A fish can’t survive if the water it’s living in is dirty. The same goes for your control environment. Your controls can only thrive in the right environment.  Ten years ago, the approach to achieving that “right environment” shifted with the concept of Entity Level...

“Design” is the foundation of internal controls — from how you structure financial processes, controls, testing, and your program. But it is likely the most untapped and misunderstood aspect of your internal controls program too. Effective design is where your team’s...

Whether you call them policies, standards, or guidelines, rules are everywhere in our organizations. We have rules for how we hire, train, take time off, buy things, and do our work. We have rules for our employees, our vendors, our partners, and even our customers....

When technology works, it works fabulously well. At its best, technology can lead to true, measurable “transformation” of our processes and how we work. For example, at a recent presentation, I heard a project manager explain a system he implemented that changed the...

Is “Risk Avoidance” Really “Risk Management”? A quick google search gives you the definition of risk management as being about “mitigating” risk. This is how, in practice, risk management most often works in the corporate world. It is rare to see a Risk Manager say,...

In the world of Internal Controls or GRC (Governance, Risk, and Compliance), there is tons more value we can extract from documentation and processes, but too many people leave that value on the table. And that’s where the topic of minutes comes in. They are obviously...

In my many years on the ground (and in the trenches) running internal controls* programs, I can tell you that internal controls programs are a goldmine of opportunity. But only when you “get” what audit and control concepts are about (and not about).  Unfortunately,...

Risk Management is something I get asked about because of the name of our consulting firm, and of course it’s a subject that matters a lot to me and our clients. To give you a quick definition, Risk Management is a process for organizations to identify, rank, track,...