Articles

The following 852 items are listed by date.

September 6, 2010
50 Small Tips That Could Add Up to Big Improvements in Audit Efficiency
The internal audit team lead is not only responsible for conducting high-risk, value-added audits but also for the effective and efficient management of an audit process that maximizes resources and stays within budget. Accomplishing this is often no easy task. The team lead needs to ensure that people and processes are used as efficiently as possible. With that in mind, this article focuses on 50 project management tips that can help make the most of internal audit’s productivity.
CONTENT AREA: Articles
TOPICS: Internal Audit, Performance Management/Measurement, Project Management, Training & Development
September 6, 2010
A Business Case for ISO 27001 Certification
ISO 27001 is intended to provide guidance on how to manage information security for an organization. To expand on this, the ISO standard is focused on an organization as a whole, including all information types, systems, people, policies, processes, and technologies. This chapter sets out the benefits and provides a business case for an information security management system (ISMS) that conforms to the ISO 27001 standard.
CONTENT AREA: Articles
TOPICS: Technology, IT In, Security, IT Audit, Application Development Security, Security Management Practices
September 6, 2010
Exclusive Report: Audit Fees Continue to Plummet
An exclusive report from Compliance Week finds that 63 percent of S&P 500 companies won reductions in audit fees—most from the Big 4 audit firms—amid unprecedented economic strife. Corporate giants that have logged significant declines include JP Morgan, Berkshire Hathaway, Home Depot, Wal-Mart, and scores more. Full details and results from our analysis are inside.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Sarbanes-Oxley Act, External Auditor, Cost Management
August 30, 2010
ERP and Control Implementations
Even in a downward economy, most companies continue to go through some type of enterprise resource planning (ERP) systems implementation, including system enhancements and upgrades. Risk and control considerations within enterprise system projects are often an afterthought or even overlooked. Sarbanes-Oxley Section 404 and changes in financial reporting standards, including International Financial Reporting Standards (IFRS), are bringing risk management and internal control considerations to the forefront of any major ERP system change program. This article discusses an endeavor that leveraged implementation methodologies to create a successful ERP “go-live” with control functions.
CONTENT AREA: Articles
TOPICS: IT Audit, IT Controls, IT Infrastructure, IT Strategy
August 23, 2010
A Guide for Commercial Real Estate Tenants: Understanding the Variable Cost Risks of a Commercial Lease
Organizations choose to lease commercial space for a variety of reasons, including long-term financial objectives, the ability to access limited resources, questionable long-term market viability and other considerations strategic to their individual business needs. Unfortunately, organizations often fail to fully understand the financial risks associated with the leases they engage in beyond base rent factors. This article discusses the nature, financial risks and management considerations of recurring lease-related occupancy costs.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Expense Reporting, Risk Management, Cost Management
August 23, 2010
There must be Thirty Ways to Steal Your ID
Identity theft has been going on for ages, but the internet has created the opportunity for growth. This article outlines some thirty ways that fraudsters commonly commit identity theft and exploit stolen identities, with detailed information on phishing using actual phishing e-mails to illustrate the techniques.
CONTENT AREA: Articles
TOPICS: Internet/Intranet, Security, Investigations/Forensics, Network & Internet Security, Ethics, Fraud
August 16, 2010
Privacy and Its Relation to Cloud-Based Information Systems
Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. Any information stored locally on a computer can be stored in a cloud. There has been a good deal of public discussion of the technical architecture of cloud computing and the business models that could support it; however, the debate about the legal and policy issues regarding privacy and confidentiality raised by cloud computing has not kept pace.
CONTENT AREA: Articles
TOPICS: Technology, Access Control Systems, Network & Internet Security, Laws & Regulations, Privacy
August 9, 2010
Building Relationships, One Conversation at a Time
Can you build a trusting relationship when you have never had an actual conversation? While it may be possible, it is pretty unlikely. To build relationships, a certain kind of conversation needs to take place that goes beyond the usual checklist review or status report. While this type of conversation requires more effort, it is almost impossible to collaborate successfully without it. This article offers guidelines to create opportunities for conversations expressly designed to build relationships.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Human Resources, Project Management, Segregation of Duties, Training & Development
August 9, 2010
Changes in Enforcement Thanks to Dodd-Frank
Only a portion of the 2,300-page Dodd-Frank Act is directed at the SEC and the enforcement of securities laws. Yet that small section includes a host of important provisions that will affect SEC registrants, compliance officers and corporate counsel, Compliance Week columnist Bruce Carton warns. His point-by-point analysis of those provisions and their implications is inside.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Whistleblower/Complaint Reporting, Fraud, Compliance
August 2, 2010
Audit Committee Checklist: Good Disclosure
Compliance Week’s Audit Committee Checklist series continues with a look at new challenges in compliance with disclosure rules. “Audit committees are more involved in reviewing and discussing all disclosures—particularly in light of the continuing uncertainty in the business and regulatory environments,” says Mary Pat McCarthy of KPMG’s Audit Committee Institute.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Internal Audit, Audit Committee & Board, Risk Management & Assessment, Reporting/Disclosure
August 2, 2010
eDiscovery versus Computer Forensics
It is imperative for an organization of any size or type to understand what is required under electronic discovery rules and best practices. Creating and practicing these procedures before they are actually required will save the organization resources, time, and money. This article focuses on the what, when, why, where and how of discovering, recovering and preserving electronic evidence, and also brings out the difference between electronic discovery and computer forensics.
CONTENT AREA: Articles
TOPICS: IT Controls, Investigations/Forensics, Fraud, Laws & Regulations
August 2, 2010
Ensuring Proper Royalties: Monitoring Licensee Compliance to Licensing Requirements
Unlike most business processes and functions for which companies can implement controls to manage their risk, licensors must trust and rely on the internal control environment of their licensees to ensure intellectual property (IP) is protected and they are compensated fairly. Licensors must maintain professional skepticism to determine how to monitor the effectiveness of the licensee’s controls surrounding the protection and utilization of their IP while maintaining a symbiotic relationship. This publication offers guidance to individuals responsible for licensing programs and for those responsible for monitoring compliance to licensing requirements.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Testing, Cost Management, Intellectual Property
July 19, 2010
Audit Committee Checklist: FCPA Compliance
Compliance Week launches “Audit Committee Checklist,” a new six-part series that will assist in ensuring your company is on top of all the risks it may potentially face. First up is everyone’s favorite headache – FCPA compliance. From regulatory enforcement to civil lawsuits and more, what should your company worry about? Read this article to learn the questions to ask of your company.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Internal Audit, Audit Committee & Board, Compliance, Fraud
July 19, 2010
Information Destruction Requirements and Techniques
Organizations need to keep information such as employee personnel records, financial statements, contracts and leases, and similar documents in a secure place. In today's litigious environment, there is a plethora of aggressive lawyers who would love to devour your organization for failure to take due care around document and media destruction. This article looks at the key areas to ensure that your organization does not fall prey to such lawyers when it comes to the physical destruction of documents and records.
CONTENT AREA: Articles
TOPICS: IT Audit, Physical Security, Security Management Practices, Best Practices, Laws & Regulations, Privacy, Document Retention
July 12, 2010
Internal Audit’s Role in Continuous Monitoring
Continuous monitoring is an evolving use of technology to improve the integrity of operations and the quality of information and transactions. This article encourages internal auditors to promote the expanded use of continuous monitoring by operations.
CONTENT AREA: Articles
TOPICS: IT Audit, Continuous Auditing, Internal Controls, Continuous Monitoring, FCPA, Guidance on Monitoring, CCM
July 5, 2010
Managing the Risks in Audit Projects: Ten Project Management Techniques for In-Charge Auditors
The audit team lead is responsible for the audit’s technical aspects and for completing the project on time and within budget. Essentially, the team lead’s role is to use the people and time assigned to the project in the best way to accomplish sufficient work within a defined audit scope. The article discusses 10 techniques that will help the audit team deliver valuable results on time and within budget.
CONTENT AREA: Articles
TOPICS: Internal Audit, Internal Audit Administration, Performance Management/Measurement, Project Management, Training & Development
July 5, 2010
What's Your Core IT Competency? Really?
Most everyone outsources some part of their technology operation for all sorts of reasons. There is a reason why the IT services industry is clipping along at well over $1B per day in the United States alone. More and more companies have discovered the benefits of outsourcing relative to the recruitment and maintenance of large internal IT staffs. In the early years, we all thought outsourcing was about saving money, but then we discovered the truth. Outsourcing is not only about saving money; it is about rerouting money from non-core to core activities.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, IT Strategy, Outsourcing/Co-sourcing/Shared Services, Cost Management, Segregation of Duties
July 5, 2010
When to Consider Splitting CEO, Chairman Roles
The contentious question of splitting the CEO and board chairman roles offers compelling debates on either side of the issue. Compliance Week Columnist Richard Steinberg admits that once upon a time, he generally opposed splitting the jobs; now he’s not so sure. “It’s evident that many companies need stronger, more capable boards of directors, and having an independent chair may well be part of the solution,” he writes. More of his thoughts are inside.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Best Practices, Entity-Level Control
June 21, 2010
A Five-Step Method to Tune Your ITSM Processes
Efficient and effective processes and knowledgeable employees separate high-performing organizations from average or low-performing organizations. This paper discusses a five-step method to focus IT Service Management processes on the knowledge needs of each role and to identify the employee who possesses the needed knowledge. This five-step method employs a Dynamic Network Analysis (DNA) model that includes three classes (persons, roles and knowledge) and four important relationships between and within these classes.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Security Architecture & Models, Project Management, Knowledge Management
June 21, 2010
Building a Department of Integrated Auditors
As internal audit leaders look to improve staff skills and increase audit efficiencies, they should put at the top of their priorities the concept of “the integrated auditor,” which combines both generalist and specialist skills, particularly the ability to use and apply the most effective technologies and the traditional responsibilities in financial, operational and compliance areas. Having integrated capabilities greatly increases an audit team’s technical and functional competencies. Rather than settling for minimum proficiency levels defined for auditors, training your staff to become integrated auditors opens up opportunities to build further expertise and enhance your department’s capabilities.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Testing, Continuous Auditing, Risk Management & Assessment, IT Audit
June 21, 2010
Measuring and Explaining the ROI on Compliance
Compliance can’t quite be measured in hard numbers that translate into a bottom-line return on investment. So how can you state your case to get the resources your compliance department needs? Inside, hear from several CCOs about how they calculate the value of their compliance functions.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Compliance, Cost Management, Enterprise Risk Management, Performance Management/Measurement
June 14, 2010
Introduction to Cryptography
The U.S. economy fundamentally changed in the last 20 years as manufacturing and heavy industry moved overseas, replaced by a new focus on knowledge and data. This transformation has underscored the importance of safeguarding information through encryption. This article focuses on state-of-the-art encryption techniques used pervasively to protect data, such as personal identity, medical records, financial transactions and electronic mail, to name a few.
CONTENT AREA: Articles
TOPICS: Disaster Recovery, Access Control Systems, Network & Internet Security, Security Management Practices, Ethics, Fraud
June 7, 2010
Do You Have a Disaster Recovery Plan?
Most home users are reactive rather than proactive when it comes to protecting data and planning for disasters. As a result, personal items such as photos and music are often lost when a hard drive crashes or when a personal computer is stolen. This article provides advice on how home users can protect their drives for relatively little money. It also provides tips for creating a personal disaster plan that will assist in times of crisis, and gives them the items to think about that are often taken for granted, such as needing access to email, voicemail and other important contact information.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, IT Controls, Network & Internet Security, Physical Security, Security Management Practices, Privacy
June 7, 2010
Talking ERM at Tyco Electronics
This article features an interview with Richard Suminski, chief ethics and compliance officer of Tyco Electronics. Inside, Suminski talks about how Tyco Electronics established its risk management program, and what risks he is still struggling to manage effectively.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Risk-management frameworks, Ethics, Performance Management/Measurement, Enterprise Risk Management
June 7, 2010
The Worst Practices for Marketing and Selling Internal Audit
Reviewing these 50 worst practices is a fun and fresh way to explain why some practices are better than others, and why some should be avoided at all costs. When it comes to the marketing and selling of internal audit, there are many potential mistakes. Perhaps the biggest is the failure to understand the need for marketing and selling.
CONTENT AREA: Articles
TOPICS: Sales Process & Marketing, Internal Audit, Audit Committee & Board, Internal Audit Administration
May 31, 2010
Exception Management Explained
The growing need for “exception management” capabilities among organizations of all sizes stems from a steady flow of new regulatory compliance and risk management requirements in recent years. These requirements force process owners to incorporate more rigorous compliance and risk-monitoring into their activities. This need, combined with the evolution of business analysis requirements, has given rise to continuous auditing and continuous monitoring, particularly at companies committed to getting the most valuable bang for their internal audit buck.
CONTENT AREA: Articles
TOPICS: Internal Audit, Continuous Auditing, Audit Testing, IT Audit
May 31, 2010
Leading vs. Managing Remote Teams: Making the Crucial Distinction
As more organizations work virtually, managers of traditional work teams are tapped to lead geographically dispersed teams. When thrust into this unfamiliar territory, many managers flounder, especially those who rely on command-and-control tactics to get work done across locations, functions, cultures and time zones. This article presents a summary of some of those skills that are especially important for those who lead geographically dispersed teams.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Human Resources, Outsourcing/Co-sourcing/Shared Services, Project Management
May 24, 2010
E-Mail Discovery: Latest Cases Impel Public Agencies to Retain Records
Since the adoption of special amendments to the Federal Rules of Civil Procedure in late 2006, the field of e-discovery law has grown more dangerous for public agencies. Recent cases show courts are serious about expecting litigants to possess and be able to find their e-mail and other electronic records. Litigation trends suggest that an agency is wise to be generous in the retention of e-mail by decision makers and to be capable of easily finding and searching the more recent records. A prudent course would be for the agency to implement a central e-mail archival system.
CONTENT AREA: Articles
TOPICS: Document Retention, Fraud, Investigations/Forensics, Laws & Regulations, Software
May 24, 2010
Internal Audit’s Role in a Successful IFRS Conversion
As the United States, along with every major capital market, moves toward International Financial Reporting Standards (IFRS), it is important for internal audit to sort out its role as a participant in the process. No matter what the SEC does, convergence seems likely to continue to occur and companies, public or private, should prepare for that eventuality. It is not too soon to focus on the process and the role internal audit can best play.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Internal Audit, Risk Management & Assessment, IFRS, Project Management
May 17, 2010
Auditing the HR Function
Workforce practices around compensation, recruitment, retention, diversity and business conduct often convey a company’s commitment to good values. As such, occasional audits of the human resources function are necessary lest sloppy HR practices lead to an ethics or compliance failure. This week, Compliance Week Columnist José Tabuena gives his views on what to audit and how to effectively review the HR function.
CONTENT AREA: Articles
TOPICS: Human Resources, Payroll, Internal Audit, Audit Testing
May 17, 2010
Bribery Bill: The Impact on U.K. Business
In March 2009, the U.K. government published a draft Bribery Bill which places greater accountability on individuals and corporations registered or carrying out business in the U.K. to prevent bribery by their employees or agents. The bill is expected to be enacted during 2010. The information in this article is based on the Bribery Bill as it currently stands. Issues related to corporate hospitality, facilitation payments and offset arrangements have been raised by the industry, and such activities will be limited by the “improper performance” test and subject to prosecutorial discretion.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, United Kingdom, Ethics, Fraud, Laws & Regulations
May 17, 2010
The New Intelligence: The Birth of the Knowledge Management Industry
The introduction of computers has led to an unmanageable proliferation of data, which stimulated the birth of knowledge management (KM). The goal of KM is to turn raw data into knowledge, if not wisdom. Measuring the value of intellectual assets to ascertain the true value of an organization's future earning potential is almost turning into a field of its own. KM is starting to play an important role in an organization’s growth trajectory by being part of strategic decision making.
CONTENT AREA: Articles
TOPICS: Technology, Change Management, Document Retention, Knowledge Management
May 10, 2010
An E-Business Audit Service Model in the B2B Context
This research studies E-business audit as a specialized service rendered in an information technology intensive environment. A field study of information technology auditors showed that both knowledge of the business processes and of the technologies were critical for them to render reliable and accurate E-business audit findings. The results showed the need for higher training levels in advanced IT methods and tools for technology auditors in rendering IT audit judgments for the business-to-business (B2B) context.
CONTENT AREA: Articles
TOPICS: IT Audit, IT Controls, IT Strategy
May 3, 2010
Composing a Competent Board of Directors
If your company doesn’t have the right directors on its board, you may have a problem. “Getting board composition right has always been a critical element in a company’s success, and today it’s more important than ever,” writes Compliance Week Columnist Richard Steinberg. Inside, he explores how the best boards are built.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Best Practices, Compliance
May 3, 2010
Successful Project Risk Management for Engineers and Technologists
Risk management is something you either do or don’t do. If you do it, it’s worth doing it well. If you don’t do it – well, then you have probably already experienced a rise in your blood pressure. This article focuses on how you can get off to a great start in identifying risk and features tips for calmer project management.
CONTENT AREA: Articles
TOPICS: Enterprise Risk Management, Project Management
April 26, 2010
Using Analytics to Restore Public Trust
The data-driven convention known as analytics is taking center stage in organizations that have discovered ways to put data to work to drive performance and improve profitability. Can the same technique be used to drive much-needed corporate governance reforms to restore public and investor trust? A group of finance and accounting professionals has taken an innovative approach, creating an online forum where employees of U.S. publicly traded companies can anonymously disclose information about the business practices of their company and its executives.
CONTENT AREA: Articles
TOPICS: Human Resources, Corporate Governance, Sarbanes-Oxley Act, Whistleblower/Complaint Reporting, Ethics, Fraud
April 19, 2010
How IT Can Help Internal Audit
IT and internal audit departments have the same business mission, but they can face conflicting responsibilities. The solution must enable IT to provide data without losing confidence, at the same time also giving internal audit enough flexibility to fulfill the “access to all data” mandate in every audit charter. This article describes internal audit’s four key data issues, the role of audit analytics in business assurance, and some best practices that can help both IT and internal audit manage the key data issues.
CONTENT AREA: Articles
TOPICS: IT Infrastructure, Internal Audit, IT Audit, Security, Enterprise Risk Management
April 19, 2010
Role of Technology in the Risk Assessment Process
The internal auditor needs to consider issues of risk at a number of levels in the course of fulfilling the internal audit mandate. This article will focus on technology’s critical role in this process. Technology offers the ability to examine entire populations of transactions and business activities – on a timely basis – to look for indicators of risks that are not effectively mitigated or controlled.
CONTENT AREA: Articles
TOPICS: IT Controls, Internal Audit, Continuous Auditing, IT Audit, Risk Management & Assessment
April 12, 2010
Creating IT Road Maps to Manage Complex IT Scenarios
Companies today are confronted with the complexity of multi-vendor hardware and software solutions, accelerated business and organizational change, and a growing number of heterogeneous technology alternatives. Because of this, they face significant challenges planning and managing their IT programs and making informed investment decisions. Road-mapping enables organizations to collaboratively plan and manage the numerous and nontrivial steps along the way.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy, Performance Management/Measurement, Project Management
April 12, 2010
Evolving Answers on Good Accounting Policy
Questions about accounting policy never change. Old ways of doing business give way to the new. In some instances, however, the old ways might be worth keeping around. This week, Compliance Week Columnist Scott Taub, former deputy chief accountant at the SEC, reviews wisdom from the past that regulators and companies alike might want to apply to problems of today.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Financial Reporting, Best Practices, Change Management, Compliance, Internal Controls
April 5, 2010
Corporate Governance Transition – Sarbanes-Oxley Readiness
There is much more to SOX than simply testing a company’s internal control over financial reporting. Companies entering public markets must have the proper board composition, evaluate the need for an internal audit function (required by the New York Stock Exchange), and have the requisite corporate policies and procedures. They also must be prepared to provide quarterly executive certifications and, eventually, management’s conclusion on the internal control over financial reporting. This compliance effort can be costly, but it does not have to be if organizations proactively focus on implementing a sustainable process.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Corporate Governance, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, Cost Management, Project Management
April 5, 2010
Split Opinions on Internal Audit Scrutinizing Compliance
A new study from the Open Compliance & Ethics Group finds that internal auditors are quite confident that they can assess the effectiveness of compliance departments—and also that executives in other governance roles disagree. The poll underscores the perception, right or wrong, that internal auditors are still mostly Sarbanes-Oxley specialists, many say.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Sarbanes-Oxley Act, Compliance
April 5, 2010
The Evolution of Cyber Fraud Techniques: Trojans and Toolkits
Trojans are the future of cyber fraud and are even beginning to dominate its present. There are several basic categories of Trojans, differentiated here by their behavioral function rather than by their design (that is, the manner in which they compromise a system) or their distribution scheme.
CONTENT AREA: Articles
TOPICS: Technology, Software, Risk Management & Assessment, Security, Fraud, Privacy
March 29, 2010
Financial Reporting Risk Profile – Are You Ahead of the Risk Curve?
To stay ahead of ever-expanding challenges, companies need to get out in front of financial reporting issues before they become reputation-threatening. The increasing complexity of this environment drives the need for a risk-based process to sharpen management’s focus when evaluating internal controls related to financial reporting. For a pre-public entity, the understanding and continuous evaluation of an organization’s financial reporting risk profile (FRRP) is critical to senior management and directors.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Financial Reporting, Risk Management & Assessment, PCAOB, Financial and Credit Risk
March 29, 2010
The Effect of IT Governance Maturity on IT Governance Performance
There are several best-practice-based frameworks that detail effective arrangements for the internal structure of an IT organization. This article studies the correlation between IT governance maturity and IT governance performance.
CONTENT AREA: Articles
TOPICS: IT Strategy, Performance Management/Measurement, Segregation of Duties
March 22, 2010
Assessing and Reducing Information Exposure
As someone responsible for security, you should ask yourself several questions to determine how much of your corporate information is at risk. While it may sound simple, many organizations don’t take the time to examine information from all sides, including both an internal view and an external view. As information traverses networks, applications, endpoints and people, an information exposure assessment of actual data loss risk across networks, Web applications, storage and endpoints can help companies determine how exposed their information might be.
CONTENT AREA: Articles
TOPICS: IT Infrastructure, Risk Management & Assessment, Security, Network & Internet Security, Enterprise Risk Management, Privacy
March 22, 2010
Defining, Redefining and Achieving Work-Life Balance: A Moving Target
Although U.S. unemployment hovers at double digits, employees demand work-life balance, which seems counterintuitive. According to the news reports, job prospects for new college graduates and those who are unemployed seem bleak. Shouldn’t those who have jobs just be happy that they are employed? What does work-life balance really mean, and how can it become a reality?
CONTENT AREA: Articles
TOPICS: Human Resources, Performance Management/Measurement
March 22, 2010
Internal Auditing is an Asset for Small Companies as well as Large Ones
The term “internal audit” usually inspires two immediate responses. The first is fear; the second is the image of a large FORTUNE 500 company with the people and other resources that an internal audit function requires. But smaller organizations and even entrepreneurs can perform internal auditing, or have it performed, in an efficient and cost-effective way that produces positive change and results, improves the business and its underlying processes, and may even make employees happier about the work they do and how they do it.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Risk Management & Assessment
March 15, 2010
Choosing the Right Risk-Management Framework
When it comes to choosing a framework for implementing enterprise risk management, companies should research their options carefully and weigh the many choices out there. In this article, experts offer their tips on how to select the one framework that best fits a company’s needs.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, COSO, Enterprise Risk Management
March 15, 2010
Digital Multifunctional Devices: Forensic Value and Corporate Exposure
Every day, billions of pages of confidential information (medical records, legal documents, and financial data) are produced and distributed using sophisticated digital office systems: printers, copiers, facsimile machines, and MFDs. Many businesses may be unaware that whenever these devices are connected to a network, the risk of unauthorized access and data loss exists. Critical data and documents are therefore vulnerable to security breaches, yet organizations often focus on securing their network, PCs and servers and not on device input/output equipment, leaving a back door open to anyone intent on undermining your business interests. An MFD may also be a source of electronic evidence for an auditor or investigator.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Security, Enterprise Risk Management, Fraud
March 8, 2010
Designing Backup for Recovery
The goal of this article is to discuss how a backup system needs to be designed to facilitate recoveries. The purpose of a backup is to provide a mechanism to recover lost information. Therefore, backup systems must be designed to allow those recoveries to take place with as little effort or cost as possible.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery, IT Infrastructure, Risk Management & Assessment, Document Retention, Enterprise Risk Management
March 8, 2010
Revenue Recognition: Does Your Company Have it Right?
Most pre-IPO companies realize the need for consistent, reliable revenue recognition -- and they are not going public until they get it. While elevated pressures on company directors and executives for more revenue accountability, better internal controls and improved risk management are not new as a result of Sarbanes-Oxley, recent economic events have created a climate in which the bar is being raised even higher. This article reviews several areas where emerging regulations either already have or may soon impact an organization’s revenue risk management practices and its internal control environment.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Best Practices, Revenue, Risk Management & Assessment, Initial Public Offering
March 1, 2010
Designing Common Control Frameworks: A Model for Evaluating Information Technology Governance, Risk, and Compliance Control Rationalization Strategies
Meeting multiple control framework requirements separately can be costly and inefficient, because the similarities between the various frameworks produce duplication of effort in the organization’s compliance initiatives. To mitigate these inefficiencies, many organizations are seeking to streamline and rationalize frameworks in ways that combine overlapping control objectives into a smaller set of controls that still meet the requirements of the frameworks. This article discusses strategies for such rationalizations, including the benefits and limits of specific strategies.
CONTENT AREA: Articles
TOPICS: Technology, Security, Network & Internet Security, Security Architecture & Models, Compliance, GRC
March 1, 2010
Providing Directors the Risk Information They Need
Every corporate director needs information to carry out oversight responsibilities effectively, and that information largely comes from the CEO, chief compliance officer, and other senior executives. This month, Compliance Week Columnist Richard Steinberg explores how C-level executives can improve that flow and deliver the data that boards need.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Risk Management & Assessment, Enterprise Risk Management
February 15, 2010
Case Studies of Using GAIT-R to Scope PCI DSS Compliance
The PCI DSS (Payment Card Industry Data Security Standard) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. Using GAIT-R to scope PCI DSS compliance adds value, provides efficiency and effectiveness for use of resources for management, security, and audit. The article provides a working methodology to identify the appropriate combination of key controls to include in the scope of a PCI DSS compliance audit.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, IT Controls, IT Audit, Risk Management & Assessment, Security, Compliance
February 15, 2010
Getting Ready for the IFRS Ripple Effect
The latest chapter of the Open Compliance & Ethics Group’s GRC Illustrated series explains how to start preparing for the transition from U.S. Generally Accepted Accounting Principles to International Financial Reporting Standards.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Audit Committee & Board, Change Management, IFRS
February 15, 2010
Healthcare Revenue Integrity Strategies – Using High Value Revenue Cycle Assessments to Protect and Improve the Bottom Line
Healthcare providers know that every step counts and there is no room for error when securing revenues and reimbursements for their services. However, ensuring revenue integrity can be challenging for these organizations due to numerous industry complexities. The hot spots described within this article are areas in which hospitals are commonly at risk for losing revenue.
CONTENT AREA: Articles
TOPICS: Accounts Receivable, Cash & Treasury, Revenue, Healthcare & Pharmaceuticals Industry, Performance Management/Measurement
February 8, 2010
State of the Pre-IPO Market – Opportunities Ahead
Advice for pre-IPO companies: Run your business as if you were already public. What does that mean? This means that while developing products, increasing revenue and cutting costs remain top priorities, the underlying business and IT processes, policies and internal controls demand similar attention.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Audit Committee & Board, Change Management, Financial Reporting, Initial Public Offering, IT Infrastructure
February 8, 2010
Ten Steps to Sarbanes-Oxley Compliance
One problem with the implementation of SOX is that it tends to set a standard for compliance that may be inadequate. Meeting SOX standards does not imply that a firm or an IT department has the processes in place required to manage its business. Nor does it mean that an optimal level of control exists, any more than having a pulse signifies good health. SOX compliance is the minimum standard, not an optimum standard. Regardless of your firm’s current maturity level, you will need to demonstrate SOX compliance efficiently and honestly. This article describes the typical steps required to pass Section 404.
CONTENT AREA: Articles
TOPICS: IT Controls, Sarbanes-Oxley Act, Reporting/Disclosure, Section 404 - Internal Control Reporting, Compliance
February 1, 2010
Monitoring Controls a Top Priority in 2010
In a complex global operating environment, continuous monitoring of data and controls can cut costs, mitigate risks, and support more informed business decisions. But going about it the right way is fraught with challenges. Experts offer some helpful advice inside.
CONTENT AREA: Articles
TOPICS: IT Controls, Internal Audit, Continuous Auditing, IT Audit, COSO
February 1, 2010
The Current State of Internal Auditing: A Personal Perspective and Assessment
Norman Marks and Jay R. Taylor have been practitioners and thought leaders in the internal auditing profession for many years. In this article they review high-level issues such as standard-setting and leadership of the profession, where internal auditing should report, and each major aspect of internal auditing from planning and risk assessment to staffing and the use of technology. The authors discuss how internal auditing has improved and where opportunities for enhanced performance can be found in each area.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Internal Audit, Audit Planning, IT Audit, Risk Management & Assessment, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting
January 25, 2010
Introduction to Risk Analysis
Risk management is a process that provides management with the balance of meeting business objectives or missions and the need to protect the assets of the organization cost effectively. In this period of increased external scrutiny due to the countless questionable management decisions and the corresponding legislative backlash, risk management provides management with the ability to demonstrate active due diligence and how they are meeting their fiduciary duty. This chapter examines how risk analysis helps managers meet their due diligence requirement.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Risk Management & Assessment, Cost Management, Enterprise Risk Management, Financial and Credit Risk
January 18, 2010
Cost Allocations and the Financial Close Cycle
With the renewed focus on cost, organizations are refreshing their awareness of the impact of indirect costs on both margin and the bottom line. Consequently, they are developing a better understanding of the processes that support the capture, application and reporting of their indirect cost allocations. In many cases, though, the more sophisticated the allocation methodology, the greater the downstream impact on financial reporting processes.
CONTENT AREA: Articles
TOPICS: Close the Books, Financial Reporting, Cost Management, Performance Management/Measurement
January 18, 2010
The Increasing Risk of Procurement Fraud
Of all the forms of white-collar crime, procurement fraud is probably the least visible, and yet the most costly. Worse, victimized companies often choose to settle privately with alleged culprits rather than report it. Inside, Compliance Week Columnist José Tabuena shows how to implement and maintain a strong set of internal controls to prevent your own procurement problems.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Materials Management & Inventory, Purchasing & Accounts Payable, Fraud
January 18, 2010
The Keys to Intergenerational Harmony
With multiple generations working side by side for several years now, much has been written about the key differences that affect the ability of multigenerational teams to collaborate successfully. Some organizations have taken this advice to heart and work to consciously reflect these differences when it comes to selecting and cultivating teams. Others have dismissed the advice as irrelevant, unimportant, or simply too overwhelming to do much about.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Human Resources, Change Management, Knowledge Management, Performance Management/Measurement
January 11, 2010
Real-Time Business Intelligence: Best Practices at Continental Airlines
Data management for decision support has moved through three generations, with the latest being real-time data warehousing. This latest generation is significant because of its potential for affecting tactical decision making and business processes. Continental Airlines is a leader in real-time business intelligence, and much can be learned from how they have implemented it.
CONTENT AREA: Articles
TOPICS: Airline Industry, Technology, Best Practices, Change Management, Outsourcing/Co-sourcing/Shared Services
January 4, 2010
Study Finds Good News on Ethical Attitudes
A new study of workplace attitudes about ethical behavior has found that despite the difficult economy, employees are calling out improper conduct more often. President Patricia Harned, of the Ethics Resource Center, conducted the study and says the results are surprising but are welcomed by ethics and compliance officers. Read this article to learn more.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Whistleblower/Complaint Reporting, Ethics, Fraud
January 4, 2010
The Insider Threat: A View from the Outside
Most employees and contractors are trustworthy and contribute their energy every day toward the company’s mission. However, unexpected, disappointing events can cause individuals to perform criminal acts, and they are sometimes unaware of the magnitude or the consequences of their actions. To provide adequate information assurance, special attention to the insider threat should be built into our security programs.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Security, Ethics, Fraud
December 21, 2009
Accounting for International Operations and Unexpected Events
Unexpected events and disasters have befallen companies time and again as they increasingly expand into foreign countries with manufacturing facilities, customer support services, or to tap into new market opportunities. The range of unexpected events that could happen is extensive. This article reviews the six most significant unexpected events that accountants need to be aware of in order to help their companies adequately prepare.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery, Accounting/Finance, Project Management
December 21, 2009
Crime Prevention through Environmental Design
This is an introduction to crime prevention through environmental design (CPTED), which is the "proper design and effective use of the built environment that can lead to a reduction in the fear and incidence of crime, and an improvement in the quality of life." CPTED encompasses (1) the criminal offender perspective regarding an environment and the risk of getting caught when committing a crime and (2) the social dynamics, sense of ownership of the environment, and their associated protective actions by persons who work, live, or traverse the environment en route to another destination.
CONTENT AREA: Articles
TOPICS: Access Control Systems, Investigations/Forensics, Physical Security, Security Architecture & Models, Fraud, Privacy
December 21, 2009
When the Chief Audit Executive Serves Two Masters
The Institute of Internal Auditors says CAEs should report to the board functionally, and the CEO administratively. But if the CAE reports to two bosses, how do you conduct a performance review? In the Compliance Week Remediation Center, Susan Lione, vice president at The IIA, weighs in with an answer.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Internal Audit, Internal Audit Administration
December 14, 2009
An Iterative Assessment Approach to Improve Technology Adoption and Implementation Decisions by Healthcare Managers
Healthcare IT managers have to navigate a host of challenges when making decisions about technology deployment and often lack data that would allow them to optimize these decisions. This article introduces the User-in-Context Iterative Assessment (UCIA) approach as a means of overcoming these common problems. The goal of this type of assessment is to provide a growing and detailed knowledgebase about users, the workflow, and the work environment as it relates to the introduction of new technology.
