About Norman


I have been a practitioner and thought leader in internal audit, risk management, and governance for a long time.

I have led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

I retired in early 2013. However, I still blog, write, train, and speak – and mentor individuals and organizations when I can. You can reach me at nmarks2@yahoo.com.

My books are discussed in a separate tab.

I continue to lead workshops designed for experienced practitioners on the topics of Sarbanes-Oxley, effective risk management, and building a world-class internal audit function.

I am also working with individuals and companies, including software vendors, where my knowledge and experience are seen as valuable.

I do occasional consulting, but only on projects of a short duration. For example, I have helped organizations upgrade their risk management, internal audit, and SOX programs. But I have turned down opportunities to review risk management at national banks.

I am fortunate to have been recognized and made a Fellow by OCEG for my commentary on GRC, and an Honorary Fellow of the Institute of Risk Management for my contribution to the risk management field. I am also pleased to contribute to the profession through my activities in support of the IIA, articles in various publications, and membership of periodical review boards (including the Internal Auditor, ISACA Journal, and EDPACS).


Please consider following me on Twitter, where I share daily news and opinion on topics that I hope will be interesting to governance, risk, audit, and other professionals.



Please let me know if you are looking for speakers, whether for a conference, chapter meeting, or for your department’s training week. I have spoken recently about:

  • Risk management in plain English
  • Building a risk-based audit plan
  • Fundamentals of risk management and how to audit it
  • Internal audit 2020
  • Audit leadership
  • World-class internal auditing
  • World-class risk management
  • The role of Audit as the last line of defense in managing risk to the organization
  • IT audit and how it needs to change
  • How disruptive technology should change IT risk management
  • Continuous auditing/monitoring
  • What is GRC and what does it mean for you?
  • The future of information
  • Managing risk at the speed of business
  • Building a risk culture
  • Using technology in your internal audit department
  • The GAIT methodology for business and IT risk scoping
  • and more



I am passionate about internal audit, risk management, governance, and the topic of GRC. If you are interested in conversation and discussion, please feel free to contact me.

I am also somewhat of a mentor, giving back to the profession, so if you have a tough situation and want to talk – contact me.

Finally, I am open to opportunities such as serving on a board, if there is a need for an experienced practitioner and thought leader around internal audit, risk management, etc.
