Sunday, December 6, 2009

Internet Security Standards Setting Bodies

Internet Engineering Task Force (IETF) for TCP/IP, HTML, POP, SMTP, FTP, SSL, and more

International Telecommunications Union (ITU): X.273, Open Systems Network Layer Security, and X.509, Authentication Framework

International Standards Organization (ISO) ISO 17799

Institute of Electrical and Electronics Engineers (IEEE)

European Computer Manufacturers Association

Sunday, October 18, 2009

Business Lunch Tips for Auditors

1. Always place your napkin in your lap and use it as needed.
2. Always say please and thank you.
3. Don't eat too fast or too slow, try to stay in step with your host.
4. Always take modest portions and not heaping helpings.
5. If you don't like something just leave it on your plate.
6. Be polite and respectful at all times.
7. Never smoke at the table.
8. Never begin to eat until everyone at your table has been served.
9. Never slurp a drink, with or without a straw.
10. Never chew ice during a meal or at the table.
11. Never use toothpicks at the table.
12. Never get up and leave the table without first excusing yourself.

Friday, October 16, 2009

Cut Your Public Audit Bill

1. Bring bagged food to work to save on meals during working sessions with auditors.
2. Change procedures and processes only if you really have to; otherwise, don't change a thing.
3. Close books monthly on time.
4. How many sub-organizations do you really need? Limit organization units.
5. Anticipate what auditors will ask for.
6. USE INTERNAL AUDIT STAFF and get more audits done!!!!

Wednesday, October 14, 2009

Why Travel Light on Audits

#10: Nobody can steal your luggage
#9: Be more independent
#8: Extra time to get to the airport
#7: Volunteer to be bumped, with no worry about luggage arriving on the same flight
#6: Catch public transportation, with no suitcases to roll around among lots of people
#5: No waiting to collect luggage
#4: Avoid tipping
#3: Be environmentally friendly: less luggage means less weight to lift
#2: Avoid fees
#1: "Lost luggage"

Friday, September 25, 2009

Photo Evidence Audit

Check for:
  • Document title
  • Description
  • Description writer
  • Author
  • Title
  • Style
  • Keywords
Useful tools include Paint Shop Pro, Adobe Bridge, Photoshop, Lightroom, Exifer, and ExifToolGUI.
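The checklist above can be run against the metadata embedded in the image file itself. The following is an added example, not a tool from the original post: a minimal Python reader for a JPEG's EXIF APP1 segment that pulls out the title, description, author and keyword fields and reports which are missing. The sample image bytes are constructed in the code; real evidence files also carry XMP/IPTC blocks, which tools such as ExifTool read and this reader does not.

```python
"""Check the descriptive metadata of a photo used as audit evidence.

Added example, not from the original post: a minimal reader for the EXIF
APP1 segment of a JPEG that pulls out the fields the checklist names
(title, description, author, keywords) and reports which are missing.
It reads IFD0 only; real files also carry XMP/IPTC blocks, which tools
such as ExifTool handle. The sample image bytes are constructed here."""
import struct

# TIFF/EXIF tag IDs for the checklist fields (TIFF 6.0 baseline tags and the
# Windows Explorer "XP" tags, which hold UTF-16LE text regardless of byte order)
EXIF_TAGS = {
    0x010E: "ImageDescription",   # Description
    0x013B: "Artist",             # Author
    0x0131: "Software",           # Editing tool that wrote the file
    0x9C9B: "XPTitle",            # Title
    0x9C9E: "XPKeywords",         # Keywords
}
REQUIRED = ("ImageDescription", "Artist", "XPTitle", "XPKeywords")
XP_TAGS = {0x9C9B, 0x9C9E}


def _ifd0_fields(tiff, order):
    """Return {field: text} from IFD0 of a TIFF blob; `order` is '<' or '>'."""
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header in EXIF segment")
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    fields = {}
    for i in range(count):
        ent = ifd_off + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(order + "HHI4s", tiff[ent:ent + 12])
        name = EXIF_TAGS.get(tag)
        if name is None or typ not in (1, 2, 7):   # BYTE, ASCII, UNDEFINED: 1 byte each
            continue
        # Values of four bytes or fewer are stored inline; longer ones via an offset
        if n <= 4:
            payload = raw[:n]
        else:
            (off,) = struct.unpack(order + "I", raw)
            payload = tiff[off:off + n]
        codec = "utf-16-le" if tag in XP_TAGS else "latin-1"
        fields[name] = payload.decode(codec, "replace").rstrip("\x00")
    return fields


def exif_fields(jpeg):
    """Walk the JPEG marker segments and parse the first Exif APP1 segment found."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or start of scan: no more headers
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            tiff = body[6:]
            return _ifd0_fields(tiff, "<" if tiff[:2] == b"II" else ">")
        pos += 2 + seg_len
    return {}


def audit_image_metadata(jpeg, required=REQUIRED):
    """Return (fields found, checklist fields that are empty or absent)."""
    found = exif_fields(jpeg)
    missing = [f for f in required if not found.get(f, "").strip()]
    return found, missing


def build_sample_jpeg(fields):
    """Constructed test input: JPEG SOI + one little-endian Exif APP1 segment + EOI."""
    n = len(fields)
    data_start = 8 + 2 + 12 * n + 4       # TIFF header, count, entries, next-IFD pointer
    entries, values = [], b""
    for tag, text in sorted(fields.items()):
        if tag in XP_TAGS:
            typ, payload = 1, text.encode("utf-16-le") + b"\x00\x00"
        else:
            typ, payload = 2, text.encode("latin-1") + b"\x00"
        if len(payload) <= 4:
            raw = payload.ljust(4, b"\x00")
        else:
            raw = struct.pack("<I", data_start + len(values))
            values += payload
        entries.append(struct.pack("<HHI4s", tag, typ, len(payload), raw))
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", n)
            + b"".join(entries) + struct.pack("<I", 0) + values)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed evidence photo: keywords deliberately left out so the check flags them
SAMPLE = build_sample_jpeg({
    0x010E: "Server room cabinet B, rear cabling",
    0x013B: "J. Auditor",
    0x0131: "v1",
    0x9C9B: "Evidence photo 17",
})

if __name__ == "__main__":
    found, missing = audit_image_metadata(SAMPLE)
    for name, value in found.items():
        print(f"{name:17}: {value}")
    print("missing:", ", ".join(missing) or "none")
```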

Tuesday, September 15, 2009

Lava Lamp for Auditors

Generate findings about the future. You cannot change yesterday.
If you wish to remember some facts, try intensely to forget them.
Auditing skills promote full employment for auditors.
If you laid all your sampling tests end to end, would they reach a conclusion?
Get your facts first, then you can properly arrange them.
An audit is just a flurry of activity without a program.
Audit opinions are plenty, implementations can be expensive.




Sunday, September 13, 2009

Develop Your Own Voice as Auditor

Start with a clean slate. Determine your own moral conduct and practice sticking to it.

Stop over-analyzing what everyone else thinks! You cannot please everyone, and you cannot live only in your head all the time.

Search for and find your own reasons to help others through auditing.

Audit your own goals, attitudes, and resentments by asking yourself every question in the "book."

Write down your own reasons for being passionate about auditing. When you write things down you automatically reflect; remember all those written "to do" lists that did get done.

Don't just file it away; act on your reasons to be great at auditing.

Don't worry about the dead ends. Just back up and move forward.

Saturday, September 12, 2009

Achieve Happiness As Auditor - Yes You Can

1. We don't have enough annoying strangers in our lives. We block annoying people and lose the ability to handle annoyance. Find annoying people and refresh your coping skills.

2. Don't forget to keep around a few annoying friends. It will sharpen your skills in dealing with incompatible people, and help you function in a world full of people not like you.

3. Texting is for thumb people. Studies show that over 40% of what you write in emails is misunderstood.

4. Online friends don't exist in the 3D real world. Only 7% of interpersonal exchange takes place through words; the remaining 93% is non-verbal. We know that we exist, and who we are, by seeing ourselves in the mirrors of other people's eyes.

5. No real friends, no spontaneous criticism, and we miss it. Indirect forms of communication are a great way to avoid being honest, by having the time to choose and craft words. We need the quirks, humiliations, and vulnerabilities that only real friendships provide.

6. Media negativity does affect us. After constant negative spins on just about everything, we feel at odds with the rest of the world. As Mark Twain said, turn off all the news and be happy. Almost no news will really affect your life, and what does affect it, you won't be able to change anyway.

7. We feel less because we have less (friends). All these online friends don't place demands on us. BUT we were wired to help and take care of others. We are a product of social interactions, so we need to be connected in real life, not through flat-screen monitors. Find a way to do something simple but physical to help someone else. It really works.

Saturday, September 5, 2009

Scoring Risks

  • The adequacy of internal controls
  • The potential threats from transactions
  • History of problems with system or application
  • IT architecture and data classification: is there a match?
  • The physical and logical security of information, equipment, and premises
  • The adequacy of operating management oversight and monitoring
  • Human resources, including the experience of management and staff, turnover, technical competence, management’s succession plan, and the degree of delegation
  • Senior management oversight and appropriate governance

Great New Email Functions

  • Undo sent message
  • Snooze this message
  • Reply to selected text
  • Smart reply templates
  • Attachment reminders
  • Language-based filtering
  • Usage trending
  • Related message search

Friday, September 4, 2009

5 Key IT Skills Worth Having

1. Python
2. Java
3. Lisp
4. C/C++
5. Unix-family O/S familiarity

Knowing enough syntax to read code would be helpful for some IT auditors.

Thursday, September 3, 2009

Signs You Should Charge More in Consulting Fees

Is that your daily or hourly rate?
They have new jobs after you finish this one.
You work and still get poverty assistance.
Hey, any catch with your quote for the job?
Here you go, I have enough cash on me to pay you.
You have no friends among consultants.
You are hired without even telling them how much you charge.
As you can't get all the work done, you live on cola and pizza.
You get jobs from overseas outsourcers.

Measuring Fraud Drivers - Yes, It Can Be Done

Greed: Average income compared with the number of people living below the poverty line.
Envy: Total thefts (robbery, burglary, larceny, and grand theft auto) per capita.
Wrath: Number of violent crimes (murder, assault, and rape) per capita.
Sloth: Expenditures on art, entertainment, and recreation compared with employment.
Gluttony: Number of fast-food restaurants per capita.
Lust: Number of STD cases reported per capita.
Pride: Aggregate of the other six offenses, because pride is the root of all sin.

Feel free to add these measures to a dashboard.

Web site Content Hell

You know that you are IN HELL when you see:
  • hit counters
  • guestbooks
  • stale links
  • pages forever under construction
  • pointless vanity pages
  • advertisements from hell
  • no email address for feedback
  • unstable extensions
  • broken HTML
  • blinking text
  • gratuitous animation
  • marquees
  • garish backgrounds
  • unreadable text/background combinations
  • "Best viewed with..."
  • pop-up windows
  • menus made entirely from image maps
  • background MIDI, Flash, Shockwave

Becoming a Hacker

1. Love to solve difficult problems
2. Don't bother trying to solve a previously solved problem: no glory
3. Hate boredom and repetitive work?
4. Love freedom without borders?
5. Forget attitude, impress with competence.
6. Get a really cool shirt at the next Def Con in Las Vegas (usually in August)

Wednesday, September 2, 2009

Compliance Program Key Elements

1. Corporate Compliance Officer & Compliance Committee
2. Written updated policies and procedures
3. Training and education programs
4. Effective lines of communication
5. Published standards and disciplinary guidelines
6. Auditing and monitoring processes
7. Documented response to offenses
8. Development of corrective action plans

Monday, August 31, 2009

Involving the Right Departments in Compliance Issues

Employee mistreatment: HR, Compliance/Ethics
Accounting irregularities: Audit Committee, External/Internal Auditors, Compliance
Fraud: Internal Audit, Loss Prevention, Risk Management, Compliance/Ethics
Workplace violence: Security, Operations, Legal, HR
Employee theft (other than by head-hunters): Loss Prevention, HR

Ethics: The Federal Sentencing Guidelines for Organizations

Written standards of ethical workplace conduct
Means for an employee to anonymously report violations of ethics standards
Orientation or training on ethical workplace conduct
A specific office, phone line, e-mail, or Web site so that employees can get ethics advice
Evaluation of ethical conduct as part of regular performance appraisals
Discipline for employees who commit ethics violations

Sunday, August 30, 2009

Compliance Committee Key Issues

1. Communicate with outside auditors
2. Review reports on internal controls
3. Examine all external reporting
4. Read internal audit reports
5. Evaluate internal audit activities, budget, staffing, and responsibilities
6. Consider all inquiries from external sources (including governmental)
7. Deal with all related party transactions and conflict of interests
8. Update conduct and ethics statements
9. Assess compliance program, including corporate communications.
10. Obtain input from Legal, Compliance, Board, and Internal Audit on compliance issues.

On Blogging by "mother of the blog revolution"

Friday, August 28, 2009

Deal with Human Component As Security Threat

Implement the principle of least privilege
Control the use of portable devices on the network
Trust employees, but not too much
Monitor network activity and audit who is doing what
Watch out for curious pokers into network and data security configurations
Determine your single point of failure
Physical security--no compensating controls here.

Wednesday, August 26, 2009

Audit Vulnerability

  • Get raw information from people in crucial information-flow areas.
  • Get beyond surface concerns to the real worries.
  • Analyze information for gaps and inconsistencies.
  • Determine where the weakest links are.
  • Develop a list of potential threats and their impacts.
  • Communicate findings with change recommendations.
  • Focus on the most likely threats and risks.

Frequent QAR Findings In Internal Audit Departments

  • Internal Audit Charter does not exist, is out of date, or not appropriate for the organization
  • No on-going formal, consistent, self-assessments
  • Limited input to the corporate governance and IT governance process and compliance assurance
  • Hazy or improper reporting lines
  • IT audits that are too technically oriented, missing the overall control framework context
  • No effective continuing education opportunities and skills development
  • Poor time tracking and remediation follow-ups
  • Lack of adequate formal audit planning and soliciting management's input on key risks
  • Poor audit planning and approval documentation

Friday, August 21, 2009

Social Audit of Public Companies

1. Align the nature of the audit to match the social criteria to be audited (simple, but here problems occur)
2. Determine your culture's social and human focus initiatives and priorities
3. Link social obligations to corporate mission, culture, and responsibilities
4. Assess what problems you may face on a social audit: what you control and what you don't
5. Determine the framework and methodology to use for the audit
6. Determine the framework and methodology to use for comparison to actual practices
7. Conclude with an "integrated audit"; integrated here means covering both key issues and peripheral concerns

Friday, August 7, 2009

Total Risk Management Program

Define the Risk Management Framework
Specify boundary conditions and data input needed for predictive analysis
Select time scope for evaluation, and conditions to be measured
Establish an acceptable results range, and what is outside of it
List relevant predictors for the condition tested
Determine the cause for the risk condition
Measure the conditions identified, and attempt to determine any value associated with them
Decide on the risk response to identified risk condition
Evaluate your "risk margin" and what risk to transfer
Choose between lowering threats (risks) and potential opportunities foregone.

Don't forget to have fun, while doing this.

Security When Facing Reduction In Force

  • Check access and system logs often
  • Secure weak spots, like "back door" facilities
  • Inspect physical access controls, wake them up if you have to
  • Examine existing change controls
  • Remove asset access promptly
  • Inventory IT assets and track equipment returns
  • Activate available audit trail recording features

Internal Risk Management

IRM = Management of the “Insider Threat”

“Insider Threat” = Risk from the actions of an insider

Malicious Insider = Current or former employees or contractors who:

– intentionally exceeded or misused an authorized level of access to networks, systems, or data, and

– affected the security of the organization's data, systems, or daily business operations

FMS: Financial Management System

Well, it is an information system, but one consisting of one or more applications, used to

a. Collect, process, maintain, transmit, and report data about financial transactions
b. Support financial planning and budgeting
c. Store cost information
d. Aid in financial statement preparation

It is usually integrated with the main corporate application, or is a module within it. If a separate vendor's product is used, it talks to the main applications through some middleware.

Thursday, August 6, 2009

Internal Audit Bread and Butter Issues

Leadership - align with strategies
Strategic Management - map to corporate objectives
Decision Making - your employees can help with the budget
Executive Compensation - tax increases are coming?
Risk - fraud risk; risk management process
Analytics - the audit x-ray machine
Control Environment - stake claim to this turf
Automation - would be nice if it existed; now, just faster bicycles
IT Security - BCP, BRP, etc, etc...

Sunday, August 2, 2009

Letterman - Top Ten Things I've Learned From Being An Accountant

http://www.youtube.com/watch?v=VWIlHl3j7CQ

This is really good

New Audit Tool - Free - Get It

THIS IS AN ARTIFICIAL INTELLIGENCE TOOL THAT CAN BE USED FOR AUDITING AND ANALYSIS

The Dispute Finder Firefox Extension highlights disputed claims on web pages you browse and shows you evidence for alternative points of view. Watch the Videos to learn more.
Use this web interface to tell Dispute Finder what snippets to highlight and what evidence to present for alternative viewpoints. You can create a new disputed claim, mark new instances of a claim on the web, and add evidence that supports or opposes a claim.

http://disputefinder.cs.berkeley.edu/

Whatever you are evaluating, get the opposite opinion. This just came out, and they are planning additional upgrades.

Friday, May 8, 2009

PPF: Professional Practice Framework from the IIA

Describe basic principles that represent the practice of internal auditing as it should be;

Provide a framework for performing and promoting a broad range of value-added internal audit activities;

Establish the basis for the evaluation of internal audit performance; and

Foster improved organizational processes and operations.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Principles: Internal auditors are expected to apply and uphold the following principles:

Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

Wednesday, May 6, 2009

End Of Audit Tips

Auditors will arrange an exit meeting to discuss status and findings.
When exceptions are detailed, determine the remediation deliverables.
Examine the audit report in detail and in a timely manner.
Ask for input when implementing changes.
Communicate remediation target dates. The corrective action deadlines may vary depending on the severity of the noncompliance.
Ask for feedback on the level of support provided to the auditors.

Monday, May 4, 2009

How To Help Auditors

Be professional at all times. All differences of opinion can be resolved.
Avoid being judgmental.
Follow all documented and required procedures.
Make sure that you understand the purpose of the audit.
Ask questions or discuss compliance problems if attention is required.
Be flexible: for any potential problem not within the scope of the audit, evaluate the potential risks of leaving it unaddressed.
Communicate with the auditor as often as needed.

Saturday, May 2, 2009

Audit Survival Tactics

Know what you are being audited for. Make sure you contact the auditor assigned to your audit before he/she comes into your facility. Be clear with the auditor on what will be audited, and what kind of support you will have to provide.

Do your own pre-audit. Use an internal audit program. Look for accountability from management to assure that all issues found during your internal audit are corrected using good “root-cause” corrective actions.

Use the same checklists or requirements that the auditors may use.

List previous findings. Examine findings from all your previous audits. Make sure everything which was found previously has ceased to be a problem.

Make sure everyone in your area knows the appropriate procedures.

Provide documented objective proof for compliance to your policies and procedures.

Friday, May 1, 2009

Tips Before an Audit

• Establish the authority of the audit team to increase cooperation.
• Check the scope, area of focus, frequency, and resources, both IT and internal.
• Communicate your audit plans.
• Just what is the objective? Regulatory compliance, QA, adherence to policies?
• Share audit plans, purposes, and scope of the audits with audit staff.
• Determine what standards, policies, and procedures will be used for comparisons.
• Document in detail what documentation and reports you will use.
• Have a wonderful and exciting opening meeting with the auditees.

Thursday, April 30, 2009

PCI Security Milestones

Best practices for protecting against the highest risk factors and escalating threats facing cardholder data security:

· Milestone One: If you don’t need it, don’t store it

· Milestone Two: Secure the perimeter

· Milestone Three: Secure applications

· Milestone Four: Monitor and control access to your systems

· Milestone Five: Protect stored cardholder data

· Milestone Six: Finalize remaining compliance efforts, and ensure all controls are in place

Thursday, April 23, 2009

PCI Compliance Standards

PCI Data Security Standard (PCI DSS) from PCI Security Standards Council (TM)

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Wednesday, April 22, 2009

IT Security Matrix for Compliance

Create a matrix of controls on top and security layers on the left. When listing security layer or element, also identify whether it is a preventive or detective control. Control listings and security architecture maps should help.

Use clear, green, yellow, and red to identify which layers/control types completely meet, partially meet, or do not meet the control requirements across the top. The deliverable will be a control assessment.

In some cases, two or more controls may provide a partial protection individually, but together may meet fully the control requirements.

Check to see if there are unnecessary controls, and analyze to identify where a single layer may address a control cluster.
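As an added example (not from the original post, with constructed layer and requirement names), here is a Python script that scores such a matrix the way the post describes: it colours each requirement, treats two or more partial layers as combining to full coverage (a simplification the analyst still confirms case by case), and lists both redundant full coverage and layers that address a whole cluster of requirements.

```python
"""Score a control-assessment matrix: security layers down the side, control
requirements across the top, each cell rated partial, full, or clear.

Added example, not from the original post. Layer names, requirement names and
ratings are constructed. The rule that two or more partial layers combine to
full coverage is a simplification; an analyst confirms each such case."""

PARTIAL, FULL = 1, 2

# Constructed matrix: layer -> (control type, {requirement: rating}).
# A requirement absent from a layer's row is a clear cell (not addressed).
MATRIX = {
    "Network firewall": ("preventive", {"Restrict inbound access": FULL,
                                        "Log access": PARTIAL}),
    "Host IDS": ("detective", {"Log access": PARTIAL,
                               "Alert on anomalies": PARTIAL}),
    "Disk encryption": ("preventive", {"Protect stored data": FULL,
                                       "Protect backups": FULL}),
    "Backup encryption": ("preventive", {"Protect backups": FULL}),
}
REQUIREMENTS = ["Restrict inbound access", "Log access", "Alert on anomalies",
                "Protect stored data", "Protect backups", "Train staff"]


def layers_rated(matrix, requirement, rating):
    """Layers whose cell for `requirement` carries exactly `rating`."""
    return [layer for layer, (_, row) in matrix.items()
            if row.get(requirement) == rating]


def assess(matrix, requirements):
    """Colour each requirement: green when one layer meets it fully or two or
    more partial layers combine; yellow for a single partial layer; red for none."""
    result = {}
    for req in requirements:
        full = layers_rated(matrix, req, FULL)
        partial = layers_rated(matrix, req, PARTIAL)
        if full:
            result[req] = ("green", full)
        elif len(partial) >= 2:
            result[req] = ("green", partial)    # combined partial coverage
        elif partial:
            result[req] = ("yellow", partial)
        else:
            result[req] = ("red", [])
    return result


def redundant_controls(matrix, requirements):
    """Requirements met fully by more than one layer: candidates for the
    'unnecessary controls' review (or deliberate defence in depth)."""
    redundant = {}
    for req in requirements:
        full = layers_rated(matrix, req, FULL)
        if len(full) > 1:
            redundant[req] = full
    return redundant


def cluster_layers(matrix, min_size=2):
    """Layers that on their own fully address a cluster of requirements."""
    clusters = {}
    for layer, (_, row) in matrix.items():
        met = [req for req, rating in row.items() if rating == FULL]
        if len(met) >= min_size:
            clusters[layer] = met
    return clusters


def render(matrix, requirements):
    """Plain-text matrix: one row per layer with its control type; cells are
    F (full), P (partial) or - (clear)."""
    mark = {FULL: "F", PARTIAL: "P"}
    head = "layer (type)".ljust(30) + " ".join(r[:8].ljust(8) for r in requirements)
    lines = [head]
    for layer, (kind, row) in matrix.items():
        cells = " ".join(mark.get(row.get(r), "-").ljust(8) for r in requirements)
        lines.append(f"{layer} ({kind})".ljust(30) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(MATRIX, REQUIREMENTS))
    for req, (colour, layers) in assess(MATRIX, REQUIREMENTS).items():
        print(f"{colour:6} {req}: {', '.join(layers) or 'no layer'}")
    print("redundant:", redundant_controls(MATRIX, REQUIREMENTS))
    print("clusters:", cluster_layers(MATRIX))
```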

Tuesday, April 21, 2009

Audit TCP/IP Infrastructure

• Review network policies and procedures
• Analyze network diagrams (layers 1 and 2), design, and walk-through, the list of network equipment, and the IP address list
• Verify diagrams with ping and traceroute
• Review utilization, trouble reports, and help desk procedures
• Probe systems using scanning tools
• Verify network vendor oversight, user support, and network technician services
• Review software settings on network equipment
• Inspect the computer room and network locations
• Evaluate back-up and operational procedures

Monday, April 20, 2009

WLAN and Wireless Compliance

Review the FCC Part 15 regulatory requirements.

http://www.fcc.gov/oet/info/rules/part15/part15-91905.pdf

It covers various emission guidelines and regulations, focusing on unlicensed transmissions such as low-power broadcasting. 802.11x wireless LAN (e.g., "Wi-Fi") at 2.4 GHz and 5 GHz (U-NII) falls under this regulation.

Include compliance requirements as appropriate in your WLAN and wireless compliance reviews, recommendations, and proposed documented policies, procedures, or internal standards.

Third-party BCP Impact Audit Scope

Vendor contract obligations
Defined cut-over procedures
Risks to shared facilities and overall availability
Data backups and storage
Hardware and application availability
Access security controls
Facility and environmental controls
Time frames for acceptable off-site processing

Sunday, April 19, 2009

Security and Audit - Improve the Relationship

Document everything. List your measures to reduce risk, and decisions to accept risk, when flexibility or potential benefits dictate it.

Good controls should be part of the process, not afterthought insertions. They address compliance requirements and enhance security. Monitor them through metrics.

Design and implement best practices that fit your infrastructure; then, track through measurable performance metrics.

Be prepared to prove your assessment of the effectiveness of the controls framework and mitigating factors.

Saturday, April 18, 2009

Audit Healthcare Provider Fraud Schemes

Billing for services not performed
Documenting non-covered treatments as covered
Recording diagnosis and treatments based on what is covered
Performing more care than necessary
Coding for higher-paying services than were performed
Misstating services performed
Pretending to be a health care worker to bill
Un-bundling services and coding

Thursday, April 16, 2009

Guess What's On Your Hard Drive

In addition to documents, graphics, and sound files, there are

Internet Browser History Files
Temporary Internet Files
Automatic Backup Files
Power Saver Functions
Data about your data files
Unique Identifiers
Virtual Memory and Swap Files
Temporary Files
Spooled Files

Plenty of data for forensics and privacy issues.

Internal Audit Essential Objectives

Learn and know the business supported by processes

Adapt auditing appropriately to the environment

Upgrade audit skills inventory for effective performance

Wednesday, April 15, 2009

What Corporations Want from Internal Auditors

Appropriate scope of audit activities
Input in risk mitigation
Efficient and effective periodic internal control assessments
Value-added improvements in processes and error reductions
Help with cost reductions
Providing appropriate assistance in achieving compliance
Assistance in fraud prevention, detection, and evaluations
Help with financial statement assurance

Role of an Internal Auditor

Tuesday, April 14, 2009

Mistakes Responding to Auditors

Misreading what the auditor is asking or asking for

Not fully understanding the scope and implications of auditor inquiries

Forwarding documents to auditors with obvious errors

Responding with the wrong policy or procedure documents

Being distracted or confused by auditor's multiple requests

Not providing relevant information because areas applicable to a request were eliminated

Not having detailed knowledge of the specific test area, and not asking for appropriate help

Attempting to respond to auditors by guessing or using intuition

IFRS Impact on Audit

Analyze the adequacy and appropriateness of identification of gaps between US GAAP and IFRS

Determine whether proposed internal control changes are aligned with the identified gaps.

Review current policies and documented processes to assess alignment

Analyze whether information gathering processes will support the new data requirements

Evaluate any workarounds to meet compliance requirements, resulting from lack of adequate information system integration of data collection processes

Review transition plans for risks and adequacy of testing

Determine whether adequate backup plans exist, and how backward compatibility will be maintained (this could be the sticky one)

Current Compliance Challenges

Companies operating in more than one state, country, or continent, face multiple and diverse regulations.

Developing coherent compliance strategies and policies becomes a challenge because of the diversity of regulations and potential conflicts among these regulations in different markets.

This creates a form of risk for corporations attempting to develop efficient and effective strategies to meet their obligations.

Friday, April 10, 2009

Improve Internal Audits

As with zero-based budgeting, determine what audits to perform; don't just repeat last year's

Envision the potential value of recommendations, to ensure that higher-value areas are covered

Define audit objectives in detail to avoid over-extending resources

Use established formats for every audit process step to slow the flurry of emails

Risk assessments should use process owners' input

Audit tools are fine as long as auditors understand what is obtained and the tools' limitations

False positives are not the only audit-tool problem: are things really fine if no exceptions show up?

Audit findings should be meaningful, not just enough to fill up a report

Just What Is Internal Auditing?

Getting back to basics reminder:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”*


* The International Standards for the Professional Practice of Internal Auditing
promulgated by the Institute of Internal Auditors

Thursday, April 9, 2009

Develop High-Performance Audit Teams

1. Communicate confidence in your auditors. It will promote creative problem solving and independent decision making.

2. Let everyone in on what's going on. When changes happen, no one will be surprised. Ask for help and input when struggling with your decisions. Everyone appreciates the opportunity to add insight to important decisions. Hey, it also helps to build consensus.

3. Focus on obstacles and objectives. Not everything turns out as planned, but great teams shine by how they adjust to unforeseen changes.

4. Relax, you don't need to know everything. Let everyone share their experience and provide facts, analysis, and recommendations.

5. Get to know them and their goals, interests, and passions. For one thing, you will be able to connect what needs to be done to those persons and interests, and increase effectiveness and efficiency.

Wednesday, April 8, 2009

Fast-track BCP Steps

1. Assess business impact of a disaster, using process owners, and prioritizing operations

2. Know your data and ensure that it is protected, testing to ensure compatibility of restores

3. Check the UPS choices for your key servers, networks, ensuring that essential apps will be up

4. Document all, including your testing and changes to underlying process support

5. Develop communication duplications, assuming that what you rely on will fail

6. Be able to provide management with choices and costs, to permit the right decisions to be made in a timely manner

Tuesday, April 7, 2009

Audit Team Effectiveness Criteria

When evaluating audit team performance within a team-oriented corporate culture, consider rating on the following items:

- Results that match goals and objectives
- Employing available resources effectively
- Developing cooperative relationships that enhance conflict resolution
- Bringing new insights and finding improved methods
- Developing appropriate team roles and responsibilities
- Ability to handle various organizational levels and interpersonal challenges
- Group effectiveness in decision-making and responding to unforeseen developments
- Being seen as providing added-value leadership on key issues
- Adherence to established internal audit processes

Monday, April 6, 2009

Computer Forensics Can Do

1. Who accessed what information and when
2. Who created/edited/deleted what and when
3. What documents were copied, and to what device
4. What was the content of communication between employees and outsiders
5. What other out of policy acts were attempted by the use of information systems

Saturday, April 4, 2009

Privacy Compliance

Privacy, the current focus for corporations, presents a new set of potential liabilities that have to be addressed by audit and information security. Worse yet, this complex set of issues is not being handled by general control reviews, SOD, access, or even accounting controls.

Privacy policies, if in place, have to encompass various requirements, such as those for PII, some of which seem almost contradictory. Generally, privacy is the safeguarding of information that can be identified with a person. The right to privacy implies ownership rights to one's own personal data.

For organizations, the concern is how to define, protect, and respond to privacy issues. Thus, auditors need to determine whether privacy-related information handling meets the various privacy requirements.

A good starting point is to examine the current privacy statements, especially those sent to customers, and trace back to ensure that what is promised is adequately covered by policies, procedures, and actual practices. This helps avoid potential false and deceptive business practices issues arising from not actually doing what has been promised to customers.

Friday, April 3, 2009

Comply While Centralizing Information and Data

Centralizing data allows access from wired, wireless, and portable devices. Check the following to make sure the controls cover it.

Know your data and its location. Map the data and the applications that handle it, and make sure owners are identified as data moves from one application to another.

Examine security for your own and vendor-kept data. Check third-party vendor contracts for security specifications, and verify access controls over in-house data.

When putting all your data in a single basket, watch the power flowing to it. Examine the potential for power disruptions and the protection against them.

Monitor activity. Review vendor performance reports and your own usage statistics, compare them with the agreed service levels, and trace those service levels back to the vendor contracts to determine whether the contracts adequately address performance.

Above all, have fun.

Thursday, April 2, 2009

This News Just In ! ! !

Looks like we are moving into recovery. As always, experts are surprised.

How Not to Misunderstand an Auditor

Understand the question in terms of the applicable context.
Get a clear idea of what is to be delivered (the deliverable).
Provide only the appropriate documentation.
Check for errors on all documents provided, and keep a list of what was given.
Avoid being distracted by multiple requests when completing a specific request.
Don't overlook appropriate and relevant information.
If you don't understand what to provide, ask those who know more details.
Pay attention to the wording of requests, leaving intuition for picking lotto numbers.

Wednesday, April 1, 2009

Spot the Exception

(Answer: it's the fox in the middle)

Policy & Procedure Tactics

Promote commitment to compliance by developing, and living by, compliance policies and procedures, focusing on specific areas in response to audit findings or other new requirements.

1. Baseline Policies: Review existing policies and create an initial list of baseline compliance policies that will be maintained.

2. Issue-Specific Policies: Determine whether any new issue-specific policies need to be created.

3. Other Existing Policies: Decide which existing policies that are not compliance policies should be reviewed with legal counsel for compliance.

4. Annual Policy Review: Each year, review all compliance policies and procedures and determine whether any of them require revision or updating.

Prepare the first draft of the baseline and issue-specific compliance policies and procedures, as well as revisions to existing policies. Submit the first draft for the appropriate approval. Ask for feedback on each draft policy, as a redlined copy or as comments, within a week of receipt of the draft. Then have the right approval group review and authorize the revisions.

Tuesday, March 31, 2009

Surviving Stress of Organizational Change

Only you can reduce your stress

As companies have to change, make your own adjustments to stay relevant

Whatever is going on, it is the reality, so decide to move on

Look how pressures and priorities have changed, so play by the new rules

Align with an organization that changes, even if painfully; low-stress organizations give short-term comfort but may not survive

Some things are well beyond personal control, so there is no use trying to change what you cannot

When deciding on personal change, keep up the needed pace, so as not to lag behind

Reengineer what is under your scope, to meet current or new goals, eliminating the rest

Increase pace to maximize your personal productivity

Stop spending time worrying; be productive today and create your own future today

Make sure that you take on only as much as you can handle

Develop desire, passion, and love for your job, and stay romantically involved. Much of your life is spent there.

Find new assignments where you can grow, don’t just stay in your limited comfort zone

Life would be unbearably boring if you knew how everything ends. Enjoy uncertainty and instability, as they give the spice to life.

Organizations have to answer to many stakeholders, so they may not be able to look out for you as much as we all hope.

Example of Partial Compliance

As with a speed limit: you are either under the limit or over it.

How To Talk To Auditors

Like any other interaction at work, a professional and trusting relationship is needed for a successful collaboration.

By interacting with the auditors in a professional manner, you signal to the audit team that its function is respected and supported.

Expect professional interaction from the audit team as well, and push back whenever there is an exception to this practice.

To contribute to a successful and accurate audit report, be receptive to the auditors' observations and the audit team's recommendations.

Be firm when discussing anything you see as incorrect in their observations, so that there are no misunderstandings.

Keep in mind that you, and not the auditors, are responsible for defining and implementing solutions to issues found in the audit. Everyone will benefit from a cooperative, collaborative audit process that respects the independence and discretion of all participants.

Of course, auditors should listen to process management. And for its part, process management should encourage staff to be open and honest with auditors.

Monday, March 30, 2009

Corporate Compliance Goals Include:

Meet all federal, state, and local governmental laws, regulations, and guidelines pertaining to proper documentation for all processes and services provided.

Monitor the strengths and weaknesses of the documentation processes followed for all operations, and develop means to prevent and detect any improper acts or practices.

Develop a culture promoting prevention, detection, and resolution of exceptions that do not conform to federal and state law and public and private requirements.

Show and communicate the commitment to the compliance process.

Provide a central place for information and guidance on relevant federal and state statutes, regulations, and other requirements.

Let everyone know that they are expected to report non-compliance issues, and what the consequences of not complying are.

Develop mechanisms for handling any regulatory investigation or audit.

Keep a record of all due diligence performed to comply with regulations, rules, and internal policies.

How Vague or Transparent Should Auditors Be?

Consider an auditor as a corporate leader. Then, how does being realistic or pessimistic affect the audit communication process and the auditor's effectiveness?

Being vague or diplomatic can preserve relationships long after audit findings are remediated. But as a leader, an auditor facing hard facts about a lack of compliance may need to communicate the causes of the low level of performance, and that can reframe the problem into a more pessimistic and less remediation-oriented one.

An auditor in a leadership role has to balance the need for productive relations within the organization against a frank assessment of conditions. The concern, of course, is that by the way exceptions are framed, an auditor may be creating a self-fulfilling prophecy, positive or negative.

What are your thoughts or experiences regarding this?

Sunday, March 29, 2009

Auditors Favorite Laws & More

- You will always find something in the last place you look.
- If you are looking for more than one thing, you'll find the most important one last.
- You will always get all the credit for the dumb audit finding or recommendation.
- When things are going right, you won't notice errors, so listen carefully to those being audited
- You only don't understand what you are auditing if you admit it.
- The glass is always full, half with water and half with air.
- You can't reason with Operations people who used to be auditors.
- Every audit finding is replaceable with a bigger finding.
- Whenever you make a finding, you will always find much more that needs to be fixed.
- The probability that you find something wrong is directly proportional to the square of the amount of inconvenience it can cause you during the exit conference.
- No degree of acceptance of audit findings can equal actual remediation of issues
- If things really look good, watch out, there is polyester over your eyes.

IF YOU ARE NOT ALWAYS CONFUSED, YOU ARE NOT IN TOUCH WITH REALITY
So stay confused, it's more fun that way.

Risk Assessment? What's Your Framework?

Consider, if you will,

- Company culture
- Corporate objectives and strategies
- Level of complexity of organizational processes, as they will be analyzed
- Competitive fit for the entity and availability of resources
- Organization chart of the entity's units, to ascertain the level of organizational complexity
- Key processes, transaction types, way of measuring business activities
- Hungry? What's your risk appetite and risk tolerance?
- So, do you have skills and staff and time to get it all done? Congratulations.

Let me know how it turns out.

(the answer is ERM COSO and CobiT, but you knew that)

Become Audit Proof

- Know your business strategy and goals, make sure your controls support them
- Identify your key business processes, as these are the skills your organization sells
- Protect your key business processes through BCP/DR
- Verify and document process changes
- Risk map your processes and verify that your key controls actually are the key controls
- Consider automating processes to eliminate risks, without causing new weaknesses
- Identify sensitive data, checking for Personally Identifiable Information (PII)
- What will you do when customer data is lost or stolen? Have a detailed plan.
- Document your areas of process ownership to avoid misunderstandings about responsibilities
- Above all, attempt to work together with auditors, enjoying the helpful consultative review.
- Remember that auditors really are to help and advise.
- Auditors want to add value just like everyone else.

Saturday, March 28, 2009

Why Do Auditors Make Mistakes?

Practice saying "Could you tell me again..."

- Premature stopping of fact gathering and diagnosis
- Relying too much on first impressions
- Relying too much on pattern recognition, especially if it looks like something from the past
- Human tendency to favor negative conclusions or rely on stereotypes to make decisions
- Defining conditions inaccurately because of biases or preconceptions
- Being influenced by others' opinions or analysis
- Judging based on easily recalled data
- Going with the gut instead of systematic problem analysis

Data Management Notes

Keep your Data Map updated.

If you have both paper and electronic copies, keep the source, the electronic one. But if anything is written on the paper copy, it becomes a unique document and must be kept as well.

An MS Access database may have to be produced, but the reports run from it may have to be produced as well, since those reports can contain computations and data combinations that make them unique.

An MS Excel spreadsheet also carries its formulas, which a printed report from it does not.

Encryption has to be selective. One company had encrypted everything under a single key; when it was required to produce some of its data, it had to share that key, which allowed the recipient to read all of its data, not just what was asked for. Use separate keys for separate data sets, so that producing one set does not expose the rest.
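Added example, not from the original post: the Python below contrasts encrypting everything under one key with deriving a separate key per data set (here, per legal matter), so that handing over the key for one matter lets the recipient decrypt only that matter's records. The master key, the data set names and the records are constructed for the example. The cipher is an illustrative HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; in production use a vetted AEAD such as AES-GCM from a library like `cryptography`, and keep the master key in a KMS or HSM rather than in process memory.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this example: in practice the master key lives in a KMS/HSM
# and only derived sub-keys ever leave it.
MASTER = os.urandom(32)

# Constructed sample records, grouped by the data set (legal matter) they belong to.
RECORDS = {
    "matter-42": [b"Email: Q1 forecast discussion", b"Memo: supplier pricing"],
    "hr-records": [b"Salary bands 2009"],
    "engineering": [b"Design notes for product X"],
}


def derive_key(master, label):
    """Derive an independent sub-key for one data set (HMAC-SHA256 as a PRF, HKDF-expand style)."""
    return hmac.new(master, b"dataset:" + label.encode(), hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Illustrative PRF keystream: HMAC-SHA256(key, nonce || counter) blocks. Not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    # Separate confidentiality and integrity keys, both derived from the data-set key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key, plaintext):
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None when the tag does not verify (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_store_single_key(master, records):
    """The anti-pattern from the post: every data set under the one master key."""
    return {ds: [encrypt(master, r) for r in rs] for ds, rs in records.items()}


def encrypt_store_per_dataset(master, records):
    """Selective encryption: each data set under its own derived key."""
    return {ds: [encrypt(derive_key(master, ds), r) for r in rs] for ds, rs in records.items()}


def produce_for_hold(master, dataset):
    """What goes out with the production: only the sub-key for the requested data set."""
    return derive_key(master, dataset)


def readable_with(key, store):
    """How many records of each data set the recipient can decrypt with the key they were given."""
    return {ds: sum(decrypt(key, blob) is not None for blob in blobs)
            for ds, blobs in store.items()}


SINGLE_KEY_STORE = encrypt_store_single_key(MASTER, RECORDS)
PER_DATASET_STORE = encrypt_store_per_dataset(MASTER, RECORDS)

if __name__ == "__main__":
    print("single key, master shared:", readable_with(MASTER, SINGLE_KEY_STORE))
    hold_key = produce_for_hold(MASTER, "matter-42")
    print("per data set, matter-42 key shared:", readable_with(hold_key, PER_DATASET_STORE))
```

With the single-key store, sharing the master key makes every data set readable; with the per-data-set store, the matter-42 key decrypts the two matter-42 records and fails the tag check on everything else. The same key-separation idea applies to backup sets and tapes: a hold on one matter should not require handing over a key that opens the whole archive.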

A company must be able to show that it kept complete control over held documents, by demonstrating the access restrictions that prevented the data from being changed.

Data on portable devices is a problem. Get it off these gizmos.

Flag the people who hold documents under a litigation hold, so that if they get a new PC or laptop, the data on the old one is not destroyed or compromised.

Have documented, enforced, and monitored rules regarding email access and downloading; otherwise you may end up searching for hold documents on numerous portable devices.

eDiscovery Insights

- Fully understand the lawyers' requirements.
- Seek clarification and monitor feedback to make sure you stay on the right track.
- Review operations to see which information security processes can be reused for an eDiscovery response program.
- Stay proactive. Develop the capabilities and have the processes in place.
- Companies are defaulting to the other party because they cannot produce the information, usually required within 30 days.
- I have not found a specific legal requirement on the manner of preserving business documents.
- Look at the rules on evidence and discovery in the Federal Rules of Civil Procedure. Fun read.
- ISSUE: Retention of records.
- ISSUE: Backup of files (BCP). Do not rely on tapes for storage of hold documents.
- Tapes: the problem is that you don't know where on the tape the information is, and finding out can be costly.
- For tapes from years back, you must have the backward compatibility to restore the system to the state that existed when the tape was written, in order to read it without altering it.
- DEFINE the DATA to be held. All further work depends on that definition, so make sure it is not easily misinterpreted. Do not collect more than is required, or you risk fishing expeditions.
- There can be multiple litigation holds on the same data, which can extend its hold for years.

Data Breach Handling Considerations

- Have data classification schemes and use them, know what data you have.
- Must make sure that policies and procedures are actually followed.
- Secure “essentials” first, then move on to “excellent” security practices
- Secure partner connections. Many break-ins start with sub-sub-sub vendors.
- Create data retention plan, detailing how long to keep data.
- Have a plan to respond to data breaches, a breach incident response plan
- Conduct mock incident testing, even if only desk testing
- Put firewalls WITHIN the organization between divisions
- Stop communication of sensitive data through establishment of data zones.
- Monitor Event Logs
- Don’t rely on standards.

All the big names whose customer data was stolen (the ones we read about in the newspapers) were PCI compliant. Compliance with a standard is a point-in-time assessment; it is not proof that the controls work every day.