sox presentation 10 04

The Role of CIOs In a Sarbanes-Oxley World Dwayne E. Jorgensen, CIA, CFE Director, Sarbanes Oxley Services Information Security Solutions


Post on 06-Jul-2015



Page 1: Sox presentation 10 04

The Role of CIOs In a Sarbanes-Oxley World

Dwayne E. Jorgensen, CIA, CFE
Director, Sarbanes Oxley Services
Information Security Solutions

Page 2: Sox presentation 10 04

Agenda

• Introduction/Sarbanes-Oxley
• COSO overview
• Your role
• Spirit or Letter of the Law?
• A Risk-based approach…
• What’s Next?
• Q&A

Page 3: Sox presentation 10 04

Sarbanes-Oxley in a Nutshell

• The Act was signed into law on July 30, 2002 and includes eleven titled sections:
• Title I Public Company Accounting Oversight Board
• Title II Auditor Independence
• Title III Corporate Responsibility
• Title IV Enhanced Financial Disclosures
• Title V Analyst Conflicts of Interest
• Title VI Commission Resources and Authority
• Title VII Studies and Reports
• Title VIII Corporate and Criminal Fraud Accountability
• Title IX White Collar Crime Penalty Enhancements
• Title X Corporate Tax Returns
• Title XI Corporate Fraud and Accountability

Page 4: Sox presentation 10 04


Sarbanes – Oxley: The Reality

Page 5: Sox presentation 10 04

COSO - Overview

• COSO Definition of Internal Control
– Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

• Key Concepts
– Internal control is a process. It is a means to an end, not an end in itself.
– Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
– Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
– Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Page 6: Sox presentation 10 04

COSO - Overview

Risks

• Evaluated by:
– Severity
– Likelihood
• Types of risks:
– Inherent risks
– Managed risks
– Residual risks

Page 7: Sox presentation 10 04

Spirit or Letter of the Law?

• Sarbanes-Oxley: The “end” or “means?”
• Positive/negative effects of the intent for creating the ideal control environment
• “Static vs. Perpetual”
• Current debate over role of External Auditor
• “4 – 3 – 2”

Page 8: Sox presentation 10 04

IT Components: Sarbanes-Oxley’s Impact on the COSO Cube

(Figure: the five COSO components of the cube, mapped to the IT components that support Sections 302, 404 and 409.)

• Control Environment: “Tone at the top”, IT Governance, Regulatory Compliance
• Risk Assessment: IT Risk Management, IT Risk Assessments, Business Impact Analysis
• Control Activities: Firewalls, Security, DRP, Business Continuity, SDLC, Change Control, Operations
• Information & Communication: IT Policies, Standards & Procedures, Email, Scorecards, Dashboards, Project Control, Help Desk
• Monitoring: Server Logs, Database Logs, Firewall Logs, Intrusion Detection, Incident Response, Awareness Training

Page 9: Sox presentation 10 04

The Compliance Iceberg

(Figure: an iceberg. Above the waterline, “What You Know”: the Sarbanes-Oxley Act Compliance Requirements. Below it, “What You Might Not Know”: Industry Compliance Standards and Company-Specific Standards.)

• Sarbanes-Oxley Act Compliance Requirements: Sections 404, 302, 301, 409
• Industry Compliance Standards: Cerner Regulations (FDIC 1A, etc.), Public Co. Reg. (NYSE, NASDAQ, etc.), Lending Covenants
• Company-Specific Standards: Mission Statements, Policies, Procedures, Tasks, Unique Control Events

© 2004 CTG

Page 10: Sox presentation 10 04

Spirit or Letter of the Law?

• Section 404
• Can external auditors “independently” test and opine on management’s report on internal controls if they played any role in preparing the document?

4-3-2

Page 11: Sox presentation 10 04

Spirit or Letter of the Law?

• Section 302
• Is management comfortable with this decision in light of pending guidance on disclosure protocols, and the subsequent potential harm if something was deemed “inappropriate” about the external auditor’s role at a later date?

4-3-2

Page 12: Sox presentation 10 04

Spirit or Letter of the Law?

