Veteran Internal Auditing Expert Jose Tabuena

José Tabuena is with Texas Health Resources and writes a column every other month about internal auditing challenges. He offers a unique perspective on internal auditing issues, bringing Big Four firm experience and having held a variety of audit-related roles, including compliance auditor, risk manager, corporate counsel, and chief compliance officer. Tabuena has conducted sensitive internal investigations and assessed the performance of internal audit and ethics and compliance programs in highly regulated industries.


Aligning the Internal Audit Plan and Your Risks

May 01, 2012

Corporations know that managing risk is key to their survival today, and many even do a respectable job of assessing and ranking their risks. But what's the role for internal audit to ensure that the audit plan matches all those risks the company just spelled out? Inside, Columnist José Tabuena looks at how to prioritize internal audit's coverage of risk.
 

Conducting an Information Security Audit

March 13, 2012

Strong information security practices can reduce the risk of substantial regulatory fines and penalties (as well as the risk of reputational damage), and the best way to determine if a company is a leader or a laggard in the area is with an information security audit. Inside, Columnist José Tabuena covers the ins and outs of conducting one.
 

Internal Audit and Compliance: Getting It Together!

January 31, 2012

Can internal audit and compliance professionals better collaborate for the benefit of their organization? Why not? Audit and compliance—working together—are uniquely positioned to help the board and management understand the importance of an integrated approach to governance activities. Inside, Columnist José Tabuena dispels some of the myths of integrated governance, risk, and compliance.
 

The Reasonable Person: Internal Audit's Role in Internal Investigations

November 08, 2011

Yes, sometimes the best response to an allegation of misconduct is to commission an external investigation—but in many cases, an internal investigation will do just as well. How can you assure objectivity and independence in those cases? Inside, Compliance Week Columnist José Tabuena explores internal audit's role in serving as the "reasonable person" whose expectations are what counts in court.
 

Surveys as Internal Auditing Tool

September 07, 2011

The recent history of major business frauds and failures invariably points to the culture of the fraudulent organization as a root cause. Fair enough. But how can an internal audit department evaluate something as intangible as culture? Inside, Compliance Week Columnist José Tabuena considers the employee survey: how it can properly be used to measure integrity, the effectiveness of compliance departments, and more.
 

Auditing in the Clouds, Coming Down to Earth

July 12, 2011

The move to cloud services continues to accelerate, but the shift is more than just a change in technological platforms. It fundamentally alters the way business and IT systems function. Inside, Columnist José Tabuena looks at the many challenges the cloud creates for internal audit, including a lack of security standards, and finds that no way currently exists to audit the cloud in a consistent manner.
 

Continuous Auditing and Monitoring: From Theory Into Practice

May 10, 2011

Companies and consultants have long touted the benefits of continuous auditing and monitoring, but implementing such systems is much easier said than done. Inside, Columnist José Tabuena examines the challenges to rolling out a continuous auditing program and provides some strategies to overcome the difficulties.
 

Axioms and Proof of Compliance

March 01, 2011

Mathematical axioms and proofs can be powerful tools for applying discipline and unearthing bedrock truths in any number of fields. Inside, Columnist José Tabuena dusts off his high school geometry lessons to find some fundamental axioms in ethics and compliance, and to derive a few formulas for evaluating your program's effectiveness.
 

How to Tell if Your Compliance Programs Work

January 04, 2011

The internal audit function can be a valuable resource for assessing the effectiveness of compliance and ethics programs. But to do so, internal auditors must use multi-disciplinary techniques that differ from standard approaches. Inside, Compliance Week columnist José Tabuena gives some pointers on how to get started.
 

A Smart Approach to Compliance Program Assessment

November 02, 2010

Ethics and compliance officers, internal auditors, and the like have tried to conduct periodic reviews of their programs, but that has taken on new importance thanks to an updated definition of “effective” compliance programs under the U.S. Sentencing Guidelines.
 

Why Gray Swans Shouldn’t Go Unnoticed

October 05, 2010

Phil Angelides, former California state treasurer and now head of the Financial Crisis Inquiry Commission, says he just doesn’t understand how Wall Street executives can claim they never saw the meltdown coming. In his view, the evidence was sitting in plain view, especially in places like Florida and California where bad home loans were piling up. The big banks must have known full well what was going on because they were buying these loans. Yet, as Angelides stated, “We’ve heard for a year how folks on Wall Street and people in Washington didn’t see it coming.”
 

Why GRC Matters to the Internal Auditor

September 08, 2010

Plenty of management fads have come and gone, each touted as the Next Big Thing to take Corporate America to higher success. We’ve seen Total Quality Management, Six Sigma, strategic planning, change management, and more, each creating its own cottage industry.
 

Key Steps for Auditing the Legal Department

July 07, 2010

General counsels wield lots of power inside a corporation. They are the ones who translate legal mandates that influence how a corporation internalizes its compliance duties, and they have a huge range of daily tasks.
 

Auditing the HR Function

May 04, 2010

Workforce issues such as recruitment, retention, diversity, and business conduct are often the expression of a company’s commitment to good values. A company with poor values is probably going to have confused and disgruntled employees. So it should be no surprise that human resource (HR) issues have been at the forefront of major business frauds or reputational breakdowns for years.
 

Internal Audit’s Role in Preventing FCPA Violations

March 02, 2010

It seems like old news, but no matter how often Corporate America says it knows what to do, we just keep hearing about high-profile cases of violations of the U.S. Foreign Corrupt Practices Act.
 

The Increasing Risk of Procurement Fraud

January 05, 2010

Of all the forms of white-collar crime, procurement fraud is probably the least visible yet the most costly. That’s largely because it’s a hidden byproduct of seemingly legitimate transactions, often involving millions of dollars, between a business and supposedly legitimate vendors. What’s more, the organizations victimized by procurement fraud often don’t report it and choose to settle privately with the alleged culprits.
 

Auditing Executive Compensation Policies

November 03, 2009

Executive compensation has been a hot topic for years, but it has been getting a lot more political and public scrutiny lately.
 

Auditing Governance: It Can Be Done

September 09, 2009

A few columns ago, I posited the idea that you can develop an integrated approach to auditing corporate governance, risk, and compliance. First I explored auditing compliance, and then risk. Now I will conclude the series and explain (finally) how governance (the “G” in GRC) provides the foundation that binds these disciplines together in a coherent way.
 

Auditing GRC: Getting Down to Brass Tacks

July 07, 2009

In my last two columns I’ve been delving into the challenge of auditing governance, risk, and compliance in a unified fashion. I still have a final column to write on that subject (auditing GRC from a governance perspective) but I want to interrupt things this month to talk about the skills and knowledge an auditor needs—because auditing GRC is not for the faint of heart.
 

The Collective Audit of GRC: A True Discipline

March 03, 2009

Compliance Week describes itself as “an information service on corporate governance, risk, and compliance.” A whole industry has sprung up this decade presenting “GRC” as a single business function, with myriad products and services ostensibly to help companies manage it as such.
 

Making Sure Your ID Management System Works

January 06, 2009

Consider the passport security breach of three presidential candidates last year. Did the State Department have appropriate security controls that should have prevented the breach? Why did senior State Department staffers not learn of the improper access until more than two months after it first occurred?
 

Advice for Conflict-of-Interest Audits

November 04, 2008

Perhaps no other area of business conduct is as fraught with potential peril as are conflicts of interest. In my October 2008 column, I wrote on how abuse of travel and entertainment expenses can hint at bigger fraud problems. We’re in luck; similar irregular spending habits can also be red flags for potential conflicts of interest.
 