Protecting Your Board: Know Your Risks – Law Firms Are Going To Want To Be In This Practice Area

This is a specific practice area that law firms are going to want to be in, and a few are starting – board and executive risk management, audit committees, compliance, and how they tie to other practice areas.

The attached link is to a NACD seminar on risk – I’m not saying you should attend the seminar, I’m just using it as an example that these issues are recognized and aren’t going away:

Dave Tate, Esq.

Updated Audit Committee Self-Evaluation Form

Updated audit committee self-evaluation form: click on the following link, use the form and enjoy.

Audit Committee Self-Evaluation Form David Tate Esq 10302014

Dave Tate, Esq. (San Francisco/California)

Consequences of Falling Behind Cyber Risk Management Standards; Federal Warning Beacons

The steady stream of high-profile data breach incidents we’ve seen over the last few years makes one thing clear—cyber risk is a serious concern for virtually any enterprise.

Click on the following for the article:

Cybersecurity.  All that can be said at this point is that companies, executives, boards, management, employees, and third parties simply have to get in front of all aspects of cybersecurity.  And hacking doesn’t go home at night or on the weekend – this is a 24/7 need.  Dave Tate, CPA, Esq. (San Francisco / California)

5 tips for managing third-party risk | Government Health IT

Data sharing is an unavoidable aspect of business in healthcare. The tricky part is that we can’t completely control the security of our data once it’s in the hands of third-party vendors.

Click on the following link for the article:

A good article, and not just for IT and data sharing.  It is useful for the entity itself and for third-party risk management in general.  Also consider, for example, fraud, FCPA, environmental, etc.  This article doesn’t contain specifics, but it provides a good overall approach and mindset for third-party risk management.  Dave Tate, CPA, Esq.

Tensions rising in bank boardrooms as OSFI’s new rules blur boundaries

Directors are being asked to do more than can be or should be expected of them, insiders say, and that is causing friction with management

Click on the following for the article:

Talking about Canada, but true for the U.S. also.  Historically a director’s oversight responsibilities have been rather lacking in specifics.  But that has been changing, first with the audit committee, then in certain industries such as banking, and more recently in topic areas such as cybersecurity.  Don’t expect it to go back to the historical approach.  Instead, with starts and stops, expect that oversight responsibilities will become more specific as regulators and stakeholders push the perceived need – overall, within specific industries, and within specific topic areas.  The problem for directors and executive officers is what to do, how much to do, how often to do it, and when enough is enough, particularly when actions are mostly viewed or criticized in hindsight after negative unexpected events occur.  And with the risk of risk management, COSO 2013 and other events, it will be interesting to see how not only the regulators but also the outside and internal auditors adjust and react.

Dave Tate, CPA, Esq. (San Francisco / California)

Audit Committee Annual Self-Evaluation Form

My audit committee annual self-evaluation form: click here for the form. Please feel free to use it.

Drop me a note if you have questions or comments, or if you want help with the self-evaluation.

Dave Tate, Esq. (San Francisco / California), Email:

If you want to move “qualitative” assurance and evaluation forward – disclose criteria – governance, ethics, risk management, etc.

Simple and short. Outside independent auditors, internal audit, and people who are interested in governance, ethics, risk management and other “qualitative” or “partially qualitative” issues – disclose the criteria that you are using or expecting to use to audit or evaluate those areas, and by doing so you will move the subject matter forward with transparency. If you want people to satisfy a standard, don’t you need to tell them the criteria?  In these areas the primary objective is for people to satisfy the criteria, not to catch them for failure to satisfy them, isn’t it? There is no need to be secret in these areas.  Perhaps the problem is that there might not be generally accepted criteria.  If not, after all these years, why not?  It takes leadership, vision and strategy.

Dave Tate, Esq. (San Francisco / California),

Ex-Employees Say Home Depot Left Data Vulnerable – Cybersecurity, Boards, Risk Management & Internal Controls

Before a major data breach, Home Depot was slow to raise its defenses against hackers despite alarms from security experts as far back as 2008.

Source: click here for article in NY Times

A negative article about Home Depot’s data breach, to be sure.  But the article is obviously incomplete and does not provide Home Depot’s viewpoint or timeline about the cybersecurity actions that it had been taking.

Cybersecurity and the new efforts and developments by hackers are rapidly changing areas.  The relevant time period for Home Depot is probably mid- to late-2013 to the present.  See my prior August 31, 2014 risk management and NIST Cybersecurity Framework blog post CLICK HERE, and my September 13, 2014 blog post CLICK HERE re the COSO 2013 framework and the 20-step risk management process.  Curious: how would the outside independent auditor handle these risks under the COSO 2013 framework?

The article does indicate that Home Depot hired a computer engineer to oversee security as early as 2012, brought in additional experts in January 2014, and started encryption in April 2014 which wasn’t complete until last week.

A few comments from current or past employees don’t establish anything.  Undoubtedly we will be getting additional information shortly.  Home Depot certainly faces liability exposure, but how much we cannot determine, and a possible loss of store sales, but again how much we cannot determine.

Should executive officers or board or audit or risk committee members be ousted?  Will proxy consultants recommend ouster?  As you know from my prior posts re Target and GM – certainly not as a knee-jerk reaction.

Obviously the most pressing actions needed are remedial: making sure the right people with expertise, experience and authorization are in place so that other breaches, if any, and security inadequacies are identified and eliminated, and so that Home Depot is able to affirm to the buying public that it is safe to shop at Home Depot.

Presumably the board will have an independent investigation performed.  Although the full examination and recommendations will take time, it shouldn’t be too difficult to have the initial interviews completed quickly (30 days?) to determine which, if any, position changes and authorizations should be immediately made or enhanced in Home Depot’s cybersecurity processes.

More to follow.

Dave Tate, CPA, Esq. (San Francisco / California)

The NLRB sends a clear message to employers — think twice before striking back at employee social media comments

A recent decision by the NLRB provides important guidance as to when social media commentary is protected under the National Labor Relations Act and how far it must go before it can be deemed to lose the protection of the Act.

Source: click here for article

An important NLRB decision re employee use of social media.  All part of risk management.  Enjoy. Dave Tate (San Francisco / California)

Gearing-Up with COSO 2013 Internal Control Framework and Principles

As companies, directors (audit and risk committees), internal audit and independent auditors continue to gear up for COSO 2013, I am posting the bullet-point outline below without discussion, primarily for future reference and application. You will note that the COSO 2013 framework remains broad, lacking detail and arguably vague. You can take any category and any principle and ask, “what does that mean,” “what are our responsibilities,” and “at what point have we satisfied our responsibilities?” For example, look at the Risk Assessment category. Methods or processes of risk assessment certainly have already become more involved. See for example my August 31, 2014 blog post discussion about the NIST Cybersecurity Framework click here and my paper outlining 20 risk management process steps

More to follow.  Dave Tate, CPA, Esq. (San Francisco / California)

COSO 2013 Internal Control Framework & Sarbanes-Oxley Act (SOX) Section 404

Three Categories of Objectives:

The Five Integrated Components of Internal Control and Their 17 Principles:

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

* * * * * * *