T2P Audit & Auditor News

Does SAS 70 certification mean better data center security?

2009-11-05T22:15:44Z

People charged with data center physical security have the daunting responsibility of minimizing internal and external vulnerabilities and deciding which technologies and strategies should be deployed.

The importance of internal audits

2009-11-06T14:23:00Z

This week`s resource selections originate from a monthly internal audit column I write for Jim Kaplan, for going on more than three years now.

Each month in Jim’s internal audit newsletter (http://www.auditnet.org/) I highlight leading audit and security resources to assist auditors and security practitioners.

Have another great week.

Dan Swanson

Disaster Recovery (DR) and Business Continuity Planning (BCP) resources

This web page provides resources and articles on the subject of DR and BCP that you can use for reviews and planning for audits in this area. http://www.auditnet.org/drp.htm

Auditing IT Initiatives “Thought Leadership”- Particularly Useful When an IT Project Failure is NOT An Option!

Some key questions to consider:

- Does the proposed IT solution work & will it meet the needs of the organization?

- Does the security aspect of the IT solution work?

- Will the privacy of the organization’s information be maintained?

- Will the staff know how to perform “productively” and accurately?

- Have we done everything necessary to be prepared?

- Are we ready to implement and how do you know it'll work?

Some leading resources to assist your “readiness” assessment effort are available here.

http://www.auditnet.org/articles/DSIA200702.htm

Auditing for Fraud “Thought Leadership” - Because bad things are happening

Some companies have significantly lower levels of misappropriation of assets and are less susceptible to fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud, end of story (it’s that simple). At these exemplary companies, management is responsible for designing and implementing systems and procedures for the prevention and detection of fraud—and, along with the board of directors, for ensuring a culture and environment that promotes honesty and ethical behavior.
http://www.auditnet.org/articles/DSIA200703.htm

Security Management resources

A variety of information security management resources have been gathered at this one web page
http://www.auditnet.org/SecurityMgmt.htm

Auditing Risk Management is strongly recommended

Some resources to assist your risk management efforts are available at this one web page.

http://www.auditnet.org/articles/DSIA200701.htm

Auditing security using the PCI standard and related guidance - (Because personal information must be protected)
We need to protect personal information much more than ever before and extensive help from the PCI Security Standards Council and numerous other organizations does exist.
http://www.auditnet.org/articles/DSIA200704.htm

New COSO Thought Paper Supports Integration of Strategy and ERM

2009-11-05T01:30:00Z

COSO highlights specific areas where management can work with its board to enhance the board’s risk oversight capabilities for strategic advantage ALTAMONTE SPRINGS, Fla. – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - an organization providing thought leadership and guidance on internal controls, enterprise risk management and fraud deterrence – has released a new thought paper, Strengthening Enterprise Risk Management for Strategic Advantage, that highlights specific areas where senior management can work with its board of directors to enhance the board’s risk oversight capabilities and the organization’s strategic value. This document builds upon four specific board risk oversight responsibilities outlined in a recently released COSO thought paper, Effective Enterprise Risk Oversight: The Role of the Board of Directors, to provide more detail on ways senior management can work with the board and others in the organization to strengthen risk management in all types of organizations. “Management is often being asked to provide their boards with more information regarding key risk exposures,” said COSO Chairman David Landsittel. “The challenge facing management is designing and implementing an enterprise wide approach to risk management that is both strategic and value-adding so that the board and senior management have a rich understanding of the organization’s top risk exposures. This thought paper highlights four specific areas where management can work with their board to provide appropriate risk oversight related to strategies and objectives.” This thought paper calls attention to COSO’s Enterprise Risk Management – Integrated Framework (2004), COSO’s definition of ERM, and the key elements of effective board risk oversight. The paper builds upon four critical areas, which are also highlighted in COSO’s Effective Enterprise Risk Oversight: The Role of the Board of Directors, to provide a basis for introspection about current approaches to risk management and to be a catalyst for management to strengthen its overall approach to enterprise wide risk management to help boards fulfill their risk oversight responsibilities. “Through our hands-on work with boards and senior executives of organizations of all sizes and industries, we observe a desire for stronger integration of strategy execution and risk oversight,” said Mark Beasley, Deloitte Professor of Enterprise Risk Management and Director of NC State’s ERM Initiative. “This COSO thought paper provides a rich discussion of the many ways management and boards can work to capture the strategic advantage of an enterprise-wide approach to risk management.” COSO has developed these two thought papers on enterprise risk management to provide more in-depth discussion on how senior management can strengthen risk management processes for strategic advantage. Both thought papers can be downloaded for free at www.coso.org, in addition to the executive summary of COSO’s Enterprise Risk Management – Integrated Framework (2004). ### About COSO Originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO comprises the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA). About NC State’s ERM Initiative The ERM Initiative in the College of Management at North Carolina State University is pioneering thought-leadership about the emergent discipline of enterprise risk management, with a particular focus on the integration of ERM in strategy planning and governance. The ERM Initiative conducts outreach to business professionals through executive education and hands-on advising, its internet portal (www.erm.ncsu.edu); research, advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives.

