Excellent Insights From a New Risk Survey
Gartner’s Quarterly Emerging Risk Report surveyed 337 ERM leaders and senior executives, revealing a shift toward technology‑driven threats. The top five emerging risks for Q1 2026 include information‑integrity risk, US‑policy‑induced investment uncertainty, heightened financial exposure from disasters, agentic AI, and an AI workforce preparedness gap. Gartner highlights that AI‑related risks now dominate the risk agenda, reflecting growing concerns about data quality, autonomous systems, and skill shortages. The findings suggest CROs must broaden their risk frameworks beyond traditional hazards to address rapid AI adoption and volatile policy environments.
New COSO ERM Guidance
COSO released its 2026 paper “From Guidance to Action: Exploring Practical Enterprise Risk Management,” urging firms to shift ERM from a static list of risks to a decision‑focused capability. The guidance stresses embedding risk signals into planning, investment and delivery...
Quantifying Cyber Risk
The article argues that cyber risk must be quantified to answer concrete business questions, not merely to produce abstract loss figures like $420 million. It stresses that quantification should start with the adverse impact on enterprise objectives and use scenario‑based ranges...
Considering Fraud Risk and Appetite
The article argues that fraud risk appetite is rarely expressed in pure monetary terms; instead, firms rely on percentages, trends, and cost‑benefit analysis. It cites three real‑world cases—a head‑of‑sales whose fraud was tolerated for revenue reasons, a convenience‑store chain that...
Should We Quantify Every Risk?
Norman Marks argues that not every risk needs a precise numerical value, but quantification becomes essential when risk acceptability is unclear. He emphasizes that risk is a distribution of outcomes and that both upside and downside should be measured to...
If I Was Appointed CRO Today
Norman Marks outlines a pragmatic onboarding plan for a first‑time chief risk officer. He emphasizes a listening tour to grasp the organization’s culture, decision‑making processes, regulatory mandates, and existing risk infrastructure. The approach prioritizes swift regulatory compliance using minimal resources,...
We Need Fair and Balanced Audit Reports
Norman Marks argues that audit reports must be more than accurate; they need to be fair and balanced to preserve credibility with management and boards. He recounts an IT audit at a large financial institution where the report highlighted security...
Can We Use AI for ICFR and SOX?
AI can be leveraged to automate and enhance internal controls over financial reporting (ICFR) and SOX compliance, especially through agentic AI that creates documentation, scans evidence, and tests controls. However, compliance officers must ensure that AI testing validates control design,...
The Auditor as an Evangelist for AI
Internal auditors are expanding beyond traditional assurance to become AI evangelists, guiding organizations on responsible AI deployment. The article highlights how auditors historically added value by introducing tools and best practices, and now they can apply the same mindset to...
Let’s Review the IIA’s Guidance on Communicating Audit Results
The Institute of Internal Auditors (IIA) released a new Global Practice Guide on communicating audit results, updating the 2009 guide. The author praises the emphasis on stakeholder needs but criticizes the guide’s requirement to conclude on governance, risk management, and...
Risk and Decision-Making
The discussion sparked by Alex Sidorenko’s LinkedIn post, echoed by Norman Marks, urges risk professionals to shift from static top‑risk lists to decision‑focused questioning. By centering on the uncertainties that could alter a choice, risk assessment becomes a tool for...
Some Internal Audit Wisdom
The article highlights a growing call for internal audit to evolve from static, quarterly reviews to continuous, risk‑focused assurance. Leaders at Pinterest and consultancy SIA argue that agile audit roadmaps and real‑time data collection better support fast‑moving businesses. Conversely, the...
Important Risk Meetings
Norman Marks argues that the most critical risk meetings are the everyday decision‑making gatherings, not formal risk‑officer briefings. He cites procurement, hiring, and national‑security deliberations as examples where risk is implicitly evaluated. The piece urges organizations to embed risk expertise...
Let’s Use AI Effectively in Our Internal Audit Practice
The article argues that internal audit functions should adopt AI not because they risk obsolescence, but because AI can automate low‑value, high‑intensity tasks and free auditors for strategic work. It references AuditBoard and KPMG’s 12 AI use cases, ranging from...
Should We Audit Organizational Culture or Behavior?
The IIA’s new Topical Requirement outlines what an organizational‑behavior audit could include, but it does not make such audits mandatory. Norman Marks argues that a standalone audit of culture or behavior is rarely appropriate, recommending instead a risk‑based approach that...