Posted on 1 Comment

Speaking and Training on Fraud, Compliance, Ethics, and More…

Welcome to my site. I have spoken and been the keynote speaker for many conferences, including the ABA, ACC, ACFE, IIA, and IMA to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.

“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive 

If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.

I have provided you with some Selected Training Programs (See below) and please peruse my blog posts for some additional topics and ideas. Keep in mind I speak and provide training on most anything related to governance, risk, and compliance, with a focus on fraud and forensics.

I will do my best to get back to you quickly.

Thank you!


Jonathan Pic

Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow

Selected Training Programs

Management Override of Internal Controls

The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls versus other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override and the psychology behind management’s override of controls. You Will Learn How To:

  • Identify red flags of management overriding controls
  • Ascertain an approach to auditing for management override
  • Assess the latest trends and research regarding management override of controls
  • Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.

Operationalizing Compliance – Master Class with Tom Fox, Esquire

The Master Class developed by Tom Fox, provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) and Chief Audit Executive (CAE), Chief Legal Counsel (CLO), to the practitioner who is new to the compliance profession.

If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.

Tom Fox is one of the leading commentators in the compliance space partners with Jonathan T. Marks to bring a unique insight of what many companies have done right and many have done not so well over the years. This professional experience has enabled him to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance, using the questions posed from the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the training include:

  • Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
  • What are the best practices of an effective compliance program;
  • Why internal controls are the compliance practitioners best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • Your ethical requirements as a compliance practitioner;
  • How to document what you have accomplished;
  • Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

Ethics and Governance Training

This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.

Corporate Governance During a Crisis

We also discuss leading practices in crisis management and present several scenarios allow the participant(s) to work though mock crisis scenarios. For example, in your first week at your company, you just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience will play different roles within the company (members of the board, legal department, managers, etc.) to have a discussion, including:

  • What type of crisis plan do you have, if any?
  • What to do and how to formulate a plan of action?
  • Who to call first, how to prioritize tasks, and where to prioritize resources?
  • Who (internal and external players) to get involved and when to get them involved
  • What data is needed when a crisis hits?
  • How to prepare for the media and when to reach out?
  • How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?

Fraud Risk Assessment Process and Guidance

Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and walk through a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion on fraud and considers the potential of fraud as a principle of internal control.

FCPA (Bribery and Corruption): Building a Culture of Compliance

This session covers why compliance is important and the new guidance issues by the DOJ. We also explore current regulatory enforcement trends, whistleblowers Under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, way to thwart an investigation, differences and similarities between the FCPA and the U.K. Bribery Act, successor liability, and provides the participant with a proven 13-Step Action Plan.

Fraud Investigations

Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important, inherent risk and exposures, the types of investigations: internal and independent, board considerations, triaging an allegation, investigative challenges, and keys to running a successful investigation, and why root cause analysis should be considered after completing the investigation.

Third Party Risk Management and Oversight

Third party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to be evolving to meet the business and compliance challenges, which are constantly occurring across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.

Putting the Freud in Fraud: The Mind Behind the White Collar Criminal

To properly fight corporate fraud we need to understand how a fraudster’s normal differs, so executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.

In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.

  • Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
  • Discover what role company culture plays in the commission of fraud.
  • Hear cutting-edge ideas and methods to help detect and deter fraud.

Fraud Overview

This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.

Triaging a Whistleblower Allegation

As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips, which can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, this session discusses Why Investigating allegations or tips are important, why timeliness matters, investigation challenges, and provides the participant with a sample approach.

Skepticism: A Primary Weapon in the Fight Against Fraud

What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see and critically assess all evidence and statements. This session we discuss the role of independent reviewer or inspector, particularly of your own assumptions, whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.

Root Cause Analysis 

The regulators are expecting more today and want to know that your remediation efforts are not treating the symptoms), but rather the root cause(s).

Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organizations compliance program. When able to determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis are thinking critically by asking the right questions (sometimes probing), applying the proper level of skepticism, and when appropriate examining the information (evidence) from multiple perspectives.

This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense”, which provides the audit committee and senior management with a better understanding where the break downs occurred.

Posted on

PHorensically Speaking: Cost of Data Breach and New COSO Guidance On Cyber, Risk Appetite Statements, Compliance, and Boards Management of Strategic Risks

The Cost of Data Breach Report (“Report) found that the average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased beyond the 2017 report averages:

The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 percent

The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent

The average size of the data breaches in this research increased by 2.2 percent

The Report also highlights the relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences.

