Thoughts on ESG Controls & Reporting


I spent several days last week attending the annual user conference for Workiva, maker of audit and risk management software. ESG was all over the agenda, with numerous speakers talking about how to integrate ESG concerns into your annual audit and reporting. I took detailed notes, and my recap is below. First, I was struck…


Fresh Approaches to Cybersecurity Risk


Every regulator and their uncle is climbing aboard the cybersecurity bandwagon these days. Before that bandwagon starts rolling away with itself, however, we might want to ask whether corporate audit and compliance teams, and even the regulators themselves, are going about all this in the wisest way possible. Two recent posts on Radical Compliance capture…


On Wisconsin and Cyber Risks


IT audit professionals looking for a fresh example of cybersecurity risk to study should turn their gaze to Wisconsin. A voter fraud conspiracy theorist there uncovered what is indeed a legitimate risk to election integrity, and his discovery speaks volumes about taking a risk-based approach to design of internal controls. The gadfly in question is…


Pointers on Preventing Ransomware


Among the many interesting discussions I heard at the Institute of Internal Auditors’ global conference this week, one particularly compelling session was about ransomware: how attackers try to foist it upon companies, and the internal controls you could implement to keep such attacks at bay. Since ransomware risk is going nowhere but up these days,…


Dispatches From IIA Conference


The Institute of Internal Auditors held its global annual conference this week in Chicago, drawing together more than 1,700 audit professionals for its first in-person conference since 2019 to talk about internal controls, audit reports, working with boards, and lots more. Yours truly was on the scene, and I’ve pulled together some dispatches from social…


Some Thoughts on IT Workforce Risks

Looking for another reason to worry about the long-term success of your compliance, audit, or risk management efforts? Fear not! A recent report on workforce development in cybersecurity paints a stark picture of just how challenging it is these days to build and maintain a good team. The report comes from ISACA, the professional association…


Citigroup Internal Audit Hiring Spree


Citigroup announced today that it plans to hire at least 100 additional internal auditors next year, one of the largest single hiring sprees we’ve seen in the field in years. If any audit professionals out there like the banking sector and want a change of pace, here’s your big chance. Citi already has more than…


Grappling With Artificial Intelligence


Later this week I’ll have the privilege to moderate a panel discussion on artificial intelligence at the Society of Corporate Compliance & Ethics’ 2021 conference — and as fate would have it, COSO published guidance last week on the risk management challenges around AI. So let’s dig into the subject, since clearly the universe is…


Portrait of Internal Audit Teams, Squeezed


We have two new reports this week on the predicament of internal audit functions, trapped between the need to provide better risk analysis during the pandemic and corporate overlords a bit less than willing to fund your need for better technologies. The first report came from research firm Gartner on Wednesday, and found that for…


A Tale: Audit vs. Compliance

My phone rang the other day; it was the U.S. compliance officer at a large global business whom I know quite well. “Hey,” he said, “you know the statistic that more than half of internal audit people have felt pressure to cover up awkward findings in their work? I have a complaint about that.” I…
