Internal auditors are one of the controls to identify and manage risk. But are they the first line?
“CFOs Rally Their Risk Busters,” The Wall Street Journal, June 23, 2015 B6. Tight market for internal auditors.
Agree that internal auditors are used to identify where corporate control systems might need fixes. But can they also identify where rules and processes are not being followed? Isn’t such a check a necessary (but not sufficient) step to achieving compliance with law and with company policy? Is this uniquely a CFO concern?
Filed under Board, Business Case, Compliance, Compliance Verification, Controls, Culture, Duty of Care, Governance, Internal controls, Management, Oversight, Risk
What type of information access problems do you worry about, and what consequences do you imagine?
“Thousands Stranded as Visa Glitch Continues,” The Wall Street Journal, June 20, 2015 A3. A computer problem at the State Department has stopped the processing of US visas, stranding travelers and fruit pickers.
What happens to your processes if the computers go out? Can you get to your information?
Thank goodness it’s not your health information or your tax stuff. Those are safe. And your payroll data.
Filed under Access, Board, Business Case, Duty of Care, Governance, Interconnections, IT, Management, Oversight, Protect assets, Protect information assets, Risk, Use
Absolute words, such as never, none, always, all, and every, are common targets in business writing courses. Watch when you use them, as they admit no (not few) exceptions.
“‘Unlimited’ Plan Draws $100 Million Fine for AT&T,” The Wall Street Journal, June 18, 2015 A1. AT&T fined after it is disclosed that AT&T limited data rates of “unlimited” data plans above 5 gigs.
Do you consider “limits on content” as within the scope of information governance? Who in your organization is responsible for the words your corporation uses in its communications, both internal and external? Is content control on your agenda? Hint: it’s not IT or records managers.
Filed under Business Case, Communications, Compliance, Content, Controls, Definition, Duty of Care, Governance, Information, Internal controls, Legal, Management, Oversight, Policy, Risk, Use
Low-level employees of your organization hack into the computer of a competitor, using an old password or variation. Boys will be boys? Let the FBI sort it out.
“FBI Is Looking Into Foul Play,” The Wall Street Journal, June 17, 2015 A3. St. Louis Cardinals being investigated by the FBI for hacking of Houston Astros’ database, using a permutation of an old password. Ah, America’s pastime.
What does this say about the culture of the Cardinals management that either allowed this or didn’t catch it? What does it say about allowing users to set and manage their own passwords?
Filed under Access, Board, Business Case, Collect, Compliance, Compliance Verification, Controls, Culture, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk, Security, Value
HR departments generate a lot of tools to assess the workforce. Are these tools any good?
“Are Companies Any Good at Picking Stars?,” The Wall Street Journal, June 17, 2015 B7. Lots of data and analytic tools don’t do that well at locating high-potential employees.
So you have the data. And analytics. But is the analysis worth anything? Does that make the information worthless? Or just the analytics?
It’s always good to pay out billions of dollars without verifying that the numbers are right. I guess we can all figure it out later. It’s not like it was your money.
“U.S. Pay To Insurers Still Lacks Verification,” The Wall Street Journal, June 16, 2015 A4. Report says that the Government didn’t have a handle on the $2.8 billion it paid to insurers from January 2014 through April 2014, and things haven’t gotten much better since. The system doesn’t verify on a per-person basis how much is owed to whom.
Does your business verify that it owes the money before it pays the money?
Is this governance, or the absence thereof?
Filed under Board, Business Case, Controls, Duty of Care, Governance, Information, Internal controls, Oversight, Protect assets, Risk, Value
Governance requires determining what the applicable requirements are. So what rules apply to the Internet, and who decides disputes?
“Google Is Pressed On Right to ‘Forget,’” The Wall Street Journal, June 13, 2015 B10. France orders Google to delete links outside of France, taking the position that the right to be forgotten means France has the right to control Google’s activity world-wide.
What rules apply and who decides? Did Google agree to apply European law to Google’s international operations by registering domains in Europe? How do you govern if the governee doesn’t agree? To whom does one appeal?