CONTENT AREA: Articles
TOPICS: Healthcare & Pharmaceuticals Industry, Technology, IT Infrastructure, Cost Management, Project Management
December 14, 2009
What’s in Your Paint? Why Manufacturers and Retailers Should Care
Concerns about product sourcing testing can be a sensitive area to discuss. Managers will often shy away from discussing concerns because they do not want to know the results, or they believe testing is being completed by another department. This article covers who is responsible for addressing product recalls, how to prevent recalls, and offers simple questions to test sourcing that can help determine the company’s level of compliance and management’s mindset.
CONTENT AREA: Articles
TOPICS: Consumer Products & Retail Industry, Compliance, Outsourcing/Co-sourcing/Shared Services, Performance Management/Measurement, Product Sourcing
December 7, 2009
Best Practices for Transitioning to IFRS
As convergence toward a single global set of accounting standards gains steam, U.S. companies inevitably will encounter financial reporting challenges while preparing a transition plan. Details on how to overcome them are inside.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Change Management, IFRS, Training & Development
December 7, 2009
Ten Ways to Provide Effective Training on a Limited Budget
Training has been all but eliminated in organizations located in geographic areas that were most impacted by the financial meltdown, steep real estate value declines, and the automotive crisis. Even in organizations that are doing relatively well and have been less negatively impacted by the economy, investments in employee training have been significantly reduced – and it is easy to see why. This article discusses the short- and long-term consequences for failing to provide useful training and how to cost effectively fill this training lull.
CONTENT AREA: Articles
TOPICS: Human Resources, Internal Audit, Change Management, Performance Management/Measurement, Training & Development
December 7, 2009
The Top 10 Strategic Technologies for 2010
Gartner, Inc. analysts highlighted the top 10 technologies and trends that will be strategic for most organizations in 2010. These technologies impact the organization's long-term plans, programs and initiatives. They may be strategic because they have matured to broad market use or because they enable strategic advantage from early adoption.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy
November 30, 2009
Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect (Auditor Attestation of Internal Control over Financial Reporting from the Perspective of Smaller Public Companies)
The SEC’s new chairman, Mary Shapiro, has made clear to the market that many smaller public companies will soon have to file their first auditor attestation reports. She said, “Now is the time to bring this system into alignment.” This white paper examines the matters smaller companies should consider when preparing their first auditor attestation report on internal control over financial reporting.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, External Auditor, Internal Controls, Section 404 - Internal Control Reporting, Cost Management, China
November 30, 2009
Survey: Employees Plan to Spend Nearly Two Full Work Days Shopping for the Holidays Using Work Computers
Employees plan to spend nearly two full working days (14.4 hours) on average shopping online from a work computer this holiday season, according to a survey conducted on behalf of ISACA. One in 10 plans to spend at least 30 hours shopping online at work. Employees who shop online using a work computer are also likely to engage in other high-risk behaviors. This article highlights security tips for employees and businesses.
CONTENT AREA: Articles
TOPICS: Human Resources, Technology, Security, Network & Internet Security, Privacy
November 30, 2009
Why the Financial Close Process Matters
For many companies, the financial close process resides in the valley of “just getting the books closed.” Migration to the next plateau of maturity – “closing the books completely and efficiently” – is typically not an easy leap. While many companies continue to experience longer-than-necessary close cycles, inadequate analysis of results, duplication of efforts and overall process inefficiencies, few have the appetite to undertake a focused improvement effort, saying instead, “...we will focus on the close process next month…” As the economy continues to tighten, and more reporting requirements loom on the horizon, many organizations are now looking to drive greater efficiency and effectiveness into their close cycle.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Close the Books, Financial Reporting, Performance Management/Measurement
November 23, 2009
A Multigenerational Perspective on Employee Communications
At the cash register, behind the counter and on the sales floor, the 21st century retail workforce – like the general workforce, is becoming increasingly multigenerational. Thus, a retailer’s future success will depend on engaging and communicating effectively with a demographically diverse workforce. This article examines these differences to get a general sense of how attitudes toward work have formed and what motivates performance across the generations.
CONTENT AREA: Articles
TOPICS: Human Resources, Consumer Products & Retail Industry, Change Management, Performance Management/Measurement, Training & Development
November 23, 2009
Optimized Corporate Defense Programs: A Five Step Roadmap
Any comprehensive program for self-defense requires a number of related components to operate in unison in order to be successful. Eight core defensive activities that need to be managed are identified and are deemed to represent the critical components that constitute an organization’s program for self-defense. They are governance, risk, compliance, intelligence, security, resilience, controls and assurance. These defensive activities need to be managed in a coordinated and cohesive manner before the program can successfully interact with the other business activities.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, IT Infrastructure, Security, Best Practices, Enterprise Risk Management
November 23, 2009
Process Scalability and the “Circle of Distrust”
With the demands of today’s economy, most companies are being pressed to drive greater efficiency into their operations. Organizations in the technology, media and communications (TMC) industry are no different, and many would argue that they are feeling the pressure even more than those in other industries. Most TMC companies envision medium- to long-term improvements in their markets. Accordingly, many are focusing on efforts that drive increased efficiency and scalability into existing operations, often impacting finance and accounting processes. This article focuses on practical approaches to reducing manual effort and risk in the financial close, consolidation and reporting cycle.
CONTENT AREA: Articles
TOPICS: Change Management, Close the Books, Financial Reporting, Performance Management/Measurement, Spreadsheet Risk
November 16, 2009
Auditing Executive Compensation Policies
As public scrutiny over executive pay continues to grow, compensation committees must elevate their performance from basic oversight to a more strategic decision-making role. In this article, Compliance Week Columnist José Tabuena discusses why internal auditors are in the best position to support those efforts, and what they can do to help.
CONTENT AREA: Articles
TOPICS: Compensation & Benefits, Payroll, Internal Audit, Audit Committee & Board, Entity-Level Control
November 16, 2009
Utilizing Store Self-Assessments
Recent economic changes have led many retailers to implement a store compliance process to properly monitor and identify issues and track the resulting remediation. Whether the goal is to reduce shrink or to ensure adherence with regulations, a rigorous store-level compliance process is essential for protecting and substantiating company assets. This article evaluates two options available to help protect and substantiate these assets: traditional store audits and store self-assessments.
CONTENT AREA: Articles
TOPICS: Consumer Products & Retail Industry, Internal Audit, Self-Assessment, Internal Controls
November 16, 2009
What it Means to be World Class
Because internal audit is more visible and accountable than ever, it is important to strive for world-class levels of performance. The CAE and audit committee play an essential role in this effort. No internal audit department can achieve a world-class level of performance without top-level support. In this article, Joel Kramer from the MIS Training Institute describes the chief attributes of world-class internal audit departments.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Best Practices, Performance Management/Measurement
November 16, 2009
What ITIL can Teach IT-GRC
In recent years, Information Technology Governance, Risk and Compliance (IT-GRC) and Information Technology Infrastructure Library (ITIL) are acronyms that are gaining more acceptance and popularity within the IT industry. This article compares the concepts of IT-GRC and ITIL, and suggests ways to create harmony between their defined purposes.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, GRC, IT Audit, IT Infrastructure, Risk Management & Assessment, Security Architecture & Models
November 9, 2009
Introduction to Computer Ethics
The consideration of computer ethics fundamentally emerged with the birth of computers. There was concern right away that computers would be used inappropriately to the detriment of society, or that they would replace humans in many jobs, resulting in widespread job loss. To fully grasp the issues involved with computer ethics, it is important to consider the history.
CONTENT AREA: Articles
TOPICS: Technology, Sarbanes-Oxley Act, Security, Ethics, Fraud, Laws & Regulations
November 9, 2009
Reconciliations – A Sustainable Approach
Despite years of increased focus on internal control over financial reporting, many companies continue to face significant risks associated with the completeness, accuracy, timeliness, quality and efficiency of their account reconciliations. Striving to enhance their comfort with financial statement certifications, executives are grappling with how to obtain greater visibility into the status of this process. They are realizing that reliance on spreadsheets burdens the company with continued dependence on a manual process that is prone to error and requires significant, continued dedication of staff.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Close the Books, Financial Reporting, Performance Management/Measurement, Spreadsheet Risk
November 2, 2009
New Models for Broken Board Governance System
With such high expectations placed upon directors today, is Corporate America’s current governance model still adequate? Compliance Week Columnist Richard Steinberg explores three alternative governance models inside.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Entity-Level Control, GRC
November 2, 2009
Proactive eDiscovery: The Key to Reducing Litigation Risks and Costs
Companies of all sizes are facing increased litigation risks and costs today. A great way to reduce those risks and costs is to adopt a proactive eDiscovery approach. If you are not sure what "proactive" eDiscovery means, this article not only offers a good definition, but also explains the trends that make proactive eDiscovery inevitable, how to implement a proactive solution that can save you money, and how to get started now.
CONTENT AREA: Articles
TOPICS: IT Infrastructure, Best Practices, Cost Management, Knowledge Management, Laws & Regulations, Outsourcing/Co-sourcing/Shared Services
November 2, 2009
Why Adopting the Quality Standard is Important for Internal Auditors
Now, more than ever, leading organizations are recognizing the importance of maintaining an effective internal audit function. Given the extensive regulatory developments and increased liability in today’s business environment, audit committees and company management, among other stakeholders, have placed greater emphasis on the need for enhanced governance, transparency and sound internal controls within their organizations. A quality internal audit function is a critical component in achieving this goal.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Quality Assessment Review, Best Practices, Self-Assessment
October 26, 2009
Changes to The IIA Standards: What Board Members Need to Know
On January 1, 2009, The IIA formally released its revised International Standards for the Professional Practice of Internal Auditing. In this white paper, Protiviti provides a summary of the new and revised Standards, focusing on key areas that are believed to have the most significant impact on IA functions based on our knowledge and experience gained from working with organizations around the globe. Also provided are suggested actions on how IA functions can comply with these changes.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, IT Audit, Quality Assessment Review, Risk Management & Assessment, Fraud, GRC
October 26, 2009
How Companies Are Coping With Social Media
A recent survey of compliance and ethics professionals reveals that while the use of online social media sites such as Facebook and Twitter has exploded, the adoption of corporate policies governing how to use those tools still lags. Inside, experts offer tips on how to build a formal policy.
CONTENT AREA: Articles
TOPICS: Ethics, Internal Controls, Knowledge Management
October 26, 2009
Testing Role-based Authorization Controls in Websites
This paper describes a practical approach on how to test websites for flaws in role-based authorization controls. The first two sections discuss the importance of testing these controls and how testing is tied to the business that the Website supports. The rest of the paper outlines the general approach and some specific tools and techniques that can be used.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Software, Network & Internet Security
October 19, 2009
The New ISACA Risk IT Framework and Best Practice: Filling a Gap, Making Risk Management Easier and More Effective
ISACA’s Risk IT Framework, based on the COBIT® framework and best practice guidance, was recently released after 18 months of work by an international task force with members from five countries. Risk IT extends and unifies the risk management content in COBIT® and Val IT™.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Infrastructure, Enterprise Risk Management, Best Practices, GRC
October 12, 2009
7 Things You Need to Know About Development Project Estimations
There are various aspects that affect project estimates, such as team skills and experience levels, available technology, use of full-time or part-time resources, project quality management, risks, iteration, development environment, requirements, and most of all, the level of commitment of all project members. Moreover, project estimations should not be too complicated. Here is a list of seven tools, methodologies, and best practices that can help project management teams, from sponsors to project managers, agree on estimates and push development efforts forward.
CONTENT AREA: Articles
TOPICS: Budgeting, Software, Project Management, Training & Development
October 12, 2009
Improving Internal Audit Through Technology
A number of studies show that internal audit functions are looking more seriously at technology as a way to improve productivity and the organization’s risk management process. The reality is that internal audit cannot successfully meet all looming expectations and perform at a new level without doing things differently and technology – or, more accurately, the very efficient and effective use of technology – is essential for internal audit to succeed in its evolving mandate. This article discusses how to start integrating technology into the audit process, sell its value proposition to executive management, and overcome the related challenges.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Internal Audit, Continuous Auditing, IT Audit, Risk Management & Assessment, GRC
October 12, 2009
SEC Says IFRS Convergence Back in Play
The SEC has put convergence of U.S. and international accounting standards back on the agenda, after months of speculation that the idea might be abandoned. SEC Chief Accountant James Kroeker said convergence of U.S. GAAP and International Financial Reporting Standards is “going to be a priority of the staff over the coming weeks and months.”
CONTENT AREA: Articles
TOPICS: Financial Reporting, PCAOB, IFRS
October 5, 2009
Confronting the Challenges of Manual Journal Entries
Management, regulators and investors demand better information faster, which adds pressure to already compressed timelines for closing the books. One obstacle standing in the path of financial close-process efficiency and effectiveness is the volume and complexity of manual journal entries. While there will always be a need for manual journal entries in the close process, opportunities for improvement can be found in reducing the volume of entries, increasing standardization and automating certain types of transactions.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Close the Books, Financial Reporting, GRC, Performance Management/Measurement, Risk Management & Assessment, Spreadsheet Risk
October 5, 2009
The Crisis Management Plan
The Crisis Management Plan is a documented plan detailing the actions executives want to take place when a crisis strikes the organization. It is designed to replace confusion with order. Remember that the key to successfully managing a crisis is to "Be Prepared," and sadly, a number of organizations are not prepared.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery, Risk Management & Assessment, Enterprise Risk Management, Best Practices, Crisis Plan, Crisis Management Team, GRC
September 28, 2009
Covering Risks in a Shifting Economy
If you have shifting expectations and fewer internal audit resources, how do you adequately cover risk, especially the emerging risks suggested by our current economic conditions? In this article, the author encourages internal audit departments to leverage leading practices so they contribute to the organization’s ability to weather the economic storm and take advantage of opportunities in the future. Now, what internal auditor wouldn’t want to do that?
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, Self-Assessment, Fraud, Segregation of Duties, GRC
September 28, 2009
The Business Survivability Question: Is Your Data Safe?
Today's workforce requires immediate access to information, applications, coworkers and customers. Both large and small enterprises are increasingly online, mobile and Web 2.0-driven. These advancements illustrate that IT is no longer just a business tool – it is business. Yet every year businesses experience the effects of data loss stemming from IT network outages – whatever the origin – and as IT systems fail, daily operations follow, and the results can be fatal.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery, IT Infrastructure, Security, Network & Internet Security, Outsourcing/Co-sourcing/Shared Services
September 21, 2009
Exclusive Report: Perks Still Common, Despite Economy
A Compliance Week study of CEO perks reveals that Corporate America hasn’t curbed its urge to splurge very much, despite the bad economy. Given the tendency to link excessive pay to the financial crisis, “perks will be perceived even less favorably,” says Deborah Lifshey of consulting firm Pearl Meyer & Partners. A spreadsheet of perks at S&P 500 companies is inside.
CONTENT AREA: Articles
TOPICS: Payroll, Corporate Governance, Audit Committee & Board, Cost Management, GRC
September 21, 2009
Magic Numbers for Successful Teamwork
People often ask, "What's the ideal number of people to have on any given team to produce the best results?" My answer, "It depends." Several factors go into coming up with that magic number. This article offers ideas for optimum participant numbers, based on meeting types and objectives. While the focus here is more on virtual teams, many of the responses would be similar for co-located teams.
CONTENT AREA: Articles
TOPICS: Human Resources, Best Practices, Performance Management/Measurement, Training & Development
September 21, 2009
Ten Ways to Tune Up Your Fraud Risk Management Approach
Given the current economic climate, it is not surprising that the potential for fraud has increased. Of the 507 Certified Fraud Examiners who responded to a 2009 survey, more than half indicated that the number of frauds has increased during the past year. Despite these findings, not all organizations are stepping up their fraud assessments and risk management efforts. This article provides 10 specific actions internal auditors can take.
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, Ethics, Fraud, GRC
September 14, 2009
Building Professional Relationships for Auditors Using Online Social Networks
Probably not a day goes by when you do not hear or read about Facebook, MySpace, LinkedIn or Twitter. As a professional auditor, you can benefit by using one or more of these Web sites known as “social networks.” This article will provide an overview of the role of online social networks in today’s business world, a review of the leading professional-oriented social networks and why social networking is particularly useful for those in the audit profession.
CONTENT AREA: Articles
TOPICS: Knowledge Management
September 14, 2009
Using the Private-Internet-Enterprise (PIE) Model to Examine IT Risks and Threats Due to Porous Perimeters
There is a common misconception that internal IP networks (intranets) are secure and that only external networks such as the Internet and extranets are vulnerable and unsecured. The truth is that information on any network, internal or external, is not inherently secure. This paper proposes a new model to identify and examine threats to information assets from private, Internet, and enterprise sources.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Security Management Practices, Access Control Systems & Methodology, Privacy
September 7, 2009
Managing Internal Audit Cost, Effectiveness and Performance
In Singapore, good corporate governance requires that cost is not the only consideration behind the level of internal audit resourcing. The benefits of a broad, risk-based internal audit program need to receive a fair hearing in this environment. The final part of this two-part series addresses how to measure the effectiveness of internal audit and provides key questions that should be asked by the audit committee.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Cost Management, Outsourcing/Co-sourcing/Shared Services
September 7, 2009
Safe Harbor Data Privacy and Security for European Union Employee Data
The problem of securing and protecting European Union (EU) employee data and meeting EU privacy guidelines is growing as U.S. corporations continue to hire employees overseas. This article examines the ability of a multinational U.S. corporation to meet data privacy and security guidelines for EU data being transferred to the United States. By examining Safe Harbor regulation, this article simplifies the process by which a corporation can meet privacy regulatory constraints over EU data.
CONTENT AREA: Articles
TOPICS: Human Resources, European Union, Access Control Systems & Methodology, Laws & Regulations, Privacy
September 7, 2009
The Upside to IFRS for Small, Medium Entities
The International Accounting Standards Board has finally issued its long-awaited IFRS for smaller companies, and the standard could prove quite influential. Essentially, IFRS for SMEs is a simplified microcosm of full IFRS aimed at meeting the financial reporting needs of private companies through a cost-benefit approach. This standard might be more important than you think.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Audit Committee & Board, IFRS
August 31, 2009
Devising a Workable IT Planning Strategy
Effective decisions are elusive without good planning abilities, and good decisions about how IT should be deployed and managed are no different. If IT planning consists of all of the activities that support consistent decision-making, then the IT planning discipline has to be made up of activities performed in a process that is repeatable, has defined responsibilities, has a defined order to the activities and is auditable. As this article explains, to make quality decisions the process should provoke the right questions and supply the information that can support the decision-making.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy, Best Practices, Project Management
August 31, 2009
Managing Internal Audit Cost, Effectiveness and Performance - Part 1
In Singapore, there is a need from a corporate governance perspective to ensure that cost is not the only focus when considering the level of internal audit resourcing. There is a need to ensure that the benefits of a broad program of risk-based internal audit receive a fair hearing in this environment. Part one of this two-part series introduces a number of optional resourcing models that directors could consider when developing the internal audit function, as well as the key questions that should be asked by the audit committee.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Cost Management, Outsourcing/Co-sourcing/Shared Services
August 24, 2009
Are you sure about offshore? What are the opportunities and what are the extra risks?
Faced with the unexpected severity of the downturn, many organizations will tend to “freeze” strategic decisions and concentrate on the immediate operational problems. However, does this mean that organizations can put all initiatives aimed at the outsourcing of internal activities on ice? By means of three questions, this article provides insight into the possibilities that outsourcing offers to relieve pain in these difficult times.
CONTENT AREA: Articles
TOPICS: Risk Management & Assessment, Fraud, Outsourcing/Co-sourcing/Shared Services, Performance Management/Measurement, SAS 70, GRC
August 24, 2009
Key Questions Regarding Integrated GRC
GRC means different things to different people. One perception is that integrated GRC is nothing more than ERM repackaged by solution providers to drive a new market. Others consider ERM and GRC as distinct subsets of each other. Upon closer review, ERM and GRC differ in terms of their moniker origins and related business practices but are similar in definition.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Risk Management & Assessment, Compliance, Enterprise Risk Management, GRC
August 24, 2009
Seven Ways to Save Money with Technology
In good times or bad, enterprises are constantly looking for ways to cut business expenses. While departments across the board are tightening their belts, companies can cut costs by making smart choices with technology. By using technologies such as software-as-a-service, virtualization, web conferencing and voice over IP, companies can cut costs and keep them low. Here is a list of seven ways that technology can help your business cut expenses. They may not apply to every situation, but at least consider them for your company.
CONTENT AREA: Articles
TOPICS: Budgeting, Technology, IT Strategy, Cost Management, Outsourcing/Co-sourcing/Shared Services
August 17, 2009
Ghost and Zombie Assets: It’s Midnight. Do You Know Where Your Assets Are?
Internal controls over fixed assets are sadly lacking in many companies. Often gross fixed assets can be one third of total company assets. If fixed asset balances are material to a company, and hence should be subject to good internal controls, why are internal controls often lacking in strength?
CONTENT AREA: Articles
TOPICS: Financial Reporting, Fixed Assets, Sarbanes-Oxley Act, Internal Controls, Process-Level Control
August 17, 2009
Operations, CIOs, and the Big Picture
Like others in executive management, CIOs are key players in the organization and increasingly face decisions to improve business performance while managing costs. This article provides insight on the concept of outsourcing, characteristics of the insightful CIO, and a panorama of computerization over the last 60 years.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Technology, IT Strategy, Outsourcing/Co-sourcing/Shared Services, Training & Development
August 17, 2009
Regulatory Reform: We Need Music, Not Noise
Over the years, United States presidential commissions and trade associations have made countless appeals for meaningful regulatory reform, but such reform has remained elusive. This article suggests that the best way to design a meaningful plan for regulatory reform in the United States is to start with a clean sheet of paper. These simple steps offer the advice a consultant would provide to a company looking to implement effective risk management: Define your desired future state and align your strategies, people, processes and tools to achieve that state.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Risk Management & Assessment, Compliance, Financial and Credit Risk, GRC
August 10, 2009
Capital Projects and Construction: Building in Risk Management and Project Controls
For real estate owners and operators, gathering adequate and affordable financing to fund construction and development activities in this uncertain economy can be a significant challenge. Thus, it is imperative that they make every dollar count by maximizing cash flows from existing operations, minimizing financial leakage, ensuring that the capital deployed into construction and development activities is utilized efficiently, and communicating the results of their capital-saving activities to investors in a timely and effective manner. Risk management is the key to this process.
CONTENT AREA: Articles
TOPICS: Fixed Assets, Risk Management & Assessment, Cost Management, Enterprise Risk Management, GRC
August 10, 2009
School Innovative Management Model and Strategies: The Perspective of Organizational Learning
With a knowledge-based economy approaching, knowledge and innovation have been the core elements of national competitive power. This study discusses the related concepts and content of learning school and school innovative management. It also analyzes the impact factors of school organizational learning, and establishes the model of school innovative management based on organizational learning.
CONTENT AREA: Articles
TOPICS: Human Resources, Change Management, Knowledge Management, Performance Management/Measurement, Training & Development
August 10, 2009
The Biggest Internal Audit Challenges in the Next Five Years
In this current environment, internal auditors are playing - and will continue playing - a vital and growing role in monitoring and helping improve organization-wide systems, processes and controls. Interestingly, the April 2009 MIS SuperStrategies conference in Las Vegas included a panel discussion focused on “Internal Audit and its Formidable Challenges.” One question in particular grabbed the panel’s attention, sparked lively discussion and became the basis for this article: What do you think are the greatest challenges in the next three to five years?
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Continuous Auditing, Risk Management & Assessment, Fraud, GRC
August 3, 2009
Using Conflict Resolution for Sustained Organizational Change
The ability to bring about sustained organizational change in the area of risk management practices is a key measure of success for any internal audit department. Effective auditors are those adept at using conflict resolution techniques to garner management support for improved internal controls and risk management practices. This article describes effective ways to deal with crucial client conversations that involve change before they become deep-seated conflicts.
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, Change Management, Training & Development, GRC
July 27, 2009
Fraud Prevention and Detection in a Manufacturing Environment
The Association of Certified Fraud Examiners estimated in its 2008 Report to the Nation on Occupational Fraud and Abuse that organizations lose 7 percent of annual revenues to occupational fraud. This represents a 40 percent increase from the estimate in its 2006 report. In other words, fraud is an increasing risk in an organization’s risk portfolio that must be addressed. In light of this, what steps can a manufacturing company take to deter fraud in its organization? This article explains the principles of an effective fraud risk management program, outlines common frauds in the manufacturing environment, and provides examples of data analytics that can detect fraud.
CONTENT AREA: Articles
TOPICS: Continuous Auditing, Ethics, Fraud, GRC, Manufacturing & Distribution Industry, Risk Management & Assessment
July 27, 2009
Managing the IT Procurement Process
An IT procurement process, formal or informal, exists in every organization that acquires information technology. As users of information systems increasingly become customers of multiple technology vendors, this IT procurement process assumes greater management significance. Despite the trend to look to outside providers, to date there has been little, if any, research investigating the IT procurement process.
CONTENT AREA: Articles
TOPICS: Purchasing & Accounts Payable, Technology, IT Infrastructure, IT Strategy, Best Practices
July 27, 2009
Value Creation in an Economic Downturn – The CFO as a Dilemma Manager
Companies are being confronted with a difficult dilemma. On one hand, they need to save cost and restructure their operations due to the economic crisis. On the other hand, they need to invest and innovate to create long-term value for shareholders, clients, employees and other stakeholders. The CFO plays a key role in managing this “business split,” but how should it be done?
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Financial Reporting, Internal Controls, Performance Management/Measurement
July 20, 2009
Change Management in a Down Economy: Connecting with Employees to Increase the Odds of Success
Fundamental changes to our regulatory systems, business models and management philosophies lie before us. In these challenging times, the most effective organizations will be those that are able to adapt and to respond to shifting priorities. But before this can happen, organizations need to understand how their employees are likely to deal with change and how they can be motivated to accept – and even embrace – change.
CONTENT AREA: Articles
TOPICS: Human Resources, Risk Management & Assessment, Change Management, Performance Management/Measurement, Training & Development, GRC
July 20, 2009
Internal Audit – Adding Value, Increasing Assurance in Times of Economic Turmoil
Many organizations recognize that reducing internal audit resources is risky in times of uncertainty. However, not all organizations recognize the significant value add that audit can provide. In this article, John Verver from ACL Ltd. discusses how internal audit departments can make significant quantifiable contributions to their organization’s performance through the use of technology and data analytics.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Testing, Continuous Auditing, Risk Management & Assessment, Performance Management/Measurement, GRC
July 20, 2009
Predicting the ROI of Change
Process Simulation Modeling (PSIM) can provide real business value to organizations that are trying to change processes. When companies use simulation software appropriate to their industry to evaluate process performance, they can improve their operations and, by integrating CMMI, achieve higher levels of process maturity.
CONTENT AREA: Articles
TOPICS: Software, Change Management, Performance Management/Measurement
July 13, 2009
From the Field: A Hacker’s Story
In tough economic times, it is more important than ever before to be mindful of common-sense security practices. The security posture of most organizations can be improved with simple, easy-to-remember safety tips, inexpensive security technology solutions, and by making employees aware of rising security threats and ways to mitigate them. Read this article to learn about some fundamental practices that can be implemented and that will dramatically increase the protection of most organizations.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Security, Access Control Systems & Methodology, Physical Security, Security Management Practices
July 6, 2009
Managing Your Security Future
IT organizations within most corporations are spending significant time and resources securing IT infrastructure. Read this article to gain an understanding of the security technologies and risks that exist today and in the near future. By understanding the technologies and threats, you can better manage security decisions to fulfill the needs of the business.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Infrastructure, Security, Network & Internet Security, Security Architecture & Models, Security Management Practices
June 29, 2009
How to Develop and Implement a Security Master Plan
An important aspect of developing and implementing a security master plan is to make sure the security strategies are linked to the strategies of the business, so that the program moves forward in unison with the business. Read this article to understand how to develop and implement a security master plan, and why the security operation is no longer just a business expense but an integral part of the business that contributes to its success.
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, Security, Access Control Systems & Methodology, Network & Internet Security, Physical Security, Security Management Practices, GRC
June 22, 2009
Trends in IT Internal Auditing: Greater Use of Automation, ‘Rebalancing’ Focus Away from Sarbanes-Oxley and Toward Broader Risk Management
Protiviti conducts a series of annual surveys among internal audit executives and professionals to identify key trends impacting organizations worldwide. Recent results from these studies include a number of notable trends in IT auditing. These trends focus on ISO 27000, computer-assisted audit techniques (CAATs), and IT audits not related to Sarbanes-Oxley compliance.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Internal Audit, IT Audit
June 22, 2009
Why Tomorrow Is Too Late to Think about Business Continuity
Business owners and executives juggle a number of projects each day that draw on their time and resources. As a result, they tend to defer business continuity into the "solve tomorrow" column until right before (or right after) an incident. This is a critical, sometimes disastrous mistake. Read this article to learn why designing and implementing a functional continuity plan is a multi-month process, and that executives must dedicate the time to ensure business survivability.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery
June 15, 2009
Addressing Privacy, Security, and Other Pressing Healthcare Concerns
In the age of on-demand information, healthcare patients are becoming more informed and increasingly concerned about issues facing the industry. Understanding where to focus time and resources is the first step to meeting this challenge. This article discusses several relevant issues facing the industry today, including the implementation of the HITECH Act, PCI Data Security Standards, and Red Flags Rules.
CONTENT AREA: Articles
TOPICS: Healthcare & Pharmaceuticals Industry, Technology, IT Audit, Compliance, Laws & Regulations, GRC
June 15, 2009
The Methodology for Managing the Abuse of IT Systems
Dealing with security breaches is becoming one of the most pressing problems in every organization whose systems are connected to the World-Wide Web. This article highlights the methodologies of dealing with security breaches supported by organizations such as SANS, NIST, CERT, and ISO. Here you will learn about these methodologies, and also understand the author’s own methodology, which takes into account selected aspects of these methodologies, with the purpose of establishing a systematic and coherent approach to the process of detecting and reacting to abuses in IT systems.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Security, Access Control Systems & Methodology, Network & Internet Security, Security Architecture & Models, Security Management Practices
June 8, 2009
Justifications, Strategies, and Critical Success Factors in Successful ITIL Implementations in U.S. and Australian Companies: An Exploratory Study
A growing number of organizations are implementing the ITIL “best practice” framework in an attempt to improve their IT service management processes. However, not all ITIL implementations are successful, and some companies have been disappointed with the outcomes. Read this article to understand what strategies companies have used to implement ITIL successfully, and what critical success factors they attribute to a “successful” ITIL implementation.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Security, Application Development Security, Change Management
June 8, 2009
Seven Vulnerabilities in Today’s Economy: What Your Organization Can Do
Recent economic events have rocked everyone from Wall Street to Main Street. While we all wait to see how the stimulus package impacts the economy, people in the risk management profession should focus on helping organizations manage emerging and existing risks. In part one of this two part series, Ann Butera, encourages people to apply what they learn from the financial crisis and think the unthinkable concerning risk events and control design. In part two, Ann focuses on the three final vulnerabilities organizations should avoid if possible, but must be prepared to address if necessary: filling the leadership void, inadequate bench strength, and diluted communications that create comas of complacency.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Enterprise Risk Management, Ethics, Fraud, GRC
June 1, 2009
ERP for IT
No large company today would be able to compete without a strong ERP (Enterprise Resource Planning) system that drives and integrates business processes, building and maintaining a high-quality information base for making business decisions. IT planning requires the same approach: a centralized information base that is fed by integrated processes, updated with every plan made and every decision taken. Read this article for information on how ERP brings together the relevant people, processes, tools and information to create an information-based, process-centric information platform on which to base decisions.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Best Practices
June 1, 2009
The $700 Billion Scenario
During September 2008, the markets declined with unprecedented volatility as investors became even more anxious about the uncertainty (i.e., risks) that lay ahead. An avoidable situation that unfolded over more than 10 years became a nightmare scenario in a matter of days. These events might suggest that it is time for leaders in each organization to challenge the status quo and champion scenario analysis.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Financial Services Industry, Risk Management & Assessment, Enterprise Risk Management, Financial and Credit Risk, GRC
May 25, 2009
Building a Compliance Program in Higher Education Institutions Without Compliance Officers
Since the governance structure in higher education is often decentralized, with no central person or program overseeing compliance, it can be difficult to know who is responsible for ensuring compliance for all the disparate areas throughout the university. This is an excellent rationale for the IA function to drive the establishment of an institutional compliance program. This article outlines a five-step process.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Education, Internal Audit, Risk Management & Assessment, Compliance, GRC
May 25, 2009
Failure to manage post-disaster liability risk may cost you
As the first decade of the 21st century has demonstrated in stark terms, the need for robust recovery and business continuity plans in the face of increasingly costly disasters, whether natural or manmade, has never been greater. However, even the most carefully crafted continuity plans may be missing a vital component: the risk of disaster-related liability actions brought on by affected parties. This article discusses how failure to plan for these events imposes great risk to the organization, and how internal audit can help manage these risks.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery, Risk Management & Assessment, Best Practices, GRC
May 25, 2009
The Key Success Factors in Aligning IT with Business
The most pressing issue among CIOs, according to a 2008 survey by the Society for Information Management (SIM), is the alignment -- or misalignment -- of IT with business. As IT departments need to consolidate their resources, there is a growing concern among CIOs that doing so may not be so easy. Read this article to learn about the success factors essential to a CIO’s approach to business objectives.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Internal Audit, Risk Management & Assessment, Best Practices, GRC
May 18, 2009
Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect
Written comments from SEC Chairwoman Mary Schapiro virtually assure the markets that many smaller public companies will soon be subject to their first auditor attestation. Schapiro noted that “it’s time we bring uniformity to the system.” This paper explores considerations for smaller public companies as they prepare for their first external auditor attestation over ICFR.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, External Auditor, Internal Controls, Section 404 - Internal Control Reporting, Cost Management, China
May 18, 2009
Confusion in the Ranks: IT Service Management Practice and Terminology
The Information Technology Service Management (ITSM) movement is gaining adopters throughout the world, expanding from the 2005 ratification of ISO/IEC 20000 by the International Organization for Standardization (ISO). This paper provides a background on ITSM and its contributing concepts, including the IT Infrastructure Library (ITIL), Service Level Management (SLM), Business Service Management (BSM), and many others. Read this article to learn about the several contributing frameworks mentioned and about a survey of U.S. IT managers conducted to determine the extent of understanding of these terms and frameworks.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Infrastructure, IT Strategy, Internal Audit, Risk Management & Assessment, GRC
May 11, 2009
25 ‘Worst Practices’ in Educating the Audit Committee: What Not to Do
In these uncertain times, profits are being challenged, everyone is clamoring for more oversight, the control environment is threatened as layoffs grow, and IT has a whole new set of risks. With this backdrop, the relationship between the chief audit executive and audit committee has never been more important. The communication must be open, continual, pertinent and timely. To explain how to do this, consider first some thoughts on how not to do it.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Audit Reporting, Quality Assessment Review, Risk Management & Assessment, GRC
May 11, 2009
Business Process Outsourcing: What It Costs to Remain Competitive in the 21st Century
Business process outsourcing (BPO) has become an increasingly popular practice among U.S. firms as a cost-cutting means of improving business operations. The most commonly outsourced business functions are those based on information technology and information services. Read this essay, submitted by Miami University of Ohio students Nicholas Barkman, Patrick Damo, and Eric Malo, to learn about the numerous benefits a firm can receive if it chooses to outsource a business process, and about the controls that must be in place to maximize the efficiency and effectiveness of an outsourcing relationship.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Internal Controls, Outsourcing/Co-sourcing/Shared Services, SAS 70
May 11, 2009
Security Strategy: From Soup to Nuts
Many government and industry regulations deal with security measures, and for that reason it’s important to secure your company’s IT infrastructure, no matter how large or small your company. Even if for some reason you’re not subject to regulations, it’s still a very good idea to secure your assets. This article provides an overview of IT security issues and a methodology for addressing them.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Security, Access Control Systems & Methodology, Network & Internet Security, Security Architecture & Models, Security Management Practices
May 4, 2009
10 Big Things for Small Audit Departments (Chinese-language edition: Ten Pitfalls of Small Audit Departments)
Internal auditors face the same problem as many people in business: a heavy workload but not enough staff to handle it. This situation is especially evident in small internal audit departments, so small audit departments must understand the problems they face and use their resources more effectively to get things done.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Planning, Audit Reporting, Internal Audit Administration, Performance Management/Measurement, China
May 4, 2009
An Integrated Approach to Managing Operational Risk – Breaking down the organizational barriers
The operational audit function can be considered an extension of internal audit, where auditors focus on issues that may not have a direct impact on financial reporting such as compliance with company operating policies and procedures or safety, labor or health regulations. In decentralized organizations, communication is important to address operational audit issues and the associated risks. This article discusses how technology can help manage operational audits.
