Monday, August 31, 2009

Involving the Right Departments in Compliance Issues

Employee Mistreatment: HR, Compliance/Ethics
Accounting Irregularities: Audit Committee, External/Internal Auditors, Compliance
Fraud: Internal Audit, Loss Prevention, Risk Management, Compliance/Ethics
Workplace Violence: Security, Operations, Legal, HR
Employee Theft (other than by head-hunters): Loss Prevention, HR

ETHICS The Federal Sentencing Guidelines for Organizations

Written standards of ethical workplace conduct
Means for an employee to anonymously report violations of ethics standards
Orientation or training on ethical workplace conduct
A specific office, phone line, e-mail, or Web site so that employees can get ethics advice
Evaluation of ethical conduct as part of regular performance appraisals
Discipline for employees who commit ethics violations

Sunday, August 30, 2009

Compliance Committee Key Issues

1. Communicate with outside auditors
2. Review reports on internal controls
3. Examine all external reporting
4. Read internal audit reports
5. Evaluate internal audit activities, budget, staffing, and responsibilities
6. Consider all inquiries from external sources (including governmental)
7. Deal with all related party transactions and conflicts of interest
8. Update conduct and ethics statements
9. Assess compliance program, including corporate communications.
10. Obtain input from Legal, Compliance, Board, and Internal Audit on compliance issues.

On Blogging by "mother of the blog revolution"

Friday, August 28, 2009

Deal with Human Component As Security Threat

Implement the principle of least privilege
Control the use of portable devices on the network
Trust employees, but not too much
Monitor network activity and audit who is doing what
Watch out for curious pokers into network and data security configurations
Determine your single point of failure
Physical security--no compensating controls here.

Wednesday, August 26, 2009

Audit Vulnerability

  • Get raw info from people in crucial information flow areas.
  • Get beyond surface concerns, and get to the real worries.
  • Analyze information for gaps and inconsistencies
  • Determine where weakest links are
  • Develop potential threats and their impacts list
  • Communicate findings with change recommendations
  • Focus on most likely threats and risks

Frequent QAR Findings In Internal Audit Departments

  • Internal Audit Charter does not exist, is out of date, or not appropriate for the organization
  • No on-going formal, consistent, self-assessments
  • Limited input to the corporate governance and IT governance process and compliance assurance
  • Hazy or improper reporting lines
  • Too technically oriented IT audits, missing overall control framework contexts
  • No effective continuing education opportunities and skills development
  • Poor time tracking and remediation follow-ups
  • Lack of adequate formal audit planning and soliciting management's input on key risks
  • Poor audit planning and approval documentation

Friday, August 21, 2009

Social Audit of Public Companies

1. Align the nature of the audit to match the social criteria to be audited (simple, but here problems occur)
2. Determine your culture's social and human focus initiatives and priorities
3. Link social obligations to corporate mission, culture, and responsibilities
4. Assess what problems you may be facing on a social audit: what you control, what you don't
5. Determine the framework and methodology to use for audit
6. Determine the framework and methodology to use for comparison to actual practices.
7. Conclude on "integrated audit". Integrated here means key issues and peripheral concerns.

Friday, August 7, 2009

Total Risk Management Program

Define the Risk Management Framework
Specify boundary conditions and data input needed for predictive analysis
Select time scope for evaluation, and conditions to be measured
Establish an acceptable results range, and what is outside of it
List relevant predictors for the condition tested
Determine the cause for the risk condition
Measure the conditions identified, and attempt to determine any value associated with them
Decide on the risk response to identified risk condition
Evaluate your "risk margin" and what risk to transfer
Choose between lowering threats (risks) and potential opportunities foregone.

Don't forget to have fun, while doing this.

Security When Facing Reduction In Force

  • Check access and system logs often
  • Secure weak spots, like "back door" facilities
  • Inspect physical access controls, wake them up if you have to
  • Examine existing change controls
  • Remove asset access in a timely manner
  • Inventory IT assets and track equipment returns
  • Activate available audit trail recording features

Internal Risk Management

IRM = Management of the “Insider Threat”

“Insider Threat” = Risk of actions of an Insider

Malicious Insider = Current or former employees or contractors who:

  • intentionally exceeded or misused an authorized level of access to networks, systems or data; and
  • affected the security of the organization's data, systems, or daily business operations

FMS Financial Management System

Well, it is an information system, but one consisting of one or more applications, used to

a. Collect, process, maintain, transmit, and report data about financial transactions
b. Support financial planning and budgeting
c. Store cost information
d. Aid in financial statement preparation

It is usually integrated with the main corporate application, or is a module within it. If a separate vendor is used, it talks to the main applications through middleware.

Thursday, August 6, 2009

Internal Audit Bread and Butter Issues

Leadership - align with strategies
Strategic Management - map to corporate objectives
Decision Making - your employees can help with the budget
Executive Compensation - tax increases are coming?
Risk - fraud risk; risk management process
Analytics - the audit x-ray machine
Control Environment - stake claim to this turf
Automation - would be nice if it existed; now, just faster bicycles
IT Security - BCP, BRP, etc, etc...

Sunday, August 2, 2009

Letterman - Top Ten Things I've Learned From Being An Accountant

http://www.youtube.com/watch?v=VWIlHl3j7CQ

This is really good

New Audit Tool - Free - Get It

THIS IS AN ARTIFICIAL INTELLIGENCE TOOL THAT CAN BE USED FOR AUDITING AND ANALYSIS

The Dispute Finder Firefox Extension highlights disputed claims on web pages you browse and shows you evidence for alternative points of view. Watch the Videos to learn more.
Use this web interface to tell Dispute Finder what snippets to highlight and what evidence to present for alternative viewpoints. You can create a new disputed claim, mark new instances of a claim on the web, and add evidence that supports or opposes a claim.

http://disputefinder.cs.berkeley.edu/

Whatever you are evaluating, get the opposite opinion. This just came out, and they are planning additional upgrades.