Cloud computing: Winners and losers - GCN.com

2009-10-27T15:07:25Z

Cloud computing: Winners and losers
GCN.com
'We will also need auditors who can learn that it's no longer about auditing a server, but a service,” he added. Soderstrom echoed concerns that a key ...

and more »

Fraud Risk Management Takes Center Stage - The Metropolitan Coporate Counsel

2009-11-02T14:28:14Z

Fraud Risk Management Takes Center Stage
The Metropolitan Coporate Counsel
Over the past several years, internal auditors have focused more on continuous auditing, a technology-driven process that automatically performs control and ...

Pfizer's Corporate Integrity Agreement & Compliance Officer Positioning Survey

2009-11-02T04:20:00Z

From the SCCE: In the recent Corporate Integrity Agreement between Pfizer and the Office of the Inspector General of the Department of Health and Human Services, Pfizer agreed that its Chief Compliance Officer will report directly to the CEO; will neither be nor be subordinate to the General Counsel or CFO; and will make periodic reports to the Audit Committee of the Board. Does it negatively

The Role of the Internal Audit in the Workplace

2009-10-31T22:23:01Z

Since the Sarbanes Oxley Act of 2002 , the role of internal audit in the workplace has increased significantly.

All about the IIA - ITWorld Canada

2009-10-30T16:06:42Z

ITWorld Canada

All about the IIA
ITWorld Canada
This week`s resource selections highlight iia's long-term effort to provide leading guidance to internal auditors and risk management professionals. ...

Software License Audits Come in Multiple Flavors

2009-09-18T04:00:00Z

There are several types of software license audits, each with their own risks and variables, experts say.

Deloitte Anjin Penalized for Auditing Miscues - Korea Times

2009-10-22T10:50:36Z

Korea Times

Deloitte Anjin Penalized for Auditing Miscues
Korea Times
At its latest meeting, the Securities & Futures Commission (SFC) penalized a total of eight companies including Leenos, the Seoul-based wireless technology ...

Certified Internal Auditor certification for internal auditors - Sunday Times.lk

2009-10-17T21:07:11Z

Certified Internal Auditor certification for internal auditors
Sunday Times.lk
Hence, The IIA offers Professional Recognition Credit for Part 4 (PRC-4) for qualified professional certifications. Established in 1941, The Institute of ...

IT governance emphasised by SA's accounting, auditing institutions - ITWeb

2009-10-22T07:13:36Z

IT governance emphasised by SA's accounting, auditing institutions
ITWeb
The South African Institute of Charted Accountants and ISACA SA signed a memorandum of understanding. The importance of IT governance was emphasised by ...

and more »

CFOs Credit Experience, Technology Systems with Trimming Sarbanes-Oxley Costs

2007-05-16T04:00:00Z

A new survey of CFOs says that companies are using experience and IT systems to cut Sarbanes-Oxley compliance costs, but that auditing services are still expensive.

License Audits: Preparing Now Can Ease the Pain

2009-09-18T04:00:00Z

Oracle licensing consultant Eliot Arlo Colon still remembers the enormous global publishing company that was "so darn confident" it would breeze through an upcoming software license audit unscathed.

Living with a Scarlet Audit Letter

2009-10-22T03:05:00Z

Given a going-concern qualification, companies struggle to defy their auditors' prediction that they won't survive the year.

Who Is In Charge Of Your Data? - Forbes

2009-10-20T10:00:28Z

Who Is In Charge Of Your Data?
Forbes
Fisher suggests that fraud would be detected much faster in most companies if data governance were better. The larger questions go to the heart of the ...

Unified Security Monitoring: The Business Benefits - Ron Gula, CEO, Tenable Network Security

2009-10-20T17:45:08Z

Unified Security Monitoring - it's all about transparency and efficiencies.

IFRS Returns to the Front Burner

2009-10-08T17:00:00Z

Leading the charge to convert the world to International Financial Reporting Standards, David Tweedie says many of the problems opponents cite are being addressed and resolved. Is he right?

Inside the EDPACS newsletter

2009-10-13T19:10:00Z

This week I’m highlighting EDPACS, a long time monthly IT audit and control newsletter, now into its 37th year of publication. A variety of freely available articles from their web site are presented below. The annual subscription cost is very reasonable and includes online access to more than ten years of articles.

Have another great week.

