Veteran Internal Auditing Expert Jose Tabuena

Jose Tabuena is compliance and regulatory counsel with Orion Health, a global provider of clinical workflow and health data integration technologies and solutions. His views are his own and do not necessarily reflect the views of Orion. He writes a column every other month on internal auditing and compliance program challenges, offering a unique perspective on internal auditing issues that draws on Big Four firm experience and a variety of audit-related roles, including compliance auditor, risk manager, corporate counsel, and chief compliance officer. Mr. Tabuena is a certified fraud examiner, is certified in healthcare compliance, and is an OCEG Fellow.

Leveraging the Power of Audit Sampling

March 11, 2014

Statistical sampling plays an important role in the audit process. Effective sampling can support the auditor in providing the reasonable assurance required during an audit engagement. But understanding the power, and perhaps more importantly the limitations, of statistical sampling is a vital part of improving audit quality. Inside, columnist Jose Tabuena provides some tips on improving the use of statistical sampling in audits.

Just What Is "Reasonable Assurance"?

January 22, 2014

"Reasonable assurance" is a term tossed around in the audit profession, but not well understood. What does it actually mean when an audit report attests with reasonable assurance that the financial reporting or internal controls are reliable? Inside, columnist Jose Tabuena takes a close look at what it means when auditors say they have obtained reasonable assurance that the financial statements are free of material misstatements, and he dispels some myths about what auditors can and cannot promise.

Managing the Exchange of Personal Data Across Borders

November 19, 2013

A manager at a desk in New York clicks on a client list that is housed on a server in Paris and views it over a virtual private network. Almost without thinking about it, the manager has transferred personally identifiable information out of the European Union, unleashing a host of compliance and regulatory concerns. Inside, columnist Jose Tabuena unpacks the compliance risks that come with transferring data across borders in a global company.

Protecting Your Data From the Unhappy Employee

September 17, 2013

Almost all organizations have faced the situation of a once-trusted employee whose relationship with the business has become strained, and who now threatens to cause havoc to the company's IT system or to take valuable data as he walks out the door. A system of robust controls can neutralize such risks. Inside, columnist Jose Tabuena offers some tips for putting such controls in place.

Make Me a Disbeliever: Audit Regulators Want More Skepticism

July 16, 2013

Audit regulators and others are once again asking auditors to embrace their cynical side and more effectively challenge corporate executives before signing off on an audit. These calls for greater skepticism have reignited the debate over effective measures to ensure sufficient auditor objectivity and independence. Inside, Columnist Jose Tabuena considers the meaning of professional skepticism and the behaviors that can enhance and impede it.

Can You Audit Corporate Culture?

May 29, 2013

Every compliance officer agrees that culture is important and works to improve the culture and ethical aspects of the company. Yet for all of its implied significance, culture is often viewed as a soft issue that leaders aren't sure how to address. Inside, Columnist Jose Tabuena looks at how companies can audit corporate culture to evaluate whether explicit compliance messaging and processes are working.

Internal Audit's Role in Managing Third-Party Risks

March 12, 2013

As companies continue to get in trouble for the actions of their business partners, some may be wondering, "Am I my brother's keeper?" The answer, at least in the eyes of regulators, is yes. And yet most companies struggle with how to get a handle on third-party risk. Inside, Columnist Jose Tabuena explains how internal audit can play a vital role in developing and supporting a third-party risk-management program.

Where Internal Audit and Compliance Should Report

January 08, 2013

The view that chief audit executives and chief compliance officers need a high degree of independence and clout to accomplish their responsibilities has gained increasing momentum lately, but naysayers still believe they should remain where they have historically resided and reported—inside the finance and legal departments, respectively. Inside, Columnist Jose Tabuena examines the latest push for rethinking reporting lines for the CAE and CCO.

What Every Internal Auditor Should Know About Big Data

November 06, 2012

Forget the cloud; Big Data is the new new thing, and it could have major implications for internal audit. Although its development is in its infancy, internal auditors and compliance professionals are paying close attention to how Big Data is evolving and, more critically, how they can put it to work. Inside, Columnist José Tabuena explores the potential internal audit applications of Big Data.

