Jose Tabuena
- Blog
Compliance monitoring and artificial intelligence
As compliance programs must deal with growing amounts of data, they need tools to help separate true risks from background noise. Jose Tabuena examines.
- Blog
Internet of Things’ role in internal audit & compliance
How can internal audit support disruptive opportunities while monitoring for emerging risks coming from the Internet of Things? Columnist Jose Tabuena discusses these challenges.
- Blog
To really improve corporate culture, it must be measurable
The days of viewing culture as a hazy intangible are over, given regulator interest in using the efficiency of cultural programs as benchmarks for everything from indictment decisions to penalties. Corporate culture, says Jose Tabuena, needs to be subject to performance benchmarks, like anything else.
- Blog
Auditing your data breach incident response plan
The time to discover when your data breach incident response plan actually works is not in the middle of data breach. Jose Tabuena offers some insights on how to make sure that the incident response plan in place is actually up to the task.
- Blog
Benchmarking your compliance program
The Department of Justice is poised to consider benchmarking as a criteria for determining how far certain companies have failed to enact adequate internal controls against wrongdoing. But what are the benchmarks for benchmarking itself? Jose Tabuena reports.
- Blog
Compliance metrics and dashboards: building your case
Jose Tabuena explores how companies and, specifically, chief compliance officers can demonstrate the effectiveness of their compliance programs and be seen as creditworthy in the eyes of the U.S. Sentencing Guidelines.
- Blog
Internal audit: an unlikely driver for corporate culture
As regulators such as FINRA increasingly view culture as a factor when determining wrongdoing and punishment, building a strong culture is taking center stage. Jose Tabuena reports.
- Blog
The auditor as behavioral scientist
Image: Inside, CW columnist Jose Tabuena examines the power of data analytics and predictive models to assess compliance effectiveness and encourage employees toward acting responsibly, thereby ensuring an ethical workplace. But, Tabuena advises, keep in mind that predictive models only yield benefits if used appropriately.
- Blog
The compliance program as an internal control
Do compliance programs make a difference? Post-mortem reviews of compliance failures typically raise the question as to whether the cause of the failure is due to a rogue bad actor or a failure in controls. It may be both; a lack of compliance controls allowed or even enabled the rogue ...
- Blog
What Does Good Compliance Look Like? Internal Audit Can Help
Board audit committees and compliance professionals should review new compliance guidance provided in a recent speech by assistant attorney general Leslie Caldwell, chief of the U.S. Department of Justice’s Criminal Division. Along with the DoJ’s appointment of a “compliance counsel” this guidance presented so-called “metrics” to apply when evaluating programs ...
- Blog
Monitoring Gifting Policies During the Holiday Season
The holiday season is always a good time to remind employees about gifts and hospitality rules. The general messages are clear: Follow the rules; use good judgment; seek help if you aren’t sure what to do; and never do something that doesn’t feel right. This week, columnist Jose Tabuena suggests ...
- Blog
Compliance Versus ERM
Compliance programs need to be part of comprehensive enterprise risk management, yes, but ERM does not displace the roles of internal audit and the compliance program. This week, columnist Jose Tabuena discusses risk management as a distinct discipline that auditors and compliance officers can work with. He describes the resources ...
- Blog
Countering the Effects of Unconscious Bias in Audits
Audits go wrong for many reasons, so let’s not deny one of them: because auditors sometimes unconsciously give the benefit of the doubt to a client when they should not. What unconscious biases put effective auditing at risk? How can an auditor train himself to find them, or construct practices ...
- Blog
Managing Outside Counsel: How Internal Audit Can Assist
Litigation and compliance risk brings something else beyond headaches: legal fees. The internal audit team can help there, even with tricky tasks such as monitoring the performance of outside counsel while they conduct an investigation. Inside, columnist Jose Tabuena offers recommendations on benchmarking what internal audit can do, analytics to ...
- Blog
Compliance Line of Sight: Evaluating Your Program’s Structure and Oversight
The chief compliance officer does not need to manage every compliance risk your company has—but he or she does need to know how every compliance risk is managed. This week, columnist Jose Tabuena explores how “line of sight” should work in a compliance program, and how internal audit can help ...
- Blog
Conducting a Practical Compliance Risk Assessment
Risk assessment is standard fare for a mature compliance program. The challenge for compliance officers is to ensure that their assessment works well, finding the right risks and generating information they can use to improve their program. This week, columnist Jose Tabuena identifies steps for conducting a meaningful compliance risk ...
- Blog
Cyber-Breaches and Other Threats Involving Conscious Opponents
Cyber-security is now a very real risk, with the potential for staggering costs and reputational harm. Cyber-security has another unusual feature as well: It falls into the realm of conscious harms, where companies must play a cat-and-mouse game to stay ahead of attackers. How do you build, maintain, and audit ...
- Blog
Monitoring and Auditing Performance-Enhancing Risks
Every executive knows that what gets measured gets done; the trick for compliance and audit executives is to assure that the metrics you use don’t lead employees to do something reckless. This week, columnist Jose Tabuena looks at the risks of incentives: where they can go wrong, how to help ...
- Blog
Applying the Three Lines to Cyber-Security
Managing cyber-security risks is one of the most pressing problems facing businesses today. Absent some technological magic bullet (which won’t be found any time soon), that leaves companies forced to protect cyber-security through better process. What does that mean? How can privacy, compliance, and internal audit band together to lead ...
- Blog
Setting Objectives for Risk Avoidance, Value Creation
One criticism of the Three Lines of Defense model is that it dwells too much on risk mitigation, and too little on risk opportunity. If you connect the Three Lines model to the COSO framework for internal control, however, a more elegant appreciation of risk management emerges. Inside, columnist Jose ...