Dan Swanson

Note – in the interest of full disclosure I am the managing editor for EDPACS.

EDPACS (The EDP Audit, Control, and Security Newsletter)

For over 37 years, this monthly newsletter has supported the audit and control community with highly regarded guidance in the fields of audit, control, and security. In addition, EDPACS regularly explores current and emerging issues around IT governance.
http://www.informaworld.com/smpp/title~db=all~content=t768221793~tab=summary

Call for articles (EDPACS)
http://www.tandf.co.uk/journals/cfp/uedpcfp.pdf

The State of IT Auditing in 2007
Summing-up the state of such a broad professional field in just a few short pages is not easy so, in place of a thousand words, here is a picture. This article examines the state of IT auditing today, looking at issues such as pressures on the profession, characteristics of modern IT auditors plus the tools and techniques available to them, and ends by gazing into the crystal ball to see what might be coming next.
http://www.informaworld.com/smpp/section?content=a781163986&fulltext=713240928

Why is Security a Software Issue?
Software is everywhere. It runs your car. It controls your cell phone. It's how you access your bank's financial services, receive electricity and natural gas, and fly from coast to coast (McGraw, 2006). Many products, services, and capabilities within both the public and private sectors are highly dependent on software to handle the sensitive and high-value data on which people's privacy, livelihoods, health, and very lives depend. National security—and by extension citizens' personal safety—relies on complex, interconnected, software-intensive information systems—systems that in many cases use the uncontrolled Internet or Internet-exposed private networks as their means for communicating and transporting information. http://www.informaworld.com/smpp/title~content=g781166228~db=

Social Engineering Techniques, Risks, and Controls
This article describes typical social engineering threat sources and techniques, analyzes the associated information security risks, and outlines a range of preventive, detective, and corrective controls to minimize social engineering risks.
http://www.informaworld.com/smpp/title~db=all~content=g792909257~tab=toc

Database Access, Security, and Auditing for PCI Compliance
Now eight years into the aught decade, we ought to be proficient with the controls, monitoring, risk management, and governance needed to prevent and detect the debacles that ushered in the Sarbanes Oxley act of 2002. And we should have a pretty good idea how to protect against Internet attacks and identity theft. But while you are considering that, remember the “Billion Dollar Bubble” or Equity Funding scandal (the first major so-called computer fraud) was started in 1964 and brought the company down in 1973. And the first major electronic privacy legislation was the Privacy Act of 1974 following revelations of privacy abuse during the Nixon administration.
http://www.informaworld.com/smpp/title~db=all~content=g792909257~tab=toc

EDPACS Editorial Board
http://www.informaworld.com/smpp/title~db=all~content=t768221793~tab=editorialboard

A fistful of risk management resources

2009-10-05T19:23:00Z

This week I’m highlighting three leading risk management books as well as my three year summary of monthly columns for AuditNet and Jim’s internal audit newsletter, now into its 15 year!Finally, KARL is a very unique resource which will require hours and hours of study. Have another great week.

- Dan Swanson

AuditNet® Dan Swanson's Columns
Each month Dan Swanson, a senior security and internal audit professional provides his list of recommended resources for AuditNet readers. This link provides a 36 month summary of those columns. http://www.auditnet.org/dsarticles.htm

The AuditNet Internal Audit Newsletter
http://www.auditnet.org/auditnet-l.htm

AuditNet® Resource List

Widely recognized as the most comprehensive list of electronic resources for auditors and accountants available on the Internet via email, newsgroups, listserv, and the World Wide Web. KARL is available from many sites including the Argus Clearinghouse formerly known as the Clearinghouse for Subject-Oriented Internet Resource Guides. The Argus Clearinghouse provides a central access point for value-added topical guides which identify, describe, and evaluate Internet-based information resources.
http://www.auditnet.org/karlpage.htm

Some Summer Reading
Summer is a time of recharging, of planning for the future, of preparing for the next challenge.Summer is also a time to unwind and relax and spend time with the family.
http://www.auditnet.org/articles/DSIA200908.htm

International Business Continuity Program Management Summary Report
BC Management recently published the International Business Continuity Program Management Summary Report.This is a complimentary report that the entire BCM profession can benefit from.
http://www.bcmanagement.com/research/files/BCMIntlProgramMgmtBenchmarkingReportSummary.pdf

Auditing for Managers: The Ultimate Risk Management Tool
http://ca.wiley.com/WileyCDA/WileyTitle/productCd-0470090987.html

Enterprise Risk Management: A Manager's Journey
http://ca.wiley.com/WileyCDA/WileyTitle/productCd-0471745294.html

Auditing the Risk Management Process
http://ca.wiley.com/WileyCDA/WileyTitle/productCd-0471690538.html