CONTENT AREA: Articles
TOPICS: Technology, Software, Internal Audit, Audit Testing, Risk Management & Assessment, Self-Assessment, GRC
May 4, 2009
Continuous Auditing
Continuous auditing is a method used to perform control and risk assessment automatically on a more frequent basis. It effectively and continuously tests controls and risks, which results in timely notification of gaps and weaknesses and allows immediate follow-up and remediation. Read this essay submitted by Bradley University student Ben Getz to learn about the history of continuous auditing, associated cost issues, continuous auditing benefits, and a success story.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Internal Audit, Audit Planning, Internal Audit Administration, Risk Management & Assessment, Best Practices, Internal Controls, Continuous Auditing, GRC
May 4, 2009
Which Kind of System? The Make, Buy, or Rent Decision
Having made the decision to upgrade its systems, the next step that an organization needs to take involves the classic "make or buy" question: Is the organization going to build its own system from scratch or purchase a "mature" system that tens, hundreds, or even thousands of organizations currently use? Read this article to understand the make, buy, or rent options for organizations seeking to upgrade their systems and the pros and cons of each.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy, Software, Cost Management
April 27, 2009
Coalescing a New Team: Creating Ties That Bind
Maybe you've inherited new team members from another group within your company as a result of recent reorganization. Or perhaps your company has merged with another, giving you a whole new group to manage. Whatever the reason, you need to pull a new team together, including people who have been working together all along and those who are just coming on board. Read this article to learn about some practical tips for finding the right "glue" to bring a new team together, even when working from afar.
CONTENT AREA: Articles
TOPICS: Human Resources, Technology, IT Audit, IT Strategy, Internal Audit, Internal Audit Administration, Best Practices, Training & Development
April 27, 2009
Maturing the use of data analytics
In the internal audit practice the use of data analytics as part of the audit process is usually part of a continuum. It tends to start off in ad hoc use, then move to repetitive use, and, finally, to continuous auditing and continuous monitoring. In this article, John Verver from ACL Services Ltd. examines the typical evolution in using data analytics.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, Internal Audit, Audit Testing, Continuous Auditing
April 20, 2009
Identifying and Managing Risks on Healthcare Construction Projects
In a challenging economic climate, contractors feel the pinch. Projects are cancelled, backlogs dry up and prices decline. To compensate for reduced projects and decreased revenues, contractors must scramble to win or save work while maintaining positive cash flow. Such circumstances demand that hospitals, looking to construct or finish a capital project in a short timeframe, pay close attention to the contractor’s progress and billings.
CONTENT AREA: Articles
TOPICS: Purchasing & Accounts Payable, Healthcare & Pharmaceuticals Industry, Internal Audit, Risk Management & Assessment, Cost Management, GRC
April 20, 2009
Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness
Information security threats are risks that need to be managed. Based on criticality and cost, information security risk management should be taken seriously. Read this article to learn about the assessment of information security risks and what risk mitigation strategies are being used to manage and to minimize these risks.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Internal Audit, Risk Management & Assessment, Security, Security Management Practices, GRC
April 20, 2009
The Regulators’ Primer on Surviving a Liquidity Crisis
A recent publication from the Basel Committee noted that many banks failed to take into account basic principles of liquidity risk management before the current market turmoil began, leaving them unprepared and exposed to market uncertainties. The Basel Committee provides 17 principles for managing and supervising liquidity risks that it broadly groups into five categories: fundamental principle, governance, measurement and management, public disclosure and role of the supervisors.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Internal Audit, Risk Management & Assessment, Basel, Financial and Credit Risk, GRC
April 13, 2009
Digital Content Management
Digital content has become a critical asset in today’s information society and will continue to shape tomorrow’s world. Today’s electronic devices let consumers create, use and transfer almost any kind of content with the simple click of a button. Read this article to learn what digital content is, what risks are associated and how to identify them, as well as how digital content can be effectively managed.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Internal Audit, Risk Management & Assessment, Best Practices, GRC
April 13, 2009
Reducing Data Breaches
Are you taking all the proactive steps to prevent, and not just react to, data breaches? Unfortunately, too often data protection weaknesses are only spotted after the fact. Read this article to learn how conducting security reviews could help prevent this, as well as increasing management’s confidence in the effectiveness of their security without suffering incidents.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Security, Network & Internet Security, Security Management Practices
April 13, 2009
Time to clear up misunderstandings about IFRS convergence
The timetable for U.S. companies to move from GAAP to IFRS is not set in stone, but such a transition is moving inexorably forward, either through conversion or convergence. While many companies have taken baby steps toward the changeover, a surprising number have yet to act. Such stasis may be due, in part, to a lot of “fuss” clouding the truth behind convergence. It is time to address those concerns and get a clear understanding of what is involved.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Internal Audit, Audit Testing, IFRS, Project Management
April 6, 2009
Ranking Risks: Rare to Certain, Negligible to Catastrophic
Risks that your project or business is exposed to may be worth reviewing now more than ever before to explore which ones need more attention than others. Since risk is directly correlated to loss, it is important to be able to assess risks in one's business and to address them. Read this article to learn how inattention to risks can affect a company, and see what you can do to protect your bottom line.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Internal Audit, Risk Management & Assessment, Self-Assessment, GRC
April 6, 2009
The Changing Landscape for Internal Auditors in Financial Institutions
Internal auditors, like everyone in the financial services industry, are scrambling to keep pace. They must stay on top of technological, accounting, legislative and regulatory changes while protecting their institutions from liquidity, credit, valuation and concentration risks. This article emphasizes how innovative internal auditors are needed to explore new technologies, identify and help mitigate emerging risks and develop creative solutions to complex problems.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Financial Services Industry, Performance Management/Measurement, Training & Development, Continuous Auditing, GRC
March 30, 2009
Effecting Change Now: Stimulating Your Organization with Green Technology
The realities of the current economy are daunting. We have organizational goals to meet, and smaller budgets with which to meet them. Amidst business closures and job losses, environmental issues continue to become bigger concerns. Read this article to see how it is possible to reduce spending while improving environmental focus.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy, Best Practices, Cost Management
March 23, 2009
Key Management: The Key to Encryption
If you have been involved with compliance efforts for the Payment Card Industry Data Security Standard (PCI DSS), then you are probably aware of Requirement 3 and its provisions for protecting the Primary Account Number (PAN). This article serves as an introduction to the primary aspects of key management, as well as a way to learn about additional considerations such as exercising key management processes, separation of duties, and key escrow.
CONTENT AREA: Articles
TOPICS: IT Controls, IT Strategy, Network & Internet Security, Security, Security Architecture & Models, Security Management Practices, Segregation of Duties, Technology
March 16, 2009
A Risk-Focused Roadmap to Managing Recovery Funds and Delivering on Program Objectives
The American Recovery and Reinvestment Act of 2009 (ARRA or Recovery Act) was signed into law on February 17, 2009. The legislation seeks to stimulate the economy by preserving and creating jobs, assisting the unemployed and uninsured, and providing state budget relief while making investments in infrastructure, education, science, healthcare and energy efficiency. Read this article to review key highlights and observations and learn about other keys that will allow the ARRA to succeed.
CONTENT AREA: Articles
TOPICS: Taxation, Government, Internal Audit, Risk Management & Assessment, Compliance, Enterprise Risk Management, Project Management, GRC
March 16, 2009
Keeping the Takings Out of Charity: Protecting Against the Threat of Fraud within Not-for-Profit Organizations
Benevolence, trust and compassion traditionally form the cornerstone of not-for-profit organizations and are attributes which facilitate their success. When fraud prevails, these same characteristics can contribute to the vulnerability of a charitable organization. As a result of these characteristics, not-for-profit organizations frequently do not have the basic, formal controls in place that prevent, detect and deter fraud.
CONTENT AREA: Articles
TOPICS: Nonprofit Industry, Ethics, Fraud
March 16, 2009
The IPSec Solution
Confidential, integrity-protected communications are the foundation of e-commerce and distributed solutions. In most environments, the communications that establish the domain logon are protected, but all other communications are not secured. Read this article to learn how IPSec is used to protect some, most, or all of an organization’s network communications from beginning to end.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Security, Access Control Systems & Methodology, Network & Internet Security, Security Architecture & Models
March 9, 2009
Critical Success Factor Survivability for Engaged Information Security Professionals
Today, within the information security industry, more than ever before we have security frameworks, blueprints, methodologies, checklists, security management dashboard software, best practices, and ongoing academic research supported by substantial grants or budgets for engaging security implementation. But information security accidents and sensitive data spills continue at an alarming rate. Read this article to learn how a highly motivated, reliable, goal-setting, competent individual who remains one step ahead of anyone handling, moving, or safeguarding data can help to keep information secure.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy, Security, Investigations/Forensics, Security Architecture & Models, Security Management Practices, Project Management, Training & Development
March 9, 2009
Customer Proprietary Network Information
The protection of Customer Proprietary Network Information (CPNI) was mandated by the Federal Communications Commission (FCC) as companies strive to become compliant with the FCC Pretexting Order of 2007. It is important to understand exactly what CPNI is and is not, the importance of safeguarding this data, the rules for compliance, and how Protiviti’s framework can be practically applied to achieve ongoing compliance. CPNI is sensitive customer information that must be protected, just as credit card information and Social Security numbers are safeguarded. Taking the necessary precautions to protect this data is in the best interest not only of customers, but also of service providers whose success relies on customer confidence.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Telecommunications, Security, Access Control Systems & Methodology, Investigations/Forensics, Security Architecture & Models, Security Management Practices
March 9, 2009
Developing a Sound IT Process
In today’s world, IT organizations face the challenge of dealing with an array of compliance requirements. As part of such compliance, they need to deliver information requested by external and internal auditors, state regulators and a host of others. This raises an important question for IT groups: How do they create a structure that makes it easy to have one set of documentation and one set of control structures in place to satisfy all of these parties?
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Sarbanes-Oxley Act, Internal Controls, IT Controls, Compliance, GRC
March 2, 2009
Granular Application and System Recovery for Virtual and Physical Environments
Businesses increasingly rely on application data such as Microsoft Exchange and SharePoint or data residing within virtual servers. This increased reliance has created a new demand for faster and more granular recovery of data from those systems which cannot be solved using traditional backup approaches, including snapshot capabilities provided by virtual server vendors. Read this article to learn how granular recovery allows IT administrators to recover both data and systems more quickly without additional complexity, cost, or time.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Infrastructure, IT Strategy, Software, Document Retention
February 23, 2009
Managing M&A in a downturn
Some companies, across all industries, will emerge from this current economic downturn as leaders while others will be considerably weakened. Given the growing disparity between strong and weak players, many industries will experience substantial consolidation in the near future. Knowing there are few companies sufficiently capitalized to pursue an M&A strategy, this article outlines some of the challenges companies will face when pursuing this type of strategy in the current economic environment.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Financial Reporting, Compliance, Internal Controls, GRC
February 23, 2009
Securing Critical IT Infrastructure
By now most everyone has some form of a plan in place for the security of their infrastructure. Unfortunately, the plan may not be complete, may omit critical processes, or is based on someone’s idea of what is acceptable. Regardless of what is incorporated into the infrastructure, the plan hopefully includes a systemic and methodical process of beginning, maintaining, and changing throughout the lifecycle. No matter how you are structured, you must have management buy-in or you have nothing.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, IT Strategy, Security, Application Development Security, Security Architecture & Models
February 16, 2009
The Cyber Threat to National Critical Infrastructures: Beyond Theory
Adversary threats to critical infrastructures have always existed during times of conflict, but threat scenarios now include peacetime attacks from anonymous computer hackers. Current events, including examples from Israel and Estonia, prove that a certain level of real-world disorder can be achieved from hostile data packets alone. This article shows that as dependence on IT and the internet grows, governments should make proportional investments in network security, incident response, technical training, and international collaboration.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Security, Access Control Systems & Methodology, Investigations/Forensics, Network & Internet Security, Security Architecture & Models, Security Management Practices
February 9, 2009
Achieving Records Compliance through Consistency
Runaway information growth threatens to clog the arteries of today's businesses. This explosive growth translates into increased cost and risk for organizations to secure and use information while state and federal rules increase compliance requirements. This article describes how to handle information growth by developing an enterprise records management program, and then implementing systems and procedures to ensure compliance.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Software, Security, Security Architecture & Models, Fraud
February 9, 2009
Critical thinking a vital component in sound, effective audit judgment
Difficult economic conditions and heightened shareholder expectations are placing pressure on executive management and audit committees to improve risk management and deliver greater value. Consequently, senior managers now expect internal auditors to provide more than assurance reviews, such as: performance improvement recommendations, insights into emerging risks, and operational and regulatory compliance reviews. This article points out that critical thinking is key to satisfying executives’ expanding expectations.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Internal Audit Administration, Risk Management & Assessment, Project Management, Training & Development, GRC
February 2, 2009
Separating Backup and Archiving: Securing Your Digital Information
Today's companies are challenged not only with managing rapidly growing volumes of information that are spread across many technologies and geographies, but also with heightened regulatory and legal oversight on their information management. This article provides multiple options available for both backing up data and archiving data, and offers insight into what solution might work best for your company.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, IT Strategy, Security, Network & Internet Security, Operations Security
January 26, 2009
Fraud Management in the 21st Century
This article details the brief history of risk-based fraud detection programs, defines current solutions provided by the likes of SAP, Oracle, and many others, and explains the value that fraud detection software can provide to your organization. Beginning with a brief case study of initial attempts of software specific fraud detection, the article discusses how these tools have evolved to provide continuous assurance and the overall value proposition for automated fraud detection.
CONTENT AREA: Articles
TOPICS: Fraud, Investigations/Forensics, IT Controls, Technology
January 26, 2009
The Elephant in the Room – Understanding the Audit Challenges of Project Risk
The value of internal audit as a critical component of corporate governance and risk management is an undisputed fact. However, within an increasing audit universe, there is an elephant in the room that often escapes notice during the audit planning process but can have significant implications for the business if left unaddressed. Part one of this two-part series introduces this elephant: the need for oversight and monitoring of project risk. The final part of the series discusses what traps to avoid when reviewing project risk and internal audit’s growing role in this area.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Risk Management & Assessment, Project Management, GRC
January 19, 2009
Data Loss Prevention: An Elixir for Privacy Compliance Headache?
Data Loss Prevention (DLP) is a combination of hardware and software that aims to prevent the “loss” or “leakage” of data assets out of the organization. The intent of the software is to deter accidents, promote awareness, and enforce information security and privacy policies by prompting the insider to exercise good information security and privacy practices. This article highlights related compliance requirements, security and privacy risk profiles, incident management processes, policies, and standards.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Security, Network & Internet Security, Security Management Practices, Fraud
January 12, 2009
Is Software Development Risk Costing You Money?
Software development projects are plagued with risk and impending failure. According to The Standish Group, only about one-third of the researched software development projects undertaken in the previous two years were considered "successful" – that is, they met all requirements and were completed on time and within budget. This article describes the most frequently cited factors that contribute to the challenge of software development and provides common steps to overcome these challenges.
CONTENT AREA: Articles
TOPICS: IT Audit, IT Strategy, Software, Risk Management & Assessment, Application Development Security, Project Management, GRC
January 12, 2009
Preparing for 'Crunch Time' in the Transition to IFRS
For many companies, significant changes in their accounting practices are appearing on the horizon, given impetus by proposals from the SEC. That agency is calling for a migration from U.S. GAAP to IFRS. Such a convergence seems inevitable, and smart companies will want to prepare sooner rather than later. In this two-part series, Protiviti’s Steve Hobbs shares his insights, in a series of questions and answers, on what topics executives should address for a smooth transition to IFRS.
CONTENT AREA: Articles
TOPICS: Change Management, Compliance, Financial Reporting, Laws & Regulations, Project Management, IFRS, GRC
January 5, 2009
Top Security Trends of 2008 and What to Watch for in 2009
Symantec has taken a look back at the top security trends of 2008, and has used that information to predict what the top threats are for 2009. Security threats for 2009 are related to advanced web threats, the economic crisis and social networks.
CONTENT AREA: Articles
TOPICS: Technology, Security, Investigations/Forensics, Network & Internet Security, Security Architecture & Models
December 22, 2008
Continuous Monitoring and Auditing: What is the difference?
Both continuous auditing and continuous monitoring can be cornerstones in helping internal audit respond effectively to the increased expectations that are placed upon them. They can also help organizations operate more efficiently and more profitably. In part one of this two-part series, John Verver, from ACL Services Ltd., poses the question: Are these two separate concepts or merely variations of a theme? In part two, John closes his discussion by focusing on the benefits of continuous auditing and monitoring, and related best practices.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Technology, IT Audit, IT Controls, Software, Internal Audit, Audit Testing, Continuous Auditing, GRC
December 22, 2008
The Role of Auditors in Network Security (Shooting Fish in a Barrel)
Whether you are in government or the private sector, the last headline you want to see is your organization identified with flaws in your network systems that allow hackers to obtain personal information. This article discusses how it has become crucial for managers to understand how to guard against hackers, outsiders, and even disgruntled employees who threaten their information security, integrity and daily business operations. Auditors should play an important role in assessing network security efforts to help protect the organization from harm.
CONTENT AREA: Articles
TOPICS: IT Audit, Network & Internet Security
December 15, 2008
Performance/Risk Integration Management Model – PRIM2: The Convergence of Enterprise Performance Management and Risk Management
Whether a company is rapidly growing, focused on establishing sustainable competitive advantage, or both, it must consider how an integrated approach and discipline to deploy strategy while also managing the associated risks will improve its probability of achieving strategic objectives. This white paper provides a framework for integrating strategy, risk and performance management.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Risk Management & Assessment, Entity-Level Control, Financial and Credit Risk, Performance Management/Measurement, GRC
December 15, 2008
Social Tension and Separation of Duties
The focus of this article is the intentional introduction of social tension into the workplace as a way to achieve effective separation of duties. Social tension in the workplace is ordinarily considered something to be avoided. However, this article treats this tension as a means of reducing the risk of collusion and enforcing internal security measures.
CONTENT AREA: Articles
TOPICS: Segregation of Duties
December 8, 2008
What to Expect When Expecting a Disaster
A growing number of today’s small companies are establishing and implementing a disaster recovery strategy. With best practices in place to guard against data loss and system downtime, these organizations protect business continuity and ensure rapid recovery from system crashes and other potentially disastrous events. This article outlines several tips to help small businesses prepare for potential disasters.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery, Technology, IT Controls, IT Infrastructure, IT Strategy, Internal Audit, Risk Management & Assessment, Best Practices, GRC
December 1, 2008
IT-as-a-Service: Save Money on IT Costs While Improving Quality and Service
In today's economy, companies are feeling increased pressure to reduce costs without sacrificing the level of quality and services provided by their IT departments. Although technology is a significant expense for most businesses, it has also been proven to increase productivity, reduce other costs and ultimately improve a company's bottom line. With more and more companies - small to medium businesses included - facing the challenges of finding a simple, cost-effective IT solution, this article outlines various “IT-as-a-Service” options.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy, Internal Audit, Risk Management & Assessment, Cost Management, Outsourcing/Co-sourcing/Shared Services, GRC
December 1, 2008
Using technology to cut off in-house fraud at the pass
Last September a former CFO at Tommy Hilfiger Handbags and Small Leather Goods Inc. pleaded guilty to stealing $19 million from the company over nearly seven years. Among other crimes, the CFO admitted to secretly increasing his salary and bonuses; submitting and receiving payments for phony expenses; and adding one of his sons to the payroll for two years and paying him $225,000 without the son ever doing any work. In this article, Patrick Taylor, CEO of Oversight Systems, discusses how this CFO managed to get away with these scams for so long.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Internal Audit, IT Audit, Ethics, Fraud, Process-Level Control, Continuous Auditing, GRC
November 24, 2008
Computer Printouts as Legal Evidence
Advances in computer technology have changed the ways courts evaluate and accept the value of evidence. This article discusses computer-based information and its uses as evidence in legal proceedings. It explains the rules of evidence and their effect on an organization’s management of its databases and describes methods of handling requests for production of computerized data.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, Sarbanes-Oxley Act, Document Retention, Reporting/Disclosure, Security, Investigations/Forensics, Fraud, Laws & Regulations
November 24, 2008
Stepping up to the Plate on Fraud Risk Assessment
Fraud risk is company wide and needs to be on every employee’s radar, top to bottom. A fraud risk assessment can help any organization improve its education around fraud risk. In this two-part series, Gene Agee from Sprint, and Tom Andreesen from Protiviti, provide insight into Sprint’s fraud risk assessment process, the importance of executive sponsorship, and the power that open dialogue brings to the end result.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Whistleblower/Complaint Reporting, Communications Industry, Sarbanes-Oxley Act, Internal Controls, Entity-Level Control, Ethics, Fraud, GRC
November 17, 2008
Complementary Effects of Information Technology Investment on Firm Profitability: The Functional Forms of the Complementarities
This article focuses on developing economic theory on the interrelation between IT investment components. Three functional forms to model the joint effects between components of investment on firm accounting profitability are identified and empirically tested. The results suggest that the complementarities between components of IT investment can be best modeled by using the multiplicative functional forms, providing a framework to model the joint effects of different factors that impact firm profitability.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Infrastructure, IT Strategy, Software
November 10, 2008
A Broader Array of Skills
After years of narrowly focused compliance work, many audit departments are seeing a shift in priorities and a new set of skills requirements. CAEs and managers are now able to step back and clearly see the effect that the prolonged, almost exclusive focus on financial reporting has had on the orientation of their departments. What they are finding is that the often narrow, mechanical nature of SOX has created a skills gap – particularly with new internal audit staff members whose professional experience has consisted largely of SOX-related work.
CONTENT AREA: Articles
TOPICS: Internal Audit, Internal Audit Administration, Risk Management & Assessment, Sarbanes-Oxley Act, COSO, Training & Development, GRC
November 10, 2008
Compliance Frameworks
Compliance frameworks connect regulatory mandates and software practices. This article outlines compliance frameworks and best practices in order to help companies assess their own competencies. Specifically, this article defines identity standards which allow for better tracking and governance of identity-related information.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Software, Compliance, Self-Assessment, GRC
November 10, 2008
Executive Presence: Increase audit effectiveness, build leadership potential
While choosing the right suit can help build a person’s confidence, it takes more than that to build credibility, authority, and trust – all qualities vital to effective internal auditors. It demands a combination of external and internal qualities that can be characterized as "executive presence." In this article, Ann Butera, from The Whole Person Project, Inc., describes the qualities that increase executive presence and its lasting value.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Internal Audit Administration, Change Management, Performance Management/Measurement, Training & Development
November 3, 2008
What Is Enterprise Architecture?
Enterprise architecture is the fundamental organization of a system, embodied by its components, their relationships to each other and the environment, and the principles governing its design and evolution. This article further defines what enterprise architecture means to an organization, outlines the four basic domains most frameworks contain, and explains how practitioners should take a pragmatic approach when applying this concept to their organization.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Infrastructure, IT Strategy, Security, Security Architecture & Models, Security Management Practices
October 27, 2008
10 Big Things for Small Audit Departments
Internal auditors face a problem common to many others in the business world: bigger responsibilities – but not-so-big resources. This is especially true in smaller internal audit departments, where resources are already sparse and growing responsibilities can stretch them dangerously thin. In this article, Joel Kramer, from the MIS Training Institute, discusses common mistakes made by small audit shops and provides suggestions on how they can do things right, using resources more efficiently.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Planning, Audit Reporting, Internal Audit Administration, Performance Management/Measurement
October 27, 2008
Divided by a Common Language: The Story of Requirements Triage
Information Systems and its companion fields Computer Science and Software Engineering have many differences in respect to vocabulary. For example, in Information Systems the word “implementation” is about putting a newly-built system into production usage, whereas in Computer Science and Software Engineering it is about building (coding, in fact) the system. That is a significant difference and an excellent example of how these fields are divided by a common language.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Infrastructure, IT Strategy, Software, Security, Application Development Security, Change Management
October 27, 2008
The Employee Communications Revolution: Embracing the Lessons Learned from Advertising
Parallels are often drawn between the worlds of advertising and employee communications. This is only natural, of course, as both can be classified under the fine art of persuasion. Employees must be persuaded to buy into the company’s vision and execute its basic promise to customers. This article describes how corporate communication can be improved using creative approaches from the advertising industry.
CONTENT AREA: Articles
TOPICS: Human Resources, Sales Process & Marketing, Internal Audit, Risk Management & Assessment, Self-Assessment, Best Practices, GRC
October 20, 2008
General Misconceptions about Information Security Lead to an Insecure World
It is becoming clear that the underground hacking industry as a whole (not just individual hackers) is continually gaining ground – despite the best efforts of the information security industry. It seems the latter should have an overwhelming advantage, as a multibillion dollar industry staffed with hundreds of thousands of security professionals. However, the efforts of the information security industry are almost always reactive, and in most cases amount to losing ground on the defensive.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Security, Network & Internet Security, Security Architecture & Models, Security Management Practices
October 20, 2008
Payment Card Industry – Data Security Standards (PCI DSS)
Credit card breaches happen regularly to unprepared merchants. This article provides an overview of what auditors need to know about Payment Card Industry Data Security Standards (PCI DSS) and why PCI compliance should be an important initiative for internal audit. It spells out the steps you should take to protect your firm’s interests.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, Security, Network & Internet Security, Security Management Practices, Compliance, GRC
October 13, 2008
Moving Your Company towards Role-Based Access Security Controls
Société Générale stunned the financial world when it announced it lost $7.2 billion due to the unauthorized trading transactions of a single mid-level rogue trader. In this article, Cary Haggard of Protiviti and Brian Smith of Black & Decker discuss how this incident is a wake-up call for organizations to reevaluate their access security controls. Haggard and Smith suggest that today’s best security practices for managing access to computer systems reside in the concept of role-based access controls.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Security, Access Control Systems & Methodology, Security Management Practices, Process-Level Control, Segregation of Duties
October 13, 2008
Plugging the Leaks: Best Practices for Securing Data in Endpoints
In today's business environment, information needs to be mobile. This need for mobility has brought with it a host of security risks with data leakage topping the list. Enterprises are in the midst of a data leakage epidemic. Since 2005, more than 230 million records have been lost or stolen, and according to the Privacy Rights Clearinghouse, many of them were stored on portable devices.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Security, Network & Internet Security, Security Management Practices, Best Practices
October 6, 2008
Could CFO defaults trigger the next round in the credit crisis?
The credit crisis triggered by US sub-prime mortgage defaults is nearly a year old, and the private equity industry is considered to be one of its victims. Some believe this industry can no longer rely on cheap debt. Besides being a victim, private equity funds could become an unintended instigator of the next round in the credit crisis.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Credit & Collections, Financial Services Industry, Internal Controls
October 6, 2008
Customer Data and Reputational Risk in the Pharmaceutical Industry
Organizations of all types, from banks to government agencies to healthcare providers, are taking steps to protect themselves against the potentially catastrophic loss of sensitive data, intellectual property and business intelligence. In this environment, pharmaceutical companies are becoming more aware of the distinct data-related risks they face. This article addresses data security questions, methods to mitigate and limit data risk, and the importance of vendor management.
CONTENT AREA: Articles
TOPICS: Healthcare & Pharmaceuticals Industry, Technology, IT Controls, Security, Network & Internet Security, Security Management Practices, Intellectual Property, Internal Controls, Outsourcing/Co-sourcing/Shared Services
October 6, 2008
Don't Become the Next Headline or Statistic!: More on Passwords and Insider Threats
Over the past few years, there has been an endless stream of stats about the insider threat and yet the vast majority of IT security officers appear to be oblivious to them. So here's a stat that’s guaranteed to be undisputed. Right now there is a 100 percent chance that some organization is the victim of either malicious activity by a member of their IT staff or the stupidity of one from this elite group.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Security, Access Control Systems & Methodology, Network & Internet Security, Security Management Practices
September 29, 2008
Best Practices for the Use of Data Analysis in Audit
Over the past 20 years, data analysis has become an essential part of the audit process for the vast majority of audit organizations. Using data analysis in an audit (generally referred to as “audit analytics”) has already provided significant benefits for audit organizations of all sizes across a broad range of industries, but there is still much progress that can be made by optimizing the audit analytics process. In this publication, ACL describes how to successfully use audit analytics.
CONTENT AREA: Articles
TOPICS: Audit Testing, Internal Audit, IT Audit, IT Controls, Technology, Training & Development, Continuous Auditing
September 29, 2008
Solving the Identity Management Challenge: A Holistic Approach
Many companies feel confident about their identity management security, largely because they have protected the perimeter of their organization. However, they are only partly right. About half of the threats facing today's businesses are internal. In fact, insiders with access to privileged accounts pose a greater risk.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Security, Access Control Systems & Methodology, Security Management Practices
September 22, 2008
Delivering the Message: Complete that Audit Effectively
“The work isn’t finished until the paperwork is completed” – an often heard observation typically accepted as the simple truth. But is it the whole truth? If the paperwork isn’t completed (and properly submitted), most auditing jobs are probably not finished, but are they always finished once the paperwork is completed (and properly submitted)? Over the 35+ years since Charles T. Carroll completed his initial education and entered the working world, he has been on both ends of audits, in government and commercial environments.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Planning, Audit Reporting, Internal Audit Administration, Best Practices
September 22, 2008
SOX Costs are Dropping – Companies Improve Compliance and Operational Efficiencies
According to a recent survey by Financial Executives International, Sarbanes-Oxley Act (SOX) compliance costs have fallen by more than half since 2005. In this article, Patrick Taylor, CEO of Oversight Systems Inc., attributes greater awareness of risks and processes that need to be audited, and more use of automation, as big reasons for the lower expenses. Taylor also reminds companies to be aware of the Foreign Corrupt Practices Act, in addition to focusing on SOX compliance.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, Risk Management & Assessment, Section 404 - Internal Control Reporting, Cost Management, Fraud, GRC
September 15, 2008
A Common Sense Way to Make A Business Case for Software Assurance
The aim of this article is to demonstrate how a common valuation model can be used to make a dollars and cents business case for software assurance.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Software, Security, Application Development Security
September 15, 2008
Société Générale: History Repeats Itself
Although the scale of the Société Générale loss is staggering, the circumstances are all too common. Many of them have been attributed to the actions of a rogue trader—a lone individual whose seemingly reckless actions expose a company to high risk and significant losses. In light of the Société Générale event, boards of directors, executive management and risk managers are asking themselves once again, “How did this happen, and could it happen at my company?”
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Entity-Level Control, Ethics, Fraud, GRC
September 8, 2008
Expanding the Auditor’s Role in Spend Management
In weak economic times, when markets turn bearish, boards of directors, senior management and stakeholders often demand that organizations take measures to maintain performance and improve profitability. Surprisingly, procurement process enhancement is often an overlooked area of opportunity and can be a key driver of cost savings and working capital improvement. In this article, Protiviti’s Miron Marcotte, Amy Flynn, and Todd Boza discuss how auditors can create a “high value audit” that reveals numerous ways to reduce expenditures and improve cost efficiencies.
