SAP Blogs

Norman Marks

Company: SAP

Norman Marks led internal audit and risk management functions at major U.S. and global corporations for more than 15 years prior to joining SAP in late 2008. He is a recognized global thought leader in internal auditing, risk management, and governance and was profiled by the magazines of the American Institute of Certified Public Accountants and the Institute of Internal Auditors for his innovative practices. Norman has been recognized for his contributions by the Open Compliance and Ethics Group (as a Fellow, for his work on GRC) and the Institute of Risk Management (for his work on risk management). Norman's blog posts are his personal views and not necessarily those of SAP.

The perfect internal auditor
What makes an internal auditor perfect? I share a piece from a decade or two ago and ask how expectations have changed, especially given changes in technology. Feb. 7, 2012
Comments: 3   Rank: 21883   Page Views: 84 (Stats updated nightly)

Blog posts about internal audit and risk management
If you are interested in risk management and/or internal audit, you might be interested in these posts. They were the most popular of my posts on the Internal Auditor (IIA) Online web site last year. If you are interested only in discussions around GRC, have a look at #13 which includes commentary on what the term should mean to executives, practitioners, and others. Jan. 31, 2012
Comments: 0   Rank: 21997   Page Views: 67 (Stats updated nightly)

A more radical view of what the Audit Committee should worry about in 2012
What should be on the audit committee agenda in the new year? Do we stay with the traditional set of questions, or should we take a more strategic view - such as the adequacy of information, the maturity of risk management, the quality of the external auditor, the adequacy of enterprise systems, etc? Jan. 22, 2012
Comments: 0   Rank: 22057   Page Views: 58 (Stats updated nightly)

Integrating business planning, performance management, and risk management
An article about integrated business planning and performance management talks about surprises but fails to mention risk management. Don't you need to integrate risk management if you are to optimize performance? Jan. 16, 2012
Comments: 0   Rank: 21710   Page Views: 111 (Stats updated nightly)

How to assess the effectiveness of internal control
The new draft internal control framework from COSO includes guidance on how to assess whether the system of internal control is effective. In this post, I summarize what the document says. I then ask your views on whether you agree with this way of assessing the adequacy of internal control. Why is this important? The COSO framework is globally accepted and affects every risk, control, assurance, and governance professional. Jan. 10, 2012
Comments: 2   Rank: 22011   Page Views: 64 (Stats updated nightly)

Norman’s most popular 2011 posts on GRC, risk management, audit, and more
 Jan. 5, 2012
Comments: 5   Rank: 20952   Page Views: 266 (Stats updated nightly)

My governance, risk, and assurance wish list for 2012
 Jan. 2, 2012
Comments: 6   Rank: 21934   Page Views: 72 (Stats updated nightly)

Mobile will bring both risks and opportunities. Is your company’s strategy optimized?
 Nov. 26, 2011
Comments: 0   Rank: 21334   Page Views: 184 (Stats updated nightly)

What's the cost of a data breach? New study provides insights
 Nov. 10, 2011
Comments: 0   Rank: 21803   Page Views: 93 (Stats updated nightly)

PwC Global Information Security Study
 Oct. 21, 2011
Comments: 0   Rank: 21517   Page Views: 143 (Stats updated nightly)

Survey results: how people define GRC
 Oct. 8, 2011
Comments: 0   Rank: 21178   Page Views: 219 (Stats updated nightly)

Protiviti study on IT auditing raises more questions than it answers
 Oct. 7, 2011
Comments: 0   Rank: 21889   Page Views: 80 (Stats updated nightly)

Maybe it’s time to change your approach to information security
 Sep. 12, 2011
Comments: 0   Rank: 20295   Page Views: 372 (Stats updated nightly)

Shining the spotlight on mobile risks and opportunities
 Sep. 9, 2011
Comments: 1   Rank: 20369   Page Views: 360 (Stats updated nightly)

Study reports on the Benefits of Continuous Monitoring
 Aug. 26, 2011
Comments: 0   Rank: 20654   Page Views: 318 (Stats updated nightly)

Protiviti suggests Refocusing the Internal Audit Agenda
 Aug. 18, 2011
Comments: 0   Rank: 20576   Page Views: 328 (Stats updated nightly)

Risk management is not a quarterly exercise; it should be a way of life
 Aug. 10, 2011
Comments: 0   Rank: 20326   Page Views: 367 (Stats updated nightly)

The solutions I would buy for GRC
 Aug. 4, 2011
Comments: 0   Rank: 20620   Page Views: 322 (Stats updated nightly)

