The article is also relevant due to the recent guidance published by the Institute of Internal Auditors (IIA).  The IIA’s publication on “Internal Auditing and Fraud” provides a clear outline of organizational responsibilities and internal processes to implement that will help you prevent and detect fraud occurrences.

Do you have methods to prevent and detect fraud in your organization?  How would you handle a fraud if you suspected it was occurring?  Would you be interested in performing a Fraud Risk Assessment to determine your organization’s fraud risks and associated controls?

From an audit perspective, lack of accountability can lead to weak controls of critical systems and data.  Additionally, losing sight of the big picture can lead to projects that are not in line with business strategy and IT departments that do not effectively use resources, time, and money.

What experiences (IT or non IT) have you had in your organization?  What other audit concerns could come from this list?

USA Today wrote a detailed article on a few ways this has been occurring.  Here’s one method.
•             Cyber criminal sends an email to a business.  Email looks legitimate and often is made to look as if it is coming from the IRS, Better Business Bureau, or even the businesses internal IT department.
•             Business user clicks on link within email, which executes malicious program to download on user’s computer without their knowledge.
•             Business user logs into bank.  Cyber criminal’s program logs keystrokes and captures user ID and password.
•             With stolen user ID and password, the criminal logs into the bank as the business user.  Steals money.

The USA today article offers a “Guide to Safer Online Banking” for both account holders and banks.  These steps should tighten your security and decrease the risk of this crime happening to your company.  An additional step that is not mentioned in the “Guide to Safer Online Banking” is for businesses to hold periodic security awareness training on topics such as these.

Have you experienced this type of cyber crime?  Do you think there are more methods to protect account holders and banks?

A quote that stuck out to me was, “there is no shortage of guidance to explain what ERM is and how to implement it, though most of this information is written for risk and control specialists. To succeed, ERM efforts need to include people with other priorities.”

Getting buy-in from management is a top roadblock to successfully implementing an ERM program – or at least to implementing an ERM program that won’t fizzle out quickly. Fortunately, as noted above, there is a multitude of documentation on the concept and benefits of ERM…. and in a later post, I’ll identify the most relatable ways to talk about ERM with management.

After some quick web searching, I found this interesting article on the difference between ERM and GRC.

In it’s simplest form, the difference is simply in their names. ERM includes identifying risk appetite, assessing risk, integrating risk management in daily decisions, and monitoring risks. GRC is an umbrella philosophy that includes risk management, governance, and compliance. GRC may include ERM as the methodology of managing risk, but it may not. If an ERM program is linked to governance and risk, then it might transition into a true GRC program.

There is certainly more to ERM and GRC programs, but that is the nuts and bolts difference between the two.

Are you interested in implementing ERM or GRC programs successfully?  If you’ve already implemented these programs at your organization – what pitfalls have you faced?  What success stories do you have?”