Jose Tabuena

  • Blog

    Compliance monitoring and artificial intelligence


    As compliance programs must deal with growing amounts of data, they need tools to help separate true risks from background noise. Jose Tabuena examines.

  • Blog

    Internet of Things’ role in internal audit & compliance


    How can internal audit support disruptive opportunities while monitoring for emerging risks coming from the Internet of Things? Columnist Jose Tabuena discusses these challenges.

  • Blog

    To really improve corporate culture, it must be measurable


    The days of viewing culture as a hazy intangible are over, given regulator interest in using the efficiency of cultural programs as benchmarks for everything from indictment decisions to penalties. Corporate culture, says Jose Tabuena, needs to be subject to performance benchmarks, like anything else.

  • Blog

    Auditing your data breach incident response plan


    The time to discover when your data breach incident response plan actually works is not in the middle of data breach. Jose Tabuena offers some insights on how to make sure that the incident response plan in place is actually up to the task.

  • Blog

    Benchmarking your compliance program


    The Department of Justice is poised to consider benchmarking as a criteria for determining how far certain companies have failed to enact adequate internal controls against wrongdoing. But what are the benchmarks for benchmarking itself? Jose Tabuena reports.

  • Blog

    Compliance metrics and dashboards: building your case


    Jose Tabuena explores how companies and, specifically, chief compliance officers can demonstrate the effectiveness of their compliance programs and be seen as creditworthy in the eyes of the U.S. Sentencing Guidelines.

  • Blog

    Internal audit: an unlikely driver for corporate culture


    As regulators such as FINRA increasingly view culture as a factor when determining wrongdoing and punishment, building a strong culture is taking center stage. Jose Tabuena reports.

  • Blog

    The auditor as behavioral scientist


    Image: Inside, CW columnist Jose Tabuena examines the power of data analytics and predictive models to assess compliance effectiveness and encourage employees toward acting responsibly, thereby ensuring an ethical workplace. But, Tabuena advises, keep in mind that predictive models only yield benefits if used appropriately.

  • Blog

    The compliance program as an internal control


    Do compliance programs make a difference? Post-mortem reviews of compliance failures typically raise the question as to whether the cause of the failure is due to a rogue bad actor or a failure in controls. It may be both; a lack of compliance controls allowed or even enabled the rogue ...

  • Blog

    What Does Good Compliance Look Like? Internal Audit Can Help


    Board audit committees and compliance professionals should review new compliance guidance provided in a recent speech by assistant attorney general Leslie Caldwell, chief of the U.S. Department of Justice’s Criminal Division. Along with the DoJ’s appointment of a “compliance counsel” this guidance presented so-called “metrics” to apply when evaluating programs ...

  • Blog

    Monitoring Gifting Policies During the Holiday Season


    The holiday season is always a good time to remind employees about gifts and hospitality rules. The general messages are clear: Follow the rules; use good judgment; seek help if you aren’t sure what to do; and never do something that doesn’t feel right. This week, columnist Jose Tabuena suggests ...

  • Blog

    Compliance Versus ERM


    Compliance programs need to be part of comprehensive enterprise risk management, yes, but ERM does not displace the roles of internal audit and the compliance program. This week, columnist Jose Tabuena discusses risk management as a distinct discipline that auditors and compliance officers can work with. He describes the resources ...

  • Blog

    Countering the Effects of Unconscious Bias in Audits


    Audits go wrong for many reasons, so let’s not deny one of them: because auditors sometimes unconsciously give the benefit of the doubt to a client when they should not. What unconscious biases put effective auditing at risk? How can an auditor train himself to find them, or construct practices ...

  • Blog

    Managing Outside Counsel: How Internal Audit Can Assist


    Litigation and compliance risk brings something else beyond headaches: legal fees. The internal audit team can help there, even with tricky tasks such as monitoring the performance of outside counsel while they conduct an investigation. Inside, columnist Jose Tabuena offers recommendations on benchmarking what internal audit can do, analytics to ...

  • Blog

    Compliance Line of Sight: Evaluating Your Program’s Structure and Oversight


    The chief compliance officer does not need to manage every compliance risk your company has—but he or she does need to know how every compliance risk is managed. This week, columnist Jose Tabuena explores how “line of sight” should work in a compliance program, and how internal audit can help ...

  • Blog

    Conducting a Practical Compliance Risk Assessment


    Risk assessment is standard fare for a mature compliance program. The challenge for compliance officers is to ensure that their assessment works well, finding the right risks and generating information they can use to improve their program. This week, columnist Jose Tabuena identifies steps for conducting a meaningful compliance risk ...

  • Blog

    Cyber-Breaches and Other Threats Involving Conscious Opponents


    Cyber-security is now a very real risk, with the potential for staggering costs and reputational harm. Cyber-security has another unusual feature as well: It falls into the realm of conscious harms, where companies must play a cat-and-mouse game to stay ahead of attackers. How do you build, maintain, and audit ...

  • Blog

    Monitoring and Auditing Performance-Enhancing Risks


    Every executive knows that what gets measured gets done; the trick for compliance and audit executives is to assure that the metrics you use don’t lead employees to do something reckless. This week, columnist Jose Tabuena looks at the risks of incentives: where they can go wrong, how to help ...

  • Blog

    Applying the Three Lines to Cyber-Security


    Managing cyber-security risks is one of the most pressing problems facing businesses today. Absent some technological magic bullet (which won’t be found any time soon), that leaves companies forced to protect cyber-security through better process. What does that mean? How can privacy, compliance, and internal audit band together to lead ...

  • Blog

    Setting Objectives for Risk Avoidance, Value Creation


    One criticism of the Three Lines of Defense model is that it dwells too much on risk mitigation, and too little on risk opportunity. If you connect the Three Lines model to the COSO framework for internal control, however, a more elegant appreciation of risk management emerges. Inside, columnist Jose ...

More by Jose Tabuena