Norman Marks on Audit and Cyber Risks

For obvious reasons, I am normally reluctant to recommend rival websites dedicated to the topic of assurance and risk. But in the case of Norman Marks, I am glad to make an exception… and not just one exception, because Marks writes two excellent blogs.

Marks was a Chief Audit Executive and Chief Risk Officer for a string of big businesses. More importantly, he talks a lot of straightforward sense when others prefer to spout nonsense. Despite being retired, Marks continues to be a thought leader, sharing his wisdom through a blog for the Institute of Internal Auditors (IIA), and also at his personal website about governance, risk management and audit. If you are not already following both, you should be. To give you a taster, this is from a recent blog post that Marks wrote for the IIA:

In a 2014 blog post, I commented that — again, according to surveys of board members and other stakeholders — there is a high level of dissatisfaction with the performance and delivery of value by internal audit.

I heard that again a couple of weeks ago, when at a board directors’ conference an individual asserted that internal audit does not have the competence to assess cyberrisk. Nobody disagreed.

Given the importance of cyber in today’s and tomorrow’s business environment, that is damning.

So, did the director say that internal audit needed to be upgraded, additional resources allocated, or similar? No. She just said they were of no value when it comes to cyber and board members should look elsewhere.

Sorry, but that is not acceptable.

If internal audit does not have the right leadership, competence, or resources, the board is to blame! They have the capacity and the responsibility for acting when management is reluctant to dedicate sufficient resources or they are not happy with the leadership of the CAE.

And over at his personal site, Marks recently wrote about how much cyber risk businesses should take. He lists 12 questions that the entire executive team (not just the CIO or CISO) should review as part of a dedicated session on cyber risk. So go read them! (But please remember to come back here afterwards.)

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.