Auditing the Compliance Hotline

September 11, 2012

How do you know if your compliance hotline is actually working? New methods have emerged for auditing and benchmarking compliance hotlines that go well beyond comparing the call volume from year to year. Inside, Columnist José Tabuena walks through the necessary steps to conducting an effective compliance hotline audit, including how to benchmark against industry norms and what to look for in the data.

How to Promote Effective Use of the Company Compliance Hotline

July 03, 2012

When one large health benefits firm realized the IT department didn't make use of its compliance hotline, it targeted the function with increased communication and training. The result was a surge of calls that revealed two critical problems, both relatively easy to fix. Inside, Columnist José Tabuena looks at how to establish the credibility of the helpline as an effective resource to raise issues and report misconduct.

Aligning the Internal Audit Plan and Your Risks

May 01, 2012

Corporations know that managing risk is key to their survival today, and many even do a respectable job of assessing and ranking their risks. But what's the role for internal audit to ensure that the audit plan matches all those risks the company just spelled out? Inside, Columnist José Tabuena looks at how to prioritize internal audit's coverage of risk.

Conducting an Information Security Audit

March 13, 2012

Strong information security practices can reduce the risk of substantial regulatory fines and penalties (as well as the risk of reputational damage), and the best way to determine if a company is a leader or a laggard in the area is with an information security audit. Inside, Columnist José Tabuena covers the ins and outs of conducting one.

Internal Audit and Compliance: Getting It Together!

January 31, 2012

Can internal audit and compliance professionals better collaborate for the benefit of their organization? Why not? Audit and compliance—working together—are uniquely positioned to help the board and management understand the importance of an integrated approach to governance activities. Inside, Columnist José Tabuena dispels some of the myths of integrated governance, risk, and compliance.

The Reasonable Person: Internal Audit's Role in Internal Investigations

November 08, 2011

Yes, sometimes the best response to an allegation of misconduct is to commission an external investigation—but in many cases, an internal investigation will do just as well. How can you assure objectivity and independence in those cases? Inside, Compliance Week Columnist José Tabuena explores internal audit's role in serving as the "reasonable person" whose expectations are what counts in court.

Surveys as Internal Auditing Tool

September 07, 2011

The recent history of major business frauds and failures invariably points to the culture of the fraudulent organization as a root cause. Fair enough. But how can an internal audit department evaluate something as intangible as culture? Inside, Compliance Week Columnist José Tabuena considers the employee survey: how it can properly be used to measure integrity, the effectiveness of compliance departments, and more.

Auditing in the Clouds, Coming Down to Earth

July 12, 2011

The move to cloud services continues to accelerate, but the shift is more than just a change in technological platforms. It fundamentally alters the way business and IT systems function. Inside, Columnist José Tabuena looks at the many challenges the cloud creates for internal audit, including a lack of security standards, and finds that no way currently exists to audit the cloud in a consistent manner.

Continuous Auditing and Monitoring: From Theory Into Practice

May 10, 2011

Companies and consultants have long touted the benefits of continuous auditing and monitoring, but implementing such systems is much easier said than done. Inside, Columnist José Tabuena examines the challenges to rolling out a continuous auditing program and provides some strategies to overcome the difficulties.

Axioms and Proof of Compliance

March 01, 2011

Mathematical axioms and proofs can be powerful tools for applying discipline and unearthing bedrock truths in any number of fields. Inside, Columnist José Tabuena dusts off his high school geometry lessons to find some fundamental axioms in ethics and compliance, and to derive a few formulas for evaluating your program's effectiveness.

How to Tell if Your Compliance Programs Work

January 04, 2011

The internal audit function can be a valuable resource for assessing the effectiveness of compliance and ethics programs. But to do so, internal auditors must use multi-disciplinary techniques that differ from standard approaches. Inside, Compliance Week columnist José Tabuena gives some pointers on how to get started.