Is there a proven link between corporate governance, ratings, and corporate performance?
 Jul. 23, 2011
Comments: 0   Rank: 20475   Page Views: 345 (Stats updated nightly)

PwC has sound advice on Continuous Auditing
 Jul. 23, 2011
Comments: 0   Rank: 20044   Page Views: 409 (Stats updated nightly)

Facts, risks, and opportunities: The explosion of data about us and our companies
 Jul. 18, 2011
Comments: 0   Rank: 20425   Page Views: 353 (Stats updated nightly)

Accenture 2011 Global Risk Management Study: Important, startling, but deceiving results
 Jul. 9, 2011
Comments: 5   Rank: 20298   Page Views: 371 (Stats updated nightly)

RIMS’ report on ERM standards and guidelines: a recommended read
 Jun. 27, 2011
Comments: 0   Rank: 20212   Page Views: 385 (Stats updated nightly)

UK Bribery Act - free session in London
 Jun. 9, 2011
Comments: 1   Rank: 20403   Page Views: 355 (Stats updated nightly)

Are you worried about SOD and other user/IT access issues?
 May. 31, 2011
Comments: 0   Rank: 20129   Page Views: 399 (Stats updated nightly)

KPMG reports major problems in how risk management is understood and practiced
KPMG reports major problems in how risk management is understood and practiced May. 27, 2011
Comments: 2   Rank: 19564   Page Views: 475 (Stats updated nightly)

Continuous monitoring of controls is not the same as inspecting the integrity of transactions
 May. 11, 2011
Comments: 0   Rank: 20239   Page Views: 381 (Stats updated nightly)

Shedding New Light on Governance, Risk and Compliance (GRC)
 May. 5, 2011
Comments: 0   Rank: 20027   Page Views: 412 (Stats updated nightly)

Just what is risk appetite and how does it differ from risk tolerance?
 Apr. 27, 2011
Comments: 0   Rank: 20083   Page Views: 404 (Stats updated nightly)

The essential ingredient to effective risk management: the culture
 Apr. 27, 2011
Comments: 0   Rank: 20131   Page Views: 398 (Stats updated nightly)

There’s a ton of interesting content in Deloitte’s “Tech Trends 2011”
 Apr. 11, 2011
Comments: 5   Rank: 18694   Page Views: 582 (Stats updated nightly)

Protiviti’s Jim DeLoach provides insights into risk management
 Apr. 11, 2011
Comments: 1   Rank: 19886   Page Views: 435 (Stats updated nightly)

CFO.com discusses the growth of ERM adoption
Is the need for ERM recognized? Is it growing in practice? Apr. 8, 2011
Comments: 1   Rank: 20005   Page Views: 417 (Stats updated nightly)

Measuring the Maturity of Risk Management
Risk management maturity models Mar. 29, 2011
Comments: 2   Rank: 19689   Page Views: 460 (Stats updated nightly)

Making mistakes and poor decisions because of old risk information
 Mar. 22, 2011
Comments: 0   Rank: 19300   Page Views: 510 (Stats updated nightly)

What do they say about the latest release of SAP’s solutions for GRC?
SAP releases new version of its solutions for GRC processes, 10.0 Mar. 22, 2011
Comments: 0   Rank: 19160   Page Views: 526 (Stats updated nightly)

The risk of incompetent investigations
 Mar. 14, 2011
Comments: 1   Rank: 19507   Page Views: 483 (Stats updated nightly)

New Business Analytics Blog for Practitioners and Consultants (covering GRC, BI, and more)
 Mar. 4, 2011
Comments: 0   Rank: 19708   Page Views: 457 (Stats updated nightly)

Which came first, strategy or risk: which is the chicken and which is the egg?
 Mar. 2, 2011
Comments: 0   Rank: 19056   Page Views: 536 (Stats updated nightly)

Essential reading for all members of the board – and CEOs, CIOs, CAEs, and General Counsel
 Feb. 27, 2011
Comments: 0   Rank: 19633   Page Views: 468 (Stats updated nightly)

Board members use social media – so why not you?
 Feb. 25, 2011
Comments: 3   Rank: 18461   Page Views: 619 (Stats updated nightly)

10 reasons not to like the COSO ERM framework – a discussion with Grant Purdy
 Feb. 21, 2011
Comments: 0   Rank: 19347   Page Views: 503 (Stats updated nightly)

