Norman Marks

A New Role for the Internal Audit Function

In this article, Norman Marks explores the evolving role of the chief audit executive, moving beyond traditional assurance to actively helping boards and audit committees operate more effectively. With new opportunities emerging through AI and technology, Marks argues that internal audit functions can deliver greater value by enhancing board governance, insight, and performance.

Most Boards & CEOs Fail With Risk Management

In this article, Norman Marks looks into why so many organizations continue to operate with ineffective risk management programs, even while acknowledging the consequences. Drawing on industry survey data and decades of experience, he explores how boards and CEOs often settle for compliance-driven approaches that fail to support decision-making, and why meaningful change must start at the top.

Are Organizations Really Leveraging the Potential of AI?

In a recent article, Norman Marks asks a pointed question that’s becoming increasingly urgent across boardrooms, risk teams, and C-suites alike—are organizations truly leveraging the potential of AI, or are they still circling the runway while competitors take off? Drawing on new insights from Google AI and McKinsey’s latest 2025 survey, Marks explores whether companies are moving fast enough, cautiously enough, or strategically enough to turn AI from hype into real enterprise value, and what it means for practitioners who risk being left behind.

The Idea of Continuous Assurance

In this article, Norman Marks dives into the evolving concept of continuous assurance, challenging traditional notions of continuous auditing and urging internal auditors to focus less on reviewing the past and more on providing real-time confidence in the future. Drawing on his own experiences as a former Chief Audit Executive and early adopter of continuous auditing techniques, Marks explores how true assurance comes from understanding risk as it changes, engaging with management regularly, and providing insight that helps organizations anticipate, not just detect, issues.

This Is Missing From Most GRC & ERM Programs

In his latest piece, Norman Marks breaks down a critical gap he continues to see across GRC and ERM programs: the absence of a true top-down, objective-focused approach. While many organizations and software platforms emphasize identifying risks first and then mapping them to objectives, Marks argues that this bottom-up structure misses what matters most. To understand risk and opportunity in a meaningful way, he explains, organizations must start with their enterprise objectives, strategies, and goals, and then determine what could hinder or enable their achievement.

Is Your Business Blind?

If you are driving down the highway at 65 mph (104.6 kph), a broken-down truck in the middle of the road ahead is a serious source of risk. You might consider it the #1 entry in your list of top risks (if you were to put such a list together as you were driving). But what if you can’t see it?

What is “Risk”, Really?

In this candid and thought-provoking piece, Norman Marks challenges conventional definitions of risk and risk management, arguing that most frameworks fail to resonate with how real-world decisions are made. Drawing from his decades of executive experience and referencing the ideas of Grant Purdy and Roger Estall, Marks reframes “risk” as simply “what might happen”, a practical, plain-English approach that bridges the gap between theory and management reality.