Tuesday, August 21, 2012

On the lighter side

Why was the auditor named Mr. Magoo?  He kept getting lost on the audit trail.

How do cannibal auditors honor their clients?  They toast them.

What do you call an accountant with an opinion?  An auditor.

What did the auditor do at a vampire convention?  Count Dracula.

How expensive is a cannibal auditor's consulting?  They charge an arm and a leg.

How can you cook the books without burning down the office?

Why do auditors appear so reserved?  They have strong internal controls.

What does an accountant do when hitting a mid-life crisis?  Gets a faster calculator.

Friday, August 17, 2012

Effective Motivation for Increased Productivity

  • You can attempt to get blood out of a stone.
  • You can attempt to motivate a stone to give blood.
  • You can empower a stone to motivate itself to give blood.
  • You can inspire a stone to empower itself to motivate itself to give blood.
  • You can embolden a stone to inspire itself to empower itself to motivate itself to give blood.
  • You can ennoble a stone to embolden itself to inspire itself to empower itself to motivate itself to give blood.

Characteristics of Processes

Processes

  • Are defined in terms of actions, dependencies, and sequence.
  • Are measurable in management terms, such as cost and quality, and in practitioner terms, such as duration and productivity.
  • Exist to deliver specific results, which are identifiable and countable.
  • Have customers or stakeholders with expectations that must be met by the result that the process delivers.
  • Respond to specific events, which act as triggers for the processes.

Wednesday, August 15, 2012

Estimating Costs of Automated Controls

  • Cost of hardware and supporting software
  • Cost of automated control software, through license fees
  • Cost of implementation and continuing maintenance
  • Cost of developmental and operational training

Tuesday, August 14, 2012

Major IT Governance Areas

  • Human Resource Governance
  • IT Business Governance
  • Application Governance
  • Infrastructure Governance
  • Information Governance
  • Security Governance
  • Strategy & Governance
  • Architecture Governance

Monday, August 13, 2012

Goals of Process Improvement

  • Align to business goals:  Strategic goals should provide the key direction for any process improvements, with the help of programs like Balanced Scorecard, Six Sigma, and metrics.
  • Further focus on the customer:  Fast-changing needs underscore the importance of aligning business processes to achieve higher customer satisfaction, by obtaining customer input before reviewing or redesigning any process.
  • Benchmark to determine results:  Benchmarks may be internal (within the organization), external (from other competing or non-competing organizations), or dictated by the senior management of the organization as an inspirational target.
  • Assign process owners:  To control a process, there must be clarity on who the process owner is and on what constitutes success or failure of the process, within a range of acceptable results.

Friday, August 10, 2012

Governance Process Principles

Clearly Defined Logical Process:  The governance process must be efficient, effective, clear, consistent, enforceable, a standard operating procedure, and automated wherever feasible.

Flexible Accommodating Process:  The process must be flexible enough to accommodate planned, emergency, and expedited changes.

Change Management Information:  Key release notes and activity reports will be published and viewable to primary stakeholders and groups.

Process Governance:  The process will include a procedure for governing the prioritization of changes.

Process Maturity:  Process measurements will be defined and trends tracked to facilitate continuous improvement.

Thursday, August 9, 2012

Politics of Cost Cutting

Identifying opportunities for cost cutting leaves those in charge vulnerable to accusations of inadequate cost monitoring: “If it is possible to cut costs now, why were they not cut before?”  This risk increases for quick wins, as they take the least effort and have the least negative impact.

A cost-conscious continuous-improvement culture implies that room for improvement exists; continuously look for improvements while being mindful of complacency.  Communicating during cost reductions is critical and can be the difference between a successful and an unsuccessful cost reduction effort.

Describe cost reduction proposals using phrases such as eliminating waste, increasing productivity, streamlining operations, reducing, transforming, and obtaining more value for expenditures.

Avoid words with negative impressions such as cost cutting, belt tightening, downsizing, eliminating redundancies, terminating, and eliminating the dead weight.

Wednesday, August 8, 2012

Risk Treatment

Risk treatment involves the modification of risks using one or more approaches, such as:

  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  • Taking or increasing the risk in order to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood
  • Changing the consequences
  • Sharing the risk with another party or parties (including contracts and risk financing)
  • Retaining the risk by informed decision

Tuesday, August 7, 2012

Improving Judgment

Most will admit to a certain degree of forgetfulness, but who will admit to making consistently bad decisions, or to having bad judgment?

  • Seek diverse friends and diverse opinions.
  • Run away when experts agree on something.
  • Validate your convictions, no matter how carefully they were developed from the best data.
  • Look for input from the oddballs.
  • If everyone were right, we would all be driving Mercedeses or BMWs, or even Bentleys.
  • Eradicate every cognitive filter you discover during self-exploration.
  • Excessive optimism makes you take more risks than you should or can afford.
  • What is your Plan “B”?
  • Try not to be just another sheep, if you can, deciding based on what makes someone else happy.

Monday, August 6, 2012

Avoiding Drift from Established Procedures

- Develop more effective cross-functional teams.

- Perform detailed after-action reviews to improve processes.

- Foster a climate of open and candid dialogue.

- Focus on information “handed off” from one unit of the IT to another.

- Challenge silo thinking and work out inter-unit rivalries.

- Support transparency in the IT organizational units and systems.

- Avoid duct-tape approaches to small problems.  Small problems may hide large ones.

Sunday, August 5, 2012

Change Strategy in Complex Systems

1.  CHANGE = Mission, Skills, Incentives, Resources, Project Plan
2.  Inappropriate Starts = No Project Plan
3.  Frustration = Lack of Resources
4.  Slow Change = Lack of Incentives
5.  Errors Made = Lack of Skills
6.  Confusion = Lack of Mission or Vision

Saturday, August 4, 2012

Risk Factors in Complex Systems

  • Interdependency among system components
  • Connectedness of each component to the number of other components of a system
  • Diversity, which exists where different software packages perform the same function (not a good thing)
  • Adaptation through fixes and upgrades, allowing the system to handle new conditions

Risk Categories

1.  Routine, simple cause-effect relationship risks
2.  Complex and moderately uncertain risks
3.  Highly uncertain risks
4.  Highly ambiguous risks (high degree of controversy, variety of judgments)
5.  Imminent dangers or crises (need for fast response)

Key Risk Governance Concepts

1.  Both “real” and "perceived" risk elements are significant.
2.  For risk planning all stakeholders should be included as contributors.
3.  Risk evaluation should be focused and based on impact and likelihood.  It should be transparent, equitable, effective, efficient, and accountable.
4.  Risk determination should be based on a model that integrates various components of complex systems.
5.  Timely updates should be made to assure that risk assessment is based on the best available knowledge and judgment.

Monday, August 1, 2011

E-Governance

E-Governance refers to the use of data from IT to improve accountability, efficiency, effectiveness, and transparency within an organization. Comprising IT, people, and processes, it is the application of electronic means to improve the exchange of information and to increase operational effectiveness and efficiency. E-Governance involves determining and applying relevant regulations, such as those for domain names, to govern presence on the internet. Its focus is on the appropriateness of the internal/external web user experience.

Why IT Governance

1. Implementation and integration of new IT strategies while overcoming institutionalized “silo” programs and funded processes.

2. Rewards based on singular program accomplishments, without the broader strategic focus.

3. Lack of delivery strategies across program boundaries.

4. Increased user pressure from cloud/internet functionality and ease-of-use expectations.

5. Drive for a cost-efficient, single, common service and delivery interface to meet user needs.

Information Technology Governance

Information technology governance focuses mainly on leadership in effectively and efficiently using IT resources to meet business needs, encompassing structures and processes to implement strategies, develop standards and principles, and evaluate IT investment priorities, leveraging technology to add business value.

It combines accountability with the assignment of decision-making responsibilities. Governance includes cross-level communications about processes and key IT investments. When fully employed, IT governance is aligned with business governance. Its key components include collaboration, modular and incremental development and implementation of strategic and tactical initiatives.

Wednesday, April 13, 2011

Dodd-Frank Act for Banks

• Volcker Rule
• Abolishes the Office of Thrift Supervision
• Stronger lending limits
• Improves supervision of holding company subsidiaries
• Intermediate Holding Companies
• Interest on business checking
• Charter Conversions
• New Offices of Minority and Women Inclusion at the federal financial agencies

Dodd-Frank Act for Extraction Industry

TRANSPARENCY FOR EXTRACTION INDUSTRY

  • Public Disclosure
  • SEC Filing Disclosure
  • Congo Conflict Minerals Disclosures

Tuesday, April 12, 2011

Dodd-Frank Act

- Consumer Protections with Authority and Independence
- Ends Too Big to Fail Bailouts
- Advance Warning Systems
- Transparency & Accountability for Exotic Instruments
- Executive Compensation and Corporate Governance
- Protects Investors
- Enforces Regulations on the Books

Saturday, February 26, 2011

Friday, February 25, 2011

Key SOX Compliance Items

Develop action plans for ongoing maintenance and monitoring of internal controls in accordance with policies and regulatory requirements, including the Sarbanes-Oxley Act.

Identify and implement internal controls process improvements.

Recommend and implement process improvement solutions, including tools which enable these solutions.

Implement the Sarbanes-Oxley testing and evaluation plan and develop the ongoing procedures for maintenance and testing of company controls.

Provide metrics that measure the effectiveness of these initiatives.

Ensure that all compliance and process improvement activities follow the appropriate change management, governance, and documentation requirements.

Conduct walkthroughs of processes and develop control guidance documentation and training materials.

Friday, January 28, 2011

Understand Information Systems Relevant to the Audit

• The manner in which transactions are initiated

• The nature and type of records and source documents

• The processing involved from the initiation of transactions to their final processing, including the nature of computer files and the manner in which they are accessed, updated, and deleted

• For financial audits, the process used to prepare the entity's financial statements and budget information, including significant accounting estimates, disclosures, and computerized processing

FISCAM (Federal Information System Controls Audit Manual) Approach

Top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives.

Evaluation of entity-wide controls and their effect on audit risk.

Evaluation of general controls and their pervasive impact on business process application controls.

Evaluation of security management at all levels (entity-wide, system, and business process application levels).

A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses.

Groupings of control categories consistent with the nature of the risk.

Experience gained in GAO’s performance and review of IS control audits, including field testing the concepts in this revised FISCAM.

Document Network Architecture

● internet presence
● firewalls, routers, and switches
● intrusion detection or prevention systems
● critical systems, such as Web and mail systems, file transfer systems, etc.
● network management systems
● connections to inter- and intra-agency sites
● connections to other external organizations
● remote access: virtual private network and dial-in
● wireless connections

Plan the Information System Controls Audit

● Understand the overall audit objectives and related scope of the IS controls audit
● Obtain an understanding of the entity and its operations and key business processes
● Obtain a general understanding of the structure of the entity’s networks
● Identify key areas of audit interest (files, applications, systems, locations)
● Assess IS risk on a preliminary basis
● Identify critical control points (for example, external access points to networks)
● Obtain a preliminary understanding of IS controls
● Perform other audit planning procedures

Thursday, May 13, 2010

How to Delete a Facebook Account

Considering the new privacy policies, some are considering deleting their Facebook accounts. This is not easy, as the delete button is buried oh ever so deeply in the menu structure. Great instructions can be found on the wikiHow website.
http://www.wikihow.com/Permanently-Delete-a-Facebook-Account

Someone posted 10 reasons that you won't be able to delete your Facebook account. Here is the link:
http://www.businessinsider.com/10-reasons-youll-never-quit-facebook-even-if-you-think-you-want-to-2010-5#youre-not-going-to-go-back-to-waiting-an-hour-to-send-an-email-to-30-people-with-40-photos-attached-1

There is one reason that may override the others: employability and marketability. Hey, it's just your life on the Internet. Enjoy the ride, no matter what you decide.

Thursday, April 29, 2010

OFAC Compliance - Not as Easy as It Appears

OFAC compliance is tricky because:

1. Rules and customs vary from country to country, confusing companies that enter global operations without adequate preparation for the requirements.

2. OFAC rules, along with the names on the SDN list, change often.

3. Third-party service providers and their own vendors may end up dealing with those OFAC prohibits.

Jimmy Carter on History of FCPA

Sunday, December 6, 2009

Internet Security Standards Setting Bodies

Internet Engineering Task Force (IETF): TCP/IP, HTML, POP, SMTP, FTP, SSL, and more

International Telecommunication Union (ITU): X.273, Open Systems Network Layer Security, and X.509, Authentication Framework

International Standards Organization (ISO): ISO 17799

Institute of Electrical and Electronics Engineers (IEEE)

European Computer Manufacturers Association (ECMA)

Sunday, October 18, 2009

Business Lunch Tips for Auditors

1. Always place your napkin in your lap and use it as needed.
2. Always say please and thank you.
3. Don't eat too fast or too slow; try to stay in step with your host.
4. Always take modest portions, not heaping helpings.
5. If you don't like something, just leave it on your plate.
6. Be polite and respectful at all times.
7. Never smoke at the table.
8. Never begin to eat until everyone at your table has been served.
9. Never slurp a drink, even through a straw.
10. Never chew ice during a meal or at the table.
11. Never use toothpicks at the table.
12. Never get up and leave the table without first excusing yourself.

Friday, October 16, 2009

Cut Your Public Audit Bill

1. Bring bagged food to work, to save on meals during working sessions with auditors.
2. Change procedures and processes only if you really have to; otherwise, don't change a thing.
3. Close the books monthly, on time.
4. How many sub-organizations do you really need? Limit organizational units.
5. Anticipate what auditors will ask for.
6. USE INTERNAL AUDIT STAFF and get more audits done!!!!

Wednesday, October 14, 2009

Why Travel Light on Audits

#10: Nobody can steal your luggage
#9: Be more independent
#8: Extra time to get to the airport
#7: Volunteer to be bumped, with no worry about luggage coming on the same flight
#6: Catch public transportation, with no suitcases to roll around among lots of people
#5: No waiting for luggage
#4: Avoid tipping
#3: Be environmental, as less luggage means less weight to lift
#2: Avoid fees
#1: “Lost Luggage”

Friday, September 25, 2009

Photo Evidence Audit

Check for:
• Document title
• Description
• Description writer
• Author
• Title
• Style
• Keywords

Useful tools include Paint Shop Pro, Adobe Bridge, Photoshop, Lightroom, Exifer, and ExifToolGUI.

Tuesday, September 15, 2009

Lava Lamp for Auditors

Generate findings about the future. You cannot change yesterday.
If you wish to remember some facts, try intensely to forget them.
Auditing skills promote full employment for auditors.
If you laid all your sampling tests end to end, would they reach a conclusion?
Get your facts first; then you can properly arrange them.
An audit is just a flurry of activity without a program.
Audit opinions are plentiful; implementations can be expensive.

Sunday, September 13, 2009

Develop Your Own Voice as Auditor

Start with a clean slate. Determine your own moral conduct and practice sticking to it.

Stop over-analyzing what everyone else thinks! You cannot please everyone, and you cannot live in your head only all the time.

Search for and find your own reasons to help others by auditing.

Audit your own goals, attitudes, and resentments by asking yourself every question in the "book."

Write down your own reasons for your passion to be an auditor. When you write things down you automatically reflect, and remember all those written "to do" lists that did get done.

Don't just file it; do something, act on your reasons to be great at auditing.

Don't worry about the dead ends. Just back up and move forward.

Saturday, September 12, 2009

Achieve Happiness As Auditor - Yes You Can

1. We don't have enough annoying strangers in our lives. We block annoying people, and lose the ability to handle annoyance. Find annoying people and refresh your coping skills.

2. Don't forget to keep around a few annoying friends. It will sharpen your skills in dealing with incompatible people, and help you function in the world with people not like you.

3. Texting is for thumb people. Studies show that over 40% of what you write in emails is misunderstood.

4. Online friends don't exist in the 3D real world. Only 7% of interpersonal exchange takes place through words; the rest, a mere 93%, is non-verbal. We know that we exist, and who we are, by seeing ourselves in the mirrors of other people's eyes.

5. No real friends, no spontaneous criticism, and we miss it. Non-direct forms of communication are a great way to avoid being honest, by having the time to choose and craft words. We need the quirks, humiliations, and vulnerabilities that only real friendships provide.

6. Media negativity does affect us. After constant negative spins on just about everything, we feel at odds with the rest of the world. As Mark Twain said, turn off all the news and be happy. Almost no news will really affect your life, and what does affect it, you won't be able to change anyway.

7. We feel less because we have less (friends). All these online friends don't place demands on us. BUT we were wired to help and take care of others. We are a product of social interactions, so we need to be connected in real life, not through flat-screen monitors. Find a way to do something simple but physical to help someone else. It really works.

Saturday, September 5, 2009

Scoring Risks

• The adequacy of internal controls
• The potential threats from transactions
• History of problems with the system or application
• IT architecture and data classification: is there a match?
• The physical and logical security of information, equipment, and premises
• The adequacy of operating management oversight and monitoring
• Human resources, including the experience of management and staff, turnover, technical competence, management’s succession plan, and the degree of delegation
• Senior management oversight and appropriate governance

Great New Email Functions

• Undo sent message
• Snooze this message
• Reply to selected text
• Smart reply templates
• Attachment reminders
• Language-based filtering
• Usage trending
• Related message search

Friday, September 4, 2009

5 Key IT Skills Worth Having

1. Python
2. Java
3. Lisp
4. C/C++
5. Familiarity with Unix-type operating systems

Knowing enough syntax to be able to read code would be helpful for some IT auditors.

Thursday, September 3, 2009

Signs You Should Charge More in Consulting Fees

Is that your daily or hourly rate?
They have new jobs after you finish this one.
You work and still get poverty assistance.
Hey, any catch with your quote for the job?
Here you go, I have enough cash on me to pay you.
You have no friends among consultants.
You are hired without even telling them how much you charge.
As you can't get all the work done, you live on cola and pizza.
You get jobs from overseas outsourcers.

Measuring Fraud Drivers - Yes, It Can Be Done

Greed: Average income compared with the number of people living below the poverty line.
Envy: Total thefts (robbery, burglary, larceny, and grand theft auto) per capita.
Wrath: Number of violent crimes (murder, assault, and rape) per capita.
Sloth: Expenditures on art, entertainment, and recreation compared with employment.
Gluttony: Number of fast-food restaurants per capita.
Lust: Number of STD cases reported per capita.
Pride: Aggregate of the other six offenses, because pride is the root of all sin.

Feel free to add these measures to a dashboard.

Web Site Content Hell

You know that you are IN HELL when you see:
• hit counters
• guestbooks
• stale links
• pages forever under construction
• pointless vanity pages
• advertisements from hell
• no email address for feedback
• unstable extensions
• broken HTML
• blinking text
• gratuitous animation
• marquees
• garish backgrounds
• unreadable text/background combinations
• "Best viewed with..."
• pop-up windows
• menus made entirely from image maps
• background MIDI, Flash, Shockwave

Becoming a Hacker

1. Love to solve difficult problems.
2. Don't bother trying to solve a previously solved problem: no glory.
3. Hate boredom and repetitive work?
4. Love freedom without borders?
5. Forget attitude; impress with competence.
6. Get a really cool shirt at the next Def Con in Las Vegas (usually in August).

Wednesday, September 2, 2009

Compliance Program Key Elements

1. Corporate Compliance Officer & Compliance Committee
2. Written, updated policies and procedures
3. Training and education programs
4. Effective lines of communication
5. Published standards and disciplinary guidelines
6. Auditing and monitoring processes
7. Documented response to offenses
8. Development of corrective action plans

Monday, August 31, 2009

Involving the Right Departments in Compliance Issues

Employee Mistreatment: HR, Compliance/Ethics
Accounting Irregularities: Audit Committee, External/Internal Auditors, Compliance
Fraud: Internal Audit, Loss Prevention, Risk Management, Compliance/Ethics
Workplace Violence: Security, Operations, Legal, HR
Employee Theft (other than by head-hunters): Loss Prevention, HR

Ethics: The Federal Sentencing Guidelines for Organizations

Written standards of ethical workplace conduct
Means for an employee to anonymously report violations of ethics standards
Orientation or training on ethical workplace conduct
A specific office, phone line, e-mail, or Web site so that employees can get ethics advice
Evaluation of ethical conduct as part of regular performance appraisals
Discipline for employees who commit ethics violations

Sunday, August 30, 2009

Compliance Committee Key Issues

1. Communicate with outside auditors
2. Review reports on internal controls
3. Examine all external reporting
4. Read internal audit reports
5. Evaluate internal audit activities, budget, staffing, and responsibilities
6. Consider all inquiries from external sources (including governmental)
7. Deal with all related-party transactions and conflicts of interest
8. Update conduct and ethics statements
9. Assess the compliance program, including corporate communications
10. Obtain input from Legal, Compliance, the Board, and Internal Audit on compliance issues

On Blogging by "mother of the blog revolution"

Friday, August 28, 2009

Deal with the Human Component as a Security Threat

Implement the principle of least privilege
Control the use of portable devices on the network
Trust employees, but not too much
Monitor network activity and audit who is doing what
Watch out for people poking curiously into network and data security configurations
Determine your single point of failure
Physical security: no compensating controls here

Wednesday, August 26, 2009

Audit Vulnerability

• Get raw information from people in crucial information flow areas
• Get beyond surface concerns, and get to the real worries
• Analyze information for gaps and inconsistencies
• Determine where the weakest links are
• Develop a list of potential threats and their impacts
• Communicate findings with change recommendations
• Focus on the most likely threats and risks

Frequent QAR Findings in Internal Audit Departments

• Internal Audit Charter does not exist, is out of date, or is not appropriate for the organization
• No ongoing, formal, consistent self-assessments
• Limited input to the corporate governance and IT governance process and compliance assurance
• Hazy or improper reporting lines
• IT audits that are too technically oriented, missing the overall control framework context
• No effective continuing education opportunities and skills development
• Poor time tracking and remediation follow-ups
• Lack of adequate formal audit planning and of soliciting management's input on key risks
• Poor audit planning and approval documentation

Friday, August 21, 2009

Social Audit of Public Companies

1. Align the nature of the audit to match the social criteria to be audited (simple, but here problems occur)
2. Determine your culture's social and human focus initiatives and priorities
3. Link social obligations to corporate mission, culture, and responsibilities
4. Assess what problems you may be facing on a social audit: what you control, and what you don't
5. Determine the framework and methodology to use for the audit
6. Determine the framework and methodology to use for comparison to actual practices
7. Conclude with an "integrated audit"; integrated here means key issues and peripheral concerns

Friday, August 7, 2009

Total Risk Management Program

Define the risk management framework
Specify boundary conditions and the data input needed for predictive analysis
Select the time scope for evaluation, and the conditions to be measured
Establish an acceptable results range, and what is outside of it
List relevant predictors for the condition tested
Determine the cause of the risk condition
Measure the conditions identified, and attempt to determine any value associated with them
Decide on the risk response to the identified risk condition
Evaluate your "risk margin" and what risk to transfer
Choose between lowering threats (risks) and potential opportunities foregone

Don't forget to have fun while doing this.

Security When Facing a Reduction in Force

• Check access and system logs often
• Secure weak spots, like "back door" facilities
• Inspect physical access controls; wake them up if you have to
• Examine existing change controls
• Remove asset access in a timely manner
• Inventory IT assets and track equipment returns
• Activate available audit trail recording features

Internal Risk Management

IRM = Management of the “Insider Threat”

“Insider Threat” = Risk from the actions of an insider

Malicious Insider = Current or former employees or contractors who:

– intentionally exceeded or misused an authorized level of access to networks, systems, or data,

and

– affected the security of the organization’s data, systems, or daily business operations

FMS: Financial Management System

Well, it is an information system, but one consisting of one or more applications, used to:

a. Collect, process, maintain, transmit, and report data about financial transactions
b. Support financial planning and budgeting
c. Store cost information
d. Aid in financial statement preparation

It is usually integrated with the main corporate application, or is a module within it. If a separate vendor is used, it talks to the main applications through some middleware.

      Thursday, August 6, 2009

      Internal Audit Bread and Butter Issues

      Leadership - align with strategies
      Strategic Management - map to corporate objectives
      Decision Making - your employees can help with the budget
      Executive Compensation - tax increases are coming?
      Risk - fraud risk; risk management process
      Analytics - the audit x-ray machine
      Control Environment - stake claim to this turf
      Automation - would be nice if it existed; now, just faster bicycles
      IT Security - BCP, BRP, etc, etc...

      Sunday, August 2, 2009

      Letterman - Top Ten Things I've Learned From Being An Accountant

      http://www.youtube.com/watch?v=VWIlHl3j7CQ

      This is really good

      New Audit Tool - Free - Get It

This is an artificial intelligence tool that can be used for auditing and analysis.

      The Dispute Finder Firefox Extension highlights disputed claims on web pages you browse and shows you evidence for alternative points of view. Watch the Videos to learn more.
      Use this web interface to tell Dispute Finder what snippets to highlight and what evidence to present for alternative viewpoints. You can create a new disputed claim, mark new instances of a claim on the web, and add evidence that supports or opposes a claim.

      http://disputefinder.cs.berkeley.edu/

Whatever you are evaluating, get the opposite opinion. It just came out, and they are planning additional upgrades.

      Friday, May 8, 2009

      PPF Professional Practice Framework from IIA

      Describe basic principles that represent the practice of internal auditing as it should be;

      Provide a framework for performing and promoting a broad range of value-added internal audit activities;

      Establish the basis for the evaluation of internal audit performance; and

      Foster improved organizational processes and operations.

Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

      Principles Internal auditors are expected to apply and uphold the following principles:

      Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

      Objectivity Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

      Confidentiality Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

      Competency Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

      Wednesday, May 6, 2009

      End Of Audit Tips

Auditors will arrange an exit meeting to discuss status and findings.
When exceptions are detailed, determine the remediation deliverables.
Examine the audit report in detail and in a timely manner.
Ask for input when implementing changes.
Communicate remediation target dates. Corrective action deadlines may vary depending on the severity of the noncompliance.
Ask for feedback on the level of support provided to the auditors.

      Monday, May 4, 2009

      How To Help Auditors

      Be professional at all times. All differences of opinions can be resolved.
      Avoid being judgmental.
      Follow all documented and required procedures.
      Make sure that you understand the purpose of the audit.
Ask questions or discuss compliance problems when they require attention.
Be flexible: for any potential problem not within the scope of the audit, evaluate the risks of leaving it unaddressed.
Communicate with the auditor as often as needed.

      Saturday, May 2, 2009

      Audit Survival Tactics

Know what you are being audited for. Make sure you contact the auditor assigned to your audit before he/she comes into your facility. Be clear with the auditor on what will be audited, and what kind of support you will have to provide.

Do your own pre-audit. Use an internal audit program. Look for accountability from management to assure that all issues found during your internal audit are corrected using good “root-cause” corrective actions.

Use the same checklists or requirements that the auditors may use.

List previous findings. Examine findings from all your previous audits. Make sure everything which was found previously has ceased to be a problem.

Make sure everyone in your area knows the appropriate procedures.

Provide documented objective proof of compliance with your policies and procedures.

      Friday, May 1, 2009

      Tips Before an Audit

• Establish the authority of the audit team to increase cooperation.
• Check the scope, area focus, frequency, and resources, both IT and internal.
• Communicate your audit plans.
• Just what is the objective? Is it regulatory compliance, QA, adherence to policies?
• Share audit plans, purposes, and scope of the audits with audit staff.
• Determine what standards, policies, and procedures will be used for comparisons.
• Document in detail what documentation and reports you will use.
• Have a wonderful and exciting opening meeting with the auditees.

      Thursday, April 30, 2009

      PCI Security Milestones

      Best practices for protecting against the highest risk factors and escalating threats facing cardholder data security:

      · Milestone One: If you don’t need it, don’t store it

      · Milestone Two: Secure the perimeter

      · Milestone Three: Secure applications

      · Milestone Four: Monitor and control access to your systems

      · Milestone Five: Protect stored cardholder data

      · Milestone Six: Finalize remaining compliance efforts, and ensure all controls are in place

      Thursday, April 23, 2009

      PCI Compliance Standards

      PCI Data Security Standard (PCI DSS) from PCI Security Standards Council (TM)

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

      Wednesday, April 22, 2009

      IT Security Matrix for Compliance

      Create a matrix of controls on top and security layers on the left. When listing security layer or element, also identify whether it is a preventive or detective control. Control listings and security architecture maps should help.

Use clear, green, yellow, and red to identify which layers/control types fully meet, partially meet, or do not meet the control requirements on top. The deliverable will be a control assessment.

      In some cases, two or more controls may provide a partial protection individually, but together may meet fully the control requirements.

      Check to see if there are unnecessary controls, and analyze to identify where a single layer may address a control cluster.

      Tuesday, April 21, 2009

      Audit TCP/IP Infrastructure

      •Review network policies and procedures
•Analyze network diagrams (layer 1 & 2), design, and walk-throughs, the list of network equipment, and the IP address list
•Verify diagrams with ping and traceroute
      •Review utilization, trouble reports and help desk procedures
      •Probe systems using scanning tools
      •Verify network vendor oversight, user support, and network technicians services
      •Review software settings on network equipment
      •Inspect computer room and network locations
      •Evaluate back-up and operational procedures
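
The second, third and fifth items above (the IP address list, verifying it with ping, and probing with scanning tools) come down to one reconciliation: what the documentation says is on the network versus what actually answers. The script below is an added example, not code from the original post: it parses a ping sweep saved in nmap's grepable output format (`nmap -sn -oG - 10.0.0.0/24`, where `-sn` means host discovery only and `-oG -` writes the grepable format to stdout) and reports live hosts missing from the inventory and inventoried hosts that did not answer. The inventory and the scan output are constructed for the example; the hostnames and addresses are assumptions.

```python
import re

# Constructed IP address list from the network documentation (hostname -> IP).
INVENTORY = {
    "core-sw1": "10.0.0.1",
    "fw-edge": "10.0.0.2",
    "app01": "10.0.0.10",
    "db01": "10.0.0.11",
    "printer-3f": "10.0.0.40",
}

# Constructed sample of nmap grepable output for a ping sweep. Only hosts that
# answered are listed, one "Host:" line each; comment lines start with "#".
NMAP_GREPABLE = """\
# Nmap 6.40 scan initiated Tue Apr 21 09:00:00 2009 as: nmap -sn -oG - 10.0.0.0/24
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.10 (app01.example.test)\tStatus: Up
Host: 10.0.0.23 ()\tStatus: Up
# Nmap done at Tue Apr 21 09:00:04 2009 -- 256 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(
    r"^Host: (?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<name>[^)]*)\)\s+Status: (?P<status>\w+)"
)


def ip_key(ip):
    """Sort key so 10.0.0.9 comes before 10.0.0.10 (numeric, not lexical)."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_live_hosts(grepable):
    """Set of IPs reported as Up in nmap grepable output; comments are skipped."""
    live = set()
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if m and m.group("status") == "Up":
            live.add(m.group("ip"))
    return live


def reconcile(inventory, live):
    """Return (undocumented, unreachable): live hosts absent from the inventory,
    and inventoried hosts that did not answer the sweep."""
    documented = set(inventory.values())
    undocumented = sorted(live - documented, key=ip_key)
    unreachable = sorted(documented - live, key=ip_key)
    return undocumented, unreachable


if __name__ == "__main__":
    undocumented, unreachable = reconcile(INVENTORY, parse_live_hosts(NMAP_GREPABLE))
    print("live but not in inventory (investigate):", undocumented)
    print("in inventory but not answering (verify):", unreachable)
```

Both lists are audit leads, not conclusions. An undocumented live host may be a rogue device or simply an inventory gap; an inventoried host that does not answer may be off, retired without updating the list, or filtering ICMP, so confirm those with an ARP scan on the local segment or a port scan with `-Pn` before writing the finding.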

      Monday, April 20, 2009

      WLAN and Wireless Compliance

      Review the FCC Part 15 regulatory requirements.

      http://www.fcc.gov/oet/info/rules/part15/part15-91905.pdf

It covers various emission guidelines and regulations, focusing on unlicensed transmissions, such as low-power broadcasting. 802.11 wireless LANs (e.g. "Wi-Fi") in the 2.4 GHz and 5 GHz (U-NII) bands fall under this regulation.

      Include compliance requirements as appropriate in your WLAN and wireless compliance reviews, recommendations, and proposed documented policies, procedures, or internal standards.

      Third-party BCP Impact Audit Scope

      Vendor contract obligations
      Defined cut over procedures
      Risks to shared facilities and overall availability
      Data backups and storage
      Hardware and applications availability
      Access security controls
      Facility and environmental controls
      Time frames for acceptable off site processing

      Sunday, April 19, 2009

Security and Audit - Improve The Relationship

      Document everything. List your measures to reduce risk, and decisions to accept risk, when flexibility or potential benefits dictate it.

Good controls should be part of the process, not afterthought insertions. They address compliance requirements and enhance security. Monitor them through metrics.

      Design and implement best practices that fit your infrastructure; then, track through measurable performance metrics.

Be prepared to prove your assessment of the effectiveness of the controls framework and mitigating factors.

      Saturday, April 18, 2009

      Audit Healthcare Provider Fraud Schemes

Billing for services not performed
Documenting non-covered treatments as covered
Recording diagnoses and treatments based on what is covered
Performing more care than necessary
Coding for higher-paying services than were performed
Misstating services performed
Pretending to be a health care worker in order to bill
Un-bundling services and codes

      Thursday, April 16, 2009

      Guess What's On Your Hard Drive

      In addition to documents, graphics, and sound files, there are

      Internet Browser History Files
      Temporary Internet Files
      Automatic Backup Files
      Power Saver Functions
      Data about your data files
      Unique Identifiers
      Virtual Memory and Swap Files
      Temporary Files
      Spooled Files

      Plenty of data for forensics and privacy issues

      Internal Audit Essential Objectives

      Learn and know the business supported by processes

Adapt auditing appropriately to the environment

      Upgrade audit skills inventory for effective performance

      Wednesday, April 15, 2009

      What Corporations Want from Internal Auditors

      Appropriate scope of audit activities
      Input in risk mitigation
      Efficient and effective periodic internal control assessments
      Value-added improvements in processes and error reductions
      Help with cost reductions
      Providing appropriate assistance in achieving compliance
      Assistance in fraud prevention, detection, and evaluations
      Help with financial statement assurance

      Role of an Internal Auditor

      Tuesday, April 14, 2009

      Mistakes Responding to Auditors

      Misreading what the auditor is asking or asking for

      Not fully understanding the scope and implications of auditor inquiries

      Forwarding documents to auditors with obvious errors

      Responding with the wrong policy or procedure documents

      Being distracted or confused by auditor's multiple requests

Omitting relevant information by excluding areas that actually apply to a request

Not having detailed knowledge of the specific test area, and not asking for appropriate help

      Attempting to respond to auditors by guessing or using intuition

      IFRS Impact on Audit

      Analyze the adequacy and appropriateness of identification of gaps between US GAAP and IFRS

      Determine whether proposed internal control changes are aligned with the identified gaps.

      Review current policies and documented processes to assess alignment

      Analyze whether information gathering processes will support the new data requirements

      Evaluate any workarounds to meet compliance requirements, resulting from lack of adequate information system integration of data collection processes

      Review transition plans for risks and adequacy of testing

      Determine whether adequate backup plans exist, and how backward compatibility will be maintained (this could be the sticky one)

      Current Compliance Challenges

      Companies operating in more than one state, country, or continent, face multiple and diverse regulations.

      Developing coherent compliance strategies and policies becomes a challenge because of the diversity of regulations and potential conflicts among these regulations in different markets.

This creates a form of risk for corporations attempting to develop efficient and effective strategies to meet their obligations.

      Friday, April 10, 2009

      Improve Internal Audits

Like zero-based budgeting, determine what audits to perform; don't just repeat last year's

      Envision potential value of recommendations, to ensure that higher-value areas are covered

      Define audit objectives in detail to avoid over-extending resources

      Use established formats for every audit process step to slow the flurry of emails

      Risk assessments should use process owners input

Audit tools are fine as long as auditors understand what is obtained and the tools' limitations

False positives are not the only audit tool problem: are things really fine if no exceptions show up?

      Audit findings should be meaningful, not just enough to fill up a report

      Just What Is Internal Auditing?

      Getting back to basics reminder:

      “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

      It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”*


      * The International Standards for the Professional Practice of Internal Auditing
      promulgated by the Institute of Internal Auditors

      Thursday, April 9, 2009

      Develop High-Performance Audit Teams

      1. Communicate confidence in your auditors. It will promote creative problem solving and independent decision making.

      2. Let everyone in on what's going on. When changes happen, no one will be surprised. Ask for help and input when struggling with your decisions. Everyone appreciates the opportunity to add insight to important decisions. Hey, it also helps to build consensus.

      3. Focus on obstacles and objectives. Not everything turns out as planned, but great teams shine by how they adjust to unforeseen changes.

      4. Relax, you don't need to know everything. Let everyone share their experience and provide facts, analysis, and recommendations.

      5. Get to know them and their goals, interests, and passions. For one thing, you will be able to connect what needs to be done to those persons and interests, and increase effectiveness and efficiency.

      Wednesday, April 8, 2009

      Fastrack BCP Steps

      1. Assess business impact of a disaster, using process owners, and prioritizing operations

      2. Know your data and ensure that it is protected, testing to ensure compatibility of restores

      3. Check the UPS choices for your key servers, networks, ensuring that essential apps will be up

      4. Document all, including your testing and changes to underlying process support

5. Build redundant communication channels, assuming that what you rely on will fail

      6. Be able to provide management with choices and costs, to permit right timely decisions

      Tuesday, April 7, 2009

      Audit Team Effectiveness Criteria

      When evaluating audit team performance within a team-oriented corporate culture, consider rating on the following items:

      - Results that match goals and objectives
      - Employing effectively available resources
      - Developing cooperative relationships that enhance conflict resolution
      - Bringing new insights and finding improved methods
      - Developing appropriate team roles and responsibilities
      - Ability to handle various organizational levels and interpersonal challenges
      - Group effectiveness in decision-making and responding to unforeseen developments
      - Being seen as providing added-value leadership on key issues
      - Adherence to established internal audit processes

      Monday, April 6, 2009

      Computer Forensics Can Do

      1. Who accessed what information and when
      2. Who created/edited/deleted what and when
      3. What documents were copied, and to what device
      4. What was the content of communication between employees and outsiders
      5. What other out of policy acts were attempted by the use of information systems

      Saturday, April 4, 2009

      Privacy Compliance

Privacy, the current focus for corporations, presents a new set of potential liabilities that have to be addressed by audit and information security. Worse yet, this complex set of issues is not being handled by general control reviews, SOD, access or even accounting controls.

Privacy policies, if in place, have to encompass various requirements, such as those for personally identifiable information (PII), some of which seem almost contradictory. Generally, privacy is the safeguarding of information that can be identified with a person. The right to privacy implies ownership rights to one's own personal data.

      For organizations, the concern is how to define, protect, and respond to privacy issues. Thus, auditors need to determine whether privacy-related information handling meets various privacy requirements.

      A good starting point is to examine the current privacy statements, especially those sent to customers, and trace back to ensure that what is promised is adequately covered by policies, procedures, and actual practices. It will help to avoid potential false and deceptive business practices issues arising from not actually performing what has been promised to customers.

      Friday, April 3, 2009

      Comply While Centralizing Information and Data

      Centralizing data allows for access from wired, wireless, and portable devices. Check the following for right coverage.

Know your data and its location. Map data and the applications that handle it. Make sure you identify owners as data moves across applications.

Examine security for your own and vendor-kept data. Check the third-party vendor contract for security specifications, and verify access controls over in-house data.

When putting all your data in a single basket, watch the power flowing to it. Examine the potential for, and protection against, any power disruptions.

Monitor activity. Look at vendor performance reports and your own data stats. Compare them to the agreed service levels, and trace those service levels back to the vendor contracts, determining whether the contracts adequately address performance.

      Above all, have fun.

      Thursday, April 2, 2009

      This News Just In ! ! !


      Looks like we are moving into recovery. As always, experts are surprised.




      How Not to Misunderstand an Auditor

      Understand the question in terms of the applicable context.
Get a clear idea on what is to be delivered, the deliverable.
      Provide only the appropriate documentation.
      Check for errors on all documents provided, and keep a list of what was given.
      Avoid being distracted by multiple requests when completing a specific request.
      Don't overlook appropriate and relevant information.
      If you don't understand what to provide, ask those who know more details.
      Pay attention to the wording of requests, leaving intuition for picking lotto numbers.

      Wednesday, April 1, 2009

      Spot the Exception

(Answer: It's the fox in the middle)

      Policy & Procedure Tactics

Promote commitment to compliance by developing and living by compliance policies and procedures, focusing on specific areas because of audit findings or other new requirements.

      1. Baseline Policies: Review existing policies, creating an initial list of baseline compliance policies that will be maintained.

      2. Issue-Specific Policies: See if there is a need to create any new issue-specific policies.

3. Existing Non-Compliance Policies: Which existing policies with noncompliance issues should be reviewed with legal counsel?

      4. Annual Policy Review: Each year review all compliance policies and procedures and determine whether any of the policies require revisions or updates.

      Prepare the first draft of baseline and issue-specific compliance policies and procedures, as well as revisions to existing policies. Then, submit the first draft of the policies for appropriate approval. Next, get feedback on any draft policy via redlined draft or comments within a week of receipt of the draft. Get the right approval group to review and authorize the revisions