Posts Tagged ‘audit’

The winding rivers of risk management

July 11, 2012

In the novel Time and Again, Jack Finney writes about Einstein’s theory of time travel this way: “we’re mistaken in our conception of what the past, present, and future really are. We think the past is gone, the future hasn’t happened, and that only the present exists. Because the present is all we can see. It’s only natural. (Einstein) said we’re like people in a boat without oars drifting along a winding river. Around us we see only the present. We can’t see the past, back in the bends and curves behind us. But, it’s there.” Since risk…

The Night’s Watch and the Wall of risk management

January 20, 2012

In the series A Song of Ice and Fire, which begins with the book A Game of Thrones by George RR Martin, we are introduced to the Wall and the Night’s Watch. The Wall is an immense fortification on the northern border of the Seven Kingdoms that defends the realm from “what lies North of the wall”. It was created over 8000 years ago and measures 300 miles in length and 700 feet in height. The protectors of the Wall are a military order clad in black known as the Night’s Watch and they are as old as the…

The iPhone 4S of enterprise risk management

January 18, 2012

Last year Apple released the iPhone 4S and critics pointed out it was pretty much the iPhone 4 with a big-s glued on. Although there were some minor improvements from the iPhone 4, overall it was pretty much the same phone. After reading the ERM white paper “Black Swans Turn Grey” from PwC, it made me think that all the authors have done is glue a big-s to existing ERM frameworks. While they try to make it sound like they are proposing a new risk management approach, in fact this paper reads more like an indictment of the people…

When treating a risk creates another risk and so on and so on

June 21, 2011

Sometimes in an effort to treat an issue, we generate a different risk or increase an existing one in the process. Many of us can relate to when the internal auditors come in, look at existing processes and weak controls and “strongly suggest” that management fix the problem. Quickly. Management’s solution is often a series of manual processes and spreadsheet-generated reports plus workarounds that mitigate the initial risk (but more importantly close the outstanding audit point!) while creating countless more process waste and operational risks. Here’s a real example from history from the book At Home by Bill Bryson…

Leech shares his thoughts on the Board oversight of risk

December 18, 2009

Please have a read of what Tim Leech has to say about the SEC’s new enhanced proxy disclosure requirements and new rules around the Board oversight of risk, in his IIA blog found here: http://www.theiia.org/blogs/leech/index.cfm/post/New%20U.S.%20Disclosures%20-%20Board%20Oversight%20of%20Risk. He notes that while you will benefit by reading this document, it is not recommended for fireplace reading during the holidays.

Internal audit is not risk management even in New Zealand

November 19, 2009

Keeping with today’s theme “internal auditors are not risk managers”, here’s something I quite enjoyed courtesy of a report from Marsh in New Zealand called The 2008 State Sector Risk Management Practices Report. On page 17 it reads: Internal Auditors play an important role in evaluating the risk management processes of an organisation and advocating their continued improvement. However, to preserve its organisational independence and objective judgement, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function. Internal auditors typically perform an annual risk…

Internal auditors get my goat

November 19, 2009

Here’s one of those articles that would get my goat if I owned a goat. It’s the typical rah-rah article about how wonderful ERM is and everyone should be doing it. (I am always a proponent of those.) But the fact that it was published at a site called WebCPA should have tipped me off that I was going to be short one goat by the time I was finished. After the author quotes the requisite parts from the COSO ERM framework – thus illustrating that she can copy and paste from the COSO ERM framework – she recites a…

Spreadsheet risks (a comedy of errors)

September 8, 2009

Here is a pretty good read by Forrester called “Controls to Mitigate Spreadsheet Risk” about the risks inherent in using spreadsheets; it includes a list of common spreadsheet risks including these: Lack of audit trail; Poor security and access controls; History of errors and fraud. Many of these are root causes of downstream outcomes like financial loss, legal issues, loss of reputation, loss of stock price, fines and penalties and of course, job losses. To the auditors in the room, there is a list of recommended controls to mitigate the risk which might tickle your fancy. But are spreadsheets only to…

Risk Management is not Internal Audit

August 25, 2009

Risk management is looking forward

Risk management is when you are driving your car on a foggy night and you cannot see more than 10 feet in front of you – there may be something out there: perhaps a deer, another vehicle or a zombie hitchhiking. But you don’t know when or if you will collide with any or all of them. By simply identifying that an animal, truck or undead creature may be there, you alter your behavior and proactively treat the risk (e.g., slow down, turn off the radio or ask kids to be quiet). You are…
