Identifying the root cause is not enough
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
2d ago
I think we would all agree that identifying the root cause of an issue is important. To quote the Management and Strategy Institute: Root Cause refers to the fundamental reason behind a problem or defect in a process. It is the underlying source that, when addressed, can prevent the recurrence of issues. Root cause analysis is ..read more
Internal auditing is about more than internal audits
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
2d ago
Some years ago, I was at a roundtable with fellow Chief Audit Executives (CAEs). One of the topics that came up was the push by several executives and their external audit partners to outsource the entire internal audit function. One of the CAEs told us what happened at his company. The CEO had received a ..read more
Interviewing is not always easy
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
1w ago
Whether you are an audit or risk practitioner (or fraud specialist), getting information from people is a critical part of your job. Some people are better at it than others, but everybody can improve their interviewing skills. I found a couple of useful articles that merit your attention: Conducting Successful Audit Interviews by Larry Whittington ..read more
What are US companies disclosing about cyber risk?
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
1w ago
Corporate disclosures offer a tiny peek at what companies are doing about cyber risk. Most of the disclosures are voluntary, so a failure to disclose something doesn’t mean they are not doing it. Even so, a new report from EY, Cyber disclosures: what companies shared about cyber risks in 2024, has a little (not a ..read more
Do risk reports communicate effectively?
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
2w ago
Imagine these are reactions to the CRO’s risk reports, at different times from different people: CEO: “OK, I see this risk matrix. What does it mean? Why are you showing it to me? What am I supposed to do with it?” Board member: “Didn’t we see and discuss this in our last meeting? Why do ..read more
How do you audit risk management?
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
2w ago
Writing a novel was fun, especially as I have been told it is quite entertaining. But I am back to the more serious business of writing about internal auditing and risk management, this time it’s a book about how to audit risk management. It’s a challenge. Even with my many years of risk management and ..read more
Building an enterprise risk-based audit plan
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
3w ago
We want to build an audit plan that focuses on what matters most to the achievement of enterprise objectives. Some call this objective-based auditing, but I prefer enterprise risk-based auditing, because (a) we are auditing (the controls over) the more significant risks to the achievement of enterprise objectives, and (b) we are not actually auditing ..read more
Does “risk culture” make sense?
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
3w ago
“Risk culture” is a term that sounds good and is used by many. But my question is whether it is something that actually exists (or should exist), and whether the term has a useful meaning. First, what does it mean. Microsoft Copilot: Risk culture refers to the collective values, beliefs, knowledge, attitudes, and understanding about ..read more
The Chief Risk Officer and Risk Reporting to the Board
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
1M ago
This post is (again) going to upset some people. My hope is that even if you disagree with me, it will make you think. Let’s start with a provocative statement: The only risk that matters (much) is one that will have a notable effect on achieving enterprise objectives. Do you worry about traffic congestion on ..read more
When we are to blame for a business risk
Norman Marks on Governance, Risk Management, and Audit
by Norman Marks
1M ago
Sometimes, auditors are responsible for a serious risk continuing. At Business Objects, I attended an audit committee (I was the VP, Internal Audit) when the two EY partners reported that their testing of internal controls had identified a serious weakness. They believed it was a “significant deficiency”, less severe than a material weakness that would ..read more