CONTENT AREA: Articles
TOPICS: Purchasing & Accounts Payable, Internal Audit, Audit Testing, IT Audit, Cost Management
September 8, 2008
Software Security Total Risk Management: Blueprint for Effective Program Development
Current challenges of the financial services sector aside, risk management has a long and venerable tradition of practical success in the world of insurance premiums and credit card interest rates. In the world of IT, however, the successful application of risk management techniques has been more elusive. This problem has been no more apparent than in IT application and software development.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Software, Internal Audit, Risk Management & Assessment, GRC
September 1, 2008
Innovative Use of Business Process Management Can Benefit IT, Too
We have all heard stories of innovative business process management (BPM). There are many articles concerning innovative uses of process solutions for saving money and time. While most organizations are discovering the monetary and time saving rewards of BPM, there are a growing number of organizations that are using BPM to innovate processes. Process innovation does deliver hard benefits, but it also adds a dimension of "out-of-the-box thinking" and some "cool" softer benefits.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Performance Management/Measurement, Project Management, Process-Level Control
September 1, 2008
The Art of Assessing IT Controls
To help internal audit departments manage ongoing challenges, a panel of experts convened for the May 2008 IIA webcast, “The Art of Assessing IT Controls.” The webcast participants shared their views on this topic in a three-part article series. Part one of this series focuses on how The IIA’s GAIT methodology can be especially valuable when assessing IT General Controls. Part two focuses on why GAIT inroads are slow in coming, the importance of taking a top-down approach, and how to keep the big picture in sight. Part three, the final installment of the series, focuses on how companies can apply GAIT to Sarbanes-Oxley Section 404 compliance, IT General Control deficiency assessments, and business and IT risk identification.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Planning, Audit Testing, IT Audit, Risk Management & Assessment, Sarbanes-Oxley Act, IT Controls, GRC
August 25, 2008
Visible Ops Security: Achieving Common Security and its Operations Objectives in Four Practical Steps
Wouldn’t it be great if effective and sustainable information security practices could be achieved merely by executive mandate? Or better yet, if security threats had an end date like Y2K? Whether we like it or not, information security challenges are here to stay. Using technology and products certainly helps to reduce risk. But to effectively prepare for, prevent, and respond to security threats, IT must integrate sustainable information security practices into the processes used to develop and maintain business-critical systems.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, Security, Operations Security
August 18, 2008
Auditing the Requirements Process: Making Projects Worthwhile
What you don't know about requirements may hurt you; or may even waste your organization's resources. Requirements are the bedrock of automated systems development and of continuous, stable organizational growth and improvement. As such, their development and management are an appropriate topic for EDP auditors. Auditors should understand their general nature to promote efficient use of developmental and end-user resources and to preclude journeys of technical delight that may not contribute sufficiently (or at all) to the bottom line.
CONTENT AREA: Articles
TOPICS: Project Management, IT Audit, Technology, IT Controls, IT Infrastructure
August 11, 2008
Communications Data Retention: A Pandora’s Box for Rights and Liberties?
This chapter discusses the retention of communications data as a security measure, which interferes with the right to privacy. Privacy is perceived not as merely a right possessed by individuals, but as a prerequisite for making autonomous decisions, freely communicating with other persons, and being included in a participation society.
CONTENT AREA: Articles
TOPICS: Security, Investigations/Forensics, Security Management Practices, Document Retention, Privacy
August 4, 2008
Categorizing Requirements
Gathering and documenting requirements can be a difficult task. Knowing how to create a structure that enhances comprehension and makes it easier to divide and conquer the analysis phase can be useful and is actually critical for success on large and complex undertakings. There are many approaches to categorizing requirements. In this article, the International Institute of Business Analysis (IIBA) approach to classification is reviewed, along with other, equally good approaches.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Technology, IT Audit, IT Infrastructure, IT Strategy, Project Management, GRC
August 4, 2008
Internal audit leaders: Is HR in your audit plan?
Many companies completely overlook the total, true cost of each employee when developing their audit plan. They may conduct payroll audits, but they often fail to look at HR costs from a comprehensive perspective, which is essential to understanding true employee costs. In this article, Protiviti’s Lisa Donoho describes why it is important for internal audit leaders to consider HR risk when developing their annual audit plan.
CONTENT AREA: Articles
TOPICS: Human Resources, Internal Audit, Audit Committee & Board, Audit Planning, Risk Management & Assessment, GRC
July 28, 2008
Innovative Practices for IT Projects
Based on 57 interviews with senior IT project managers in the UK, Canada, USA and New Zealand, this article presents innovative practices these managers have developed during difficult projects. From the respondents’ perspective, traditional project management techniques are only a starting point. Through their quotes, the project managers show how one has to be creative and entrepreneurial to lead projects successfully.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Audit Planning, Project Management
July 21, 2008
Data Governance: Supporting data-centric risk management
Maintaining complete, accurate and available data is crucial to business organizations. Unfortunately, many organizations do not realize that the volume of data they create and use is increasing at an exponential rate, and the methods used to manage this data in the past may no longer be fit for purpose. In this article, Protiviti’s Aaron Weller describes the concept of data governance, its impact on the financial services industry, and relevant considerations when implementing a data governance program.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, IT Strategy, Security, Security Architecture & Models, Document Retention
July 21, 2008
Latest Ways to Identify and Lower Enterprise Risks
Organizations often use a top-down approach to risk management. While this approach to risk management has become a familiar term, measuring specific risks often requires bottom-up information. In this article, Protiviti’s Mark Cory discusses how organizations can benefit from an enterprise risk management approach that relies on both a top-down structure and bottom-up information, and the synergies this powerful combination creates.
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, Enterprise Risk Management, Entity-Level Control, Internal Controls, Performance Management/Measurement, GRC
July 14, 2008
Building Sustainable IP Protection against Hacking
Reverse engineering – a tool to understand competitors' technologies, improve one's products, and defeat the competition – is rampant. Protecting software-based intellectual property is critical to maintaining competitive positioning, protecting R&D investments, and preserving product line profitability. Hardening applications against tampering, piracy and reverse-engineering is indispensable to maximizing software-powered businesses. Here are some key considerations in developing a sustainable IP protection solution.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Security, Access Control Systems & Methodology, Security Management Practices, GRC
July 14, 2008
SAP Security Remediation: Three Steps for Success Using SAP GRC
All companies need strong application security environments as part of a successful overall risk management strategy. Strong risk-oriented security environments rely on internal application security features, drawing upon entity and process controls only as a last resort when mitigating security risk exposures. Many companies have turned to governance, risk and compliance (GRC) software to help them remediate and manage their complex security environments. This paper discusses one such endeavor using SAP’s GRC Access Control suite.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Technology, IT Controls, Software, Risk Management & Assessment, Compliance, GRC
July 14, 2008
Transforming the Finance Function from Underperformer to Strategic Partner
Within any organization, the finance function is one of the most critical components to company operations. However, when handicapped by process inefficiencies or actual deficiencies in operations, the finance function may become a drain on operational effectiveness and a liability to strategic planning. This article discusses how transforming the finance function into a more effective resource is an objective that takes on even greater urgency when the rest of the organization is undergoing reengineering and transformation initiatives.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Accounts Receivable, Financial Reporting, Revenue, Internal Controls, Performance Management/Measurement, Close the Books
July 7, 2008
Building a Culture of Audit Bench Strength Takes Time and Commitment – The Payoffs are Well Worth the Effort
The concept of building bench strength is one that really resonates when you are talking about the internal audit function. At a time when organizations are focusing, more than ever before, on managing resources effectively, internal audit directors know only too well that every one of the positions allocated to them has to count. To successfully manage these resources, you need a strategy and conscious commitment to build bench strength: a team of people with the skill levels and experience that will empower them to step up to whatever challenges may come.
CONTENT AREA: Articles
TOPICS: Human Resources, Internal Audit, Internal Audit Administration, Performance Management/Measurement, Project Management, Training & Development
July 7, 2008
Protecting Customer Privacy Information
The media regularly reveals exposure and misuse of customer or employee privacy information. However, an organization can reduce or mitigate the likelihood of abusive access to privacy information by implementing appropriate security controls that are directive, preventative and detective. Protecting privacy information is best accomplished when it is pursued with the appropriate security controls, as described in this article.
CONTENT AREA: Articles
TOPICS: IT Controls, Security, Internal Controls, Privacy
July 7, 2008
Subprime Mortgage Lending: New and Evolving Risks, Regulatory Requirements
In the late 1990s, then Federal Reserve Board Chairman Alan Greenspan famously questioned the "irrational exuberance" of the stock market. In his speech to the American Enterprise Institute for Public Policy Research, Mr. Greenspan warned that "we should not underestimate or become complacent about the complexity of the interactions of asset markets and the economy." Though his remarks were aimed primarily at the equities markets, which at the time were in the midst of the dot.com craze, and predate the recent boom in U.S. housing values, these remarks are relevant to the current decreases of residential real estate values and the related mortgage lending meltdown.
CONTENT AREA: Articles
TOPICS: Laws & Regulations, Risk Management & Assessment, Financial Services Industry, Credit & Collections, GRC
June 30, 2008
Assimilating Governance into your ERM Process
(Integrating Corporate Governance into Enterprise Risk Management)
In a world of proliferating risks, the discipline of risk management is steadily developing beyond the purely technical level, and organizations are re-examining enterprise risk management (ERM) and exploring how best to integrate corporate governance into the ERM process. Integrating governance and ERM is a well-worn topic. In fact, the two processes have long been closely intertwined in concept, although this is not always the case in practice. Boards and executive management both want to understand and manage the key risks of the organizations they lead, which is why they need to find ways to embed ERM into existing management processes. The alternative is to treat ERM as merely an add-on. Because integration is critical to the success of ERM, this article focuses on how to integrate corporate governance into the ERM process.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Risk Management & Assessment, Best Practices, COSO, Enterprise Risk Management, China, GRC
June 30, 2008
Current Trends in Fraud and its Detection
This article discusses the basic nature of fraud, including the major accounting scandals of the last decade, and the role of auditors. The article also examines recent standards, rules, and acts, and discusses whether they will help deter financial statement frauds from occurring in the future.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Financial Reporting, Internal Audit, Fraud
June 30, 2008
Effective Quality Assessment Review: Getting More Bang for the Buck
In a “coffee-talk” session held at The Institute of Internal Auditors’ General Audit Management Conference in March 2008, participants discussed the how’s and why’s of conducting an effective Quality Assessment (QA) review. Nearly 80 participating chief audit executives brought their own experiences to the table and collaboratively developed ways to make the QA process more valuable. This two-part article series outlines the innovative ideas generated from this discussion.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Audit Reporting, Quality Assessment Review, Process-Level Control
June 30, 2008
Environmental Sustainability - The Head of Internal Audit’s Responsibility
Environmental sustainability is an increasingly important issue for organisations and a growing area of both risk and opportunity. The independent assurance that internal audit (IA) provides can add value to an organisation’s efforts to manage environmental risks and seize the opportunities. However, this is not an area in which IA has traditionally operated. This white paper makes the case for IA involvement in environmental sustainability and suggests some of the actions that heads of IA might consider as a way of developing an IA role in this area.
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, GRC
June 23, 2008
Applying Security within a Service-Oriented Architecture
Service-Oriented Architecture (SOA) looks at the business problem of harvesting the information as a set of needs and utilizing the distributed nature of the systems that provide the information as a set of capabilities. The business value of SOA is that it provides a framework to match the needs with the capabilities. The challenge for security professionals is “enabling” the business value without “disabling” the availability of the information.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Security
June 23, 2008
Structuring the Loss Prevention (LP) Function: Generating a Strong ROI through People, Benchmarks and Training
Despite the potential benefit of loss prevention (LP), many retail organizations are investing less in the function. The decline in LP spending at many retail organizations can be attributed to a downward trend in shrinkage, as well as budget-trimming measures by company management – which tends to view LP as a business expense rather than a cost center – in response to lagging sales and profits. Thus, “do more with less” has become the mantra of LP.
CONTENT AREA: Articles
TOPICS: Materials Management & Inventory, Consumer Products & Retail Industry, Risk Management & Assessment, GRC
June 16, 2008
Outsourcing: Single Source vs. Best of Breed
In the business world we always seem to want to find that one supplier who can do everything for us. Once the supplier is on board either we start asking the team to do other things for us, or the team starts looking for other things to do to expand their "web of influence," or both. It doesn't take long before we've strayed far from their core area of expertise and are now settling for less than optimum solutions - often merely for the sake of convenience.
CONTENT AREA: Articles
TOPICS: Outsourcing/Co-sourcing/Shared Services
June 16, 2008
U.S. Subprime Crisis: Risk Management’s Next Steps
The financial industry is hard at work trying to move beyond the U.S. subprime problems that surfaced in 2007. As part of the recovery effort, financial institutions are reconsidering their credit practices, quantitative models, governance structures and risk management activities. Each of these areas will experience change as banks and their boards and executives adapt to the current economic and credit environment.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Credit & Collections, Financial Reporting, Financial Services Industry, Compliance, Financial and Credit Risk, GRC
June 9, 2008
Assessing and Developing Internal Auditors’ Skills at Raytheon Co.
Today’s corporations and organizations confront the critical challenge of ensuring that internal auditors maintain knowledge and skills in the face of constant and rapid change. Auditors must explore new technologies, identify and help mitigate emerging risks, and develop solutions to complex business challenges in a global business environment. In part one of this article series, Larry Harrington, vice president of internal auditing, and Kathryn Bingham, a Six Sigma Master Expert and Raytheon Learning Champion, highlight the practices Raytheon Co. uses to develop an effective internal audit training and development program. The discussion concludes in part two with Harrington and Bingham describing how an external capabilities and needs assessment benefited the internal audit training program.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Planning, Internal Audit Administration, Benchmarking, Change Management, Performance Management/Measurement, Training & Development
June 9, 2008
E-mail Management
Managing e-mails is a comprehensive topic, worthy of a book on its own. However, this chapter from Implementing Electronic Document and Record Management Systems by Azad Adam discusses the fundamental aspects of e-mail management and how it fits into document and records management.
CONTENT AREA: Articles
TOPICS: Best Practices, Document Retention, IT Strategy, Security, Technology
June 2, 2008
High Value Audits: An Update on Information Technology Auditing
Recently, Protiviti conducted a survey in which it asked chief audit executives, internal audit directors, managers, and other professionals how they perceive their departments’ capabilities concerning internal auditing, where they currently see a need for improvement, and how they prioritize those needs. Respondents rated auditing skill sets around IT change management, security, computer operations, program development and business continuity lowest.
CONTENT AREA: Articles
TOPICS: Internal Audit, IT Audit
June 2, 2008
Social Engineering Techniques, Risks, and Controls
This article describes typical social engineering threat sources and techniques, analyzes the associated information security risks, and outlines a range of preventive, detective, and corrective controls to minimize social engineering risks.
CONTENT AREA: Articles
TOPICS: Security, Access Control Systems & Methodology, Security Management Practices, Fraud, Privacy
May 26, 2008
Cutting to the Core: Managing Internal Audit Challenges
To help internal audit departments manage ongoing challenges, a panel of experts convened for the February 2008 IIA webcast, “Cutting to the Core: Managing Internal Audit Challenges.” In part one of this article, webcast participants shared their views as to why it is important for internal audit to keep pace with the changing business environment to meet stakeholders’ needs. The discussion concludes in part two with the panel encouraging auditors to develop a strategic plan, manage change through an integrated soft audit, and align top priorities with the organization.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, IT Audit, Risk Management & Assessment, Change Management, Project Management, GRC
May 26, 2008
Database Access, Security, and Auditing for PCI Compliance
Database management affects a lot more than SOX and PCI compliance. Depending on whether your industry or company must comply with FFIEC, GLBA, HIPAA, ISO, CA SB 1386, or other requirements, the auditor may choose to perform a limited-scope compliance audit for a specific set of requirements.
CONTENT AREA: Articles
TOPICS: Technology, Software, IT Audit, Security, Compliance, GRC
May 19, 2008
Millennial Workforce: IT Risk or Benefit?
Millennial workers have differing attitudes regarding technology use and adoption in a work environment when compared to their older colleagues. Trying to implement IT risk management policies with a millennial workforce – one that has been labeled as risk takers – is very problematic. A recent study reveals there is potential for huge risk exposure: data loss, compliance issues, legal implications, and other problems.
CONTENT AREA: Articles
TOPICS: Human Resources, Risk Management & Assessment, GRC
May 12, 2008
Data Loss Prevention: Where Do We Go From Here?
Data Loss Prevention (DLP) is quickly becoming one of the most overused, yet misunderstood acronyms in an industry known for its cryptic abbreviations. ‘DLP’ is appearing on a puzzling variety of security products, adding to the confusion and hype. This article explains what DLP is, why it is important, and how it works.
CONTENT AREA: Articles
TOPICS: Technology, Security, Network & Internet Security
May 12, 2008
The Virtual Auditor and the Human Element
To properly fight fraud it is not enough to use leading technology solutions without hiring knowledgeable auditors. According to Patrick Taylor, CEO of Oversight Systems, it is necessary to use both. In this article, Taylor discusses the pros and cons associated with involving humans and technology in fraud audits and how teaming the two improves the end result.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, Software, Ethics, Fraud, Continuous Auditing
May 12, 2008
Transforming Trade Promotion Management (TPM)
Trade promotion spend has tripled during the last 20 years. However, executives see few benefits from this large spend. This article shows how TPM is often a cumbersome, manual process with few controls, and highlights some of the key “pain points” companies often experience.
CONTENT AREA: Articles
TOPICS: Sales Process & Marketing, Consumer Products & Retail Industry, Section 404 - Internal Control Reporting
May 5, 2008
From Expense to Asset: A Reexamination of BCM Plans and Their Value
Each year, organizations spend considerable amounts of money developing business continuity management (BCM) plans, on the assumption that they need to prepare for a wide range of disasters. In this article, Protiviti’s Aaron Miller poses the following questions: Should organizations perceive their BCM plan as an asset rather than an expense? Does an effective BCM plan provide long-term value to the organization? If and when the plan is used, does having a well-prepared plan help the organization generate income and save money?
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery, Internal Controls, Performance Management/Measurement
May 5, 2008
Managing Contract Risks: Third-Party Contract Audits
As outsourcing becomes more prevalent, management’s expectations of service providers will rise – going beyond simply requiring reliable operations to demanding a true business partner who provides a competitive advantage. Utilizing stringent contract management and detailed contract audit procedures can help deliver the value management expects from outsourced arrangements.
CONTENT AREA: Articles
TOPICS: Risk Management & Assessment, Outsourcing/Co-sourcing/Shared Services, GRC
May 5, 2008
The State of Information Security Law: A Focus on the Key Legal Trends
Four legal trends in the United States are rapidly shaping the information security landscape for most companies. Increasingly, these trends are having a significant impact on the development of international law as well. Although the law is still developing, and is often applied only in selective areas, these trends are posing significant new challenges for most businesses. This article will examine new developments as they relate to these trends.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, European Union, Technology, Security, Laws & Regulations
April 28, 2008
Corporate Sustainability Initiatives: The Next TQM?
As standards surrounding corporate sustainability initiatives evolve, companies are beginning to weave sustainability capabilities more deeply into their organizational processes and culture. These early adopters are poised to profit from corporate sustainability on more than one front. The purpose of this white paper is threefold: to apply the TQM learnings to corporate sustainability initiatives; to present leading practices harvested from analysis of sustainability initiatives among companies within a broad range of industries; and to identify talent management benefits that early sustainability programs have yielded.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, Internal Controls, Risk Management & Assessment, Compliance, Cost Management, Performance Management/Measurement, GRC
April 28, 2008
Corruption and Fraud Detection by Public Sector Auditors
This article examines the fraud and corruption issues confronting public sector auditors in Canada and around the world. It offers some strategies and ideas for improving internal and external audit performance in detecting fraud and corruption.
CONTENT AREA: Articles
TOPICS: Internal Audit, Fraud
April 28, 2008
Discovery Risk Management: Why Chief Audit Executives need to ensure Management and the Board care
Lawsuits and governmental investigations have been a reality in corporate America for a very long time. However, the changing legal landscape has dramatically raised the stakes for companies. Given these new regulations and their implications, it is important for chief audit executives to understand the new requirements, and ensure that management and the board consider appropriate measures to address them.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Document Retention
April 28, 2008
Hotelier Discovers Security Blind Spots
Are hotel properties prepared to address threats ranging from employee theft to terrorist intrusions? In this article, Protiviti’s Chris Gillen offers his experience while conducting a detailed vulnerability assessment for a hotel chain. Gillen describes why it is important to take a closer look at potential threats, ranging from employee theft to terrorist intrusions, to help protect the company’s brand image and profitability.
CONTENT AREA: Articles
TOPICS: Hospitality/Gaming Industry, Security, Physical Security, Security Management Practices, Change Management
April 21, 2008
Mobile Devices and Centralized Computing Redefine the Desktop
Hardly a day goes by without a new mobile or smartphone device hitting the retail shelves, with upgraded capabilities and compelling new functionality. Due to the ubiquity of the next-generation mobile device, it is becoming an increasingly common and eminently practical means of access into the corporate network. While this development presents tremendous potential and flexibility for knowledge workers and mobile professionals, it also raises a lot of challenges for corporate IT management.
CONTENT AREA: Articles
TOPICS: Technology, Telecommunications, Wireless
April 21, 2008
Risk and Reward: How to manage both sides of the coin
Globalization of the investment process and the exponential growth in assets under management demonstrate the need to standardize the calculation and presentation of the risk/reward ratio.
CONTENT AREA: Articles
TOPICS: Investments & Foreign Exchange, Financial Services Industry, Risk Management & Assessment, GRC
April 21, 2008
Taking a Balanced Approach to Risk Management
The importance of integrating risk management into daily business activities ties in nicely with internal audit’s risk management responsibilities set out in the International Standards for the Professional Practice of Internal Auditing (Standards). In this two-part series, Protiviti's Marc Weinberg discusses internal audit’s ERM role (Part I) and walks through a specific example of how this group can assist with risk management (Part II).
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, COSO, Enterprise Risk Management, Fraud, Project Management, GRC
April 14, 2008
Building the IT Consulting Competency
IT consulting groups are springing up all over. Some work well, but many do not. What accounts for the differences? This article focuses on the critical success factors (CSFs) necessary to improve IT performance through internal consulting initiatives.
CONTENT AREA: Articles
TOPICS: Technology, Project Management
April 7, 2008
Addressing Internal Audit Staffing Challenges
The Sarbanes-Oxley Act of 2002 (SOX) had a significant impact on annual audit costs during the initial years of implementation and also caused a significant increase in the demand for both internal and external auditors. This article identifies various methods organizations may use to recruit, evaluate, and develop staff to maintain an effective audit activity.
CONTENT AREA: Articles
TOPICS: Human Resources, Internal Audit, IT Audit
March 31, 2008
Guest Auditors Fill Department Needs, Expand Work Experience
The lack of internal audit resources often becomes especially acute when particular audits require special subject-matter expertise. Some companies are addressing this specialized resource need by inviting guest auditors to work with their audit teams and leverage their expertise on specific audits. In this article, internal audit leaders from Estee Lauder, Kimball International, and Brunswick Corporation provide insight into the guest auditor programs at their organizations.
CONTENT AREA: Articles
TOPICS: Human Resources, Internal Audit, Audit Testing, Internal Audit Administration, Training & Development
March 31, 2008
Loss Prevention: Bringing Executive and Management Perspectives into Alignment
In the third quarter of 2007, Protiviti conducted separate surveys of senior-level retail executives and loss prevention management to provide benchmarks by which loss prevention departments can measure their current skills and knowledge and identify gaps to be addressed. This white paper provides a high-level overview of some of the key findings from this survey.
CONTENT AREA: Articles
TOPICS: Materials Management & Inventory, Consumer Products & Retail Industry, Risk Management & Assessment, GRC
March 31, 2008
Security Functional Components for Building a Secure Network Computing Environment
It is difficult to define reliable security policy components that should be applied to validate a secure computing environment. This paper demonstrates how we can overcome the difficulties of defining reliable security components by using evaluation criteria to derive the security functional components for a multipolicy-based network computing environment.
CONTENT AREA: Articles
TOPICS: Technology, Security
March 24, 2008
Anti-Money-Laundering Compliance: Elements of a Successful Program
More than six years after the enactment of the USA Patriot Act, the financial services industry in the United States still appears to be struggling with meeting regulators’ expectations for effective anti–money-laundering (AML) compliance programs. Enforcement actions are being issued at unprecedented levels, and accompanying financial penalties are on the rise. Nevertheless, the vast majority of financial institutions do have AML compliance programs deemed acceptable by their regulators, leading one to question what the compliant institutions know or did that was missed by some of their competitors.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Technology, IT Controls, Compliance, Fraud, Laws & Regulations, GRC
March 24, 2008
Four Steps to Ensure Adoption of Project Management Software
The way businesses manage projects is changing rapidly and in some cases dramatically. Businesses can help ensure adoption of project management software by considering the four steps described in this article that will promote buy-in from staff and higher productivity by instilling more efficiency throughout the organization.
CONTENT AREA: Articles
TOPICS: Technology, Software, Project Management
March 24, 2008
Is a Leadership Deficit Looming in Internal Audit?
Are internal audit organizations facing an imminent crisis in leadership? While "crisis" may be too strong a word, internal audit departments are facing increased oversight and governance expectations at a time when the pool of future leadership talent is not growing apace. In this article, Ann Butera, president of The Whole Person Project, Inc., outlines a number of factors responsible for this growing deficit and how to challenge this trend in your organization.
CONTENT AREA: Articles
TOPICS: Human Resources, Internal Audit, Internal Audit Administration, Accounting Organizations, Training & Development
March 17, 2008
A Call for Input on IPPF Changes
As internal audit’s role has grown and evolved in recent years, so have the guiding principles, standards and terminologies defining the profession embodied within the International Professional Practices Framework (IPPF). To match the latest changes to the profession, the IPPF is currently undergoing change itself, with proposed revisions to the internal audit standards and other components of the Framework. This article provides an overview of the proposed changes and intended positive impact on the internal audit profession.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Audit Planning, Risk Management & Assessment, Accounting Organizations, Best Practices, GRC
March 17, 2008
Information Technology Configuration Management: Enabling IT Services and Assets
Configuration and asset management are two core IT practices that have high potential for significantly improving the performance of most IT organizations. This article offers insights into the ways configuration and asset management can transform IT operations into a foundation for stability and innovation.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Change Management
March 17, 2008
Why Flexibility Is Key to a Successful Data Migration
Data migration is almost universally dreaded by IT professionals undertaking complex, application-level consolidation or renewal projects. What makes one migration work where another fails to get out of the box?
CONTENT AREA: Articles
TOPICS: Technology
March 10, 2008
Addressing Internal Controls In Your ERP Implementation
As “Y2K” era systems near the end of their useful lives, many companies are now launching new ERP implementation projects and conducting major upgrades to keep up with the rapid pace of technology and business change. This article describes how the knowledge gaps in internal controls may lead to budget issues, project delays and compliance risks, which further complicate an ERP implementation project. It also explores the implications of the significant ERP project risk and provides useful guidance to ensure compliance issues are addressed throughout.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, IT Strategy, Internal Audit, Audit Planning, IT Audit, Process-Level Control
March 10, 2008
Transborder Data Flow-Intruding on Privacy?
Outsourcers have a responsibility to protect client data regardless of where it flows or is stored, as is certainly highlighted by a barrage of client data security breaches of late. The task of obtaining the consent of all affected customers may be the only suitable baseline for transborder data flow, but it is most certainly going to be cheaper to do up front rather than post facto. Therein lies the role for security practitioners, auditors, and legal staff to forewarn their clients so that these issues can be part of the planning process.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Canada, European Union, Privacy
March 3, 2008
Application Control Considerations - Why Companies Should Care
A successful risk management strategy requires a strong internal control environment. These strong and risk-oriented internal control environments are often optimized with automated controls. In this article, Protiviti’s Cary Haggard discusses why it is important that companies care whether they have automated the right internal controls to achieve process and cost efficiencies.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, Internal Audit, Audit Testing, Sarbanes-Oxley Act, Internal Controls, Performance Management/Measurement, Process-Level Control
March 3, 2008
End-to-End Security Across Wired-Wireless Networks for Mobile Users
This paper focuses on the challenge of providing secure end-to-end network transmissions to wireless mobile users, as well as the design and implementation of an approach based on the well-known Internet Protocol Security (IPSec) standard.
CONTENT AREA: Articles
TOPICS: Technology, Telecommunications, Wireless, Security, Network & Internet Security
February 25, 2008
Enhancing Audit Efficiencies: Maximizing the Use of Technology
To help internal audit departments assess their options for enhancing audit efficiencies, a panel of experts convened for the September 2007 IIA webcast “Enhancing Auditing Efficiencies: Maximizing the Use of Technology”. In part one of this article, several of the webcast participants shared their views on the risks associated with internal audit ignoring technology, obtaining appropriate internal support, and the current climate pushing for this change. The discussion concludes in part two with the panel considering how technology benefits the internal audit process and how companies can move in the direction of effectively using technology for data analytics and continuous monitoring efforts.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Internal Audit, Audit Testing, IT Audit, Segregation of Duties, Continuous Auditing
February 25, 2008
When Do I Turn on Project Management?
To be effective, an organization needs to invest in project management at the very beginning of the project life cycle. The choice is to spend the time upfront at a much lower investment and with a smaller team, or spend a lot of time and money doing rework at the end at a much greater cost and with a much larger team.
CONTENT AREA: Articles
TOPICS: Project Management
February 18, 2008
Ten Tips for Successful IT Disaster Recovery Planning
According to one research group, almost 60% of North American businesses do not have a disaster recovery plan in place to resume IT services in case of crisis - a recipe for possible business failure. Here are 10 tips for Disaster Recovery Planning.
CONTENT AREA: Articles
TOPICS: Disaster Recovery, Cross Border & Non-US Issues, Technology
February 11, 2008
Regulatory Compliance - the Wonderful World of FISMA
The Federal Information Security Management Act of 2002 (FISMA) was enacted into U.S. law by the 107th Congress on December 17, 2002, as part of the E-Government Act. This article details many of the challenges and shortcomings in the FISMA program, while proposing solutions where appropriate and possible.
CONTENT AREA: Articles
TOPICS: Technology, Security, Laws & Regulations
February 4, 2008
Data Leakage: Affordable Data Leakage Risk Management
The more Personally Identifiable Information (PII) an organization processes and/or maintains, the more at risk it becomes for incidents of data leakage. Data leakage refers to situations in which sensitive or otherwise confidential data escapes organizational infrastructures, making that data vulnerable to potential unauthorized disclosure or malicious use. Mitigating the risks of handling such data and its leakage can be an expensive undertaking.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Healthcare & Pharmaceuticals Industry, Risk Management & Assessment, Security, Security Management Practices, Compliance, Laws & Regulations, Privacy, GRC
February 4, 2008
Information Security Policy Development and Implementation
Development of the information security policy is a critical activity. Credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have the time or inclination to wade through a lengthy policy document. This article tries to formulate an approach to the information security policy development that will make the policy document capture the essentials of information security as applicable to a business.
CONTENT AREA: Articles
TOPICS: Technology, Security
February 4, 2008
Risk Quantification
Management of business risks has become an increasingly important issue. In this article, Protiviti’s Dr. Gabriel Kuhn presents background information on risk measurement and estimation and shows several quantification methods for the four main risk types: credit, market, liquidity and operational risk.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Internal Audit, Risk Management & Assessment, Basel, Enterprise Risk Management, Financial and Credit Risk, GRC
January 28, 2008
Project Portfolio Management Megatrends
Project Portfolio Management (PPM) is no longer a specialty discipline. PPM changes how organizations approve, plan and deliver projects. From a bottom line perspective, PPM enables organizations to improve their return on project investments. This article looks at the next trends in PPM.
CONTENT AREA: Articles
TOPICS: Project Management
January 28, 2008
Technology’s edge in the fight against fraud
While fraud is not new, there are new techniques and technologies to fight it, such as continuous fraud monitoring. In this article, Patrick Taylor, CEO of Oversight Systems, discusses how continuous fraud monitoring technology helps companies take a top-down view of risk. This technology gives companies the opportunity to properly cover the biggest and most important risks.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Internal Audit, Audit Testing, Sarbanes-Oxley Act, IT Controls, Fraud, Continuous Auditing, GRC
January 21, 2008
7 Key Steps to Accelerate Performance of Your New Virtual Team
Like any other team that's starting up, a virtual team will undoubtedly move through the phases of forming, norming, storming, and performing. This article shows how some of the essential activities for building any high-performing team can be applied to project teams who must work virtually to get the job done.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Project Management
January 14, 2008
Managing IT Procurement Risks
Managing procurement calls for just the right skills and experience. Risks abound, and rote controls may actually cause more harm than good. With the new SOX-compliance rules in the PCAOB's Auditing Standard 5, this is the right time to re-evaluate internal control management of procurement for the benefit of the entire organization.
CONTENT AREA: Articles
TOPICS: Supply Chain, Technology, Risk Management & Assessment, GRC
January 14, 2008
Project Risk Management: Are you asking, “What can go wrong?”
Even with all the advances in project management software, weekly status reporting and constant updating of issues logs, why is it that projects do not deliver what is expected, within budget and within the expected time frame? In this article, Protiviti’s Marc Weinberg discusses how a critical ingredient appears to be lacking: proactive risk management. Risk management should not be reactionary but perpetually in place to identify possible outcomes for the project’s duration.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Internal Audit, Risk Management & Assessment, Performance Management/Measurement, Project Management, GRC
January 14, 2008
The practical challenges of enterprise risk management
Enterprise risk management (ERM) is currently front of mind for many senior executives and board members. Many companies have been challenged to implement ERM in a practical manner that meets the requirements of their boards while not introducing unnecessary administration and costs on management and staff. This is not an easy balance to strike. So, what works in practice?