• Section 201
• Since this assistance of operating management in preparing their assertion falls outside the scope of actual external audit work, does it require audit committee approval, and is management therefore comfortable asking for it?

4-3-2

Page 13: Sox presentation 10 04

Suggested Risk Assessment Process

Page 14: Sox presentation 10 04

Internal Control Maturity Model

• Initial: Control structure is not defined. Control occurs incidentally.
• Repeatable: Control structure is not defined, but control processes may occur based on past success and management oversight.
• Defined: Control structure is documented, standardized and integrated into control processes for the organization.
• Managed: The control process is regularly assessed and tested. Detailed measures of the control process are collected and reported.
• Optimizing: Continuous process improvement is enabled by quantitative feedback from the control process.

Predictability, effectiveness and efficiency of an organization's internal controls improve as the organization moves through these five stages.

Page 15: Sox presentation 10 04


Key Recommendation:

• Pick a Pilot!!!!!!

• Work with external auditor to pick a key process to run the entire approach through, then ensure the approach is satisfactory to the auditor, prior to commencing on the remaining processes

Page 16: Sox presentation 10 04

Recommended Approach: Assess

(Phases: ASSESS, DOCUMENT, TEST, REPORT)

Process:
• Form Team: Define overall SO requirements; Identify and form team; Partner with external audit firm
• Perform Risk Assessment: Confirm audit universe; Define risk weighting; Conduct assessment
• Confirm Results: Analyze assessment results; Confirm risk rankings; Map to knowledge base of mitigating practices; Present findings to management
• Develop Workplan: Develop plan for documentation phase; Review plan with external auditor and management

Outcomes:
• Management support
• Internal champion
• Trained team
• Consensus on objectives
• Risk-ranked universe
• The PLAN

Page 17: Sox presentation 10 04

Recommended Approach: Document

(Phases: ASSESS, DOCUMENT, TEST, REPORT)

Process:
• COSO Alignment: Define target maturity level by process; Assess COSO maturity by process; Identify where improvements are needed
• Document Control Activities: Define control objectives; Determine tool approach; Map assessment to objectives and identify gaps
• Improve Controls: Develop plan to address gaps with control changes; Assess and implement changes in controls; Test new processes and train users
• Define Monitoring Process: Confirm the role of the internal audit department; Assess current monitoring environment; Implement monitoring process

Outcomes:
• COSO maturity ranking
• Consensus on end state
• Improved controls environment
• Ongoing monitoring
• Documented controls

Page 18: Sox presentation 10 04

Recommended Approach: Test

(Phases: ASSESS, DOCUMENT, TEST, REPORT)

Process:
• Management Controls Monitoring: Educate management on controls; Develop framework for management monitoring; Facilitate management monitoring of controls
• Independent Internal Audit Testing: Develop framework for independent monitoring; Facilitate independent monitoring of controls
• Material Weakness Plan: Identify weaknesses from management test; Develop action plan for weaknesses; Reiterate if necessary
• Ongoing Report Process: Implement process for ongoing quarterly reports; Define process for development of IC report; Partner with external auditor on report requirements

Outcomes:
• Management control monitoring
• Independent monitoring
• Management reporting process
• Ongoing reporting

Page 19: Sox presentation 10 04

Recommended Approach: Report

(Phases: ASSESS, DOCUMENT, TEST, REPORT)

Process:
• Management Report: Management reports on role in controls; Management reports on testing process; Management delivers final controls report
• External Audit: External audit commences
• External Control Testing: External auditor tests controls per requirements; External auditor reviews management report; External auditor issues final report
• External Auditor Assertion: External auditor issues final assertion

Outcomes:
• Management report
• External audit report
• External assertion

Page 20: Sox presentation 10 04

Illustrative Assessment Work Plan

(Gantt chart over a ten-week schedule: Week Number 1 to 10, Weeks Remaining 10 to 1.)

