About Norman


I have been a practitioner and thought leader in internal audit, risk management, and governance for a long time.

I have led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

I retired in early 2013. However, I still blog, write, train, and speak – and mentor individuals and organizations when I can. You can reach me at nmarks2@yahoo.com.

My books include:

I continue to lead workshops designed for experienced practitioners on the topics of Sarbanes-Oxley, effective risk management, and building a world-class internal audit function.

I am also working with individuals and companies, including software vendors, where my knowledge and experience are seen as valuable.

I do occasional consulting, but only on projects of a short duration. For example, I have helped organizations upgrade their risk management, internal audit, and SOX programs. But I have turned down opportunities to review risk management at national banks.

I am fortunate to have been recognized and made a Fellow by OCEG for my commentary on GRC, and an Honorary Fellow of the Institute of Risk Management for my contribution to the risk management field. In 2018, I was inducted into the IIA’s American Hall of Distinguished Practitioners. I am also pleased to contribute to the profession through my activities in support of the IIA, articles in various publications, and more.


Please consider following me on Twitter, where I share daily news and opinion on topics that I hope will be interesting to governance, risk, audit, and other professionals.



Please let me know if you are looking for speakers, whether for a conference, chapter meeting, or for your department’s training week. I have spoken recently about:

  • Risk management in plain English
  • Making business sense of technology risk
  • Fundamentals of risk management and how to audit it
  • World-class internal auditing
  • World-class risk management
  • IT audit and how it needs to change
  • How disruptive technology should change IT risk management
  • Continuous auditing/monitoring
  • What is GRC and what does it mean for you?
  • Managing risk at the speed of business
  • The GAIT methodology for business and IT risk scoping
  • and more



I am passionate about internal audit, risk management, governance, and the topic of success. If you are interested in conversation and discussion, please feel free to contact me.

I am also somewhat of a mentor, giving back to the profession, so if you have a tough situation and want to talk – contact me.

Finally, I am open to opportunities such as serving on a board, if there is a need for an experienced practitioner and thought leader around internal audit, risk management, etc.
