For obvious reasons, I am normally reluctant to recommend rival websites dedicated to the topic of assurance and risk. But in the case of Norman Marks, I am glad to make an exception… and not just one exception, because Marks writes two excellent blogs.
Marks was a Chief Audit Executive and Chief Risk Officer for a string of big businesses. More importantly, he talks a lot of straightforward sense when others prefer to spout nonsense. Despite being retired, Marks continues to be a thought leader, sharing his wisdom through a blog for the Institute of Internal Auditors, and also at his personal website about governance, risk management and audit. If you are not already following both, you should. To give you a taster, this is from a recent blog post that Marks wrote for the IIA:
In a 2014 blog post, I commented that — again, according to surveys of board members and other stakeholders — there is a high level of dissatisfaction with the performance and delivery of value by internal audit.
I heard that again a couple of weeks ago, when at a board directors’ conference an individual asserted that internal audit does not have the competence to assess cyberrisk. Nobody disagreed.
Given the importance of cyber in today’s and tomorrow’s business environment, that is damning.
So, did the director say that internal audit needed to be upgraded, additional resources allocated, or similar? No. She just said they were of no value when it comes to cyber and board members should look elsewhere.
Sorry, but that is not acceptable.
If internal audit does not have the right leadership, competence, or resources, the board is to blame! They have the capacity and the responsibility for acting when management is reluctant to dedicate sufficient resources or they are not happy with the leadership of the CAE.
And over at his personal site, Marks recently wrote about how much cyber risk businesses should take. He lists 12 questions that the entire executive team (not just the CIO or CISO) should review as part of a dedicated session on cyber risk. So go read them! (But please remember to come back here afterwards.)