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Cross Border & Non-US Issues, Australia, Internal Audit, Risk Management & Assessment, Enterprise Risk Management, Project Management, GRC
January 7, 2008
Commentary: Legal Effect of Revealing Private Information in the US and Abroad
The US government is taking steps to better protect personal data and improve the regulations surrounding information disclosure. Today the European Union (EU) is leading the way on privacy regulations. With EU data protection standards setting the bar, the US faces the implications of such protections on international trade.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, European Union, Consumer Products & Retail Industry, Security, Privacy
January 7, 2008
Guidelines for Reviewing the Appropriateness of User Access
The media is full of high-profile stories publicizing organizations that have recently experienced a security breach, leaving important data in the hands of the culprits. However, it is important to remember that these situations are preventable, or can be minimized, if companies regularly review the security of their IT systems, especially the appropriateness of user access. This article outlines general risks, control objectives, and best practices to consider when evaluating user access security privileges.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, IT Controls, IT Strategy, Security, Network & Internet Security, Security Management Practices, Internal Controls, Segregation of Duties
December 24, 2007
How to Use Recognition and Incentives to Shape a Risk-Conscious Culture
The ability of retailers to prevent—or at least, significantly reduce—the amount of loss related to safety or shrink issues relies greatly on their ability to positively influence the personal decisions and habits of their associates. Most retailers will find greater success connecting with and educating associates by designing programs that foster a sense of excitement about achieving safety and shrink initiatives. They also must determine what incentives will engage associates in the learning process, and how to keep them focused on key objectives for the long term.
CONTENT AREA: Articles
TOPICS: Human Resources, Consumer Products & Retail Industry, Internal Controls, Training & Development
December 24, 2007
Implementing ERM Enterprise-wide in the Pharmaceutical Industry
Mismanaging risk can be very costly, especially in a highly regulated industry such as pharmaceutical manufacturing. Avoiding all risk is not an option; besides, without risk, there is no reward. The only solution, as described here, is effective risk management.
CONTENT AREA: Articles
TOPICS: Healthcare & Pharmaceuticals Industry, Risk Management & Assessment, Enterprise Risk Management, GRC
December 17, 2007
Best Practices under Audit Standard 5
There are several changes in Auditing Standard No. 5 (AS5) that help make Sarbanes-Oxley (SOX) compliance more effective. AS5 adopts a more risk-based approach that allows companies to evaluate where to place their emphasis on internal control even when it comes to protecting against fraud. This publication focuses on how to incorporate a risk-based approach when assessing fraud controls from a SOX perspective.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, Internal Controls, Section 404 - Internal Control Reporting, Entity-Level Control, Fraud
December 17, 2007
Hackers Are Not the Biggest Threat to Data: Employees Are
While there are numerous technical methods for preventing access to data from outside an organization, it is equally as important to control access from within. Even more important is controlling what employees do with that data. There is a simple explanation for this problem, but not a simple solution to completely stop it. This article offers some methods to help.
CONTENT AREA: Articles
TOPICS: Security, Operations Security
December 10, 2007
A Perspective on Mergers and Acquisitions - Integration is Key
Companies continue to pursue merger and acquisition (M&A) activity as they react to market conditions. However, the opportunity for an M&A to fail is greatest after the deal is closed, especially if the combined businesses are expected to operate as a cohesive organization with little preparation for integration. Planning for all of the details involved with an M&A (strategic, financial, and operational) during the pre-close phases helps avoid post-deal integration disaster. This article details five key pieces of the pre-close integration planning process.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Corporate Governance, Audit Committee & Board, Sarbanes-Oxley Act, Internal Controls, GRC
December 10, 2007
An Information Security Governance Framework
This article evaluates four information security governance frameworks (ISO 17799; PROTECT; the Capability Maturity Model; and the Information Security Architecture (ISA)) in order to construct a new comprehensive Information Security Governance framework. The proposed governance framework can be used by organizations to ensure they are governing information security from a holistic perspective.
CONTENT AREA: Articles
TOPICS: Technology, Security, Security Architecture & Models
December 3, 2007
Assimilating Governance into your ERM Process
In an increasingly risky world, the discipline of risk management is moving steadily beyond the tactical level as organizations take a fresh look at enterprise risk management (ERM) and explore how best to assimilate governance into their ERM process. Integrating governance and ERM is not a new idea. The two processes have long been intertwined conceptually. Since integration is so vital to the success of ERM, this article focuses on assimilating governance into the ERM process.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Risk Management & Assessment, Best Practices, COSO, Enterprise Risk Management, GRC
December 3, 2007
The State of IT Auditing in 2007
This article examines the state of IT auditing today, looking at issues such as pressures on the profession, characteristics of modern IT auditors plus the tools and techniques available to them, and ends by gazing into the crystal ball to see what might be coming next.
CONTENT AREA: Articles
TOPICS: Technology, IT Audit, Compliance, COSO, GRC
November 26, 2007
Adding up the key benefits of comprehensive monitoring
Comprehensive monitoring technology can help diminish the big bad problem of fraud. This technology provides companies the ability to detect fraud early, usually while there is time to stop it from doing serious harm to an organization’s finances, reputation, or both. In this article, Patrick Taylor, Oversight Systems founder and CEO, discusses the concept of comprehensive monitoring and how to leverage technology to catch fraudsters in the act.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Sarbanes-Oxley Act, Internal Controls, COSO, Entity-Level Control, Fraud
November 26, 2007
Convenience over Security: Creating Effective Mobile Security Policies
Mobile devices provide a positive productivity enhancement, but without proper management and security controls, they can also expose organizations to security breaches and compliance issues. This article examines policies and best practices that companies are employing to protect and control access to sensitive data found on mobile devices.
CONTENT AREA: Articles
TOPICS: Technology, Security, Physical Security, Security Management Practices
November 26, 2007
How the New SEC Guidance Impacts Eight Key Decisions Driving a Cost-Effective Section 404 Assessment Process
In May 2007, the SEC issued its interpretive guidance for management on implementing Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). Shortly afterward, the PCAOB also published a standard for external auditors that revised the controversial Auditing Standard No. 2. This white paper explains and explores the eight key decisions management must consider in the Section 404 compliance process, with the aim of aligning the company's and the auditor's use of the top-down, risk-based approach and maximizing the cost-effectiveness of the process.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, China, Corporate Governance, Entity-Level Control, External Auditor, Internal Controls, Risk Management & Assessment, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, GRC
November 19, 2007
Content Management: Improving Performance and Profit
Today’s connected consumer demands that information and entertainment be available anywhere, anytime and in any format. Content providers are working overtime to produce compelling content to meet the changing trends of consumer behavior. As described here, an efficient, effective content management system can help companies improve online performance and profit.
CONTENT AREA: Articles
TOPICS: Knowledge Management
November 19, 2007
Project Management: Developing a Risk-Accommodating Culture
Today, risk thinking is a part of software project life and is a basic step for project survival. Modernism in management manifests as “failure thinking,” or predicting failure probabilities in endeavors, and a freedom to communicate potential failures to stakeholders without fear of being misread. This new culture, as described in this chapter from Applied Software Risk Management: A Guide for Software Project Managers, accommodates risk thinking.
CONTENT AREA: Articles
TOPICS: Risk Management & Assessment, Project Management, GRC
November 19, 2007
When Internal Audit Co-sourcing Relationships Work Best
As companies globalize, it is becoming more challenging to have an in-house department employing the skills needed to address all internal audit needs. Experts acknowledge that a variety of resource models are available to satisfy different department needs and the importance of considering risk management strategies when making this decision. This article provides a global perspective on how to resource an internal audit department.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Canada, Japan, United Kingdom, Internal Audit, Outsourcing/Co-sourcing/Shared Services
November 12, 2007
Can Internal Audit be too Compliance-Focused?
Contrary to popular belief (or perhaps practice), SOX is not the Holy Grail for internal audit (IA). Is it possible IA has become too focused on SOX? More specifically, is too much attention being paid to internal control over financial reporting, or reliability of financial reporting under the COSO model? In this publication, Protiviti’s Bob Hirth explores a number of questions to gain a perspective on what IA’s role should be when it comes to compliance.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Sarbanes-Oxley Act, Internal Controls, Compliance, COSO, Enterprise Risk Management, GRC
November 12, 2007
IS Strategic Planning for Operational Efficiency
This article argues that, despite the constant economic upheaval and incessant technological changes, strategic planning for information systems is still a useful and critically important exercise for all organizations. The paper also introduces the notion of exploitation and exploration strategies.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy
November 12, 2007
Risk-Based Performance Improvement
Performance management and risk management can complement each other and can result in improved company performance and the creation of shareholder value. However, reality shows that performance management initiatives and risk management activities are frequently not harmonized. This article describes the principle of Risk-Based Performance Improvement (RPI) and its associated benefits to companies.
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, Best Practices, Enterprise Risk Management, Internal Controls, Performance Management/Measurement, GRC
November 5, 2007
Managing and Monitoring Healthcare Construction Programs
There is a building boom taking place in the healthcare industry. In this article, Protiviti’s Paul Pettit reports that in order to properly manage and monitor healthcare construction programs, companies need to look at high-risk contract areas while also reviewing high-risk processes. Pettit emphasizes that it is also important to review how the healthcare organization monitors and controls these high-risk processes.
CONTENT AREA: Articles
TOPICS: Budgeting, Fixed Assets, Purchasing & Accounts Payable, Healthcare & Pharmaceuticals Industry, Internal Audit, Audit Testing, Risk Management & Assessment, Cost Management, Process-Level Control, GRC
November 5, 2007
Managing the Lifecycle of Electronically Stored Information
This article discusses the December 2006 amendments to the U.S. Federal Rules of Civil Procedure governing the handling of electronically stored information (ESI), how failure to manage ESI properly can lead to catastrophic results, and how to manage the lifecycle of ESI.
CONTENT AREA: Articles
TOPICS: Technology, Software, Document Retention, Laws & Regulations
October 29, 2007
Behavioral Genotype Technology: A New Approach to Proactive Detection of New Malware
This article discusses behavioral genotype technology, a new approach to detecting malware. It uses pre-execution scanning to determine the function of an application and what behavior it is likely to exhibit, without allowing the program to run. Static characteristics can also be determined to reinforce the identification of malicious behavior.
CONTENT AREA: Articles
TOPICS: Technology, Security, Investigations/Forensics
October 29, 2007
How much does IT cost - Really?
What services should IT provide? How much should we budget for IT? How should we allocate and account for the actual costs incurred for services provided by the IT to the business? These and other questions on budgeting and accounting for IT services are addressed in this article.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Budgeting, Technology
October 29, 2007
Understanding the Basics of Computer Forensics
Computer forensics is the process of acquiring, analyzing and reporting digital evidence. While exciting, computer forensics is based on sound scientific principles and follows a clearly defined path. In this article, Protiviti’s Paul Lewis discusses the many aspects of computer forensics and how to follow proper standards when using this method of information detection.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Strategy, Security, Investigations/Forensics, Security Management Practices
October 22, 2007
Managing Supply Disruptions
All organizations have internal and external supply chains that deliver goods or services to customers, and regardless of the type of company, these supply chains all face the risk of a supply interruption, impacting both the organization’s and the customers’ businesses. This whitepaper outlines the process of supply risk management to combat these disruptions.
CONTENT AREA: Articles
TOPICS: Supply Chain, Risk Management & Assessment, GRC
October 22, 2007
Segregation of Duties: Establishing a policy and framework for ongoing success
Segregation of duties is an important part of a strong internal control framework. In this Bulletin, the authors share their experience in establishing a segregation of duties policy and framework, which are the pillars of governance, risk, and compliance (GRC). They also define concepts and practices for implementing and monitoring policy compliance within applications.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Corporate Governance, COSO, Internal Audit, IT Controls, Risk Management & Assessment, Sarbanes-Oxley Act, France, Segregation of Duties, GRC
October 22, 2007
Seven Potentially Fatal Pitfalls on Major IT Projects
Studies continue to find a high percentage of major enterprise IT projects end up costing much more than estimated, taking much longer than expected or never delivering promised benefits. Here are seven of the factors that can be potentially fatal on a major IT project.
CONTENT AREA: Articles
TOPICS: Technology, Project Management
October 15, 2007
Challenges and Benefits of Operational Risk Indicators
Many financial institutions have tried to implement operational risk indicators, but with generally limited success. In many cases the implementations were too ambitious and did not allow sufficiently for the cultural and management philosophy change that is required. As described by David Farmer in this article, successfully implementing operational risk indicators is a long-term journey.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Risk Management & Assessment, GRC
October 15, 2007
IT Governance Frameworks Help Align Business and IT Interests and Objectives
In order for the CIO and his/her IT organization to move forward in today’s challenging environment, IT governance is a must. Strong governance helps define and implement IT strategies, business strategies, and set priorities. In this article, Protiviti’s Przemek Tomczak provides readers with a framework for designing a successful IT governance program.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Corporate Governance, Technology, Internal Audit, IT Audit, IT Controls, Risk Management & Assessment, GRC
October 15, 2007
Wireless Handheld Devices Become Trusted Network Devices
With wireless access becoming the norm, networks are expanding past the traditional wired networks by adding wireless access points (APs). These give customers the flexibility they require but leave a new threat vector to the network. This paper documents the enrollment of a security certificate on a Windows mobile device, thereby securing the device from physical attacks.
CONTENT AREA: Articles
TOPICS: Technology, Network & Internet Security, Security, Telecommunications, Wireless
October 8, 2007
Hospitality Risk Management: Balancing Supply Rationalization and Supply Interruption
Hotel guests, and business travelers, in particular, are notoriously fickle about their preferences for accommodations, goods and services. Companies lacking critical products and services can see a decrease in customer satisfaction and an increase in reputation risk. This article describes how managing risk is paramount to maintaining brand awareness and loyalty, while using cost as a competitive advantage.
CONTENT AREA: Articles
TOPICS: Hospitality/Gaming Industry, Materials Management & Inventory, Risk Management & Assessment, Supply Chain, GRC
October 8, 2007
Importance of Monitoring
Senior management and boards of directors have started asking internal audit departments to help them gain a better understanding of how the organization manages risk, but rarely do they explicitly ask auditors to help them assess how they measure risks that could impair progress toward their objectives. This is an area ripe with opportunity for internal audit shops that are looking for new ways to add value to their organization. This article outlines several key questions auditors need to ask when initiating risk monitoring projects.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, COSO, Internal Audit, Risk Management & Assessment, Self-Assessment, Entity-Level Control, GRC
October 8, 2007
Managing the Road Ahead: Automating the Fleet Monitoring Process
Operating a fleet is a complex business activity that can significantly impact your bottom line, as well as your customers. Transportation organizations face an ever-changing array of risks, and mismanaging these risks can be costly. This article describes a method of monitoring risks in real time through audit programs and self-assessments.
CONTENT AREA: Articles
TOPICS: Internal Audit, Materials Management & Inventory, Self-Assessment, Software, Supply Chain, Manufacturing & Distribution Industry
October 8, 2007
Security for Enterprise Resource Planning Systems
Enterprise Resource Planning (ERP) is the technology that provides the unified business function to the organization by integrating core processes. This paper provides an overview of ERP technology and the security issues for an ERP system, in particular the evolution of ERP, its key components, the status of vendor products, and what has been done with respect to security.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Application Development Security, Human Resources, Technology, Materials Management & Inventory, Project Management, Security, Supply Chain
October 1, 2007
Enterprise Risk Management — Risk Intelligence and Anti-Fraud Controls
In today's environment of intense scrutiny by regulators and stakeholders, investment in risk management is more important than ever. At Foley’s sixth annual National Directors Institute on March 8, 2007 in Chicago, Illinois, the topic of enterprise risk management’s (ERM) relationship with risk intelligence and anti-fraud controls was the focus of a dedicated session. This discussion included case studies where companies incorporated ERM into their day-to-day operations.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Internal Audit, Risk Management & Assessment, Best Practices, Enterprise Risk Management, Fraud, GRC
October 1, 2007
Rethink the way you manage legislative BPO risk
Based on insights and best practices during various shared service and outsource assignments, Protiviti has developed a Business Process Outsource (BPO) methodology to create a fit-for-the-job risk management process. The aim of this white paper is to help you create an effective and efficient outsource control framework matching the risk appetite of your company.
CONTENT AREA: Articles
TOPICS: Basel, Cross Border & Non-US Issues, European Union, Outsourcing/Co-sourcing/Shared Services, Risk Management & Assessment, SAS 70, Financial and Credit Risk, GRC
September 24, 2007
Get and Give What You Bargained for with Clear Agreements That Make Sense
This article explores how teams can build greater trust, save time and get better work done, by ensuring that agreements are clear, realistic and acted upon. This ability is particularly important when team members work from a distance and need agreements to be more explicit at the outset.
CONTENT AREA: Articles
TOPICS: Project Management
September 24, 2007
Private Company Board Governance
Private companies are increasingly under pressure to adopt or enhance corporate governance practices; however, the task of identifying and implementing corporate governance best practices is particularly challenging for private company boards because of the variety of private companies that exists. At Foley’s sixth annual National Directors Institute on March 8, 2007 in Chicago, the topic of corporate governance at private companies was focused upon during a dedicated session. Consistent with a “one size does not fit all” approach to corporate governance, the session offered insights on various approaches to corporate governance as implemented by a variety of private companies.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, GRC
September 24, 2007
Technology Investment: Achieving Balance Between Business Requirements and Regulatory Compliance
Today, with most enterprises having achieved initial compliance, the effort is shifting toward a critical phase: Companies now strive to maintain ongoing compliance while working to drive down cost and improve overall business performance. The effective CIO must now strive to balance aspects of IT growth, business alignment, risk mitigation, operational efficiency and compliance.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Technology, Risk Management & Assessment, Compliance, GRC
September 17, 2007
The Value of Continuous Auditing
Is there value in Continuous Auditing? Companies do not wish to incur the potential pain in changing a properly functioning process unless there are clear benefits. This article not only describes the value derived from Continuous Auditing, but also an approach to introduction and implementation.
CONTENT AREA: Articles
TOPICS: Internal Audit, Continuous Auditing
September 10, 2007
Building Supply Chain Capabilities in the Retail Industry
To be successful, retailers must have the right product, for the right customer, at the right place, time and price. A rigorous supply chain capabilities assessment can provide management with the information necessary to focus on identifying and resolving issues. The added control and improved information flow can increase a company’s competitive edge and cut costs.
CONTENT AREA: Articles
TOPICS: Supply Chain, Consumer Products & Retail Industry
September 10, 2007
Compensation and Other Sensitive Boardroom Tax
As regulatory and compliance burdens increase for many companies, the role of — and the need for the board to rely on — the in-house tax function in meeting the company’s regulatory and compliance obligations is increasing. At Foley’s sixth annual National Directors Institute on March 8, 2007 in Chicago, participants shared their views on how boards of directors should address compensation and other sensitive boardroom tax issues.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Compensation & Benefits, Corporate Governance, Human Resources, Payroll, Taxation, GRC
September 3, 2007
How to Audit Compliance in the Financial Services Industry: A Primer
Anyone who has been involved in compliance management for the financial services industry over the last decade or more has seen expectations regarding the role and responsibilities of the Compliance function continue to evolve with increased responsibility. As the requirements and expectations for compliance management have changed, so too have the expectations for how Compliance should be audited. Any discussion about how to audit Compliance should begin with the premise that Compliance is, or should be, an auditable area.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Whistleblower/Complaint Reporting, Financial Services Industry, Internal Audit, Audit Testing, Risk Management & Assessment, Compliance, GRC
September 3, 2007
One-Up, One-Back ERM in the Food Supply Chain
Concerns about biological agents contaminating food or beverages led to the U.S. Bioterrorism Act of 2002. This Act requires those in the food supply chain to identify the immediate previous source ("one-back") of all food received and the immediate subsequent recipient ("one-up") of all food released. This article examines the role of radio frequency identification (RFID) in electronic record management (ERM) to improve supply chain operations and responses to public health crises.
CONTENT AREA: Articles
TOPICS: Supply Chain, China, Consumer Products & Retail Industry, Enterprise Risk Management, GRC
September 3, 2007
What Private Equity Firm Directors Need to Know
Private equity firms are playing an increasingly important role in the American capital markets. This shift has been spurred by both businesses and investors, largely because of SOX. At Foley’s sixth annual National Directors Institute on March 8, 2007 in Chicago, participants shared their views on what they thought private equity firms need to know.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Best Practices, Corporate Governance, Ethics, GRC, Initial Public Offering, Internal Audit, Risk Management & Assessment, Sarbanes-Oxley Act
August 27, 2007
SAS 112: Are You Ready?
External financial statement auditors are required to evaluate all internal control deficiencies they find during the course of their work, and report to the audit committee (or other designated governing body) any deficiencies deemed to be significant or a material weakness under the new Statement on Auditing Standard (SAS) 112. This article asks: Are you ready for SAS 112?
CONTENT AREA: Articles
TOPICS: Financial Reporting, Internal Audit, Compliance, Segregation of Duties, GRC
August 27, 2007
Security for Content Distribution Networks: Concepts, Systems and Research Issues
This chapter from ‘Security in Distributed, Grid, Mobile, and Pervasive Computing’ begins with a review of the security concepts related to Content Distribution Networks (CDNs) and then presents several systems, focusing on how they enforce content security. The chapter concludes with a discussion of the other challenges in CDNs.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Security, Access Control Systems & Methodology, Network & Internet Security
August 20, 2007
Mitigating IT Risks with Security Education and Training
IT risk management is a practice for balancing the costs of developing robust and secure IT infrastructure against the likelihood and potential damage to the organization should an incident occur. The effectiveness of even the best technology and processes is frequently undermined if employees do not understand both the value of the organization's information assets and their role in securing these assets.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Security, Security Management Practices, Training & Development, GRC
August 20, 2007
Transaction monitoring represents vast, untapped potential for internal audit effectiveness
Since the internal audit profession began, periodic, representative sampling has been used to verify the effectiveness of controls or to uncover issues that need to be addressed. The key word is "periodic." In this article, Protiviti’s John Harrison describes how having the means to monitor specific processes on a continuous basis has long been the vision of academics and many progressive internal auditors. This concept of “transaction monitoring” is now a reality for auditors.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Sarbanes-Oxley Act, Internal Audit, Internal Controls, Security, Investigations/Forensics, Fraud, Continuous Auditing
August 13, 2007
Board Oversight of Corporate Culture
Because a corporate culture significantly influences a company’s long-term financial performance, a board of directors should consider oversight of corporate culture as one of its duties. At the Foley & Lardner LLP sixth annual National Directors Institute on March 8, 2007 in Chicago, “Board Oversight of Corporate Culture” was a featured session where participants discussed their perspectives on how corporate culture impacts the performance of an organization.
CONTENT AREA: Articles
TOPICS: Human Resources, Corporate Governance, Audit Committee & Board, Whistleblower/Complaint Reporting, Ethics, GRC
August 13, 2007
Implicit Trust Can Lead to Data Loss
Organizations that hold sensitive data such as credit card numbers, social security numbers, and invaluable intellectual property are being held responsible for breaches. Despite this, and despite tightening government regulations and heavy media coverage, many organizations continue to simply accept the risks, relying on the implicit trust that characterizes the security posture of so many organizations today.
CONTENT AREA: Articles
TOPICS: Security, Security Management Practices, Privacy
August 13, 2007
Mitigating Risk in the Airline Industry with an ERM Approach
The introduction of new security provisions, combined with escalating fuel costs, consumer uncertainty, and static labor and aircraft costs, are forcing radical adjustments in the airline industry. The solution is effective risk management. Traditional risk management focuses on managing uncertainties around physical and financial assets. In comparison, with Enterprise Risk Management, the objective is not only to protect, but also to create, enterprise value.
CONTENT AREA: Articles
TOPICS: Airline Industry, Enterprise Risk Management, GRC
August 6, 2007
Do Information Security Professionals and Business Managers View Information Security Issues Differently?
Organizations today know that information technology is essential not only for daily operations but also for gaining strategic advantage in the marketplace. The importance of information technology means that information security has also become important. Breaches in information security can result in litigation, financial losses, damage to brands, loss of customer confidence, loss of business partner confidence, and can even cause the organization to go out of business.
CONTENT AREA: Articles
TOPICS: Technology, Security, Security Management Practices
August 6, 2007
Internal Audit’s Role in Business Continuity
Without well-thought-out plans for recovering from a disaster and restoring vital business functions, an organization exposes itself to the risk that it may not be able to survive a major disaster. Aftershocks of the September 11, 2001 terrorist attacks on the World Trade Center and Hurricane Katrina, for example, have led to heightened awareness of the vulnerability of business operations. This article features the panelists from a March 6, 2007 IIA web cast who share their experiences with involving internal audit in the business continuity process.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Internal Audit, Audit Testing, Risk Management & Assessment, Audit Planning, GRC
August 6, 2007
Overcoming Biases in Operational Risk Scenario Analysis
As traditional forecasting and planning no longer fully serve business needs, many financial organizations are using scenario analysis to evaluate the impact and likelihood of extreme but plausible risk events. In this article, David Shu explains how, if successfully executed, scenario analysis can be the most valuable element in an organization’s operational risk management framework.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Internal Audit, Risk Management & Assessment, Basel, Benchmarking, GRC
July 30, 2007
Building a Successful Information Technology Risk Management Program
The need for effective IT risk management within financial services organizations has recently been spotlighted by highly publicized identity theft incidents, other security breaches and legislation targeting risk exposures among large financial institutions. This article guides managers through the development of an IT risk management program.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, GRC
July 30, 2007
Expanding Diversity in the Boardroom
Corporate governance circles are becoming increasingly aware that diversity in the boardroom is good for business. Data indicates that diversity in top management and on the board has a positive correlation to greater profitability. At the Foley & Lardner LLP sixth annual National Directors Institute on March 8, 2007 in Chicago, “Expanding Diversity in the Boardroom” was a featured session where participants discussed their thoughts on this topic.
CONTENT AREA: Articles
TOPICS: Human Resources, Corporate Governance, Audit Committee & Board, Best Practices, Training & Development, GRC
July 30, 2007
Preventing Information Leaks
There is a good chance that some of your organization’s sensitive information is likely to have leaked into the outside world by the time you finish reading this article. In this article, Protiviti’s Aaron Weller poses questions such as: Should that concern you? Can you identify the information that is important to your organization? If so, are appropriate controls in place to protect it?
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, Security, Network & Internet Security, Security Management Practices, Best Practices
July 23, 2007
Executive and Board Compensation Trends
Executive and director compensation has been one of the hottest topics in board governance during the past year. The new SEC disclosure rules have significantly altered the executive compensation disclosure landscape. At the Foley & Lardner LLP sixth annual National Directors Institute on March 8, 2007 in Chicago, participants in the “Executive and Director Compensation Trends” session discussed their experiences with and thoughts on the new reporting requirements.
CONTENT AREA: Articles
TOPICS: Compensation & Benefits, Financial Reporting, Human Resources, Payroll, Corporate Governance, Audit Committee & Board, GRC
July 23, 2007
Mitigating Store Risks through Store Audits
Retailers have pressing concerns surrounding risk management. Whether it is to comply with the Sarbanes-Oxley Act or to reduce shrinkage, a rigorous store-level audit process can protect and substantiate company assets and reporting processes, while also providing management with the real-time information necessary to focus on identifying and resolving issues. As described in this Protiviti Point of View article, such added control and improved information flow can increase a company’s competitive edge and provide greater returns to stakeholders.
CONTENT AREA: Articles
TOPICS: Consumer Products & Retail Industry, Risk Management & Assessment, Self-Assessment, Compliance, GRC
July 23, 2007
SOX: Inspired by Toxic Business Practices, Is It the Key to Better Business?
Because most information, financial and otherwise, is now electronic, SOX provides a metaphoric "kick in the pants," and encourages companies to take a fresh look at all of their data assets. How can awareness of the need to protect and leverage data transition into operational realities? SOX compliance isn't a bad place to start.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, IT Controls, Section 404 - Internal Control Reporting, Security, Access Control Systems & Methodology, Compliance, COSO, GRC
July 23, 2007
The Keys to Expediting Audit Report Delivery
Auditors are increasingly pressured to bring current and relevant issues to the attention of decision makers, placing a greater premium on accelerating audit report issuance. In this article, Ann Butera, President of The Whole Person Project, addresses how auditors can successfully merge the need to deliver reliable audit reviews and analyses with the increasing “need for speed.” In addition, Butera highlights how following simple principles can help internal auditors consistently achieve these dual goals.
CONTENT AREA: Articles
TOPICS: Internal Audit, Internal Audit Administration, Audit Reporting, Audit Testing, Training & Development
July 16, 2007
A case study in IT audit’s program risk management role on a large-scale system implementation
Overhauling technology application systems is not for the faint of heart. With the careful guidance of internal audit, this fearsome task can be an opportunity for positive change. In this case study, Protiviti’s Scott Kamenick shares the experience of a system overhaul, working with project teams consisting of different people, different approaches, and different personalities. The take-home lessons from this experience can be applied to nearly any organization looking to overhaul its systems and related business processes.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Technology, IT Infrastructure, IT Strategy, Internal Audit, Audit Committee & Board, IT Audit, Project Management
July 16, 2007
Effective Board Evaluations
Board evaluations are a formal method designed to facilitate board development and foster communication among directors and between the board and management on issues such as corporate strategy, board composition, board processes and the appropriate role of the board of directors in a company’s overall management scheme. At the Foley & Lardner LLP sixth annual National Directors Institute on March 8, 2007 in Chicago, “Effective Board Evaluations” was a featured session where participants discussed the pros and cons of this evaluation process.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Best Practices, Compliance, Training & Development, GRC
July 9, 2007
Important Dialogue between CAEs and Audit Committee Chairs
There is plenty to talk about when CAEs and audit committee chairs get together—but they rarely have the opportunity to do so. In this article, Protiviti’s Greg Hedges summarizes the key themes resulting from such dialogue at a 2007 CAE and audit committee roundtable. The participants discussed topics such as ERM and the role of internal audit; project-to-process initiatives; rebalancing internal audit priorities; and completing QARs.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Quality Assessment Review, Risk Management & Assessment, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, Enterprise Risk Management, GRC
July 9, 2007
The New Era of Governance for Nonprofits
Governance is not something that can be addressed quickly or easily. Boards are constantly being challenged to find synergy between management and governance, especially in the nonprofit sector. This article describes how nonprofit board and management can develop an effective framework to mitigate the risks to their individual and organizations’ reputations.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Nonprofit Industry, Risk Management & Assessment, GRC
July 2, 2007
Following Fundamentals Detects Fraud
Executing the fundamentals of auditing – performing basic audit steps and following up on “loose ends” – can be the key to uncovering fraud. In this case study, Protiviti’s Kyle Furtis and Eileen Galager share a story of when an audit committee’s fraud suspicions were well warranted.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Internal Audit, Audit Committee & Board, Audit Testing, Ethics, Fraud
July 2, 2007
Model Audit Rule Best Practices for the Insurance Industry
The Model Audit Rule is an annual assessment requiring executive certification. To comply with the Model Audit Rule requirements, management needs a comprehensive internal controls evaluation approach. This article describes a COSO-based mechanism for complying with the rule.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Financial Services Industry, Internal Controls, Risk Management & Assessment, GRC
June 25, 2007
How the New SEC Guidance Impacts Eight Key Decisions Driving a Cost-Effective Section 404 Assessment Process
In May, the SEC approved its interpretive guidance to management on implementing Section 404. Immediately thereafter, the PCAOB issued a companion standard directed to external auditors that revised the controversial Auditing Standard No. 2. In this white paper, Protiviti’s Jim DeLoach explores eight key decisions along the Section 404 compliance process which management needs to consider, with the objective of aligning the company’s and auditor’s application of a top-down, risk-based approach and maximizing the cost-effectiveness of the process.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Sarbanes-Oxley Act, External Auditor, Internal Controls, Risk Management & Assessment, Section 404 - Internal Control Reporting, Entity-Level Control, GRC
June 25, 2007
The E-Discovery Challenge Moves to the C-Suite
The effects of the recently amended Federal Rules of Civil Procedure on how an organization manages its electronically stored information could be more far-reaching than other regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. Companies could previously plead ignorance as to the loss of discoverable information, but now they have to preserve any information that may be considered relevant evidence in a potential lawsuit. As described in this article, viewing e-discovery from a risk-based, process-enabled perspective – rather than reactively – is the first step toward developing and maintaining an effective discovery risk management program.
CONTENT AREA: Articles
TOPICS: Risk Management & Assessment, Document Retention, Laws & Regulations, GRC
June 18, 2007
Board Oversight of Data Privacy and Security
The seemingly simple obligation to keep confidential information from becoming public is a growing concern for businesses and their customers. At the Foley & Lardner LLP sixth annual National Directors Institute on March 8, 2007 in Chicago, “Board Oversight of Data Privacy and Security” was a featured session where participants discussed the importance of data security and privacy and the board’s oversight role in this area.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Technology, IT Controls, IT Strategy, Security, Network & Internet Security, Privacy, GRC
June 18, 2007
Ensuring and Evaluating Controls on Projects
Completing a project successfully is one of the hardest challenges in any industry. Despite the dismal record, projects can attain success if project managers determine the goals and objectives to achieve; identify and implement controls to ensure their achievement; and use key performance indicators to assess control effectiveness.
CONTENT AREA: Articles
TOPICS: Risk Management & Assessment, Internal Controls, Project Management, GRC
June 18, 2007
Planning – Don’t Start the Physical Inventory Process Without It
Though sometimes seen by employees as a tedious project, the physical inventory process is critical to a company’s operational and financial health. It impacts customer service, financial statements, and heavily reviewed financial performance ratios. In this article, Protiviti’s Jon Rydberg lays out critical items to consider when planning your next inventory count.
CONTENT AREA: Articles
TOPICS: Materials Management & Inventory, Consumer Products & Retail Industry, Internal Audit, Audit Testing
June 11, 2007
Asset Lifecycle Management: A Mandate for the Wireless Communications Industry
In today’s rapidly expanding communications industry environment, companies must effectively manage network assets in order to maintain a competitive edge. An effective Asset Lifecycle Management (ALM) program involves systems, processes, and controls that enable companies to analyze, standardize, and automate asset management processes.
