ago, in…

Analytics And The Internal Audit Report

Internal auditors have been using analytics (historically called ‘data mining’ or ‘computer-assisted audit techniques’ (CAATS)) to find potential issues for decades. When I was…

A Satisfactory Audit Report Is Unsatisfactory

If you met with your manager and he gave you a “satisfactory” rating on your performance appraisal, how would you feel? If your child came home with a “satisfactory”…