Norman Marks on Governance, Risk Management, and Internal Audit

Thought leadership on risk, internal audit, and governance from a former CAE/CRO.

Should We Quantify Every Risk?
News, Mar 16, 2026

Norman Marks argues that not every risk needs a precise numerical value, but quantification becomes essential when risk acceptability is unclear. He emphasizes that risk is a distribution of outcomes and that both upside and downside should be measured to...

By Norman Marks on Governance, Risk Management, and Internal Audit
If I Was Appointed CRO Today
News, Mar 10, 2026

Norman Marks outlines a pragmatic onboarding plan for a first‑time chief risk officer. He emphasizes a listening tour to grasp the organization’s culture, decision‑making processes, regulatory mandates, and existing risk infrastructure. The approach prioritizes swift regulatory compliance using minimal resources,...

By Norman Marks on Governance, Risk Management, and Internal Audit
We Need Fair and Balanced Audit Reports
News, Mar 6, 2026

Norman Marks argues that audit reports must be more than accurate; they need to be fair and balanced to preserve credibility with management and boards. He recounts an IT audit at a large financial institution where the report highlighted security...

By Norman Marks on Governance, Risk Management, and Internal Audit
Can We Use AI for ICFR and SOX?
News, Feb 26, 2026

AI can be leveraged to automate and enhance internal controls over financial reporting (ICFR) and SOX compliance, especially through agentic AI that creates documentation, scans evidence, and tests controls. However, compliance officers must ensure that AI testing validates control design,...

By Norman Marks on Governance, Risk Management, and Internal Audit
The Auditor as an Evangelist for AI
News, Feb 11, 2026

Internal auditors are expanding beyond traditional assurance to become AI evangelists, guiding organizations on responsible AI deployment. The article highlights how auditors historically added value by introducing tools and best practices, and now they can apply the same mindset to...

By Norman Marks on Governance, Risk Management, and Internal Audit
Let’s Review the IIA’s Guidance on Communicating Audit Results
News, Feb 9, 2026

The Institute of Internal Auditors (IIA) released a new Global Practice Guide on communicating audit results, updating the 2009 guide. The author praises the emphasis on stakeholder needs but criticizes the guide’s requirement to conclude on governance, risk management, and...

By Norman Marks on Governance, Risk Management, and Internal Audit
Risk and Decision-Making
News, Feb 5, 2026

The discussion sparked by Alex Sidorenko’s LinkedIn post, echoed by Norman Marks, urges risk professionals to shift from static top‑risk lists to decision‑focused questioning. By centering on the uncertainties that could alter a choice, risk assessment becomes a tool for...

By Norman Marks on Governance, Risk Management, and Internal Audit
Some Internal Audit Wisdom
News, Jan 26, 2026

The article highlights a growing call for internal audit to evolve from static, quarterly reviews to continuous, risk‑focused assurance. Leaders at Pinterest and consultancy SIA argue that agile audit roadmaps and real‑time data collection better support fast‑moving businesses. Conversely, the...

By Norman Marks on Governance, Risk Management, and Internal Audit
Important Risk Meetings
News, Jan 19, 2026

Norman Marks argues that the most critical risk meetings are the everyday decision‑making gatherings, not formal risk‑officer briefings. He cites procurement, hiring, and national‑security deliberations as examples where risk is implicitly evaluated. The piece urges organizations to embed risk expertise...

By Norman Marks on Governance, Risk Management, and Internal Audit
Let’s Use AI Effectively in Our Internal Audit Practice
News, Jan 14, 2026

The article argues that internal audit functions should adopt AI not because they risk obsolescence, but because AI can automate low‑value, high‑intensity tasks and free auditors for strategic work. It references AuditBoard and KPMG’s 12 AI use cases, ranging from...

By Norman Marks on Governance, Risk Management, and Internal Audit
Should We Audit Organizational Culture or Behavior?
News, Jan 12, 2026

The IIA’s new Topical Requirement outlines what an organizational‑behavior audit could include, but it does not make such audits mandatory. Norman Marks argues that a standalone audit of culture or behavior is rarely appropriate, recommending instead a risk‑based approach that...

By Norman Marks on Governance, Risk Management, and Internal Audit