CONTENT AREA: Articles
TOPICS: Fixed Assets, Wireless, Asset Management, Communications Industry
June 11, 2007
Characteristics of Effective Security Governance
This article builds on established definitions of enterprise governance and IT governance. It then extends and interprets these to explain governance of enterprise security programs (ESP) that protect digital assets and business operations.
CONTENT AREA: Articles
TOPICS: Security, Security Management Practices, Best Practices, Segregation of Duties
June 4, 2007
Audit Committee Overload
Recent developments have resulted in an increase of the workload borne by the public company audit committee, which is finding itself filling a litany of new roles. At the sixth annual Foley & Lardner LLP National Directors Institute held on March 8, 2007 in Chicago, Illinois, “Audit Committee Overload” was a featured session in which participants examined ways in which audit committees can effectively manage new and growing responsibilities.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Internal Audit, Internal Audit Administration, Risk Management & Assessment, Sarbanes-Oxley Act, External Auditor, Compliance, Fraud, GRC
June 4, 2007
Enterprise Risk Management and Controls-Monitoring Automation Can Reduce Compliance Costs
Banks and other financial institutions must continually enhance their risk management strategies, and account for multi-dimensional facets of risk, including those related to privacy, information technology, reputation and operations. How does a company sift through the details and focus on the most important risks?
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Sarbanes-Oxley Act, COSO, Enterprise Risk Management, Process-Level Control, GRC
June 4, 2007
Selecting an automated IA work paper tool
Many Internal Audit departments facing the process of selecting an automated work paper tool are asking, “How do we go about it?” In this article, experts from Protiviti, PwC, and IAD Solutions walk through the tool selection process. In addition, they discuss which key stakeholders to involve throughout and how to avoid common pitfalls.
CONTENT AREA: Articles
TOPICS: Technology, Software, Internal Audit, Audit Reporting, Audit Testing, Internal Audit Administration, Sarbanes-Oxley Act
June 4, 2007
Stopping Spam Before It Stops You
The volume and sophistication of attacks that threaten business email networks and systems are growing at exponential rates. Recently a new solution has emerged that places an additional message security layer at the network edge, effectively stopping spam before it can get to your users.
CONTENT AREA: Articles
TOPICS: Software, Security, Network & Internet Security
May 28, 2007
An Overview of Continuous Data Protection
Organizations struggle with shrinking or non-existent backup windows. Backing up to tape is no longer adequate, lacking the speed, reliability, flexibility, and simplicity to meet compliance or regulatory guidelines and stringent SLAs. This article discusses continuous data protection (CDP) and its role in beating these problems.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Security, Operations Security
May 28, 2007
Building Revenue Management Capabilities at Software Companies
Complex accounting rules governing the recognition of revenues for software and technology products and services complicate the revenue cycle. Weak systems, processes, and controls pose a significant financial reporting risk. This article explains that by focusing on strengthening the entire revenue cycle and enhancing overall revenue process management capabilities, companies can significantly reduce the inherent risk related to revenue recognition.
CONTENT AREA: Articles
TOPICS: Revenue, Technology, Software
May 28, 2007
Getting Started with GAIT
Although some excellent IT control and audit frameworks have emerged from various countries, there has been no common language or universal guidance to fill the gaps regarding IT general controls and financial reporting. The IIA hopes that GAIT will help fill the gap. This article highlights the panelists from a January IIA web cast who offer practical tips and techniques when using GAIT to scope IT controls for SOX compliance and how to effectively implement GAIT.
CONTENT AREA: Articles
TOPICS: Internal Audit, IT Audit, Sarbanes-Oxley Act, IT Controls, Risk Management & Assessment, Section 404 - Internal Control Reporting, Compliance, GRC
May 21, 2007
Canada’s Evolving Internal Control Reporting Requirements
On March 30, 2007, Canadian Securities Administrators issued a revised National Instrument 52-109 Certification of Disclosure in Issuers’ Interim and Annual Filings. Protiviti’s Carmen Rossiter and Hubert Huang summarize the requirements of this new regulation and its ties to Sarbanes-Oxley. In addition, Rossiter and Huang encourage companies impacted by the regulation to act now.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Cross Border & Non-US Issues, Canada, Sarbanes-Oxley Act, Internal Controls, Section 404 - Internal Control Reporting, Compliance, GRC
May 21, 2007
Maximizing Compliance and Content Protection
Ensuring regulatory compliance, safeguarding sensitive information and preventing IP theft requires more than monitoring network traffic for potential violations. There are simple practices that can easily be implemented by any organization, regardless of size, helping them to proactively combat the detrimental financial, IP, and brand effects of a security breach.
CONTENT AREA: Articles
TOPICS: Technology, Security, Security Management Practices, Knowledge Management
May 21, 2007
Revenue Processes at Pre-IPO Companies
A strong revenue recognition process is beneficial for all companies, and especially critical to pre-IPO companies. Protiviti’s Ed Scheuer and Fiona McLaren lay out how companies can assess the strength of the revenue recognition process, and explain that when assessing the process, using a framework such as the Six Elements of Infrastructure can help a company assess and build a revenue management infrastructure.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Benchmarking, Best Practices, Initial Public Offering, Internal Controls, Performance Management/Measurement, Revenue
May 21, 2007
Tracking and Monitoring Spending on Healthcare Professionals and Organizations
Several states have passed or proposed legislation that requires pharmaceutical manufacturers to report all expenditures related to selling or marketing to healthcare professionals. The risk of noncompliance is increasing steadily, and to minimize this risk an integrated solution is necessary to track and monitor applicable expenditures.
CONTENT AREA: Articles
TOPICS: Expense Reporting, Healthcare & Pharmaceuticals Industry, Laws & Regulations
May 14, 2007
Implementing Information Lifecycle Security (ILS)
Information security is currently reaching a crisis point that makes it one of the biggest problems facing companies today. This article takes a detailed look at what it takes to implement the elements of ILS that need to be addressed for full data security.
CONTENT AREA: Articles
TOPICS: Technology, Security, Knowledge Management
May 14, 2007
Trade Promotion: Reducing the Risk
The risk of poor trade promotion practices and processes has a significant impact on your organization. Protiviti’s Jim Gibson and Linda Peel encourage companies to evaluate the significance of this risk to their operations. In addition, the authors detail what can happen if this risk is not managed well and how companies can go about effectively managing this risk.
CONTENT AREA: Articles
TOPICS: Sales Process & Marketing, Supply Chain, Internal Audit, Risk Management & Assessment, Consumer Products & Retail Industry, GRC
May 7, 2007
Making Section 404 Compliance Cost-Effective While Improving Quality and Sustainability
As companies take stock of their focus on "pass/fail" compliance with Section 404 of the Sarbanes-Oxley Act, it is time to reflect on the objectives and costs of the effort. While the SEC's new guidance to management and the PCAOB's revamping of AS2 will help improve the cost-effectiveness, senior management has a more important opportunity to focus on quality and sustainability. This article asserts that every organization should take a step back to evaluate how to transition from the narrow focus on pass/fail compliance to a cost-effective, sustainable and value-added process.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, Financial Reporting, Self-Assessment, Best Practices, External Auditor, PCAOB, Entity-Level Control
May 7, 2007
Managing Enterprise Risk in Today's World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs
Public and private sector enterprises today are almost completely dependent on their information technology infrastructures to accomplish their critical missions and carry out their corporate business strategies. In order to effectively compete in a fast-paced, highly complex, global economy, organizations are employing new, more powerful information technologies at an unprecedented rate, and in most instances, either ignoring or not fully understanding the increased exposure of their enterprise operations and assets due to the aggressive use of that technology.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Risk Management & Assessment, Security, Security Management Practices, GRC
May 7, 2007
New approach to entity-wide controls assessment adds value
The concept of entity-wide controls has been around since COSO introduced its Internal Control Framework in 1992. Yet, there continues to be confusion about the definition of “entity-wide controls” and about how to evaluate and test these controls. This article provides suggested definitions and guidance for assessing and testing internal controls.
CONTENT AREA: Articles
TOPICS: Internal Audit, Internal Audit Administration, Risk Management & Assessment, Sarbanes-Oxley Act, Internal Controls, COSO, Entity-Level Control, Audit Planning, GRC
April 30, 2007
Avoiding the Commitment Dip: Seven Ways to Keep Your Employees Focused on and Committed to Change
Each year companies spend millions of dollars to make change initiatives a success, and yet the results are frequently dismal. The changes fail to achieve their objectives and leaders are left wondering what went wrong. A recent survey shows the real source of the problem: Maintaining high levels of employee support and commitment. Here are guidelines on how to avoid the "commitment dip," and implement successful changes at your company.
CONTENT AREA: Articles
TOPICS: Project Management, Change Management
April 30, 2007
Commodity Hedging: How To Achieve Stability in the Midst of Volatile Commodity Prices
Fluctuating commodity prices create both opportunities and hazards in the marketplace. The opposing desires of producers and consumers create a dynamic marketplace for commodities, resulting in questions for both producers and consumers, and hard decisions companies must make every day. As this article describes, an effective hedging program begins with understanding the objectives and strategy toward commodity prices.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Energy & Utilities Industry
April 23, 2007
Implementing ERM Enterprise-wide in the Banking Industry
The banking industry is among the more advanced in implementing the enterprise risk management (ERM) concept. Yet, very few companies have implemented a truly enterprise-wide approach across all of their operations. The purpose of this publication is to revisit the importance of risk management and discuss how the Protiviti Risk Model is designed to help banking management move beyond traditional risk to ERM. In addition, Protiviti provides its point of view on effective ERM implementation.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Audit Committee & Board, Financial Services Industry, Basel, Compliance, Enterprise Risk Management, Financial and Credit Risk, GRC
April 23, 2007
The IT Compliance Equation: Understanding the Elements
When all sides of the IT compliance equation - Security, Audit and IT Operations - are not working together smoothly, a number of problems can arise. While all parties have an idea of which direction they wish the controls infrastructure to go, getting there is another issue. The root cause of these problems comes from the linked, but different, objectives of the three main protagonists.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Audit, Security, Compliance, Process-Level Control, GRC
April 16, 2007
How can internal audit do more with COSO?
Using a recognized internal control framework, such as COSO, is now required for SOX compliance. This article explains why some companies do not believe they are getting an adequate return on their investment from using a control framework. Protiviti's Jill Benson addresses these concerns by outlining the role internal audit can take to successfully embed COSO into an organization’s culture and operations.
CONTENT AREA: Articles
TOPICS: Internal Audit, Internal Audit Administration, Risk Management & Assessment, Audit Testing, Sarbanes-Oxley Act, Internal Controls, COSO, GRC
April 16, 2007
Research Analyst Views of Corporate Governance
Is corporate governance a non-factor for analysts? Or is it, in fact, an issue that analysts take into consideration, specifically when dealing with long-term investors? This publication summarizes business leaders’ thoughts on the role of and importance that corporate governance plays in a research analyst's mind.
CONTENT AREA: Articles
TOPICS: Financial Reporting, Corporate Governance, Audit Committee & Board, Sarbanes-Oxley Act, Internal Controls, Compliance, GRC
April 16, 2007
Selecting an IT Control Framework
Companies have now weathered several years of scrutiny under regulatory requirements with the inception of HIPAA, Sarbanes-Oxley, and other industry regulations. To meet these compliance challenges, many companies have looked to different frameworks to help build controls structures within the organization. For IT organizations, this has required a shift in mindset to adopt a "controls oriented" approach while keeping up with the technology needs of the business.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, IT Infrastructure, Security, Compliance, GRC
April 9, 2007
Enhancing ALLL: Moving Beyond Accounting Mechanics
How much reserve is enough in calculating your Allowance for Loans and Lease Losses (ALLL)? What if current charge-off rates are close to zero? What is the value proposition of an effective ALLL process? This article addresses common challenges and provides tactical ideas for enhancing ALLL.
CONTENT AREA: Articles
TOPICS: Credit & Collections, Financial Services Industry, Financial and Credit Risk
April 9, 2007
SOX Monday Morning Quarterback – Lessons Learned and a Look Forward
With two years' experience, it is now clear where companies should make changes to their SOX compliance plan. This publication provides practical advice and five key lessons for improving the SOX compliance effort, specifically focusing on moving from a manual (project-based) audit approach to an automated (process-based) approach. It also discusses how companies are using Continuous Controls Monitoring (CCM) to reduce their overall compliance cost.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, IT Controls, External Auditor, Risk Management & Assessment, Section 404 - Internal Control Reporting, Cost Management, Entity-Level Control, GRC
April 9, 2007
Technology Solutions for Improving Accuracy and Availability of Healthcare Records
In order for healthcare providers to make decisions that lead to successful medical treatments, they need access to the data in patient healthcare records. This article summarizes the data accuracy and data availability problems that exist in managing healthcare records, and then describes various technology solutions that could be designed to address specific data problems.
CONTENT AREA: Articles
TOPICS: Healthcare & Pharmaceuticals Industry, Technology, Privacy
April 2, 2007
Learning from Fraudsters: Reinforcing the Message
As a follow-up to the original “Learning from Fraudsters” report, this publication provides 10 additional interviews that provide further insight into how these people committed fraudulent acts. The interviews have been written up as case studies telling the offenders’ stories -- where possible, using their own words. (Note: The report contains language some people may find objectionable.)
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Audit Testing, Ethics, Fraud, Internal Audit, Laws & Regulations
March 26, 2007
Common problems in QARs can be fixed, avoided
Quality assessment reviews (QAR) of internal audit departments are designed to find and fix problems related to compliance with IIA Standards. In helping many IA functions with compliance, Protiviti has identified 10 common problem areas where many IA functions can improve. This article provides suggestions on how each of these issues can be addressed with the goal of moving toward leading practices.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Best Practices, Internal Audit, Internal Audit Administration, Quality Assessment Review
March 26, 2007
Secure, Searchable Archiving
Today, organizations recognize the importance of unstructured business content held within e-mail, file systems, and collaborative environments. E-mail is particularly critical; by some estimates, as much as 75 percent of a company's intellectual property is contained in e-mail. Because this content is highly sensitive, it must be protected from unauthorized access and use. This is often accomplished through encryption and rights management. At the same time, organizations must preserve this critical content for future search and disclosure, most often via archiving. But this has been easier said than done, driving organizations to choose one or the other: either security or accessibility.
CONTENT AREA: Articles
TOPICS: Compliance, Technology, Knowledge Management, Security, GRC
March 19, 2007
Information Protection Extends Beyond the Network
In today's mobile IT environment, each endpoint represents a potential entry point for those intent upon compromising sensitive information for financial gain. Consequently, information protection is no longer about protecting the network; it is about protecting information wherever it resides. This article discusses the idea of protecting information at the endpoint. It covers the most effective tools for protecting managed endpoints, including antivirus, personal firewall, and intrusion protection technologies, among others, as well as the important role people play in ensuring data protection.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Security, Security Management Practices
March 19, 2007
Measuring the Success of Large Application Development Projects
It is not unusual for company application development efforts to languish, run far over budget, be scrapped, or simply fail. In this article, Protiviti’s Tom Andreesen points out that, even in cases where these projects are completed, many companies are not measuring whether their efforts were successful. With the recent publication of Val IT, companies now have a conceptual framework for aligning IT projects with business objectives, as well as for monitoring progress and measuring results.
CONTENT AREA: Articles
TOPICS: Technology, IT Strategy, Internal Audit, Benchmarking, Cost Management, Performance Management/Measurement
March 12, 2007
Company Secretary and internal auditor: joint guardians of governance, risk management and control
The internal auditor within any organisation is an important ally and supporter of the Company Secretary. Separately, they represent the two primary organisational managers who focus entirely on governance and risk. Together, they can represent a real force in terms of changing behaviour and driving improvement in governance, risk management and control. In this article, Protiviti’s Mark Harrison discusses interactions between these two roles and how the Company Secretary can utilize internal audit most effectively.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Australia, Corporate Governance, Cross Border & Non-US Issues, Internal Audit, Internal Audit Administration, Internal Controls, Risk Management & Assessment, GRC
March 12, 2007
Corporate governance: A case study
The governance process must be applied in a strategy setting and across the enterprise to be effective. At CA (formerly Computer Associates), where one of the authors of this article now works, failure to properly apply corporate governance nearly sank the company. Many of the problems discovered at CA exist in varying degrees at many, and perhaps most, other companies. The approaches now taken by CA to strengthen corporate governance can be a model for other companies to follow.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Corporate Governance, Fraud, Internal Audit, Internal Audit Administration, IT Audit, Risk Management & Assessment, GRC
March 12, 2007
Magnifying the Value of Identity Management Technology
Typical identity management software facilitates access control, authentication, and creation of user names and passwords. Network Behavior Analysis (NBA) tools maximize this investment by collecting, monitoring and reporting on this data in the context of overall network activity. Recently many companies have found that this approach is more effective, easier to manage and less expensive than traditional, perimeter-based security solutions.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, Security
March 5, 2007
Stock Compensation – A Perspective on Historical and Current Financial Controls
The 2007 proxy season ushers in significant new challenges for companies that grant stock options, restricted stock and other equity-based compensation awards. In addition to SOX compliance, the new and changing accounting rules for equity-based awards also have specific implications for executive compensation disclosures. To assist companies in addressing the challenges posed by the new requirements, this article provides two conceptual frameworks and leading trends to shed light on the elements and integrated activities of a well-controlled stock compensation process.
CONTENT AREA: Articles
TOPICS: Compensation & Benefits, Compliance, Financial Reporting, Internal Controls, Sarbanes-Oxley Act, GRC
March 5, 2007
The Evolution of Managed Security Services: A Virtual Reality
This article discusses how the costs and complexity of security are causing more firms to consider outsourcing. It looks at different levels of outsourcing commitment, "security-in-the-cloud" offerings, and fully virtualized security.
CONTENT AREA: Articles
TOPICS: Outsourcing/Co-sourcing/Shared Services, Security, Security Management Practices
February 26, 2007
Darknets: Security's Bright Future
What makes a darknet a powerful security tool is that, after initial tuning, any traffic entering it from any source is most likely hostile. With the use of darknets, security administrators can spot scanning activity without using complicated analysis technology. Darknets offer organizations a powerful complement to traditional security solutions.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Network & Internet Security, Security
February 26, 2007
The Shift to Behavioral Monitoring: A New Paradigm for Exception-Based Reporting
In the past 10 years, exception-based reporting (EBR) has become a widespread tool for loss prevention in retail organizations. However, most organizations are not taking advantage of the capabilities of their EBR solutions to change the behavior of sales associates. This white paper explains why shifting to a so-called “behavioral monitoring” approach to EBR allows retailers to reduce the opportunities for fraud.
CONTENT AREA: Articles
TOPICS: Fraud, Consumer Products & Retail Industry
February 12, 2007
Controls, Compliance and the Role of Continuous Monitoring
The lack of automated controls has contributed to the high cost of compliance. Companies are struggling to find an efficient, cost-effective method of attaining this goal. Continuous monitoring can play a major role in developing a sustainable, long-term compliance plan that minimizes cost, strengthens the control environment, ensures financial reporting accuracy and adds value to the organization. This article from Oversight Systems discusses solutions for automated continuous monitoring.
CONTENT AREA: Articles
TOPICS: Audit Testing, Internal Audit, IT Audit, IT Controls, Risk Management & Assessment, Sarbanes-Oxley Act, Segregation of Duties, Continuous Auditing, GRC
February 12, 2007
Risk Management for Collaborative Software Development
This article presents a framework that can be used to manage collaborative software development projects based on an extended set of risk management principles. Three risk factors — trust, culture, and collaborative communication — are discussed in depth.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Software, GRC
February 12, 2007
Visa PCI – Complying with Payment Card Industry Standards
Any merchant that handles transactions by credit card is required to meet security standards established two years ago by the payment card industry (PCI). A picture has begun to emerge of some best practices and common pitfalls organizations encounter on the road to compliance with the 204 controls required by the Data Security Standard (DSS).
CONTENT AREA: Articles
TOPICS: Compliance, Network & Internet Security, Privacy, Security, Security Management Practices, GRC
February 5, 2007
What the manager needs to know about planning a penetration test or vulnerability assessment
This article provides planning and project management recommendations for conducting a successful penetration test or vulnerability assessment. It includes practical advice about choosing a tester, setting a clear scope, managing the various risks of testing, and the role of internal audit.
CONTENT AREA: Articles
TOPICS: Audit Testing, Technology, Internal Audit, IT Audit, IT Controls, IT Infrastructure, IT Strategy
January 29, 2007
Improving Channel Processes for Sarbanes-Oxley Also Can Improve the Bottom Line
Increased scrutiny of financial processes has uncovered areas of financial vulnerability for many companies. For manufacturers that sell through distribution channels, SOX has helped expose the poor inventory and sales data they receive from their channel partners (distributors, retailers and resellers). This article discusses the risks of bad data, the benefits of receiving cleaner data from partners, and several options available for improving partner-reported data.
CONTENT AREA: Articles
TOPICS: Compliance, GRC, Internal Controls, IT Controls, Manufacturing & Distribution Industry, Materials Management & Inventory, Sarbanes-Oxley Act, Supply Chain, Technology
January 22, 2007
Taking a Closer Look at SAS 70s
To some observers, a SAS 70 is a useful and flexible tool for outsource service providers and their clients, while others discount its value tremendously. However, it remains the industry standard for assessing and communicating control effectiveness. In this article, representatives from Accenture and Metavante offer their perspectives on the SAS 70 debate and recommend how companies can make a SAS 70 report fit their unique control needs.
CONTENT AREA: Articles
TOPICS: Internal Controls, IT Controls, Sarbanes-Oxley Act, SAS 70, Section 404 - Internal Control Reporting
January 22, 2007
The Insider's Guide to Outsourcing Risks and Rewards
Many hazards exist in offshore outsourcing. This book is about making responsible managers aware of what can go wrong and what steps could be considered to mitigate these risks. This introductory chapter includes sections about best practices, myths, and risks, along with a checklist and a section with a definition of terms.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Outsourcing/Co-sourcing/Shared Services
January 15, 2007
SAS 70 reports continue to grow in demand and utility for Sarbanes-Oxley compliance
It has become apparent to those with outsourced business processes that external service providers are a significant component of the company’s financial reporting process. This article discusses how the outsourcing trend is increasing the public interest in SAS 70s. In addition, Service Corporation International shares its experience in utilizing SAS 70 reports and how the quality and timeliness of these reports can be a service differentiator.
CONTENT AREA: Articles
TOPICS: Audit Testing, External Auditor, Internal Audit, IT Controls, Sarbanes-Oxley Act, SAS 70, Section 404 - Internal Control Reporting
January 15, 2007
The New Return on Integrity (ROI) Calculation for Desktop and Network Applications Security
When it comes to investments in computing security infrastructure, senior executives ask: "Will this advance my company's position in the marketplace?" while the IT executives ask: "Will this deliver improved productivity?" The simple answers are "Probably not," and "No." So, are security solutions being delayed, deferred, discounted, or derailed because they don't fit neatly into an ROI formula? Absolutely. But at what cost? That's the question.
CONTENT AREA: Articles
TOPICS: Security, Security Management Practices
January 8, 2007
Information Security Tradeoffs: The User Perspective
Data that is being “protected” has to remain available to legitimate users. How can security professionals determine if they have pushed too far and users are having problems? Have companies reached the point where they have made systems too hard to use, in effect limiting user access? This article discusses the trade-offs involved in determining how much security to impose.
CONTENT AREA: Articles
TOPICS: Security
January 1, 2007
Choosing the Right Authentication
Authentication as a method of restricting access to sensitive information to privileged users is gaining a renewed interest. The choice of the right authentication technology, however, is not trivial and a successful deployment requires considerations beyond security.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, Technology, IT Controls, Security
January 1, 2007
What the Amendments to the Federal Rules of Civil Procedure Mean to Your Company
The Supreme Court recently approved amendments to the Federal Rules of Civil Procedure, which took effect on December 1, 2006. These amendments provide guidance on the handling of electronically stored information in litigation. With the publication of these amendments, a legal framework now exists from which we can analyze and build policies and processes for litigation preparedness, even if some of the amendments have left room for interpretation.
CONTENT AREA: Articles
TOPICS: Document Retention, Fraud, Investigations/Forensics, Laws & Regulations, Sarbanes-Oxley Act, Security
December 18, 2006
Proper reconciliations speed closings, improve accuracy, cut costs
Tightened SEC filing deadlines and month-end close requirements have created the need for companies to reconcile accounts, close the books and file financial reports more quickly. Unfortunately, a large percentage of companies are struggling with this process. This article focuses on how to automate the reconciliation process and shares Accenture’s experience in automating this process for thousands of ledger accounts.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Cost Management, Financial Reporting, Technology, Internal Controls, Performance Management/Measurement, Sarbanes-Oxley Act, Software, Close the Books
December 18, 2006
Social Engineering: Concepts and Solutions
Securing hardware, software, and firmware is relatively easy; it is the ‘wetware’ (human being attached to a computer system) that causes the biggest headache. Since the 1970s security has eluded us because the silicon-based products have to interface with carbon-based units. The goal of social engineers is to trick people into giving them what they want. What scares most companies is that truly successful social engineers receive what they are looking for without raising any suspicion.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, Fraud, Technology, Security
December 11, 2006
Whistleblower Hotlines: A Look at Best Practices, Current Trends
It may be worthwhile for all organizations to examine current best practices and new technologies supporting whistleblower hotlines mandated by Sarbanes-Oxley Section 301.4. Since the law did not specify how to comply, many audit committees have had to improvise when documenting and following up on complaints from their compliance hotline systems. This article discusses key points to consider.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Compliance, Corporate Governance, Ethics, Sarbanes-Oxley Act, Whistleblower/Complaint Reporting, GRC
December 4, 2006
Information and Physical Security: Can They Live Together?
Companies are starting to merge the two culturally and technologically disparate worlds of building access and network access. This article discusses the state of security convergence and what it means for everyone involved—from the guard working the lobby desk to the IT manager responsible for making sure no one misuses resources.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, Technology, Physical Security, Security
December 4, 2006
Maturing Information Security Using International Standards
All organizations need to secure their data and intellectual property. How can you gain assurance that this important part of your business is appropriately protected? What tools and techniques can you use to gain that assurance? This article details how to use international security standards to help protect valuable company information.
CONTENT AREA: Articles
TOPICS: Compliance, Cross Border & Non-US Issues, Technology, IT Controls, IT Strategy, Sarbanes-Oxley Act, Security, Security Management Practices, GRC
November 27, 2006
Securing Global Supply Chains: Seven Reasons Why "Getting It Done" Is So Hard
We all know that a company's global supply chain is a potent strategic weapon, economically speaking. Unfortunately, it can also be a potentially fatal area of vulnerability. Companies have two often-conflicting objectives: first, to get stuff through their supply chain faster and faster, and second, to do so in a way that is ever more secure.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Physical Security, Security, Supply Chain
November 27, 2006
The question of SOX certification
As business processes grow more complex, executives are faced with dozens of choices for training and certifications for their employees. The Sarbanes-Oxley Act (SOX) is spawning its own array of independent training and certification programs for professionals in IT, audit and other corporate specialties. One question for executives is whether these programs are worth the investment now or if it makes sense to wait until SOX practices mature.
CONTENT AREA: Articles
TOPICS: Internal Controls, Project Management, Sarbanes-Oxley Act, Training & Development
November 20, 2006
Early Warning Signs of IT Project Failure: The Dominant Dozen
The postmortem examination of failed IT projects reveals that long before the failure there were significant symptoms or “early warning signs.” This article describes the top twelve people and project-related IT project risks, based on data collected from a panel of experts and a survey of IT project managers.
CONTENT AREA: Articles
TOPICS: Technology, Project Management, Risk Management & Assessment, GRC
November 20, 2006
Implementing and Managing Automated ERP Controls
As companies acquire more experience with SOX compliance, they are seeking more efficient and effective ways of documenting and testing their controls. Many organizations are beginning to look within the complex functions and features of their Enterprise Resource Planning (ERP) software for opportunities to automate their internal controls.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, External Auditor, Fraud, IT Controls, Sarbanes-Oxley Act, Security, Software
November 20, 2006
Understanding Data Forensics
What should a company do if it finds itself in litigation and ordered to produce electronic data? The golden rule is “do nothing”—at least not without expert advice.
CONTENT AREA: Articles
TOPICS: Technology, Security
November 13, 2006
The Five Myths of Wireless Security
It is imperative that information security professionals not take security trends and myths at face value, but instead thoroughly investigate every statement to make an informed decision about the veracity of individual security ideas.
CONTENT AREA: Articles
TOPICS: Technology, Security, Network & Internet Security, Wireless
November 6, 2006
Risk Management, Loss Prevention and Internal Audit
Due to the increased emphasis on internal control, many retailers have developed a store compliance process to monitor, quickly identify and remediate potential risks. An effective store compliance process benefits from the sharing of resources and information among the three most influential departments in loss control: risk management, loss prevention and internal audit.
CONTENT AREA: Articles
TOPICS: Compliance, Internal Audit, Internal Controls, Laws & Regulations, Sarbanes-Oxley Act, Consumer Products & Retail Industry, GRC
November 6, 2006
The Top Information Security Issues Facing Organizations
This article presents the results of two related surveys in which CISSPs were asked to identify their most critical information security issues. It provides the rankings of the most critical information security issues and a summary of the governmental actions recommended by the survey participants.
CONTENT AREA: Articles
TOPICS: Security, Security Management Practices
November 6, 2006
Using technology to make SOX a less costly, more reliable process
Many organizations have spent millions of dollars and tens of thousands of man-hours to complete the documentation, testing and reporting required by SOX. In retrospect, many organizations documented too many controls, which primarily consisted of manual rather than automated controls. This article discusses the role technology plays in moving SOX compliance to an ongoing, sustainable process and the importance of active maintenance when building a strong control environment.
CONTENT AREA: Articles
TOPICS: Enterprise Risk Management, Technology, IT Controls, IT Infrastructure, Sarbanes-Oxley Act, Software, GRC
October 30, 2006
Distributed Data: The New Security Frontier
Today's business climate has created a highly complex data protection custody chain. Companies must replicate more and more sensitive data in order to protect it, but there's a catch. The more data a company replicates, copies and backs up, the more data it must secure and the more vulnerable that data becomes. Add to this the fact that most companies create and use mission-critical data on remote servers, desktops and laptops, and the security challenge becomes even more pronounced. To meet it, companies must rethink the controls, reporting mechanisms and staff skill sets needed to manage, monitor and police distributed data.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, Compliance, Technology, Laws & Regulations, Operations Security, SAS 70, Security, GRC
October 30, 2006
Sharing Best Practices for a World-Class Audit Function
Internal audit professionals are increasingly sharing best practices and innovative ideas to help lighten the burden of their many responsibilities. This article highlights four panelists from an August IIA Webcast who speak about a common quest among internal auditors seeking greater audit efficiency, a higher level of risk awareness throughout the organization, and more effective communication with audit committees and management. In addition, they speak of the importance of continuous auditing in a real-time world.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Audit Reporting, Audit Testing, Best Practices, Internal Audit, Risk Management & Assessment, Continuous Auditing, GRC
October 23, 2006
Securing RFID Applications: Issues, Methods, and Controls
This article provides an introduction to radio frequency identification (RFID), highlights common security issues, and introduces corresponding countermeasures, controls, and security metrics.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Physical Security, Privacy, Security, Consumer Products & Retail Industry
October 23, 2006
The Retail Store Audit: Using Technology to Optimize the Audit Process
The traditional method of conducting store audits would benefit from an innovative use of technology, but is an automated solution really worth your investment? This article provides details of three key benefits: enhanced audit productivity, increased operational effectiveness, and improved reporting capabilities.
CONTENT AREA: Articles
TOPICS: Technology, Internal Audit, Self-Assessment, Software, Consumer Products & Retail Industry
October 16, 2006
Linking IT Controls to Business Objectives
While driving change in an organization is a challenge, the task of linking IT controls to business goals is made easier once a common language and methodology are employed. This article highlights four panelists from a July IIA webcast who speak about linking IT business controls to business objectives using a top-down approach and how GAIT relates to this process. In addition, two of the panelists detail how their companies addressed this process.
CONTENT AREA: Articles
TOPICS: Technology, Internal Audit, IT Audit, IT Controls, IT Strategy, Sarbanes-Oxley Act
October 16, 2006
Secure Data-Archiving: How to Protect and Store Your Data
Can your data be recovered quickly when it needs to be? Ever changing government regulations and a highly litigious society make quick and thorough access to years of stored data a necessity, not an option. The good news is that safe data-archiving technologies are now available at reasonable costs. They can make worrying about data being misplaced or not being available at a moment's notice a thing of the past.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Operations Security, Security
October 9, 2006
Controls Intelligence: An Examination of How Robust Controls Analytics Can Improve Business Processes and Streamline Compliance
Corporations find themselves straddling the horns of a very expensive dilemma: On the one hand, the cost of regulatory compliance is extremely steep; on the other, the risks associated with security intrusion – fraud, theft, loss of reputation and the consequences of noncompliance – are unacceptably high. One major reason that compliance costs are so high is that most corporate environments still rely heavily on manual controls for their data, and this is expensive. This white paper describes how technology can be redeployed to improve the control environment, lower compliance costs and streamline operations.
CONTENT AREA: Articles
TOPICS: Compliance, Internal Controls, Laws & Regulations, GRC
October 9, 2006
Electronic Data Speaks - What Does It Say About Your Organization?
The most common approach to dealing with fraud today is a 'reactive' approach. However, companies are beginning to embrace measures to help pinpoint indicators of fraud before the act is carried to fruition. One of the most effective ways to monitor fraud and misconduct risk is through a combination of data analysis and data mining.
CONTENT AREA: Articles
TOPICS: Fraud, IT Controls, Technology, Internal Audit, IT Audit, Security, Investigations/Forensics
October 9, 2006
Improving Bluetooth Security: What IT Managers and Mobile Device Users Can Do
The emergence of a variety of mobile threats has heightened mobile users' and enterprises' concerns regarding Bluetooth's overall lack of comprehensive security. Although some risks may be due to current implementations or the protocol design, steps can be taken to reduce risk.
