Who’s responsible for ensuring that corrective actions to remedy issues identified by internal audit are completed?
Management is responsible for the system of internal control as well as for managing risk. Management is responsible for correcting deficiencies either in controls or in the management of risk, whoever identified them.
So why does internal audit, more often than not, monitor completion of these actions? Why should they be the ones that report progress to the audit committee and executive management?
Internal audit certainly has an interest in seeing these actions taken. Not only does it mean that their recommendations for change …
In my last blog of this series, I discussed the value of data analytics to help organizations provide greater assurance over data integrity. I used the example of an insurance company, which was able to use data analytics to more accurately identify potential fraud prior to claim payment.
But just consider the data sources here. For this analysis to be accurate, it will involve more than just financial records. The age, location, gender, income level, and socio-economic background are just some of the additional factors that, together, can allow more accurate identification of potential fraud in insurance claims.
Over the last month, I’ve been looking at the results of surveys conducted by the Big Four accounting firms regarding internal audit. The messages are pretty consistent—audit departments need to pick up their game. They need to provide more proactive advice to stakeholders. The move from policeman to trusted advisor is requiring broader operational skills within the audit department.
But most importantly, auditors need to leverage technology more effectively. As I discussed in the first blog of this series, mobile-enabled audit management products provide an important opportunity to make the process of managing an audit more efficient. …
For many people, risk management helps companies make sure that their compliance risks are monitored and that they have controls in place to take care of them.
Personally, I strongly believe that risk management is much more than that – it helps companies really steer their business, avoid roadblocks, seize opportunities, and react appropriately.
Key Risk Indicators (KRIs) are indicators of the possibility of a future adverse impact on the organization. They serve as an early warning system to the stakeholders and enable preventive action to be taken directly on the risks and opportunities flagged.
In that sense, they …
It seems that almost every day I read blogs or articles in professional journals lamenting the fact that business executives aren’t supporting risk management initiatives in their business or not consuming the reports and conclusions of their risk management professionals.
In addition, we see evidence regularly in the press that risk management is failing and that catastrophic and harmful losses persist. There’s a reason for this. Risk management practices embrace beliefs and methodologies that create “apparently” profound reports—but instead it’s ponderous and essentially useless information. It results in inert, albeit attention grabbing, charts and graphs.
I call them dead …
Please select the best answer:
1. A flight attendant in a commercial airliner notices smoke coming from the stove in the rear galley. He is trained to:
a. Immediately contact the pilot and report a “material weakness” in the smoke detection system.
b. Immediately contact the pilot and report smoke coming from the stove in the galley.
2. You are awoken in your home in the middle of the night by the sound of intruders. You should:
a. Immediately call the police and report a “key risk indicator.”
b. Immediately …
A Better Way to Classify Risks
There’s nothing new about classifying risks by category – strategic risk, operational risk, and so on. But I’m suggesting the strategy for managing risks is dramatically different for each section of the quadrant. And we make mistakes when we use a response strategy that doesn’t match the risk type.
In my previous blogs, I illustrated the GRC Strategy Quadrant, which classifies risks based on the risk “appetite” of the business and the perceived risk level, and I explained Type A, Type B and Type C …
Time and again I hear that risk management is seen as something that is required by the regulators, perhaps by the board or top management, but is not seen as something that helps individual managers succeed.
Time and again I hear that boards are not receiving the information they need to know whether the risks to the organization’s strategies are managed appropriately.
Time and again I hear of organizations that are satisfied (i.e., complacent) with the periodic management of a list of significant risks — as if risks are somehow less dynamic than the business environment.
Time and again I …
A Better Way to Classify Risks
There’s nothing new about classifying risks by category – strategic risk, operational risk, and so on. But I’m suggesting the strategy for managing risks is dramatically different for each quadrant. And we make mistakes when we use a response strategy that doesn’t match the risk type.
In my previous blogs, I illustrated the GRC Strategy Quadrant, which classifies risks based on the risk “appetite” of the business and the perceived risk level, and I explained Type A and Type B Risks in detail.
Today, I’m covering Type C …