The mean time to identify (MTTI) was 197 days

The mean time to contain (MTTC) was 69 days

Companies that contained a breach in less than 30 days saved over $1 million vs. those that took more than 30 days to resolve

USD 3.92 million – Average total cost of a data breach

United States – Most expensive country: USD 8.19 million

Healthcare – Most expensive industry: USD 6.45 million

25,575 records – Average size of a data breach

Data breaches can cause devastating financial losses and affect an organization’s reputation for years. From lost business to regulatory fines and remediation costs, data breaches have far reaching consequences.

The annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, analyzes data breach costs reported by 507 organizations across 16 geographies and 17 industries.

You should read the report to discover all the factors that influence the cost of a data breach and which security measures can help organizations reduce the financial impact.

Risk Management

In the works, The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) is in the process of developing guidance for companies on how to manage cybersecurity and other risks.

The COSO guidance is intended to help companies provide more detailed instructions on how to apply the 5 interrelated components, which are broken down to 20 principles of COSO’s risk-management framework—which include board-level oversight of risk management—to information security. Specifically, how companies can apply the principles of enterprise risk management, or ERM, to protect against cyberattacks.

Other COSO Guidance expected soon should include how to better craft risk-appetite statements; how to better manage risk and compliance across an enterprise; and guid­ance for board di­rec­tors on man­ag­ing strate­gic risks—the kind that arise when com­pa­nies ex­pand, launch new prod­ucts or change pric­ing mod­els.


COSO’s guidance On compliance is being drafted in partnership with the Society of Corporate Compliance and Ethics (“SCCE”). More to come…

I welcome your thoughts and comments!


Jonathan T. Marks


IBM, Ponemon, WSJ, COSO

Posted on

Cyber Actors Exploit ‘Secure’ Websites In Phishing Campaigns

Websites with addresses that start with “https” are supposed to provide privacy and security to visitors. After all, the “s” stands for “secure” in HTTPS: Hypertext Transfer Protocol Secure. In fact, cyber security training has focused on encouraging people to look for the lock icon that appears in the web browser address bar on these secure sites. The presence of “https” and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely.

Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts.

These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.


The following steps can help reduce the likelihood of falling victim to HTTPS phishing:

Do not simply trust the name on an email: question the intent of the email content.

If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.

Do not trust a website just because it has a lock icon or “https” in the browser address bar.

Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).

I welcome your thoughts and comments!


Jonathan T. Marks. CPA, CFE



Posted on

Baker Tilly Forensic Partner will be Speaking Today at the IIA in Washington D.C. on the Future of Fraud Risk Management

Risk Management ConceptJonathan T. Marks will lead today’s discussion that will focus on the key components of a fraud risk management program and discuss what the board and senior management expect today and might expect in the near future. The discussion will then provide practical insights on what skills might be required and then delve into how internal audit can enhance its value to the organization through experience and training. Lastly, the discussion will highlight the trends in the ever expanding digital era and how internal audit can stay ahead of internal and external changes through the on-going evaluation of risks.


Jonathan T. Marks CPA, CGMA, CFF, CITP, CFE
Jonathan is a forensic accountant and a partner at Baker Tilly and has more than 30 years of experience working closely with clients, their board, senior management, internal audit, compliance, legal & outside law firms on global/domestic fraud, misconduct, cyber incidents, bribery & whistleblower matters and when appropriate conducting a forensic investigation, then when possible performing root cause analysis in order to develop remedial procedures, and design or enhance governance, global risk management, and compliance systems along with internal controls and policies & procedures to mitigate future potential issues. Jonathan has educated and advised some of the world’s largest companies in these and other areas.

Posted on

Baker Tilly and NACD Provide Corporate Directors with Insights on 2019 Strategic Risks in New Report

My firm Baker Tilly Virchow Krause, LLP (Baker Tilly) and the National Association of Corporate Directors (NACD), the authority on boardroom practices representing more than 20,000 board members, today released the 2019 Governance Outlook: Projections on Emerging Board Matters, featuring Baker Tilly’s 2019 Strategic Risks for Boards.

The report serves as an annual road map to guide corporate directors and senior executives as they tackle business and governance risks and issues throughout the coming year.

Baker Tilly focuses on critical disruptive forces and risks affecting boards and organizations in the report, including international trade and tariffs, tax reform, cybersecurity and privacy.

“As boards face mounting pressure from investors and other stakeholders to demonstrate proper oversight of these risks, directors should ensure that their organizations are prepared for regulatory compliance, understand the impact of these risks and have in place a comprehensive monitoring program,” Christine Anderson, Baker Tilly managing partner for growth and specialization, said. “Baker Tilly is proud to partner with NACD in offering boards actionable insights into disruptive forces and risks that organizations will be wrestling with now and in the future.”

