Where are we now? – Audit & Risk

Click on the following link for the article: auditandrisk.org.uk

Internal audit can offer considerable assistance to executive officers, the board and board committees such as audit and risk; however, that assistance is significantly dependent on the structure, charter, agenda and qualifications of the internal audit function, how executive officers and the board use the internal audit function, the manner in which internal audit reports to and communicates with executive officers and the board, and regulatory requirements relating to the internal audit function and how those regulatory requirements are enforced.  I do agree with the article that this is a time of tremendous opportunity for internal audit, but only time will tell.  Whether or not that opportunity is achieved significantly depends on efforts by internal audit professional organizations to get the word out.

Dave Tate, Esq. (San Francisco / California)

Directors Should Communicate with Shareholders

Editor’s Note: John Wilcox is chairman of Sodali and former Head of Corporate Governance at TIAA-CREF. This post is based on a Sodali publication by Mr. Wilcox.

To demonstrate their effectivenes…

Source: Click on the following link for the article: blogs.law.harvard.edu

This is a very difficult topic. If directors communicate with shareholders, which director or directors? Are the communications in violation of securities laws? Does the director know how to handle forward looking communications? Does the director know how to handle communications in general? What if the director says something wrong, or in a manner that was received in a manner that wasn’t intended? What topics should the director address or talk about? Why not just have the CEO discuss the topics? And the list goes on and on. It might be that director communications with shareholders become commonplace or expected, but there are many questions that need to be answered first.

Dave Tate, Esq.

How to Disagree with Auditors: An Auditor’s Guide at Truth to Power – Information Governance Research Community

Auditors are required to tell management when control failures are exposing them to risk. Still, many managers at some point disagree with their auditor’s assessment. Can companies make auditors revise their assessment? And if not, what’s the best way to find common ground in those disparate views?

Source: Click on the following link for the entire article www.t2pa.com

An interesting, brief discussion.

Dave Tate, Esq.

Director Responsibility #8 – Reliance on Other People

From my 2-page overview of director responsibilities:

8. Rely on other people including information provided by other people only if (1) you believe those people are reliable and competent in the areas that they are addressing, (2) your reliance is in good faith, after reasonable inquiry as warranted by the circumstances, and (3) you do not have knowledge that would cause reliance to be unwarranted.

This is a requirement of a director for the business judgment rule defense to be available. A director has to significantly rely on other people for the director to perform his or her function – reliance on outside auditors, on internal auditors, on other directors, on executive officers, etc. As a director goes about performing his or her function, the director will want to evaluate whether it is appropriate to rely on other people. That’s not a negative statement – if there is a question of or uncertainty about reliance, work to improve and justify the reliance.

Dave Tate, CPA, Esq.

Internal Audits of Culture

A very interesting discussion. Again involving the UK, which has moved much more than the US toward evaluation or audit, and board responsibility for oversight of culture, ethics and governance. Will the US follow? I believe so, but these topics have already been discussed and acknowledged as being important for so many years in the US, but without movement. My view: develop criteria to be evaluated, but disclose that criteria so that businesses can work to pass the test without hide-the-ball. After all, the intent is for the business to meet or improve and meet these qualitative standards, isn’t it?

Source: Click here for the discussion – iaonline.theiia.org

Dave Tate, Esq. (San Francisco)

UK – Banking Executives and Directors – Embrace Rules or Quit

It’s not the US, but the push on executives and directors for accountability continues – in UK banking they are told to embrace the new rules or quit.  Click here for article.

Dave Tate, Esq. (San Francisco)

Consequences of Falling Behind Cyber Risk Management Standards; Federal Warning Beacons

The steady stream of high-profile data breach incidents we’ve seen over the last few years makes one thing clear—cyber risk is a serious concern for virtually any enterprise.

Click on the following for the article: www.corporatecomplianceinsights.com

Cybersecurity. All that can be said at this point is that companies, executives, boards, management, employees, and third-parties simply have to get in front of all aspects of cybersecurity. And hacking doesn’t go home at night or on the weekend – this is a 24/7 need.

Dave Tate, CPA, Esq. (San Francisco / California)

Institutional Shareholder Services (ISS) Publishes Results of Annual Global Voting Policy Survey | The National Law Review

On September 29, Institutional Shareholder Services (ISS), a leading proxy advisory firm, published the results of its 2014–2015 global voting policy survey. The survey, which, according to ISS, received more than 370 responses from a combination of institutional investors, corporate issuers and other corporate governance stakeholders, is an important component in ISS’ voting policy formulation process.

Click on the following link for the article: www.natlawreview.com

In part, the article states:

“Risk Oversight/Audit: While a majority of investor respondents indicated that, when evaluating the board’s role in risk oversight, the role of the relevant risk oversight committee, the board’s risk oversight policies and procedures, board oversight action prior to incidents and board oversight after an incident were all “very” or “somewhat” important, the highest percentage (85 percent of investors) indicated that action subsequent to an incident was “very” important.”

Interesting.  Post-incident action rated more important than pre-incident risk management?  I don’t think so.  Important?  Yes.  Very important?  Yes.  More important?  No.

Dave Tate, CPA, Esq. (San Francisco / California)

5 tips for managing third-party risk | Government Health IT

Data sharing is an unavoidable aspect of business in healthcare. The tricky part is that we can’t completely control the security of our data once it’s in the hands of third-party vendors.

Click on the following link for the article: www.govhealthit.com

A good article, not just for IT and data sharing. Good for the entity itself and for third-party risk management in general. Also consider, for example, fraud, FCPA, environmental, etc. This article doesn’t contain specifics, but it provides a good overall approach and mindset for third-party risk management.

Dave Tate, CPA, Esq.

Tensions rising in bank boardrooms as OSFI’s new rules blur boundaries

Directors are being asked to do more than can be or should be expected of them, insiders say, and that is causing friction with management

Click on the following for the article: business.financialpost.com

Talking about Canada, but true for the U.S. also. Historically a director’s oversight responsibilities have been rather lacking in specifics. But that has been changing, first with the audit committee, then in certain industries such as banking, and more recently in topic areas such as cybersecurity. Don’t expect it to go back to the historical approach. Instead, with starts and stops, expect that oversight responsibilities will become more specific as regulators and stakeholders push the perceived need: overall, within specific industries, and within specific topic areas. The problem for directors and executive officers is what to do, how much to do, how often to do it, and when enough is enough, particularly when actions are mostly viewed or criticized in hindsight after negative unexpected events occur. And with the rise of risk management, COSO 2013 and other developments, it will be interesting to see how not only the regulators but also the outside and internal auditors adjust and react.

Dave Tate, CPA, Esq. (San Francisco / California)