A Smart Approach to Compliance Program Assessment

November 02, 2010

Ethics and compliance officers, internal auditors, and the like have tried to conduct periodic reviews of their programs, but that has taken on new importance thanks to an updated definition of “effective” compliance programs under the U.S. Sentencing Guidelines.

Why Gray Swans Shouldn’t Go Unnoticed

October 05, 2010

Phil Angelides, former California state treasurer and now head of the Financial Crisis Inquiry Commission, says he just doesn’t understand how Wall Street executives can claim they never saw the meltdown coming. In his view, the evidence was sitting in plain view, especially in places like Florida and California where bad home loans were piling up. The big banks must have known full well what was going on because they were buying these loans. Yet, as Angelides stated, “We’ve heard for a year how folks on Wall Street and people in Washington didn’t see it coming.”

Why GRC Matters to the Internal Auditor

September 08, 2010

Plenty of management fads have come and gone, each touted as the Next Big Thing to take Corporate America to higher success. We’ve seen Total Quality Management, Six Sigma, strategic planning, change management, and more, each creating its own cottage industry.

Key Steps for Auditing the Legal Department

July 07, 2010

General counsels wield lots of power inside a corporation. They are the ones who translate legal mandates that influence how a corporation internalizes its compliance duties, and they have a huge range of daily tasks.

Auditing the HR Function

May 04, 2010

Workforce issues such as recruitment, retention, diversity, and business conduct are often the expression of a company’s commitment to good values. A company with poor values is probably going to have confused and disgruntled employees. So it should be no surprise that human resource (HR) issues have been at the forefront of major business frauds or reputational breakdowns for years.

Internal Audit’s Role in Preventing FCPA Violations

March 02, 2010

It seems like old news, but no matter how often Corporate America says it knows what to do, we just keep hearing about high-profile cases of violations of the U.S. Foreign Corrupt Practices Act.

The Increasing Risk of Procurement Fraud

January 05, 2010

Of all the forms of white-collar crime, procurement fraud is probably the least visible yet the most costly. That’s largely because it’s a hidden byproduct of seemingly legitimate transactions, often involving millions of dollars, between a business and supposedly legitimate vendors. What’s more, the organizations victimized by procurement fraud often don’t report it and choose to settle privately with the alleged culprits.

Auditing Executive Compensation Policies

November 03, 2009

Executive compensation has been a hot topic for years, but it has been getting a lot more political and public scrutiny lately.

Auditing Governance: It Can Be Done

September 09, 2009

A few columns ago, I posited the idea that you can develop an integrated approach to auditing corporate governance, risk, and compliance. First I explored auditing compliance, and then risk. Now I will conclude the series and explain (finally) how governance (the “G” in GRC) provides the foundation that binds these disciplines together in a coherent way.

Auditing GRC: Getting Down to Brass Tacks

July 07, 2009

In my last two columns I’ve been delving into the challenge of auditing governance, risk, and compliance in a unified fashion. I still have a final column to write on that subject (auditing GRC from a governance perspective) but I want to interrupt things this month to talk about the skills and knowledge an auditor needs—because auditing GRC is not for the faint of heart.

The Collective Audit of GRC: A True Discipline

March 03, 2009

Compliance Week describes itself as “an information service on corporate governance, risk, and compliance.” A whole industry has sprung up this decade presenting “GRC” as a single business function, with myriad products and services ostensibly to help companies manage it as such.

Making Sure Your ID Management System Works

January 06, 2009

Consider the passport security breach of three presidential candidates last year. Did the State Department have appropriate security controls that should have prevented the breach? Why did senior State Department staffers not learn of the improper access until more than two months after it first occurred?

Advice for Conflict-of-Interest Audits

November 04, 2008

Perhaps no other area of business conduct is as fraught with potential peril as are conflicts of interest. In my October 2008 column, I wrote on how abuse of travel and entertainment expenses can hint at bigger fraud problems. We’re in luck; similar irregular spending habits can also be red flags for potential conflicts of interest.