Archive for the ‘Daily News’ Category
Posted on August 23rd, 2010 by Katina
You know we at Audit Trail love to have fun. But the latest from Gartner’s French Caldwell, who knows governance, risk and compliance as well as just about anyone, is no joke.
In a post on the five characteristics of good enterprise risk management, he (succinctly) makes several points worth remembering. We’ve said much the same thing ourselves – that single point-in-time snapshots of risk (or transactions or the general ledger or any critical business function, for that matter) cannot compare in value to ongoing risk monitoring across an operation.
Here are his five characteristics of a good risk management program, unabridged:
1. Risks are derived from business goals and objectives
2. A framework guides a common approach across the enterprise
3. Risks, including IT risks, are communicated in terms of their impact on the business
4. There is operational support for risk management and accountable ownership of risks
5. There is a business process approach to risk management technology
We couldn’t agree more. Regulations such as the new proxy disclosure rules that went into effect at the beginning of this year are forcing boards to not only take risk seriously but to publicly disclose what they are doing about it. Annual risk assessments are simply not enough, and Caldwell’s advice to make risk management an ongoing, integrated part of day-to-day business processes makes a lot of sense. The sooner organizations come to understand risk as something impacting organizations across functions, rather than the sole purview of the risk specialists in the C-suite and the odd control freak, the better for all of us.
Posted on August 17th, 2010 by Katina
So, CFO has a kind of alarming/kind of millennial nostalgia-inducing piece up today on a risk we pretty much guarantee that lots of businesses haven’t yet accounted for. It seems that the unique numbers on one kind of interweb protocol dealie (IPv4, for the detail people reading) are running out, so they need a new protocol deal (IPv6, and your guess is as good as ours on why nobody’s talking about IPv5). Only 4 doesn’t really talk to 6, and – you know what, you should probably read the piece for a coherent technical explanation.
The gist is that 2011 is likely to bring some real communications issues for Web sites, and that means companies need to start planning now for how to make sure all their systems are go for a transition, lest they risk outages or inconvenience for customers.
It’s another reminder of just how many risks confront the varied functions of a business every day – and why it’s so vital that the folks in charge of those functions, who we fervently hope are tracking their little fiefdoms carefully, come together regularly to talk about their risks with other stakeholders in their operation. That way they can agree on controls to implement, and just what needs to be monitored, and how to respond if or when something goes haywire.
Speaking of widely varying risks, spending lots of money on basically nothing is a kind of nightmare scenario for any business. Probably even more so if you happen to be operating a city government whose mayor ordered you 7 months ago to get a tight grip on controls and prevent wasteful spending. So finding out that you’ve been spending an unnecessary $2 million in health premiums for deceased former employees has got to be quite a blow. Especially since that is exactly the sort of risk that automated controls help operations to account for.
Posted on August 10th, 2010 by Katina
Whoo boy. CNBC has some pretty disheartening video up this week that illustrates the findings of a recent GAO report that found some 1500 instances of people collecting Social Security disability benefits while continuing to work – and not just in any old job, but in the public sector. Not that working while collecting disability benefits isn’t hugely problematic on its own, but doing so while working for, say, TSA? Wow, that takes some serious chutzpah. And it is NOT cool. The GAO report is being criticized by some for not recommending steps for fixing the problem, so we’re happy to help out. Without pretending to be the experts on government management, how about a good old-fashioned audit that compares disability rolls to, we don’t know, something like tax returns. Wouldn’t that show pretty quickly who’s gaming the system? And, you know, stealing?
It’s such a shame, the two steps forward, one foot back-ness of it all. Seems like yesterday we were singing the praises of Uncle Sam’s super-cool devotion to continuous monitoring at various government institutions, and then we read about totally obvious, totally preventable, completely embarrassing fraud at another.
In an age where automation enables such efficient means of monitoring all kinds of information, there’s really no excuse for stories like these. And in an age of soaring deficits with no real end in sight, letting this kind of thing slip by is something none of us can afford.
Posted on August 5th, 2010 by Melanie
As the thermometer keeps creeping up, we’re sure you, our dear readers, can only think of one thing – isn’t IIA GRC coming up soon? Well, you’re right, it is indeed, and without giving anything away, we have it on good authority that some pretty cool things are going to be happening there. For a preview take a look at some of the key themes from the IIA GAM conference that took place last spring.
But already folks are talking about all things internal audit, and Norman Marks, who is downright prolific on the subject, has got some interesting reading for folks psyching themselves up for Palm Beach. The bits about internal auditors becoming obsolete or irrelevant might be a little hyperbolic, but the importance he cites for embracing technologies that enable top-down risk assessments is spot-on. And he makes a great point, in our humble opinion, on the opportunity waiting for internal auditors to make themselves risk management heroes within their organizations, insisting on bringing varied functions together to identify organizational risks and acting as an advocate to boards and the C-suite for the technologies that can truly transform how a business approaches risk identification and mitigation.
Definitely some food for thought while we bide our time until we’re all together in Florida.