A radical thought about governance
 Feb. 17, 2011
Comments: 4   Rank: 18936   Page Views: 550 (Stats updated nightly)

Protiviti provides sound insights into risk management failures
 Feb. 15, 2011
Comments: 0   Rank: 19353   Page Views: 502 (Stats updated nightly)

Report from Davos includes fascinating discussion of governance and risk issues
 Feb. 15, 2011
Comments: 1   Rank: 19197   Page Views: 521 (Stats updated nightly)

The most-viewed posts on Norman Marks IIA Blog
 Feb. 11, 2011
Comments: 9   Rank: 17910   Page Views: 702 (Stats updated nightly)

The GRC Survey: The results are in
 Feb. 1, 2011
Comments: 0   Rank: 18501   Page Views: 613 (Stats updated nightly)

Continuous auditing: putting theory into practice
Continuous auditing presents an opportunity for internal audit to move to the next level of service and value to its stakeholders: providing assurance when they need it. Jan. 28, 2011
Comments: 0   Rank: 16615   Page Views: 900 (Stats updated nightly)

A new study on “Effective GRC Management: Positioning your company for growth”
The Aberdeen Group has released a new report on GRC and its value. I discuss the results in this post. Jan. 25, 2011
Comments: 0   Rank: 16773   Page Views: 874 (Stats updated nightly)

COSO releases two new guides on risk management
COSO has issued two new 'thought leadership papers'. How valuable are they? Jan. 17, 2011
Comments: 0   Rank: 18343   Page Views: 637 (Stats updated nightly)

Top risks to watch in 2011
What are the top risks to watch in 2011? I share my list and a report from the World Economic Forum Jan. 17, 2011
Comments: 1   Rank: 17055   Page Views: 831 (Stats updated nightly)

Reflections on GRC in 2010
This year has been one of both progress and frustration when it comes to GRC. While there is a lot to cheer about, and hope for 2011, irritants and obstacles continue. I share my thoughts here. Dec. 14, 2010
Comments: 0   Rank: 17536   Page Views: 761 (Stats updated nightly)

Major challenges for risk management
I was recently interviewed to promote an ERM conference. I was asked a number of questions about risk management and share my answers. Do you agree? Dec. 14, 2010
Comments: 0   Rank: 17947   Page Views: 695 (Stats updated nightly)

One size fits all for ERM?
Does every organization need a risk management function to the same extent? Does the auditor of ERM use the same standard? Nov. 25, 2010
Comments: 0   Rank: 17811   Page Views: 718 (Stats updated nightly)

Do you need help assessing the value of software for GRC?
Are you considering acquiring software to help with your GRC processes? SAP has developed some tools to help, reflecting customer experience with a variety of the products. Nov. 22, 2010
Comments: 0   Rank: 15730   Page Views: 1056 (Stats updated nightly)

Is there value in the concept of GRC?
 Nov. 19, 2010
Comments: 0   Rank: 17660   Page Views: 741 (Stats updated nightly)

Building the case for ERM
Executives haven't bought into the value of risk management. This blog suggests the source of the problem and a solution. Oct. 28, 2010
Comments: 0   Rank: 17556   Page Views: 758 (Stats updated nightly)

Is the term “GRC” just hype? Join an active debate
Is the term "GRC" hype, used by consultants and software vendors to sell services and products?  Sep. 22, 2010
Comments: 7   Rank: 14858   Page Views: 1230 (Stats updated nightly)

The heart of GRC - so misunderstood!
The term "GRC" is broadly misunderstood. It's not about the former Virsa product (SAP BusinessObjects Access Control). It's also not just about risk and compliance. Learn more here. Jun. 17, 2010
Comments: 0   Rank: 15176   Page Views: 1168 (Stats updated nightly)

How does SAP enable world-class GRC processes?
What is GRC, what are GRC processes, and how does SAP help customers build world-class GRC processes? Jun. 1, 2010
Comments: 0   Rank: 15168   Page Views: 1169 (Stats updated nightly)

Two new reports question the effectiveness of risk management practices
Two new reports provide different perspectives on the effectiveness of risk management - leading to major questions. Join the discussion Apr. 17, 2010
Comments: 1   Rank: 15618   Page Views: 1079 (Stats updated nightly)

Where is the value when you integrate solutions for GRC?
Do you integrate GRC solutions with each other, or with the ERP, or with both? Apr. 17, 2010
Comments: 2   Rank: 15568   Page Views: 1087 (Stats updated nightly)

