Are You Ready for the Audit Challenges of 2010?

Feature article

Gordon Smith

The Journal of Corporate Accounting & Finance, May/June 2010, pp. 65–68
© 2010 Canaudit, Inc., reprinted with permission. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20596

Last year, the author saw a significant increase in the number of organizations that had to report the loss of confidential information. Clearly, the situation is getting worse. Yet most organizations are not increasing the scope of internal audits to identify flaws susceptible to fraud. How prepared is your company?

This year, as I write my perspective on the new year, I am very concerned. I have seen a significant increase in organizations that had to report the loss of confidential information (see privacyrights.org for an update on the organizations that reported cyber incidents). In 2009, there was a significant increase in electronic fraud, particularly from organized groups. In a previous commentary for my clients, I outlined the shift in fraud scams and the techniques used to gain access to account information. Since then, there have been several more payroll frauds, a significant increase in bank wire frauds, and an increase in credit and debit card frauds. Clearly, the situation is getting worse, yet most organizations are not increasing the scope of internal audits to identify flaws that are susceptible to fraud.

“COMPLIANT” BUT NOT SECURE

When a serious event occurs, I hear a similar mantra from management: “We are SOX compliant,” “We are PCI compliant,” “We are HIPAA compliant,” “We are COBIT compliant.” Management actually believes that being compliant means that they are secure. Now, do not get me wrong. I believe that complying with these standards is essential. I just want to reemphasize that the standards are weak on real security. The standards often rely on general controls, management review, and some access and patch controls, but they do not go to the depth required to ensure a secure environment. This is not the fault of the standard. Remember that the standards usually set the minimum requirements.

The standards are set at a point in time. They are reviewed and updated periodically based on input to the governing body. Changes to the standard must be studied, drafted, peer reviewed, and released. This is a labor-intensive process, performed primarily by knowledgeable and dedicated professionals. Unfortunately, the process takes time. By the time revised standards are published, the bad guys and gals have invented new tricks to circumvent control structures. If you close one door, they come in through the windows. Close the windows and they come in through the chimney. It is a constant battle to remain compliant and secure.

As I work with a variety of audit and security professionals, I have come to the conclusion that they are looking at the wrong things or wasting a lot of time in interviews. While it is necessary to document control structures, I believe that thorough testing of controls is necessary. At Canaudit, we use a suite of automated software tools that enable us to quickly audit operating systems, databases, network devices, Web applications, and Internet sites. This is just a small sampling of the tools and techniques that we have developed over the last 25 years.

There are many publicly available tools that also enable automated or semiautomated auditing. We teach participants in our seminars how to use some of the most popular tools. We also provide them with a CD containing a variety of proven software tools to automate many of the security checks we believe are necessary. The ironic thing is that most of the auditors and some of the security officers in my classes are not permitted to use these tools when they return to their offices. I understand that IT management is concerned with use of the tools on the network. I also know that these same people are concerned that this type of testing will reveal serious gaps in the organization’s IT security structure. To ensure that the status quo is not disrupted, auditors and security personnel are prevented from using the tools. This works well until there is a major security incident. That is when I hear that executives relied on the very security professionals whose hands they tied. The security professionals may be the ones who ultimately pay for the breach with their jobs.

When I am called in after a security event, I like to review budget submissions, e-mails, and other documentation. This often shows that the security professional was not permitted to acquire or use the tools necessary to validate that the required security is in place. Then I make a point to let management know that there is definitely a public relations cost to declining security tools, tying the hands of your security and audit professionals, and generally burying their heads in the “it won’t happen here” sandpit. These are strong words, particularly from me, but they have to be said. We can no longer proceed as if our networks are secure. We must recognize that the threats are real, additional controls are needed, and security must be rigorously tested on a regular rather than periodic basis.

SKILL SETS ARE DEGRADING

I have also noticed that the IT audit skill sets of many audit departments are degrading. Training budgets have been decimated over the last two years. As a result, it has been difficult for auditors to remain cognizant of new threats and the required controls to ensure that their informational assets remain secure. Many IT audit groups continue to use some of the same techniques we used 15 years ago instead of newer tools that can automate risk identification and qualification. Compounding the loss of professional development resources, some audit departments have downsized their IT audit staff over the last few years. As a result, many audit departments are not prepared to respond to the heightened risk of compromised networks and the disclosure of confidential information.

As mentioned in some of my previous client newsletters, the hackers have changed techniques. They target databases directly. The shortage of both IT auditors and IT audit skill sets results in the failure to audit critical databases. Recently, I added some live demonstrations to my presentations. These demonstrations show the ease with which databases can be compromised while avoiding intrusion prevention and detection software controls. The participants are shocked to see the simplicity of the methodologies currently in use by cyber criminals and how effectively they beat a sophisticated control structure. The demonstrations have the most impact on senior executives. When they see with their own eyes how easy it is to bypass controls and steal data, they finally understand the need for a modern IT control structure.