The report also highlights NACD survey findings on the top board priorities for 2019. In NACD’s annual survey of public company directors, 62 percent of respondents said that they view disruptive risks as much more important to the business environment today as compared to five years ago, yet less than a fifth (19 percent) report that they are extremely or very confident in management’s preparedness to address these risks.

“This report taps into NACD’s unrivaled network of partners, including Baker Tilly, to provide critical guidance for CEOs, board directors and other business leaders as they chart a course for 2019,” Peter Gleason, president and CEO of NACD, said. “The insights offered in this document shine a bright light on emerging issues and provide a road map for the year ahead.”

Visit to download the report.

I hope you find it useful…and please don’t hesitate to reach out to me with any comment or question you might have.

Jonathan T. Marks, CPA


About Baker Tilly Virchow Krause, LLP (

Baker Tilly Virchow Krause, LLP (Baker Tilly) is a leading advisory, tax and assurance firm whose specialized professionals guide clients through an ever-changing business world, helping them win now and anticipate tomorrow. Headquartered in Chicago, Baker Tilly, and its affiliated entities, have operations in North America, South America, Europe, Asia and Australia. Baker Tilly is an independent member of Baker Tilly International, a worldwide network of independent accounting and business advisory firms in 147 territories, with 33,600 professionals. The combined worldwide revenue of independent member firms is $3.4 billion. Visit or join the conversation on LinkedInFacebook and Twitter.

Posted on

SEC Publishes New Requirements for Cybersecurity Disclosures


There is no doubt that cybersecurity risks pose in some cases grave threats to companies and their stakeholders.

According to the January 2018 Cybersecurity Report, cyber crime damage costs will hit $6 trillion annually by 2021.  So its easy to understand why the regulators are concerned about disclosure and transparency when it comes to a cybersecurity risks and incidents.

Cyber Security System

In April 2016,  H.R.5069 – Cybersecurity Systems and Risks Reporting Act was introduced and thus many professionals prognosticated new and updated interpretive guidance was forthcoming. What I found useful in the proposed legislation, and maybe to you as well when addressing cyber risk and disclosure, was the definition of  aCybersecurity System, which follows –

“A set of activities or state, involving people, processes, data or technology, whereby the protection of an information system of the issuer is secured from, or defended against, damage, unauthorized use or modification, misdirection, disruption or exploitation.”

SEC’s New Interpretive Guidance

On February 21, 2018, public companies received new interpretative guidance from the SEC on the disclosures they should make related to cybersecurity.

The previous interpretive guidance, issued in October 2011, stated that companies may be obligated to disclose cybersecurity risks and incidents, but it did not provide specific disclosure requirements. The increasing number and severity of cybersecurity incidents has led the SEC to conclude that more specific disclosure requirements are necessary.

In an interpretation and statement, the SEC stated that it expects companies to disclose cybersecurity risks and incidents that are material to investors, including financial, legal, or reputational consequences.

Companies should consider any obligations that may be imposed by exchange listing requirements.  For example, the NYSE requires list companies to “release quickly to the public any news or information which might reasonably be expected to materially affect the market for its securities.”

The SEC guidance states, companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.

The guidance further states, When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

Securities Act of 1933 and Exchange Act of 1934

Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements under the Securities Act of 1933 (“Securities Act”) and the Securities Exchange Act of 1934 (“Exchange Act”), and periodic and current reports under the Exchange Act.

Disclosure Controls and Procedures

Exchange Act Rules under Section 13(a)-14 and 15(d)-14 require a company’s principal executive officer and principal financial officer to make certifications regarding the design and effectiveness of disclosure controls and procedures and Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose conclusions on the effectiveness of disclosure controls and procedures.

These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.  In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.

The Board and Audit Committee

Source: COSO

The board and audit committee need to understand the control environment and monitor the company’s obligations under existing laws and regulations with respect to matters involving cybersecurity risk and incidents.

They should also understand the company’s cybersecurity risk assessment process, the risks identified, the controls in place, and policies and procedures.

Lastly, as a result of the SEC’s new interpretive guidance, understanding the application of disclosure controls and procedures, insider trading prohibitions, Regulation FD and the disclosure of material information, and selective disclosure prohibitions in the cybersecurity context is a must.

Remember that as technology advances, so do the threats; it is harder than ever to protect business processes and information, so ensure the company’s cyber strategy is alive and well.

I look forward to your comments, thoughts, and suggestions.



  • SEC
  • Journal of Accountancy