Risk-based Continuous Monitoring/Auditing – Developments
New developments in the area of continuous auditing/monitoring, or CCM, are discussed. Apr. 5, 2010
Comments: 0   Rank: 15512   Page Views: 1099 (Stats updated nightly)

Protiviti tools enhance ROI for Access Control and Process Control
New Protiviti tools enhance ROI for Access Control and Process Control Mar. 19, 2010
Comments: 0   Rank: 15645   Page Views: 1072 (Stats updated nightly)

Success Stories as Customers Implement Solutions for GRC
Three customers talk about their successful use of SAP BusinessObjects solutions for GRC Mar. 19, 2010
Comments: 0   Rank: 15266   Page Views: 1152 (Stats updated nightly)

Can you believe all claims by software vendors?
Can you believe all the claims by vendors of GRC software? Mar. 11, 2010
Comments: 4   Rank: 14829   Page Views: 1238 (Stats updated nightly)

Continuous controls monitoring – grossly misunderstood!
A new acronym is creeping into the GRC vocabulary: CCM/T. Does it make sense? Mar. 3, 2010
Comments: 1   Rank: 14992   Page Views: 1203 (Stats updated nightly)

Selecting the right GRC solution for your organization
 Feb. 9, 2010
Comments: 1   Rank: 14581   Page Views: 1293 (Stats updated nightly)

Food for Thought on Risk Appetite
An interesting discussion on risk appetite Feb. 9, 2010
Comments: 1   Rank: 15031   Page Views: 1197 (Stats updated nightly)

Is GRC just about Risk, or is it more?
Does the fact that there is no shared definition of GRC cause confusion in the marketplace? A conversation between Eric Krell of Business Finance, and Norman Marks of SAP. Jan. 26, 2010
Comments: 0   Rank: 14853   Page Views: 1231 (Stats updated nightly)

New GRC discussions
New discussions on What is GRC, Continuous Monitoring/Auditing, and linking Risk and Strategy Jan. 16, 2010
Comments: 0   Rank: 14393   Page Views: 1331 (Stats updated nightly)

We all have lessons to learn from the Heartland data breach – whether board member, executive, or professional
IT professionals, board members, executives, and auditors: the major data breach at Heartland is an opportunity to learn. Reliance on compliance audits may be misplaced. Sep. 2, 2009
Comments: 0   Rank: 13232   Page Views: 1564 (Stats updated nightly)

Seminar on continuous monitoring and auditing
A seminar on continuous auditing and monitoring will be held in Singapore on October 9th. Aug. 26, 2009
Comments: 0   Rank: 14070   Page Views: 1398 (Stats updated nightly)

S&P Publishes Status Report on ERM and Credit Ratings Project
Standard and Poor's, a major credit rating agency, is assessing listed companies' risk management processes. They have published an interim report. Aug. 10, 2009
Comments: 0   Rank: 14285   Page Views: 1355 (Stats updated nightly)

Integrating risk management and automated controls
The value of a top-down and risk-based approach to testing controls. Jul. 10, 2009
Comments: 1   Rank: 13763   Page Views: 1461 (Stats updated nightly)

The Current State of Internal Auditing
EDPACS, a journal for IT audit and security professionals, has published an opinion piece by Norman Marks, SAP BusinessObjects, and Jay Taylor, GM on the state of the profession of internal auditing. Jul. 2, 2009
Comments: 6   Rank: 13021   Page Views: 1613 (Stats updated nightly)

The value of SAP BusinessObjects Process Control – a personal view
 Jun. 15, 2009
Comments: 0   Rank: 13748   Page Views: 1461 (Stats updated nightly)

The next evolution of internal auditing, beyond continuous auditing
SAP BusinessObjects releases new paper on taking internal audit beyond continuous auditing May. 6, 2009
Comments: 4   Rank: 12977   Page Views: 1622 (Stats updated nightly)

GRC application fragmentation
Why so much talk about GRC process and department convergence, but so little about the problem of GRC application fragmentation? May. 1, 2009
Comments: 6   Rank: 10158   Page Views: 2471 (Stats updated nightly)

Internal auditing software
Internal auditing software Apr. 9, 2009
Comments: 2   Rank: 11988   Page Views: 1879 (Stats updated nightly)

Isn't it time for risk management?
The OECD has concluded that one of the main causes of the financial crisis was a failure of risk management at many companies. Isn't now the time to put a process and system in place? Apr. 1, 2009
Comments: 1   Rank: 11430   Page Views: 2037 (Stats updated nightly)