AUDIT REPORTS DOWNPLAY RISK

Moving on to another topic, it is clear to me that audit reports are not conveying the information executives need to truly understand the risks. I believe that three things cause this information gap. The first is the failure to clearly state the risks in our existing audit reports. The second is failing to do the right audits. The third is failing to do the audits we do perform correctly. Let me explain these in more detail.

In my review of my clients’ audit reports, I often see an executive summary that does not communicate the risks to management in a way that enables them to grasp the severity of issues. The executive summary starts out with a short description of the audit scope. Then we have several paragraphs describing how various controls are ineffective. Then we close by stating that controls are adequate. Is it any wonder that management does not fund enhanced control structures? If controls are adequate, why should they worry? Yes, there are some issues, but they believe they can live with them. In my classes, I have a routine I do to explain the futility of existing audit summaries. The typical summary starts by describing the scope. The summary continues by stating that this control stinks, that control stinks, and additional controls stink. Then the summary ends with the statement that overall controls are adequate.

Now let us look at the word adequate. In the dictionary, it states that adequate means “barely sufficient to suitable.” Would you get on an airplane that had an adequate amount of fuel? Would you invest your life savings in a stock that had an adequate probability of appreciating? At Canaudit, we write our audit reports in a way that management can understand the issues and the severity of the issues. We do not state that controls are adequate. Instead, we describe the greatest unmitigated risks identified during our audit. Occasionally, our clients have a very effective control structure. When that happens, we state clearly that the controls are effective and that staff did a great job. In any audit report, it is necessary to ensure that management gets the correct message. Do not say that controls stink but then conclude that they are adequate. If controls are bad, state it clearly.

Now let us look at failing to do the right audits. General controls are overaudited. It is amazing to me that internal and external auditors and regulators all tend to audit these. We need to look at a new dimension in auditing: protecting our networks and data from cyber criminals, disgruntled employees, and, yes, employees who make dumb and stupid mistakes. This means that we have to raise the priority of database, network, and operating system audits. At Canaudit, we have combined these audits into a single project, the IT Security Baseline. In four or five days, we sweep the entire network looking for poorly secured machines, databases, and network devices. We perform a full battery of tests on these items. Other items, such as technical audits of applications, take longer.

The IT staff at our clients is usually very surprised when we come in and do our technical audits. We do not ask the same questions other auditors have repeatedly asked them. Instead, we look at the network, the databases, the applications, and the Web applications as a truly technical audit. We audit them with a combination of automated and manual procedures. We do not spend much time interviewing the client staff. Instead, we come in, hook up to the network, and proceed to do the audit using our audit software. After we have completed the majority of the work, we then have the information required to determine the essential controls that need to be implemented and the priority of the control implementation.

We believe that the IT Security Baseline is the most important part of an IT audit or security two-year plan. At the beginning of the audit cycle, it identifies the greatest risks and provides a series of metrics that can be used by executives to measure improvements. The baseline also enables audit management to adjust and reprioritize the audit plan. The security baseline gives the audit committee and the chief audit executive the knowledge they need to reassess the audits and the urgency or priority each audit should be given.

DATA WAREHOUSES POORLY SECURED

As we are now into a new year, it is time for auditors and security folks to focus and concentrate. We need to focus on the projects that need to be done and concentrate on getting them done. As mentioned earlier, our applications, networks, and databases are at risk. Every day, more cyber thefts and frauds are reported. Our work on data warehouses, where many of our clients store their critical data, demonstrates that they are often poorly secured. They are sitting ducks to a professional cyber criminal. Many of our clients have off-shored critical operations and support functions. As a result, there is a plethora of network gateways from the outsourcer to their many clients that may not be properly audited or even known to your risk managers. As a result, there is a need to ensure that your staff has the knowledge to operate effectively in these complex environments.

Professional development is essential for the members of our profession. Audit and security professionals need to continuously upgrade their skill sets. Our firm, Canaudit, offered a two-for-one registration special late last year to provide our clients with a vehicle to obtain high-quality professional development at a price that constrained budgets could afford. We will continue to offer incentives to assist our clients in obtaining the skills they need to face new audit and security challenges.

Another challenge that auditors face is the ever-increasing cost of membership in professional organizations. The Institute of Internal Auditors just notified me that membership dues would be increasing by 50 percent. My communications with them about this indicate that the increase is required. Personally, I think this is terrible timing. Many of the members are facing reduced financial support from their companies for professional dues. Others have lost their jobs and are unable to pay for the increase. That said, the Institute claims that their costs are rising and the increase, which was carefully considered, needed to happen. I can only hope that your company continues to support your membership in professional organizations.

The issues I have raised in this article will ensure that each of you has plenty of work to do in 2010. I suggest that you start with a security baseline as soon as possible. Your network, and the machines and databases within it, need to be subjected to a rigorous test. My objective for 2010 will be to help our clients find their security risks, assess those risks, and ensure they are properly fixed. Never before in my 30 years of auditing have I seen the risks we face today.

Gordon Smith is the president of Canaudit, Inc., a Simi Valley, California, audit consulting firm.