CONTENT AREA: Articles
TOPICS: Technology, Network & Internet Security, Wireless, Security
October 2, 2006
Securing Against Insider Attacks
Since the very first IT survey on cyber-attacks, one fact has remained almost constant: roughly twice as many attacks come from the inside as from the outside. However, a reluctance to deal with the implications of this has led to an emphasis on preventing outside attacks. This article addresses these habits, and how the new regulatory environment is forcing us to move outside our ‘comfort zone’ and to look at how individuals in our own ‘tribe’ can hurt us.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Security, Laws & Regulations, Security Management Practices
September 25, 2006
A realistic scope for SOX IT compliance
Three years into SOX, IT efforts remain far from optimal. Those overseeing the compliance efforts are dependent on business dictates; as a result, all applications are treated equally and appear to require the same level of control. As this article explains, all IT risk is not created equal and it is time for a better solution.
CONTENT AREA: Articles
TOPICS: Technology, Sarbanes-Oxley Act, IT Controls, Compliance, GRC
September 25, 2006
Effective Operational Security Metrics
Security professionals are constantly being asked to justify every security project. Security risks and projects can often be difficult to measure and even more difficult to understand by people outside the department. The key to demonstrating improvement and value is to present appropriate security metrics in business terms. This article will help move from presenting information security as tactical and reactive to showing that it is managed and measured.
CONTENT AREA: Articles
TOPICS: Operations Security, Technology, IT Infrastructure, Security
September 18, 2006
Defending the Corporate Crown Jewels From the Dangers That Lurk Within
The risk of damaging cyber-attacks to corporate networks has never been higher. Enterprise networks contain the most precious assets of a corporation. Essentially, everything a company creates or does manifests itself within the corporate network. This article looks at network behavior analysis (NBA), a new approach to addressing internal network security.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, Security, Network & Internet Security
September 11, 2006
Confessions of a Configurer: Managing Risk in the SAP Environment: Controlling Postings to Closed Accounting Periods (Part 3)
This is the third in a series of articles whose goal is to explain the potential risk areas within SAP, how to test for them, and how to ask more pointed questions to ensure that risks are adequately managed around that configuration. This article discusses how to restrict the ability to post to a ‘closed’ accounting period to just a select few.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Accounting/Finance, Financial Reporting, Software, Segregation of Duties, GRC
September 11, 2006
Implementing Security Metrics Initiatives
Security metrics are shrouded in mystery and are considered “too hard” to do — with the end result being that this necessary and effective management tool has yet to be implemented at many organizations, and in the organizations where it has been launched, it has yet to be automated to ease management and reduce resource costs.
CONTENT AREA: Articles
TOPICS: Security, Security Management Practices
September 11, 2006
Stock Option Accounting’s Impact on SOX Compliance
The business news wires buzz with stories about investigations of how companies have granted stock options and other equity awards to their executives – and how they have accounted for those grants. Backdating has attracted most of the headlines, but recent changes in accounting practices and disclosure rules also have thrust this issue into the spotlight. These changes have added complexity for companies striving to meet the requirements of the new accounting standards and to maintain the related internal controls mandated by SOX. This article discusses the complexity of stock option accounting, the range of dating behaviors, future control requirements, and the four key areas of activity with respect to stock option grants.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Compensation & Benefits, Compliance, Corporate Governance, Sarbanes-Oxley Act, GRC
September 4, 2006
From Logs to Logic: Best Practices for Security Information Management
The news is filled with stories about corporate networks being terrorized by worms, viruses, hackers, and identity thieves. Now, more than ever, companies need to pay strict attention to network security, not only to defend against attacks and protect customer data, but also to satisfy a growing list of government regulations. This article takes the reader through best practices for turning technical data points into business-relevant information.
CONTENT AREA: Articles
TOPICS: Security, Security Management Practices, Best Practices
August 28, 2006
High-Shrink Store Programs: Why Focusing Your Resources on the Worst Performing Stores Will Reap the Most Benefits
Retailers are used to managing a certain amount of shrink in the business – it’s a fact of life. However, that doesn’t mean that executives should accept that shrink can’t be substantially reduced. This article describes high-shrink store programs, a key tactic in driving down shrink at outlets with the highest loss rates.
CONTENT AREA: Articles
TOPICS: Materials Management & Inventory, Security, Physical Security, Risk Management & Assessment, Consumer Products & Retail Industry, GRC
August 28, 2006
Mitigating Malware in Userland
Kevin Mitnick has authored a new white paper to help corporate customers minimize the risks associated with sophisticated computer security threats. It provides detailed insights into a typical computer hacker's mindset and provides real-life examples of IT security breaches at various corporations.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, Communications Industry, Network & Internet Security, Security, Software, Technology, Telecommunications
August 21, 2006
Most Disk Overwriting Software May Compromise Data Security
Large volumes of confidential data are stored on PCs, posing a significant security threat. A single improperly discarded hard drive or PC could have severe consequences if proper measures are not taken to prevent the unauthorized disclosure of confidential corporate data. Widely available disk overwriting software is one of the main reasons why data leaks continue to occur. This article identifies drawbacks in these tools which could compromise an organization's security.
CONTENT AREA: Articles
TOPICS: Technology, Operations Security, Security, Software
August 14, 2006
Investigations and the Foreign Corrupt Practices Act
Compliance with the Foreign Corrupt Practices Act (FCPA) is once again in the regulatory spotlight. As growing numbers of U.S. companies pursue opportunities in the global marketplace, many have encountered ethical situations that have given rise to government investigations of potential violation of the FCPA. In this article Ken Yormark outlines FCPA's requirements and discusses red flags, risk assessment techniques, and multi-method approaches to the delivery of employee education and awareness programs.
CONTENT AREA: Articles
TOPICS: Fraud, Laws & Regulations, Compliance, Ethics, Cross Border & Non-US Issues, GRC
August 7, 2006
Remotely Safeguarding the Enterprise
Help desk resolution, troubleshooting, system configuration, software installation, end-user training, and disaster recovery are just a few of the ways that IT professionals leverage remote control solutions to facilitate and improve the services they provide to their remote customers. However, being able to consistently discover and connect to all of the remote hosts that an IT professional supports can be a difficult and sometimes frustrating challenge.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Operations Security, Software
August 7, 2006
Tactics to rebalance your internal audit function
Now that the initial burden of Sarbanes-Oxley compliance is lightening for many companies, Chief Audit Executives are feeling pressure from all sides to “rebalance” their internal audit activity. While few will argue with the goal of rebalancing, most internal audit groups find it challenging to translate this goal into tactical business plans. This article highlights specific steps companies can take to rebalance their IA activities.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Internal Audit, Internal Audit Administration, Internal Controls, Sarbanes-Oxley Act, Continuous Auditing
August 3, 2006
The Operational Store Auditor as Cultural Influencer
The operational store audit is fast moving away from its traditional origins and assuming a new role in shaping organizational culture. This article examines the more educational role for auditors, and discusses the implications for the audit team.
CONTENT AREA: Articles
TOPICS: Consumer Products & Retail Industry, Internal Audit, Materials Management & Inventory, Software, Supply Chain
July 31, 2006
Mitigating Risk Through Targeted Communications Requires Understanding Organizational Culture
For corporations, an effective communications program is a primary management tool for reducing certain types of risk, such as internal loss due to employee theft. However, as this article describes, you can’t communicate with people in an organization if you don’t understand their culture or speak their language.
CONTENT AREA: Articles
TOPICS: Knowledge Management, Risk Management & Assessment, GRC
July 31, 2006
No definitive answer on proper level of assurance
Internal auditing is an objective assurance activity conducted to provide an independent assessment regarding a process, sub-process, system, or other issue of interest to a company. This raises a key question: What level of assurance should internal audit provide? This article summarizes the perspectives of 80 participants on this topic discussed at the 17th Annual MIS SuperStrategies Audit Best Practices Conference.
CONTENT AREA: Articles
TOPICS: COSO, Internal Audit, Audit Committee & Board, Audit Reporting
July 24, 2006
IT Project Pain? Take 10 Tips and Call Me in the Morning
When undertaking major IT initiatives, a carefully defined and planned effort will yield the most value every time. Protiviti’s Ed Hau identifies 10 principles that should be applied with rigor and discipline throughout IT initiatives. Hau believes the root of all problems encountered during these IT efforts can be traced to lack of attention to one or more of these 10 factors.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, IT Audit, IT Infrastructure, IT Strategy, GRC
July 17, 2006
Penetration testing vs. vulnerability assessment: Which should you consider?
In order for businesses to adequately protect their internal data and their customers’ data, they must understand the risks and vulnerabilities affecting their systems. Penetration testing and vulnerability assessment are two paths to understanding these risks. Protiviti’s Michael Richardson helps us understand the differences between these two types of security reviews and the associated risks to consider.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Physical Security, Security Architecture & Models, Security Management Practices
July 17, 2006
Why Leading Enterprises are Issuing Employee Smart Cards
According to a recent survey of enterprises, smart card security solutions not only increase the protection of both physical and logical access to the organization but can also result in savings of more than $2 million for every 2,000 employees. The survey measured the return on investment of 53 organizations with smart card deployments. It also explored current authentication practices and the potential benefits of converging logical and physical access solutions.
CONTENT AREA: Articles
TOPICS: Technology, Security, Access Control Systems & Methodology, IT Infrastructure
July 10, 2006
SEC adds to pressure to shorten close process
The SEC has compressed the time companies have to file their annual and quarterly reports, adding to the pressure to speed up the financial close process. The companies first impacted by these new reporting timelines are “large accelerated filers,” a group newly defined by the SEC. Protiviti’s Tom Batina outlines the new rules and provides a number of recommendations to help companies accelerate and improve their financial close process.
CONTENT AREA: Articles
TOPICS: Accounting/Finance, Financial Reporting, Internal Controls, Section 404 - Internal Control Reporting, External Auditor, Sarbanes-Oxley Act
July 3, 2006
Advancing Risk Management Capability Using ORM and ERM Frameworks
Faced with an unprecedented number of compliance mandates, financial institutions are puzzled with how they can best address new, complex and overlapping regulatory expectations. Protiviti’s Devon Brooks points out how the structured approaches offered by enterprise risk management (ERM) and operational risk management (ORM) frameworks provide a foundation on which managers can build an enterprise-wide infrastructure to best meet regulatory mandates.
CONTENT AREA: Articles
TOPICS: Compliance, Corporate Governance, Risk Management & Assessment, Sarbanes-Oxley Act, Enterprise Risk Management, Financial Services Industry, Basel, GRC
July 3, 2006
Label-Printing and RFID
This article provides a snapshot of RFID technology today, and how a converter and end-user collaborated to create an item-level tagging solution.
CONTENT AREA: Articles
TOPICS: Asset Management, Consumer Products & Retail Industry, Healthcare & Pharmaceuticals Industry, Technology, Supply Chain, Wireless
June 19, 2006
Network Peripherals: A Weak Link in Security and an Open Gateway for Attackers
One of the most common and overlooked threats to a company's assets and trade secrets is the networked peripheral device. Companies must realize that from a network perspective these devices look no different than other powerful computer nodes - and if not properly managed they can be a weak link in security and an open gateway for attackers.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Operations Security, Physical Security
June 19, 2006
Secrets to developing and auditing a corporate privacy plan
Privacy of personal information stored electronically has become a major concern. Because there is so much at stake if this information is stolen, there is a clear need for organizations to create privacy programs and audit the performance of privacy programs. In this article, Protiviti’s Jeff Sanchez offers a step-by-step approach to building an effective privacy program and describes how to assess the privacy process.
CONTENT AREA: Articles
TOPICS: Fraud, Technology, Laws & Regulations, Privacy, IT Controls, IT Strategy
June 12, 2006
Recovering revenue through royalty audits
Many companies now earn or enhance their revenue through licensing their intellectual property. However, it is proving increasingly difficult to ensure that this revenue potential is being fully realized. Protiviti’s Graham Urey discusses how these agreements have become increasingly complex, and once straightforward royalty calculations are now based on variable data from numerous sources, leaving some companies wondering whether they are actually collecting what they are owed.
CONTENT AREA: Articles
TOPICS: Internal Audit, Accounts Receivable, Audit Testing
June 5, 2006
Achieving Cost Savings and Compliance through Enterprise Contract Management
From the beginning, the Sarbanes-Oxley Act (SOX) made it abundantly clear that companies need to understand, control and manage the risks within their four walls. As companies continue to streamline their SOX compliance efforts, they are turning their attention to contract management, an often overlooked area that presents significant risks if not correctly managed. This article points to enterprise contract management solutions as key to addressing these risks.
CONTENT AREA: Articles
TOPICS: Risk Management & Assessment, Sarbanes-Oxley Act, Internal Controls, IT Controls, Supply Chain, GRC
June 5, 2006
Guide to Optimal Operational Risk and Basel II
The Guide to Optimal Operational Risk and Basel II presents the key aspects of operational risk management that are also aligned with the Basel II requirements. Chapter 9 provides guidance on when and how banking organizations should plan and schedule their actions and policies used in designing the framework of operational risk management.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Risk Management & Assessment, Financial Services Industry, Basel, Financial and Credit Risk, GRC
June 5, 2006
Spreadsheets: friend or foe?
This chapter from part 6 (Containing Financial Risks and Safeguarding Systems and Knowledge) of the third edition of Managing Business Risk focuses on spreadsheet risk. Protiviti’s Jonathan Wyatt and Scott Bolderson discuss how, despite their ease of use, we tend to place undue trust in the integrity of spreadsheet analysis. When analyzing spreadsheet risk, we should be asking ourselves what is our exposure, when should we be using spreadsheets, and how do we use them more wisely.
CONTENT AREA: Articles
TOPICS: GRC, Internal Controls, IT Controls, Risk Management & Assessment, Sarbanes-Oxley Act, Spreadsheet Risk, Technology
May 29, 2006
Employee fraud – The Unexpected Risk
“The world is becoming a riskier place for business managers as each year passes.” This chapter from the third edition of Managing Business Risk focuses on combating employee fraud. Protiviti's Mike Adlem discusses how the responsibility for managing fraud risk must lie with the board, and how senior management must actively support an anti-fraud programme that involves all business processes, business units and divisions.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Ethics, Fraud, Risk Management & Assessment, Enterprise Risk Management, GRC
May 29, 2006
The Truth about Global Outsourcing
Business advisors Ralph Welborn and Vince Kasten have gotten a firsthand look at the problems outsourcers face. Here's the gist: Once the work leaves your organizational walls, you lose visibility - and some say control - over what gets done how and by whom. Outsourcers run into the "execution gap" - the difference between what needs to get done and what actually does get done. In this article, the authors shine light on the execution gap by identifying 10 lessons they've learned about the challenges and difficulties of global outsourcing.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Outsourcing/Co-sourcing/Shared Services
May 22, 2006
Guide to Optimal Operational Risk and Basel II
The Guide to Optimal Operational Risk and Basel II presents the key aspects of operational risk management that are also aligned with the Basel II requirements. Chapter 2 provides detailed guidance for the design and implementation of an efficient operational risk management system. It contains all elements of assessment, including operational risk identification, measurement, modeling, and monitoring analysis, along with evaluation analysis and the estimation of capital requirements.
CONTENT AREA: Articles
TOPICS: Cross Border & Non-US Issues, Risk Management & Assessment, Financial Services Industry, Basel, Financial and Credit Risk, GRC
May 22, 2006
What every auditor needs to know about RFID
Internal audit professionals should be involved in both the evaluation and implementation of Radio Frequency Identification (RFID). However, for internal auditors to be accepted around the planning table, a thorough knowledge of RFID and some of the issues surrounding RFID implementation is crucial.
CONTENT AREA: Articles
TOPICS: Asset Management, Compliance, Consumer Products & Retail Industry, Healthcare & Pharmaceuticals Industry, Internal Audit, Materials Management & Inventory, Supply Chain, GRC
May 15, 2006
Confessions of a Configurer: Managing Risk in the SAP Environment: Critical Considerations for using Sets in SAP (Part 2)
This is the second in a series of articles whose goal is to explain the potential risk areas within SAP, how to test for them, and how to ask more pointed questions to ensure that risks are adequately managed around that configuration. This article asks: What are Sets, where are they used, and why you should be losing sleep if you don’t know?
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Accounting/Finance, Financial Reporting, Software, Segregation of Duties, GRC
May 15, 2006
Practical advice in meeting the Quality Assessment deadline
For some companies, there are still many hurdles to clear as they hasten to comply with The IIA’s Standard 1312 requiring an independent quality assessment (QA). In this article, Protiviti’s Basil Woller discusses common misunderstandings about this Standard and company trends in picking a QA option. Woller also offers advice in how to better prepare for the reality of a quality assessment.
CONTENT AREA: Articles
TOPICS: Internal Audit, Audit Committee & Board, Quality Assessment Review
May 15, 2006
Should Your Board Have A Compliance Committee?
In the current regulatory environment where corporate governance is on everyone’s mind, some companies are deciding that they might benefit from more focused attention to compliance issues. These companies are forming board-level committees that are primarily and solely charged with overseeing compliance and legal matters. This column explores the relationship between compliance and corporate governance, the reasons for establishing a board-level compliance committee, the mandate and membership of such a committee, some challenges that a compliance committee may face and the potential benefit to a company of having a board-level compliance committee.
CONTENT AREA: Articles
TOPICS: Compliance, Corporate Governance, Internal Audit, Audit Committee & Board, Financial Services Industry, GRC
May 15, 2006
The Brave New World of Distributed IT Security
The economic benefits of the Distributed Work Revolution are strong and compelling for enterprises. But the security challenges for corporate IT administrators as they attempt to support this atomized model are formidable. This article discusses those challenges, and recommends solutions to them.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Operations Security, Security Management Practices, Software, Telecommunications, Network & Internet Security, Communications Industry
May 1, 2006
Cyber-Warfare Threatens Corporations Expansion into Commercial Environments
This article presents trends demonstrating the transformation of information warfare from primarily a military issue into a major commercial issue as well. Corporate IT managers need to understand the growing cyber-war threats and implement appropriate strategies to mitigate risk.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Telecommunications, Network & Internet Security, Communications Industry
May 1, 2006
Which comes first – managing risk or strategy-setting? Both!
Because the operating environment is constantly changing, strategy-setting is a dynamic process that never ends. Ultimately, management should never set strategy without evaluating risk. In this article, Protiviti’s Everett Gibbs and Jim DeLoach emphasize that by effectively integrating risk management with the strategy-setting process, management is able to sharpen the focus on improving expected returns, or alternatively holding the expected returns constant and favorably altering the organization’s risk characteristics.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Enterprise Risk Management, Internal Audit, Risk Management & Assessment, Audit Committee & Board, GRC
April 24, 2006
Critical Success Factors for Managing Systems Integration
System integration is a complex technological task, and an infrastructure decision that seems right today might well be obsolete tomorrow. This article proposes a framework of critical success factors that can be used to manage IS integration projects, according to a firm’s current stage of IT integration maturity and other IS infrastructure characteristics.
CONTENT AREA: Articles
TOPICS: Best Practices, Technology, Performance Management/Measurement, Software
April 24, 2006
New Pharmaceutical Compliance Controls Go Beyond Detection
As publicity about drug marketing misconduct became more pervasive, the FDA increased its regulations on pharmaceutical manufacturers. By choice or by decree, many companies are now trying to get a handle on their vendors, their marketing, and their internal controls to comply with the complex web of regulations. Protiviti’s Larry Lake and Beth Richardson discuss a Risk Control Matrix auditing process that incorporates a preventive controls approach to problem solving and provides companies with assurance that marketing activities executed through vendors are within legal regulations.
CONTENT AREA: Articles
TOPICS: COSO, Internal Audit, Sarbanes-Oxley Act, Audit Testing, Healthcare & Pharmaceuticals Industry, Internal Controls, Risk Management & Assessment, GRC
April 17, 2006
GAIT Getting the Go-Ahead
The IIA’s Generally Accepted IT (GAIT) Principles is a welcomed addition to the world of corporate governance. These principles offer guidance for scoping information technology risks and controls for the annual assessment of internal controls over financial reporting. In this article, GAIT authors discuss driving forces behind GAIT, the importance of integrating a top-down approach, and using it as a common frame of reference for management and auditors.
CONTENT AREA: Articles
TOPICS: COSO, Technology, Internal Audit, Sarbanes-Oxley Act, Internal Audit Administration, IT Audit, IT Controls, IT Strategy
April 17, 2006
Multifactor Authentication: A Blow to Identity Theft?
In October 2005 the FFIEC issued guidance entitled ‘Authentication in an Internet Banking Environment.’ This guidance and earlier studies focus on steps that the financial services industry can take to help prevent identity theft, specifically account hijacking. This article defines account hijacking, explains the new regulatory requirements, and presents some of the options available to the industry for addressing them.
CONTENT AREA: Articles
TOPICS: Security, Access Control Systems & Methodology, Financial Services Industry
April 10, 2006
Five Ways for Nonprofits to Manage the Risk of Excessive Executive Compensation
Last year the IRS sent out nearly 2,000 letters requesting detailed compensation data from charities and foundations in connection with the agency's ongoing Tax Exempt Compensation Enforcement Project. This article suggests five ways that nonprofits can manage the risk that executive compensation is not at an appropriate level.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Compensation & Benefits, Corporate Governance, Ethics, Nonprofit Industry, Risk Management & Assessment, GRC
April 10, 2006
IT integration eases Sarbanes-Oxley compliance, cuts costs
Companies quickly learned the importance of integrating the IT function into the overall SOX compliance process and its associated benefits: reduced resource strain and improved compliance efficiency. In this article, Przemek Tomczak offers advice on incorporating IT controls into the compliance umbrella. Tomczak also provides ‘how-to’ testing examples for common automated controls.
CONTENT AREA: Articles
TOPICS: Compliance, Technology, Sarbanes-Oxley Act, Internal Controls, IT Audit, IT Controls, IT Strategy, Canada, Entity-Level Control, GRC
April 3, 2006
Crafting Information Technology Governance
This article presents a holistic view of IT governance, in which structural, process, and relational capabilities are an integral part of an effective IT governance architecture. The article concludes with an IT Governance Assessment Process (ITGAP) model, with which business and IT executives can assess the effectiveness of their company’s current IT governance architecture.
CONTENT AREA: Articles
TOPICS: Technology, IT Infrastructure, IT Strategy
April 3, 2006
Getting Controls Right and Automating Them
First-year Sarbanes-Oxley endeavors were, by necessity, somewhat limited in terms of efficiency and effectiveness. This article suggests that companies should now move towards automated controls, otherwise they will continue to see only minor decreases in their costs related to internal controls and compliance.
CONTENT AREA: Articles
TOPICS: Compliance, Technology, Internal Audit, Internal Controls, Sarbanes-Oxley Act, Software, GRC
March 20, 2006
Confessions of a Configurer: Managing Risk in the SAP Environment: All SAP Journal Entries Balance – Right? (Part 1)
This is the first in a series of articles whose goal is to explain the potential risk areas within SAP, how to test for them, and how to ask more pointed questions to ensure that risks are adequately managed around that configuration. This piece focuses on answering questions for Internal Audit and IT Audit about Special Purpose Ledger Documents which can be directly entered into a Special Purpose reporting ledger.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Financial Reporting, Software, Accounting/Finance, GRC
March 20, 2006
Excel in managing spreadsheet risk
Finance would be virtually unthinkable without the humble spreadsheet. This article describes the four key stages of managing spreadsheet risk and how to define a spreadsheet control framework which will ensure that all aspects of spreadsheet management are addressed.
CONTENT AREA: Articles
TOPICS: Change Management, GRC, IT Controls, Risk Management & Assessment, Sarbanes-Oxley Act, Software, Spreadsheet Risk, Technology
March 20, 2006
IT Change Management: The journey toward value
Traditionally, the IT change process has been viewed as everything from bureaucratic red tape to a big headache that produces extra work, but nothing of value. However, this article argues that IT change management needs to be planned even more carefully than a long trip into unfamiliar territory.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Change Management
March 13, 2006
Auditing Executive Compensation: Carpe Diem, Internal Auditors
Intensity around the topic of executive compensation has increased in recent years. Shareholders are calling for honest and forthright "transparency" related to executive compensation. In this article, Parveen Gupta, from Lehigh University, discusses preserving the integrity of executive compensation through compensation audits. Gupta describes four key dimensions to executive compensation audits.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Internal Audit, Audit Committee & Board, Audit Testing, Internal Audit Administration, Payroll, GRC
March 13, 2006
Control Self Assessment – The Future of Store Audits in Retail Firms
Whether it’s reducing shrink or complying with Sarbanes-Oxley, a rigorous store-level compliance process is key in protecting and substantiating company assets and reporting processes. This article describes the key ways in which this can be achieved through store self-assessment.
CONTENT AREA: Articles
TOPICS: Internal Audit, Self-Assessment, Consumer Products & Retail Industry
March 6, 2006
Planning for a Faster Close – Are You Ready?
Due to faster filing requirements by the Securities and Exchange Commission (SEC), U.S. companies have an added reason to speed up the financial close process. Even without the extra push from the SEC there are good reasons for companies to improve this process. In this article, Protiviti’s Gordon Tucker and Rachel Bell compare how large and small companies are performing in this area; discuss common hurdles; and provide leading financial close practices.
CONTENT AREA: Articles
TOPICS: Best Practices, Sarbanes-Oxley Act, Accounting/Finance, Financial Reporting, Section 302 - Executive Certifications, Section 404 - Internal Control Reporting, Close the Books
February 27, 2006
Strategic Workforce Management: Managing risk and getting the most from your personnel assets
Companies are starting to realize that creating competitive advantage and mitigating risk starts by proactively managing their single biggest cost item and most valuable asset – the workforce. As regulatory constraints tighten and transparency requirements strengthen, many organizations are adopting a proactive stance toward managing their personnel assets.
CONTENT AREA: Articles
TOPICS: Technology, Internal Audit, Risk Management & Assessment, Human Resources, Internal Audit Administration, Software, GRC
February 20, 2006
Assessing Risk in Travel & Entertainment or Procurement Card Programs
The steady drip-drip-drip of small to medium purchases on a corporate credit card can quickly fill a large bucket of unnecessary – and even fraudulent – expenses. This article discusses how assessing corporate card program risk is an important piece of a company’s risk management strategy. It also provides suggested steps to complete this risk assessment process.
CONTENT AREA: Articles
TOPICS: Technology, Internal Audit, Fraud, Risk Management & Assessment, Accounting/Finance, Expense Reporting, Purchasing & Accounts Payable, Software, Audit Testing, GRC
February 13, 2006
Independent Testing: Anti-money Laundering Program Compliance
To help organizations and their auditors understand and implement AML measures, these frequently asked questions (FAQs), extracted from Protiviti's "Guide to U.S. Anti-Money Laundering Requirements," provide guidance.
CONTENT AREA: Articles
TOPICS: Compliance, Fraud, Training & Development, Financial Services Industry, GRC
February 13, 2006
New Tools for Assessments of SAP Controls and Security
Out of the box, SAP does not come configured optimally as it relates to internal controls, and an organization may end up with control exposures after the implementation is complete. As organizations seek to transform SOX compliance into a sustainable, cost-effective process, they can take a giant leap in this direction by using automated tools to further optimize their SAP installation: automating controls, increasing monitoring capabilities, and achieving greater efficiency and effectiveness in the compliance process.
CONTENT AREA: Articles
TOPICS: Technology, Security, Application Development Security, IT Controls, Software, Process-Level Control, Segregation of Duties
February 6, 2006
Sarbanes–Oxley: Achieving Compliance by Starting with ISO 17799
Compliance with SOX has been hampered by the lack of implementation details. This article argues that IT departments that have implemented ten categories of IT controls provided by ISO 17799 will be well on their way toward SOX compliance. A side-by-side comparison of the 124 control components of the ISO Standard and the published SOX implementation guidelines is provided.
CONTENT AREA: Articles
TOPICS: Compliance, Technology, Sarbanes-Oxley Act, Security, IT Controls, PCAOB, Segregation of Duties, GRC
February 6, 2006
Using Enterprise Contract Management to Reduce Risk, Improve Performance
A number of factors in the business environment are leading companies to examine their enterprise contracts management lifecycle. During this review, companies are also pursuing enterprise contract management (ECM) software solutions to help automate the contracts management process. In this article, Protiviti’s Amy Younger and Scott Vanlandingham discuss contract management challenges, associated business risks, and the benefits of adopting an ECM solution.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Intellectual Property, Purchasing & Accounts Payable, Sarbanes-Oxley Act, Software, Supply Chain, GRC
January 30, 2006
Auditing Anti-Money Laundering Compliance
Beyond fulfilling a legal requirement, an anti-money laundering (AML) audit can also help to identify problems and areas for improvement in advance of a regulatory examination. Further, the AML audit will be used by regulators in setting the scope of their examination and identifying areas that may require more or less scrutiny.
CONTENT AREA: Articles
TOPICS: Compliance, Fraud, Internal Audit, Laws & Regulations, Financial Reporting, Financial Services Industry, GRC
January 30, 2006
Canada turns its attention to new disclosure rules
In response to Canadian Securities Administrators (CSA) requirements in Multilateral Instrument 52-109, public companies must prepare to certify their disclosure controls. In addition, Ontario is introducing statutory civil liability for continuous disclosure in secondary markets. This liability will extend not only to issuers but to officers, directors and others involved in the process. Protiviti’s Carmen Rossiter discusses how these disclosure requirements are the wave of the future in Canada.
CONTENT AREA: Articles
TOPICS: Compliance, Cross Border & Non-US Issues, Laws & Regulations, Sarbanes-Oxley Act, Internal Controls, Reporting/Disclosure, Canada, GRC
January 30, 2006
Email Continuity: Maintaining Communications in Times of Disaster
Given the importance of email for almost every business - both in terms of serving as a critical communication tool and as a de facto information repository - an email continuity plan should be at the top of every IT disaster recovery planning list. But is this truly the case? And is the plan comprehensive enough to maintain continuous email communications?
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Technology, Security
January 23, 2006
Partnering with the rest of the board
It should come as no surprise that internal auditing works closely with the audit committee. But look a little closer -- the Standards call for IA to coordinate the activities of the board and communicate information among board members, external and internal auditors, and management. This article suggests a number of opportunities for internal audit to broaden its impact by partnering with the board.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Internal Audit, Corporate Governance, Internal Audit Administration, GRC
January 16, 2006
Getting Serious about Fraud Awareness Training
Every company recognizes the importance of preventing and detecting fraud, but from that point on, paths diverge. Nowhere is this more evident than in how companies train – or fail to train – their employees in fraud awareness.
CONTENT AREA: Articles
TOPICS: Fraud, Training & Development
January 2, 2006
Sensitive or Critical Data Access Controls
Corporations have incredible amounts of information that is created, acquired, modified, stored, and transmitted. Appropriate access controls should be implemented to restrict access to all of this information. The effectiveness of any control will depend on the environment in which it is implemented and how it is implemented. This guide identifies the controls required, and suggests implementation best practices.
CONTENT AREA: Articles
TOPICS: Best Practices, Compliance, Technology, Laws & Regulations, Security, Security Architecture & Models, Security Management Practices, IT Controls, GRC
January 2, 2006
Six Sigma evolves into effectiveness and efficiency measurement tool
One of the key aspects of the COSO Framework includes assessing the effectiveness and efficiency of operations. In this article, Protiviti’s Jon Harper discusses how internal auditors can apply elements of Six Sigma to measure a company’s operational effectiveness and efficiency. Harper also discusses the evolution of Six Sigma, when implementation is appropriate, and the importance of management support.
CONTENT AREA: Articles
TOPICS: Benchmarking, Best Practices, COSO, Internal Audit, Audit Testing, Supply Chain
December 12, 2005
Harness the Compliance Power of Your ERP Platform
By setting up ERP systems to properly automate and monitor controls, companies can reduce staff time, cut costs, and decrease reliance on manual controls. The result will be to move SOX compliance from a project to an ongoing process. This article describes how ERP tools can be configured to help manage segregation of duties, monitoring, and approval rules and to provide exception reports and problem identification that reduces compliance paperwork.
CONTENT AREA: Articles
TOPICS: Technology, Sarbanes-Oxley Act, Compliance, Software, Segregation of Duties, GRC
December 12, 2005
Training Employees To Identify Potential Fraud and How To Encourage Them To Come Forward
Helping employees understand how to identify and report fraud is especially important in today's business climate. Personnel must be motivated to learn how to identify and report fraud by tangible and specific rewards and penalties to support an organization's fraud prevention efforts. This article discusses training topics, motivators, awareness methods, and evaluation.
CONTENT AREA: Articles
TOPICS: Compliance, Fraud, Laws & Regulations, Security, Training & Development, Human Resources, GRC
December 5, 2005
Sarbanes-Oxley Compliance: A Technology Practitioner's Guide
Information technology and security practitioners can take on the role of IT auditor, providing assistance to senior management during the assertion phase, or these professionals can assist the organization in the remediation of material weaknesses discovered during the assessment and assertion testing phases. These roles are discussed in detail in this article.
CONTENT AREA: Articles
TOPICS: Technology, Sarbanes-Oxley Act, IT Controls
November 28, 2005
Avoiding Today’s Top Hiring Mistakes
With numerous competing work demands, plans to add new staff may not always receive sufficient attention. This can often lead to recruitment challenges and poor hiring decisions. In this publication, Max Messmer, chairman and CEO of Robert Half International Inc., discusses some of the most common hiring mistakes and offers advice on how to avoid them.
CONTENT AREA: Articles
TOPICS: Internal Audit, Accounting/Finance, Human Resources, Internal Audit Administration
November 28, 2005
Sarbanes-Oxley and Revenue Recognition Practices
One of the primary goals of the Sarbanes-Oxley Act (SOX) is to ensure that companies are reporting accurate revenue numbers. Consequently, revenue recognition policies have been under particular scrutiny. A new survey of 400 public and private companies found that more than half (55%) of all public companies have changed revenue recognition policies as a result of SOX, and that many of these changes were “moderate” to “significant”. In addition, revenue recognition was identified as one of the top three ongoing control risks and remediation challenges.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, Financial Reporting, Revenue, Internal Controls, IT Controls, Software
November 28, 2005
Wireless security needs to be in scope of risk assessments
Growth in the use of wireless communications technology has been explosive, so fast that most audit teams have fallen behind in making it a part of the scope of risk assessment programs. Even as wireless manufacturers and standards associations continue to build more and more security into their products, the underground wireless community continues to discover ways to circumvent the new controls. This presents internal auditors with unique challenges.
