AI can be leveraged to automate and enhance internal controls over financial reporting (ICFR) and SOX compliance, especially through agentic AI that creates documentation, scans evidence, and tests controls. However, compliance officers must ensure that AI testing validates control design, competent execution, and consistent operation, not merely data accuracy. Digital evidence is a prerequisite; without it, AI cannot assess whether a control was truly performed. When applied judiciously, AI can identify risks, streamline documentation, and verify personnel qualifications, augmenting but not replacing human judgment.

Internal auditors are expanding beyond traditional assurance to become AI evangelists, guiding organizations on responsible AI deployment. The article highlights how auditors historically added value by introducing tools and best practices, and now they can apply the same mindset to...

The Institute of Internal Auditors (IIA) released a new Global Practice Guide on communicating audit results, updating the 2009 guide. The author praises the emphasis on stakeholder needs but criticizes the guide’s requirement to conclude on governance, risk management, and...

The discussion sparked by Alex Sidorenko’s LinkedIn post, echoed by Norman Marks, urges risk professionals to shift from static top‑risk lists to decision‑focused questioning. By centering on the uncertainties that could alter a choice, risk assessment becomes a tool for...

The article highlights a growing call for internal audit to evolve from static, quarterly reviews to continuous, risk‑focused assurance. Leaders at Pinterest and consultancy SIA argue that agile audit roadmaps and real‑time data collection better support fast‑moving businesses. Conversely, the...

Norman Marks argues that the most critical risk meetings are the everyday decision‑making gatherings, not formal risk‑officer briefings. He cites procurement, hiring, and national‑security deliberations as examples where risk is implicitly evaluated. The piece urges organizations to embed risk expertise...

The article argues that internal audit functions should adopt AI not because they risk obsolescence, but because AI can automate low‑value, high‑intensity tasks and free auditors for strategic work. It references AuditBoard and KPMG’s 12 AI use cases, ranging from...

The IIA’s new Topical Requirement outlines what an organizational‑behavior audit could include, but it does not make such audits mandatory. Norman Marks argues that a standalone audit of culture or behavior is rarely appropriate, recommending instead a risk‑based approach that...