In the past, auditors were famous for finding problems. They audited a process, business unit, or location and found “weaknesses” in internal control. These were then prioritized based on the auditors’ assessment of the risk they represented.
These days, leading internal audit teams are moving from this idea of auditing controls, sometimes called controls assurance, to auditing whether management’s processes, systems, and organization (which include controls) provide reasonable assurance that risks are at acceptable levels.
They are moving from controls assurance to risk assurance.
They are also moving from auditing the past (hindsight) to providing insight on current activities and …
I was sitting in my backyard yesterday, which overlooks a golf course in Anthem, Arizona, and my mind was wandering as I thought about the topic for my next blog. Just for the fun of it, I thought about some key aspects of golf that might be applicable to governance, risk, and compliance. If you are a golfer, you’ve probably heard some of this before—but I’m guessing you’ve never heard this applied to GRC.
Perhaps the US Golf Association (USGA) says it best in an excerpt from The Human Element:
“Golf is …
During a recent breakfast event, I was having a coffee with two security managers who were in charge of business continuity for their organizations: one was from the IT department and the other one was a business operations manager.
The questions our debate revolved around were: Who should be the most significant contributor to business continuity activities, and should continuity management be a separate activity?
Interestingly, we all agreed that we saw more and more business continuity management reaching outside the IT domain, where it historically focused on IT disaster recovery planning and information security, to a more business-process …
My Fictional Day Begins…. By Carla
After I drag myself out of bed and finish my morning ablutions, I sit down with coffee and cereal to read the latest Federal Register followed by Compliance Today and a few industry publications. I make notes as I go of any regulation changes relevant to my job. You see, the company is extremely interested in avoiding compliance risk—and to be honest, it makes my work life miserable.
Oh, pardon me, I should introduce myself. I am Carla Franco, a working manager of a purchasing team within a large global enterprise. I can’t …
A number of years ago, while living near Houston, Texas and working for a major oil company as an audit director, I joined the local volunteer fire department in my community.
As a new member, I was assigned the task of carrying out a fire inspection at our local middle school. I was part of a team that included more highly-trained fellow volunteers.
Auditing Fire Risks
Being an experienced auditor, I was certain I was up to the task. I knew all about controls and I thought that knowledge would come in handy. My plans were to meet up …
Who’s responsible for ensuring that corrective actions to remedy issues identified by internal audit are completed?
Management is responsible for the system of internal control as well as for managing risk. Management is responsible for correcting deficiencies either in controls or in the management of risk, whoever identified them.
So why does internal audit, more often than not, monitor completion of these actions? Why should they be the ones that report progress to the audit committee and executive management?
Internal audit certainly has an interest in seeing these actions taken. Not only does it mean that their recommendations for change …
Often, when looking at historical events and time periods, I try and imagine what it would have been like to live then and to have my perspectives influenced by the opportunities and challenges of the day. What would have been my reactions, for example, to experiencing the Prohibition of the 1920s, to having the Bible made available to the masses, to living under fascism, or to seeing the end of slavery?
Not having lived during those times, it can be easy to make allusions (or casual references) to the difficult and challenging periods as if they simply live in …
Internal auditors have been using analytics (historically called ‘data mining’ or ‘computer-assisted audit techniques’ (CAATS)) to find potential issues for decades.
When I was with Coopers & Lybrand, we used analytics for a variety of audit purposes, including reperforming calculations, sampling transactions for manual auditing, and identifying unusual transactions for further inspection.
When I ran internal audit at Tosco and Solectron, we used analytics to detect millions of dollars of potential duplicate payments; at Solectron, we used analytics and a Benford’s Law routine to identify potential fraud in Suzhou, China; and at Business Objects, analytics helped us search out …
What IS an automotor horse, you may ask, and what does it have to do with governance, risk, and compliance (GRC)? First, let me share a little background.
The automotor horse was an invention credited to M. Emile Langrenne, as described in British Invention. The newly developed automobile, described as “a vehicle in search of a horse,” apparently had caused some sense of loss and discomfort among those who would prefer to keep their existing carriages. Today, we might label these people as change-averse.
Enter the automotor horse, for which a patent was filed. The automotor horse was designed …