CONTENT AREA: Articles
TOPICS: Technology, Risk Management & Assessment, Security, Wireless, Network & Internet Security, GRC
November 21, 2005
Corporate Governance: A Primer, The Present & Some Predictions
Given the events and headlines of recent years it would be easy to assume that corporate governance is a relatively modern concept. Or is it? In this article, Protiviti’s Bob Hirth examines trends in corporate governance and the opportunities it presents for internal audit, especially related to enterprise risk management (ERM). Hirth also addresses the looming ERM questions of how to get started and where to begin.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Internal Audit, Sarbanes-Oxley Act, COSO, Audit Committee & Board, Enterprise Risk Management, Internal Audit Administration, GRC
November 21, 2005
Information Security Governance
Because the primary purpose of any governance within a corporation is to hold management accountable to the corporate stakeholders, information security governance must have as its primary purpose the process of holding management accountable for the protection and ethical use of information assets. This article discusses information security governance structures, metrics and pitfalls.
CONTENT AREA: Articles
TOPICS: Technology, Security, Knowledge Management, COSO, Security Management Practices
November 14, 2005
New tools help internal auditors transform purchase-to-payment audits for competitive advantage
By moving from manual to automated processing, from detective to preventive controls, and from periodic to continuous monitoring, companies will enjoy a distinct advantage over competitors. Internal auditors can help process owners find the tools to do this. In this article, Protiviti’s Miron Marcotte describes these tools and their application to the purchase-to-payment process.
CONTENT AREA: Articles
TOPICS: Internal Audit, Sarbanes-Oxley Act, Compliance, Cost Management, IT Audit, Audit Testing, Internal Controls, Continuous Auditing, GRC
November 7, 2005
Business Continuity and Disaster Recovery Plans: How and When to Test Them
This article provides guidance for testing BC/DR plans including types of tests you can undertake, planning considerations for developing a test plan and the elements of a test plan. It includes an example simulation test of a response plan for a company finance department.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Disaster Recovery
October 31, 2005
Anti-Fraud Programs and Controls: Combating Fraud and Misconduct Risk
While there is no “one size fits all” approach to anti-fraud programs, management should identify and measure the organization’s fraud and misconduct risk in order to institute an effective anti-fraud program and controls with active oversight by the Board of Directors and Audit Committee. This article presents prevention, deterrence and detection considerations and discusses defining fraud within the context of an organization, and dealing with management override of internal controls.
CONTENT AREA: Articles
TOPICS: Fraud, Corporate Governance, Sarbanes-Oxley Act, Risk Management & Assessment, GRC
October 31, 2005
Securing Web Services
This article explores security issues specific to Web services and illustrates the engineering and testing practices required to ensure security throughout the Web services development life cycle.
CONTENT AREA: Articles
TOPICS: Technology, Security, Application Development Security, Network & Internet Security
October 24, 2005
Maintaining Email Security and Availability
To continue to enjoy the convenience and cost-effectiveness of email, enterprises need to establish a flexible email infrastructure that protects email systems from accidental or intentional disruption and effectively addresses the financial and data management challenges of storing large volumes of email records.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Network & Internet Security
October 24, 2005
Sensible steps toward improved risk management
Increased business risks and changing risk profiles suggest a need for organizations to continuously improve their ability to identify and manage risk. This need for continuous improvement calls for enterprise risk management (ERM). In this article, Protiviti’s Marc Dominus discusses five steps organizations should take to implement an ERM program.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, COSO, Enterprise Risk Management, Risk Management & Assessment, GRC
October 17, 2005
Securing the Information Workplace: Managing Threats to Enterprise Email, IM, and Document Sharing Environments
When looking at the elements that comprise the information workplace - email, IM, and document collaboration - one can see that it is a dynamic, ever-changing environment. And often, there is a lack of guidance on how to use these elements correctly.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Network & Internet Security
October 10, 2005
Auditing PDA Wireless Devices in Financial Services
The personal digital assistant, or PDA as it is more commonly known, presents new challenges to the financial services industry. Consistent, companywide, and properly implemented configuration and management of PDAs and wireless communications are of particular focus for the auditor. This article discusses auditor risk considerations, significant security threats and other threats, and provides suggested minimum configuration guidelines.
CONTENT AREA: Articles
TOPICS: Technology, Internal Audit, Security, Financial Services Industry, Wireless, IT Audit, Access Control Systems & Methodology, Physical Security, Network & Internet Security
October 10, 2005
Internal Auditors’ Sharpened Focus on IT General Controls – Where Risks and Opportunities Converge
Recent corporate governance initiatives have placed high demands on internal audit resources. Management is aware that it must now strike a balance between complying with corporate governance requirements and focusing on critical operational and compliance needs. A number of important internal audit responsibilities converge around security of company data—where a sharp focus on data integrity is central to gaining the desired comfort level. This article discusses how internal audit can balance its responsibilities by dealing proactively with protecting company data.
CONTENT AREA: Articles
TOPICS: Internal Audit, Sarbanes-Oxley Act, Audit Testing, IT Controls, Internal Controls, Section 302 - Executive Certifications, Section 404 - Internal Control Reporting
October 10, 2005
Quality Assessment – Common Pitfalls and Making Preparations
The deadline for quality assessments (QA) of internal audit departments is approaching. This article discusses a number of typical trends that QA teams find within departments during these assessments. Protiviti’s Basil Woller and Kyle Furtis, along with other experts, discuss these trends, the importance of readiness reviews, and strategies to solve problems.
CONTENT AREA: Articles
TOPICS: Internal Audit, Compliance, Sarbanes-Oxley Act, Audit Committee & Board, Internal Audit Administration, Audit Reporting, Internal Controls, Quality Assessment Review, GRC
October 3, 2005
Internal Audit's Role Grows with Business Continuity
As organizations become more complex, global in reach and under the eye of regulators, shareholders and lawmakers, internal auditors need to make sure they play a big role in business continuity management (BCM). Because of the focus on controls and enterprise risk management that internal auditors have, they are well positioned to assess risk, identify the impacts of downtime and comment on key attributes of a business continuity approach.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Internal Audit
October 3, 2005
Sarbanes-Oxley and Enterprise Security: IT Governance and What It Takes to Get the Job Done
Several sections of the Sarbanes-Oxley Act of 2002 (SOX) directly affect the governance of the IT organization, including potential SOX certification by the CIO, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention. This article examines effective IT and security governance in terms of SOX compliance.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Technology, Compliance, Sarbanes-Oxley Act, Laws & Regulations, Section 302 - Executive Certifications, Section 404 - Internal Control Reporting, GRC
September 26, 2005
Change Management
Change management is a core IT general control required to support the business functions of the enterprise. Although change control is conceptually simple, the mechanics of implementation and monitoring require attention to detail as well as support from IT, users, and business unit management.
CONTENT AREA: Articles
TOPICS: Technology, IT Controls, Software, Segregation of Duties, Change Management
September 19, 2005
Building an Effective Privacy Program
Privacy and trust are essential in maintaining good relationships with customers, employees, and business partners. An effective privacy governance program will not only make your customers happier, but also mitigate your exposure to regulatory noncompliance, lawsuits, bad publicity, and government investigations. This article discusses the issues to address when building a privacy governance program.
CONTENT AREA: Articles
TOPICS: Security, Privacy, Risk Management & Assessment, Laws & Regulations, GRC
September 12, 2005
Beyond the obvious—making room for IT at the ERM table
It’s becoming clear that companies are trying to take better advantage of IT-enabling technologies to become more efficient. However, too often IT is siloed, and technology risks are not uniformly managed from an overall business objective and business risk perspective. This article discusses the Capability Maturity Model as a potent mechanism for measuring risk and for providing a road map; a means by which executives—particularly those who lack an IT background—can visualize and begin to manage technology risks from an enterprise perspective.
CONTENT AREA: Articles
TOPICS: IT Controls, Enterprise Risk Management, Technology, GRC
September 12, 2005
Next Generation Accountant: A New Outlook on a Timeless Profession
This publication is the result of research undertaken by Robert Half International to gain insight into the future of the accounting and finance profession. The study confirmed that the accounting and finance profession is undergoing profound change. Looking into the future of the accounting and finance profession, the research examines topics such as the long-term impact of reforms and how future professionals should prepare for this changing environment.
CONTENT AREA: Articles
TOPICS: Internal Audit, Training & Development, Financial Reporting, Accounting/Finance, Internal Audit Administration
September 5, 2005
Emerging Trends in Construction and Internal Audit: From Compliance to Insight
Historically, the role played by Internal Audit in construction has focused on matters of contract administration (e.g., compliance with contract terms, auditing payment applications and change orders, reviewing lien waivers and subcontractor insurance, etc.) or seeking to identify cost recoveries. This article addresses several emerging trends that Protiviti has identified that appear to be redefining the role Internal Audit plays in the construction industry.
CONTENT AREA: Articles
TOPICS: Internal Audit, Compliance, GRC
September 5, 2005
Wireless Security Architectures
Here is Chapter 15 of a new Wireless Security Handbook: Wireless Security Architecture. Earlier chapters described some methods previously used to secure wireless communications, and how some of them have fallen victim to oversight or incorrect security implementations. This chapter puts those security methods together to see a number of secure wireless solutions.
CONTENT AREA: Articles
TOPICS: Technology, Security, Network & Internet Security, Wireless
August 29, 2005
Application Security: High-Profile Security Breaches Move Secure Development to the Top of the Security Checklist
Secure application development requires a constant balancing act between functional requirements and business drivers, deadlines and limited resources, and risk and flexibility. Success comes to organizations who build security into all phases of their application development lifecycle. This article provides an understanding of secure application design, security trade-offs, and common problems with implementing secure code.
CONTENT AREA: Articles
TOPICS: Technology, Security, Application Development Security, Software
August 22, 2005
A Common Language Masks Global Differences in Financial Reporting
The Institute of Chartered Accountants in England & Wales (ICAEW) issued a press release announcing the publication of a report highlighting the historical reasons for differences between US and UK financial reporting and auditing. ‘Divided by Common Language’, by Tim Bush of Hermes Pensions Management, highlights difficulties arising from the US 1933 Securities Act. The report launches the ICAEW’s ‘Dialogue in corporate governance’ initiative.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Cross Border & Non-US Issues, Laws & Regulations, Sarbanes-Oxley Act, Audit Committee & Board, Internal Controls, United Kingdom, GRC
August 8, 2005
How California’s security breach law set the pace
Since California’s security breach law, SB 1386, took effect two years ago, corporations haven’t been deluged with the rash of consumer lawsuits predicted when strict data privacy laws went into effect. So why have 16 other states already passed similar legislation on their home turf with the federal government, and why are many more states expected to follow?
CONTENT AREA: Articles
TOPICS: Technology, Security, Privacy, Laws & Regulations
August 1, 2005
Enterprise Vulnerability Management and Its Role in Information Security Management
This article underscores the central role of vulnerability management in ensuring enterprise security. An effective vulnerability management program will not only guard against hackers, but will also assure minimal impact from hybrid malware that exploits known vulnerabilities.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Controls, Security Management Practices, Network & Internet Security
July 25, 2005
Centuries-Old Property Law Makes Costly Claims Against Modern Companies
Laws and regulations focused on escheatment are forcing companies to identify unclaimed property under their control. In this article, Protiviti’s Miron Marcotte and Linda Anderson explain the concept of escheatment and its broad implications. In addition, they offer advice for companies subject to an escheatment audit.
CONTENT AREA: Articles
TOPICS: Internal Audit, Compliance, Laws & Regulations, Credit & Collections, Purchasing & Accounts Payable, Audit Testing, GRC
July 25, 2005
Using Standardized IT Security as a Competitive Advantage
There are two standards that companies can implement that can help with IT and information security: ISO 17799 and British standard BS 7799-2. When the two standards are combined, a company has a great platform from which to create a secure IT system. By achieving such a standard, a company can tout its security when marketing its services.
CONTENT AREA: Articles
TOPICS: Technology, Security, Best Practices, Security Management Practices, IT Audit
July 18, 2005
Commitment to Excellence Fuels Enterprise Risk Management at First Data
Even before the Sarbanes-Oxley Act, First Data began assessing risk – primarily operational risk – on an enterprise level. Today a team comprised of internal audit, six sigma, traditional risk management and project management personnel is dedicated to Enterprise Risk Management (ERM) and Sarbanes-Oxley and spans all business lines. Heath Sampson, Vice President of Risk, Control and Audit, discusses the evolution of ERM at First Data, what the company expects to gain, and lessons learned from implementations.
CONTENT AREA: Articles
TOPICS: Enterprise Risk Management, Internal Audit, Compliance, Corporate Governance, Sarbanes-Oxley Act, Internal Audit Administration, GRC
July 11, 2005
Canada develops Sarbanes-like reporting requirements
Canadian companies are following their American counterparts into the world of detailed reporting on internal control over financial reporting. This ruling, Proposed Multilateral Instrument 52-111, closely mirrors Sarbanes-Oxley. This article explains 52-111’s requirements and how the compliance process is expected to differ from Sarbanes-Oxley. It also discusses the reaction of Canadian companies.
CONTENT AREA: Articles
TOPICS: Sarbanes-Oxley Act, Cross Border & Non-US Issues, Compliance, Internal Controls, Section 404 - Internal Control Reporting, Corporate Governance, Canada, GRC
July 4, 2005
Managing Risk Through Database Monitoring
Business organizations have long known that the ability of privileged database users to obtain or manipulate database information presents a security risk. Because of privacy protections and security requirements in the Sarbanes-Oxley Act, HIPAA and other laws and regulations, companies no longer can rely on trust and hope that privileged users act responsibly. The potential penalties and reputation risk to the organization are too great.
CONTENT AREA: Articles
TOPICS: Technology, Security, Risk Management & Assessment, Application Development Security, Software, GRC
June 27, 2005
A Model of Information Assurance Benefits
Effective information assurance (IA) is the key to reliable management decision-making, customer trust, business continuity, and good governance in all sectors of industry and public service. Yet making a business case for IA investments can be difficult because the scope of the potential benefits can be very broad. Based on interview data collected from company executives, senior managers, and a variety of external stakeholders, we develop and discuss a four-layer model that can be used to help structure the case for information assurance investments.
CONTENT AREA: Articles
TOPICS: Technology, Security, Access Control Systems & Methodology, IT Audit, Security Management Practices
June 27, 2005
Strategy for Meeting Financial Regulatory Compliance
Financial institutions face an increasing number of compliance regulations. IT audit methods and techniques have been enhanced to successfully perform compliance audits in the financial sector. In this article, Nicholas Benvenuto, Protiviti managing director, discusses the objective of the compliance audit. Additionally, he describes a compliance audit methodology that can be customized to each company’s unique requirements.
CONTENT AREA: Articles
TOPICS: Access Control Systems & Methodology, Audit Testing, Compliance, Financial Services Industry, Internal Audit, Internal Controls, Laws & Regulations, Sarbanes-Oxley Act, GRC
June 20, 2005
Battling the Bots
The concept of a powerful robot machine that can become more powerful than man is a frightening one that has lit up the screens of Hollywood for several decades. Today that fear has become a real threat in the eyes of some system administrators who have had to deal with something known as a bot. But there are ways to defend against them, as this article explains.
CONTENT AREA: Articles
TOPICS: Technology, Security, Software, Network & Internet Security
June 20, 2005
Build a whistleblower program without blowing the budget
For smaller companies, developing a whistleblower program can be a big job due to limited time and resources. This article summarizes various whistleblower guidance and requirements. Additionally, the author suggests methods for small companies to satisfy these requirements including reporting mechanisms, communication programs, case management, and investigative protocols.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Ethics, Fraud, Whistleblower/Complaint Reporting, GRC
June 13, 2005
It’s All About the Data
Data problems come about when little regard is paid to the consequences of data replication. As IT infrastructure costs decline, investing in the accuracy and currency of the corporate data asset will become paramount. A guideline to live by is that an environment with too much data replication is often costly and unwieldy, but one that has data that is replicated and different is often devastating. This article discusses the issues involved in choosing the right balance.
CONTENT AREA: Articles
TOPICS: Technology, Knowledge Management, IT Audit, IT Infrastructure
June 6, 2005
Building Management Commitment through Security Councils
This article explores some techniques for building management commitment through the implementation of a successful information security council.
CONTENT AREA: Articles
TOPICS: Security, Security Management Practices
May 30, 2005
Desktop Security and Usability Trade-Offs: An Evaluation of Password Management Systems
One of the most exploitable elements in the chain of security is the password. For many, there is a high usability barrier to the proper handling of passwords. This article examines some of the causes of this difficulty and possible approaches to managing the password explosion.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Controls, Access Control Systems & Methodology
May 23, 2005
Implementing an Information Security Awareness Program
This article addresses the elements that make up a successful information security awareness program. It addresses the role that organization personnel play in the information security program and how to use this information to one’s benefit. It also discusses how to establish awareness program scope, how to segment the audience, and how to ensure that the content is effective in getting the message to the user community.
CONTENT AREA: Articles
TOPICS: Technology, Security, Training & Development, Security Management Practices
May 23, 2005
Quality Assurance Standard 1312: Which option is best for you?
The clock is ticking to comply with the IIA quality assessment standard (Standard 1312). As the timeline shortens, companies are evaluating which quality assessment option best fits their company: an external assessment or a self-assessment with independent validation. In this article, the vice presidents of internal audit at Chiquita Brands International and Experian each discuss the quality assessment option they selected and why.
CONTENT AREA: Articles
TOPICS: Best Practices, Compliance, Internal Audit, Audit Committee & Board, Self-Assessment, Audit Testing, Internal Audit Administration, Quality Assessment Review, GRC
May 16, 2005
Fighting Spyware and Adware in the Enterprise
While obvious security threats like fast-spreading worms have a tendency to garner news headlines, other stealthy security risks threaten businesses every day. Increasing amounts of spyware and adware programs have the ability to facilitate the disclosure of business information and risk privacy, confidentiality, integrity, and system availability. This article discusses various ways in which adware and spyware can be combated.
CONTENT AREA: Articles
TOPICS: Technology, Security, Privacy, IT Controls, Network & Internet Security, Software
May 9, 2005
HIPAA Programs: Design and Implementation
The degree of success of operating within the rules of HIPAA depends on the ability of the organization to establish a program that ensures thoughtful and consistent execution of the requirements of HIPAA. This article describes a program approach to deal with the required security and privacy standards.
CONTENT AREA: Articles
TOPICS: Privacy, Security, Laws & Regulations, Compliance, Healthcare & Pharmaceuticals Industry, GRC
May 9, 2005
Sustaining SOX Compliance
Accelerated filers that did not receive a passing SOX grade are dealing with the consequences and those that made the grade are enjoying a short sigh of relief. Regardless of success, all accelerated filers should now be addressing Year Two compliance efforts. This article explores the lessons learned in Year One, the compliance environment going forward, and considerations for building a sustainable ongoing SOX compliance process.
CONTENT AREA: Articles
TOPICS: Audit Committee & Board, Compliance, External Auditor, Project Management, Sarbanes-Oxley Act, SAS 70, Section 404 - Internal Control Reporting, Self-Assessment, GRC
May 5, 2005
Enterprise Risk Management: Practical Implementation Ideas
It has become clear that traditional risk management approaches do not adequately identify, evaluate, and manage risk. Protiviti’s Jim DeLoach discusses how ERM transforms risk management to a proactive, continuous, and process-driven activity. Additionally, he offers practical ideas on how to implement ERM within an organization. These include articulating a risk management vision, using the capability maturity model, evaluating the existing risk management structure, and selecting the enterprise’s priority risks.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Enterprise Risk Management, COSO, Internal Controls, GRC
May 2, 2005
Involving Internal Audit In Business Continuity Management
Internal auditors can play an invaluable role in the development of strategies, plans, and actions that provide protection for those activities or business processes which, if interrupted, might bring about a seriously damaging or potentially fatal loss to organizations. This article discusses how Internal Audit can help manage business continuity efforts, using the healthcare industry as an example.
CONTENT AREA: Articles
TOPICS: Business Continuity Management, Internal Audit, Healthcare & Pharmaceuticals Industry
May 2, 2005
Recognizing and reporting material changes in internal control
It is important companies remember that in Year Two of SOX compliance they must disclose information about material changes made to internal controls over financial reporting. This article discusses the concept of material changes, the importance of a structured evaluation approach for this process, and recommended steps for implementing such a process. In addition, this article offers a checklist to help assess your understanding of Year Two requirements.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Compliance, Internal Controls, Section 302 - Executive Certifications, Section 404 - Internal Control Reporting, GRC
May 2, 2005
The Importance of Asset Management
Asset Management: It's a topic no enterprise likes to talk about. But the fact is, few organizations today have a thorough understanding of what, exactly, is on their networks at any given time. This article looks at how an effective asset management solution enables organizations to feel secure, knowing that they have a complete inventory audit without the need for physical or manual checking.
CONTENT AREA: Articles
TOPICS: Technology, Asset Management, Compliance, IT Infrastructure, GRC
April 25, 2005
Proactive Network Security: Making Your Network Unassailable
Used in combination with reactive technology such as intrusion detection systems, proactive network security offers realistic protection by treating threats and vulnerabilities not as isolated events, but as permanent “features” of the new networked environment.
CONTENT AREA: Articles
TOPICS: Technology, Security, Network & Internet Security
April 25, 2005
RFID Risk Management
Radio Frequency Identification (RFID) is transforming the way business is conducted. Rudimentary versions of this hot new technology are being used today, probably more often than most of us are aware. Although there are many benefits to using the new RFID technology, careful thought must be given to the possible risks that come with it. This article describes the risk assessment process and lists key questions the internal auditor should consider in any RFID project.
CONTENT AREA: Articles
TOPICS: Technology, Security, Privacy, Risk Management & Assessment, Supply Chain, Materials Management & Inventory, Network & Internet Security, Wireless, GRC
April 18, 2005
Security Analyses for Enterprise Instant Messaging (EIM) Systems
This article focuses on security issues related to instant messaging, first examining the threats and available countermeasures present in existing IM services. These include viruses and worms, Trojan horses, identity theft, impersonation, eavesdropping, data loss, and denial-of-service attacks. This article then examines the variety of EIM solutions available.
CONTENT AREA: Articles
TOPICS: Technology, Security, IT Infrastructure, Software, Telecommunications, Communications Industry
April 18, 2005
The Next Step: Extracting Value from Sarbanes-Oxley
Buried in the mountains of SOA documentation are opportunities to accelerate the month-end close process while reducing both cost and risk. The task-level process review required by SOA can help identify redundancies, inadequate systems tools and process quality issues that reduce effectiveness and efficiency. This article discusses key indicators that your process can be improved, how to start moving towards optimization, and what companies can expect to gain.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Accounting Organizations, Accounting/Finance, Financial Reporting, Internal Controls, Close the Books, GRC
April 11, 2005
Information Security Threats and Practices in Small Businesses
This article focuses on how small businesses (fewer than 500 employees) are managing information security and the associated risks. The findings indicate that the businesses interviewed for this study are taking many of the typical steps that are indicative of best security practices. However, there are also several areas of concern that could potentially leave their systems open to threats.
CONTENT AREA: Articles
TOPICS: Technology, Security, Best Practices, Security Management Practices
April 11, 2005
Raising An Audit Issue Is One Thing, Closing It Out Is Another
From an audit committee standpoint, Sarbanes-Oxley has made follow-through on internal control matters even more important. In this article, three experts share their views on creating a successful follow up process for audit issues. They discuss developing action plans, tracking outstanding issues, the importance of complete documentation and of creating accountability for unresolved items.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Internal Audit, Accounting/Finance, Sarbanes-Oxley Act, Audit Reporting, Audit Testing, Internal Audit Administration, GRC
April 4, 2005
Financial institutions weigh the risks of offshore outsourcing
Outsourcing has become a way of life for financial institutions, and the trend is not confined to just the major players. 40 percent of community banks and savings associations are using outsourcing for core systems processing work. While moving IT or other functions offshore may increase efficiency and reduce costs, it is not without its risks, and offshore outsourcing adds country risk factors to the equation.
CONTENT AREA: Articles
TOPICS: Financial Services Industry, Laws & Regulations, Outsourcing/Co-sourcing/Shared Services, Risk Management & Assessment, SAS 70, GRC
April 4, 2005
The Ethical and Legal Concerns of Spyware
Computer users are threatened by stealth invaders, in the form of spyware, which gather users’ personal information for target marketing purposes, but can also disrupt the operation of the computer. This article examines the ethical and legal controversy within the United States surrounding spyware. The various methods of battling spyware, including approaches by individual users, organizations, and government oversight, legislation, and litigation, are discussed.
CONTENT AREA: Articles
TOPICS: Technology, Security, Ethics, Privacy, Laws & Regulations
March 28, 2005
Accountability in EDI Systems to Prevent Employee Fraud
An electronic data interchange (EDI) system must be accompanied by appropriate controls to protect the system from individuals who could commit fraud against their organization’s trading partners, typically through the unauthorized use of the system to create counterfeit documents to accomplish personal goals. This article summarizes the controls necessary to prevent, detect, and fix fraudulent attempts against an EDI system, to help ensure trust between trading partners.
CONTENT AREA: Articles
TOPICS: Technology, Security, Fraud, Internal Controls, Ethics
March 28, 2005
Technology Change Management and Sarbanes-Oxley: Adding Value to the Process
As a result of Sarbanes-Oxley and other compliance efforts, many organizations have finally, and sometimes painfully, documented and tested their key IT systems, risks and controls. Now they have a new challenge: dealing with ongoing change. This article discusses how and why to optimize the technology change management process.
CONTENT AREA: Articles
TOPICS: Change Management, IT Strategy, Technology, Sarbanes-Oxley Act, IT Controls, Corporate Governance, Compliance, GRC
March 21, 2005
Assessing and Managing Security Risk in IT Systems: Chapter 1, Using Models
This is the first chapter of a book about assessing the security attributes of an information system and implementing improved security environments. Chapter 1 discusses understanding, selecting and applying models.
CONTENT AREA: Articles
TOPICS: Security, Risk Management & Assessment, Security Management Practices, GRC
March 21, 2005
Developing a whistleblower model that works
Building a successful whistleblower program takes an organization-wide effort. Protiviti’s Joe Freiburger discusses critical success factors, program needs assessment, response protocol, and legal considerations. He also provides 10 audit steps for reviewing a whistleblower program.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Fraud, Ethics, Audit Committee & Board, Whistleblower/Complaint Reporting, GRC
March 14, 2005
Audit the Data – or Else
Data integrity is a critical component of business operations. Compromising data leads to compromising the business. This white paper discusses the importance of building an audit trail around business data. An audit trail is the tool that will detect anomalies, prove compliance, and provide assurance that data is used appropriately. In addition, this paper discusses the hazards surrounding data, how to contend with compliance, and best practices in auditing data.
CONTENT AREA: Articles
TOPICS: Technology, Internal Audit, Compliance, IT Controls, IT Audit, IT Infrastructure, Audit Testing, GRC
March 7, 2005
Lessons Learned for 404 Accelerated Filers
As accelerated filers close out Year One, they have much advice to pass along to companies with a 2005 Sarbanes-Oxley due date. Communicating proactive advice will help move SOA compliance towards best practice efforts and avoid costly mistakes. This article includes thoughts on what went right in Year One and items 2005 first-time filers should be aware of while working towards compliance. Topics include what to think about before you begin, awareness throughout the process, international issues, and Year One team success factors.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Compliance, Internal Controls, IT Controls, Project Management, GRC
February 28, 2005
Building a corporate ethics program
Corporate ethics programs have become a priority for many company executives in response to new regulatory requirements. In this article, Chris Yost, Whole Foods director of internal audit, Donna Passal, Office Depot director of corporate governance, and Scott Mitchell, OCEG president, offer their perspectives on building and maintaining a successful corporate ethics program. They describe their automated compliance tools, following up on findings, communication strategies, and other key aspects of ethics programs.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Ethics, Compliance, Audit Committee & Board, Whistleblower/Complaint Reporting, GRC
February 21, 2005
The Nascent Chief Audit Executive: Preparing for a Brave New World of Business
Because of the rapidly evolving audit environment, the role of the chief audit executive (CAE) is undergoing fundamental change. In a post Sarbanes-Oxley environment, today’s CAE must assume a higher profile than at any time in the past. This white paper discusses the challenge and opportunity of the CAE position by examining the changing face of internal audit, new leadership agendas, traits of a successful CAE, and managing the convergence of audit, risk, and compliance. Protiviti’s Bob Hirth also provides his perspective on the important role of a CAE within a business organization.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Accounting Organizations, Internal Audit, Sarbanes-Oxley Act, Audit Committee & Board, Internal Audit Administration, GRC
February 14, 2005
The Case for Continual Auditing
Increasingly, organizations need independent assurance that control procedures are effective and that the information produced for decision-making is both relevant and reliable. In this article, David Coderre explains the concept of continual auditing and how it supports these demands by bringing risk assessment, audit planning, digital analysis and other audit techniques together. Coderre distinguishes continual auditing from continuous monitoring and demonstrates how this approach can support risk management, audit planning and follow-up. He also gives an example of applying continual auditing techniques to accounts payable.
CONTENT AREA: Articles
TOPICS: Internal Audit, Risk Management & Assessment, Accounting Organizations, Audit Reporting, Audit Testing, GRC
February 7, 2005
Aligning Sarbanes and Internal Audit Resources
Public companies have poured huge amounts of time, effort and money into meeting the documentation, testing and reporting requirements of Section 404 of the Sarbanes-Oxley Act. Now that Year One of Sarbanes compliance has come to an end, it is an ideal time to ensure that other COSO objectives, as well as other projects management might want done, are adequately funded in internal audit department budgets. This article focuses on the importance of aligning internal audit and Sarbanes work while assessing future resource and budget needs.
CONTENT AREA: Articles
TOPICS: Internal Audit, Sarbanes-Oxley Act, Compliance, Budgeting, Internal Audit Administration, Enterprise Risk Management, Project Management, GRC
February 7, 2005
Cookies and Privacy
This article provides an overview of cookies, the small files used to collect information about Internet use. Although initially designed to assist users in shopping online, cookies have become a synonym for the invasion of privacy. The article discusses the structure of cookies, their advantages and disadvantages, legal issues, and US and EU laws regarding their use.
CONTENT AREA: Articles
TOPICS: Technology, Privacy, Security, Cross Border & Non-US Issues, Telecommunications, Laws & Regulations, European Union, Communications Industry
February 7, 2005
The Role of Internal Audit – A Prudential Perspective
In this speech, John F. Laker, Chairman of the Australian Prudential Regulation Authority (APRA), addresses the NSW Chapter of the Institute of Internal Auditors to offer an APRA perspective on the role of internal audit within the institutions the APRA supervises. He discusses how internal audit is one of the fundamental “checks and balances” for sound corporate governance but is a separate function from risk management. Laker also describes the expectations of internal audit by prudential regulators at the international level and how APRA assesses whether internal audit in the institutions it supervises meets these expectations.
CONTENT AREA: Articles
TOPICS: Internal Audit, Sarbanes-Oxley Act, Accounting Organizations, Cross Border & Non-US Issues, Internal Audit Administration, Internal Controls, Australia
January 31, 2005
Electronic spies beat corporate espionage
The computer has taken industrial espionage out of the realm of miniature cameras and into cyberspace, where mole-hunting is a whole new ballgame.
CONTENT AREA: Articles
TOPICS: Security, Fraud, Technology
January 31, 2005
IT Asset Management: How to Improve the Business of IT
Managing IT assets improves the bottom line, minimizes risk exposure and increases the return on a company's technology investment. It leads to informed decision-making regarding such issues as IT service management, problem management, and change management. This article discusses the business case for IT asset management, hallmarks of best-in-class programs, and getting started.
CONTENT AREA: Articles
TOPICS: Asset Management, Technology, Compliance, IT Infrastructure, Change Management, GRC
January 24, 2005
Closing Out Year One: Final Steps and Advice on SOX Compliance
Now that many have completed Year One of SOX compliance, companies are armed with advice for non-accelerated filers gearing up SOX efforts in 2005. In this article, Gordon Tucker, Protiviti Managing Director, discusses the important lessons learned during Year One. These include advice on dedicating adequate time and resources, gaining clarity around Audit Standard No. 2, and general IT control documentation.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Internal Controls, IT Controls, Project Management, Sarbanes-Oxley Act, SAS 70, Entity-Level Control, GRC
January 24, 2005
Making the Most of an Internal Investigation
Ken Yormark, CPA and CFE, is a Managing Director in the New York City office of Protiviti and has been involved in numerous internal investigations of all degrees of size and complexity. In this article, Yormark discusses the steps essential to conducting a successful internal investigation. These key steps include setting goals, choosing the right players and who will manage the process, items to think about while the investigation is occurring, and how to report the findings. Yormark also emphasizes that if an expert team operates with speed and efficiency, the investigation will produce beneficial results beyond identifying the perpetrators.
CONTENT AREA: Articles
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Fraud, Laws & Regulations, Whistleblower/Complaint Reporting, GRC
January 24, 2005
Reducing Enterprise Risk with Effective Threat Management
Threat management combines all operational actions of intrusion prevention and protection into a life cycle where one component feeds the next. By implementing effective threat management, an organization will fortify its environment, reduce its exposure to threats, and attain the security intelligence it needs to continuously improve its security. This article describes the foundations of threat management.
CONTENT AREA: Articles
TOPICS: Security, Enterprise Risk Management, Operations Security, Security Management Practices, GRC
January 17, 2005
Sarbanes-Oxley and Private Companies: Operating in a New Environment
Although private companies are currently exempt from the requirements of the Sarbanes-Oxley Act, they cannot ignore the principles behind the legislation. Private companies are not immune to the same forces that brought the collapse of several highly visible public companies. In this arti