Internal auditors are one of the controls to identify and manage risk. But are they the first line?
“CFOs Rally Their Risk Busters,” The Wall Street Journal, June 23, 2015 B6. Tight market for internal auditors.
Agree that internal auditors are used to identify where corporate control systems might need fixes. But can they also identify where rules and processes are not being followed? Isn’t such a check a necessary (but not sufficient) step to achieving compliance with law and with company policy? Is this uniquely a CFO concern?
What type of information access problems do you worry about, and what consequences do you imagine?
“Thousands Stranded as Visa Glitch Continues,” The Wall Street Journal, June 20, 2015 A3. A computer problem at the State Department has stopped the processing of US visas, stranding travelers and fruit pickers.
What happens to your processes if the computers go out? Can you get to your information?
Thank goodness it’s not your health information or your tax stuff. Those are safe. And your payroll data.
Absolute words, such as never, none, always, all, and every, are common targets in business writing courses. Watch when you use them, as they admit no (not few) exceptions.
“‘Unlimited’ Plan Draws $100 Million Fine for AT&T,” The Wall Street Journal, June 18, 2015 A1. AT&T fined after it is disclosed that AT&T limited data rates of “unlimited” data plans above 5 gigs.
Do you consider “limits on content” as within the scope of information governance? Who in your organization is responsible for the words your corporation uses in its communications, both internal and external? Is content control on your agenda? Hint: it’s not IT or records managers.
Low-level employees of your organization hack into the computer of a competitor, using an old password or variation. Boys will be boys? Let the FBI sort it out.
“FBI Is Looking Into Foul Play,” The Wall Street Journal, June 17, 2015 A3. St. Louis Cardinals being investigated by the FBI for hacking of Houston Astros’ database, using a permutation of an old password. Ah, America’s pastime.
What does this say about the culture of the Cardinals management that either allowed this or didn’t catch it? What does it say about allowing users to set and manage their own passwords?
HR departments generate a lot of tools to assess the workforce. Are these tools any good?
“Are Companies Any Good at Picking Stars?,” The Wall Street Journal, June 17, 2015 B7. Lots of data and analytic tools don’t do that well at locating high-potential employees.
So you have the data. And analytics. But is the analysis worth anything? Does that make the information worthless? Or just the analytics?
It’s always good to pay out billions of dollars without verifying that the numbers are right. I guess we can all figure it out later. It’s not like it was your money.
“U.S. Pay To Insurers Still Lacks Verification,” The Wall Street Journal, June 16, 2015 A4. Report says that the Government didn’t have a handle on the $2.8 billion it paid to insurers from January 2014 through April 2014, and things haven’t gotten much better since. The system doesn’t verify on a per-person basis how much is owed to whom.
Does your business verify that it owes the money before it pays the money?
Is this governance, or the absence thereof?
Governance requires determining what the applicable requirements are. So what rules apply to the Internet, and who decides disputes?
“Google Is Pressed On Right to ‘Forget,’” The Wall Street Journal, June 13, 2015 B10. France orders Google to delete links outside of France, taking the position that the right to be forgotten means France has the right to control Google’s activity world-wide.
What rules apply and who decides? Did Google agree to apply European law to Google’s international operations by registering domains in Europe? How do you govern if the governee doesn’t agree? To whom does one appeal?
Yes, what’s printed on the package is correct, but the package hasn’t changed. Can you increase the price by 25%?
“Same Package, Same Price, Less Product,” The Wall Street Journal, June 12, 2015 B1. Package doesn’t change, but the effective price increase is huge.
What a great way to cheat without really cheating. Is your package part of your information?
I can’t believe that fudging the accounts at a major law firm results in only five months in jail for an accountant.
“New Testimony Shows Dewey’s Financial Strains,” The Wall Street Journal, June 11, 2015 B2. Accountant admits to fudging figures by $25 million. To serve five months in jail. More to follow. This was in 2009, years before Dewey’s collapse.
What happens when your gatekeepers are fudging the numbers? Wasn’t this what happened at Enron? What was the culture that allowed this to continue?
It’s not the first time that the press release got out ahead of the facts. Target is a repeat offender.
“Target Puts A Release On Website By Mistake,” The Wall Street Journal, June 10, 2015 B3. Premature release of report on earnings. Similar to a release in the spring, which Target let go too soon.
At least it’s not the SEC.
How well do you manage and control the release of important information? If you make a mistake one time, do you improve your processes? Or do you just not care?