Archive for the ‘Daily News’ Category
Posted on August 31st, 2010 by Katina
Happy End of Summer, everybody! We thought we’d kick things off today with a little data privacy discussion. There have been several high-profile data privacy breaches in recent years – both the large-scale oops-we-accidentally-shared-your-Social-Security-numbers kind and smaller-scale episodes that happen when a laptop is lost or stolen or a rogue employee gets nosy. (By the way, if you are data privacy freaks like we are, eat your heart out at PrivacyRights.org’s chronological listing of data privacy breaches).
We aren’t keeping nearly so official a tally ourselves, but between cellphone records, passport files and now student loan records, President Obama’s privacy is getting breached all over the place.
Here’s the thing. The breaches are all coming from companies who have a duty to protect the personal information they collect. And the consequences for failing to do so can be very steep. Yet another reason why considering risks related to data privacy is a crucial part of assessing a business’s overall risk exposure. Got that?
Speaking of risks, fraud is a biggie. One of the biggest, actually. We just happen to have some new information on how big, courtesy of a survey we conducted in our recent webcast on How To Detect and Prevent Fraud Using CCM (handily archived online, should you wish to check it out).
Nearly 80% of those on the webcast reported that their organization has experienced fraud or conducted a fraud investigation in the past two years, and just over 70% reported that they have updated controls or their controls testing approach in the past 12 months to better address fraud.
What are you doing in your organization to protect against fraud? Weigh in in the comments with suggestions, tips and lessons learned, why don’t you?
Posted on August 27th, 2010 by Katina
We’ve talked a bit before about what the Foreign Corrupt Practices Act (FCPA) means for businesses in terms of compliance demands and reporting requirements (and we’ve linked before to InfoSecIsland, which has been following this closely). Their latest, a piece by Michael Volkov, is well worth the read – a look at why reactive plans around FCPA aren’t going to satisfy the DOJ, should it come digging around with FCPA concerns on its mind. A far better plan, Volkov points out, would be a continuous controls monitoring system that can demonstrate a company’s commitment from the outset to FCPA compliance.
As he explains:
“Continuous controls monitoring programs are a powerful tool to assist companies in their ongoing FCPA compliance program.
More specifically,
- Continuous controls can lower audit costs by eliminating manual sampling.
- Continuous controls monitoring can improve financial governance by increasing the reliability of transactional controls and the effectiveness of anti-corruption controls.
- Continuous controls monitoring can improve actual operational performance by monitoring key financial processes.
- Continuous controls monitoring can be used to verify the pre-employment background check performed on an employee; the quality of the FCPA compliance training an employee receives after hire and then to review and record an employee’s annual acknowledgement of FCPA compliance.
There is no question that proactive compliance strategies are a must but now more and more companies are employing continuous monitoring techniques as they seek to avoid the attention of enforcement agencies and any FCPA issues.”
Well said. Seriously.
In other CCM news, we came across an interesting blog post from Corporate Compliance Insights that does a great job of talking about the power of CCM to drive business performance beyond compliance and governance concerns – to increase efficiency and help the bottom line. How about you check it out, and then weigh in in the comments on your own CCM experiences?
Posted on August 26th, 2010 by Katina
We’ve talked a good bit lately about risk. Okay, more than a good bit. But we stand behind that focus, because seriously, risk is tremendously important for businesses to assess, account for and mitigate.
But the big news today has to do with how companies assess risks related to the audit process – and then account for it for their shareholders. Tammy Whitehouse at Compliance Week has the must-read on the PCAOB’s proposed standards, which still need SEC approval before becoming the law of the land.
As she explains,
“The eight standards (Auditing Standards No. 8 through 15) try to take a comprehensive view of “audit risk”—the chance that auditors might miss some weakness in the client’s financial statements. They address everything from defining audit risk to outlining an auditor’s responsibility to consider it to considering materiality while performing an audit to evaluating audit evidence with risk in mind and much more.”
The biggest changes coming?
“Clarence Ebersole, a partner with Crowe Horwath, says the standards contain some other changes worth noting: a new emphasis on assessing the risk of fraud; a greater focus on how auditors should perform “walkthroughs” as part of the audit process, where auditors walk through a process or a transaction to better understand how internal controls are operating; and a greater focus on testing controls in a current year rather than testing controls on a rotational basis.”
The good news is that several industry followers are saying that many companies are already accounting for most of the risks being laid out here – meaning that the proposed guidance will mean much more in terms of risk documentation than in terms of the way audits are being conducted. Since documenting processes is generally a good bit less expensive than having to overhaul them, this is probably a good thing. Still, perhaps now might be a good time to remind everyone how much help automated controls can lend in documenting things like this?
In not-really-related but we-couldn’t-really-help-ourselves news, you know all the previews for The Other Guys? Totally burying the lede! As far as we know, not one has yet highlighted what is by FAR the most outstanding part of that movie (sorry, Samuel Jackson, The Rock, Will Ferrell and Mark Wahlberg). Will Ferrell’s character? A forensic accountant! Who breaks his case wide open not by cracking skulls, but by going over financial records and SEC filings. You can practically smell the 10-Ks. Our people!
Posted on August 23rd, 2010 by Katina
You know we at Audit Trail love to have fun. But the latest from Gartner’s French Caldwell, who knows governance, risk and compliance as well as just about anyone, is no joke.
In a post on the five characteristics of good enterprise risk management, he (succinctly) makes several points worth remembering. We’ve said much the same thing ourselves – that single point-in-time snapshots of risk (or transactions or the general ledger or any critical business function, for that matter) cannot compare in value to ongoing risk monitoring across an operation.
Here are his five characteristics of a good risk management program, unabridged:
1. Risks are derived from business goals and objectives
2. A framework guides a common approach across the enterprise
3. Risks, including IT risks, are communicated in terms of their impact on the business
4. There is operational support for risk management and accountable ownership of risks
5. There is a business process approach to risk management technology
We couldn’t agree more. Regulations such as the new proxy disclosure rules that went into effect at the beginning of this year are forcing boards not only to take risk seriously but to publicly disclose what they are doing about it. Annual risk assessments are simply not enough, and Caldwell’s advice to make risk management an ongoing, integrated part of day-to-day business processes makes a lot of sense. The sooner organizations come to understand risk as something impacting organizations across functions, rather than the sole purview of the risk specialists in the C-suite and the odd control freak, the better for all of us.