# Task Description:
1 Initial planning and information gathering
2 Conduct initial interviews
3 Review Engagement Letter
4 Finalize interview list
5 Finalize specialists required
6 Prepare letter for interviewees to overview project/team
7 Prepare interview objectives and general questions
8 Finalize workplan
9 Develop overview of client business/industry
10 Finalize tailored questions by functional interview
11 Draft format for deliverables
12 Schedule interviews (approx. 25-35 interviews)
13 Perform interviews (approx. 25-35 interviews @ approx. 1.5 hrs each); interviews led by IA with client internal audit personnel involvement
14 Document results of interviews / confirm with interviewees
15 Develop risk ranking
16 Develop audit plan
17 Determine resource needs to execute audit plan
18 Obtain client management consensus on risk profile
19 Finalize and present deliverables

Page 21: Sox presentation 10 04

Control Assessment Structure

General Controls Capabilities:
a) Authorization
b) Processing and Recording
c) Safeguarding
d) Reporting
e) Compliance
f) Risk Management
g) Resource Availability

COSO Control Components:
a) Control Environment
b) Risk Assessment
c) Control Activities
d) Information & Communication
e) Monitoring

Example risk factors (Control Capability / COSO Component / Risk Factor), each scored against three descriptive criteria:

• Authorization / Control Environment / Delegation of Authority
– Authority and approval levels are not delegated to the lowest levels.
– Authority is delegated to the front lines; however, executive management is involved.
– Authority is delegated to the front lines and decision making resides at that level.

• Processing and Recording / Control Environment / Skill sets
– Employees possess the knowledge and skills necessary to effectively execute their job.
– Employees possess some of the skills required to effectively execute their job.
– Employees generally do not have the knowledge or skills to effectively execute their job.

• Processing and Recording / Control Environment / Volume of transactions
– Low volume of transactions and minimal interventions and hand-offs.
– Average volume of transactions and considerable number of manual interventions.
– High volume of automated and manual transactions and hand-offs.

• Risk Management / Control Environment / Organization Structure
– Operations are highly centralized with effective communication systems.
– Operations are fairly decentralized with fairly effective communication systems.
– Operations are very decentralized with ineffective communication systems.

Page 22: Sox presentation 10 04

Framework for Risk Assessment

• Identify
– What are the risks?
• Measure
– What is the relative degree of risk? (Determined by Severity and Likelihood.)
• Prioritize
– Which risks are most important?

Page 23: Sox presentation 10 04

Risk Assessment: The Big Picture

• Internal and external risks faced by all organizations.
• Requires linked and consistent management objectives.
• Identified/analyzed to manage and achieve objectives.
• A system to address organization impact of external and internal condition changes.

IIA Definition: “… a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. … organize and integrate professional judgments for development of the audit work schedule.”

Page 24: Sox presentation 10 04

Enterprise Risk Assessment

Driven by enterprise strategies and overall goals.

Risk rank audit universe, applying the same risk factors to all audit entities.

Top-down focus begins at the enterprise level.

Bottom-up begins at the entity level.

• Approach dependent on management’s objectives and other initiatives in place.

Page 25: Sox presentation 10 04

Enterprise Risk Assessment Defined

• Enterprise Risk – Potential exposures which could significantly impact or impede an enterprise’s ability to succeed in accomplishing its overall financial and operational goals and objectives.
• Risks can be categorized as follows:
– Strategic – relating to high-level goals, aligned with and supporting the entity’s mission/vision.
– Operations – relating to effectiveness and efficiency of the entity’s operations, including performance and profitability goals.
– Reporting – relating to the effectiveness of the entity’s reporting.
– Compliance – relating to the entity’s compliance with applicable laws and regulations.

Page 26: Sox presentation 10 04

Ways To Look At Risk

• Quantitative
– Assign a value to each control risk times a probability of the threat of the risk
– Higher value/greater risk
• Qualitative
– High, medium, low or adequate/inadequate

Page 27: Sox presentation 10 04


Approaching Risk Assessment

Solicit executive management’s enterprise strategies, goals, objectives and concerns.

If applicable, obtain external auditor’s perspective of the company.

Also consider insurers, outside counsel, other third-party service providers.

Capture organization, products, processes, functions, locations, systems, support areas, etc. relevant to auditable entities.

Develop a model using risk factors, weightings and scoring criteria.

Objective is a risk-ranked audit universe.

Page 28: Sox presentation 10 04


An Enterprise Risk Assessment Tool

Provide analyses regarding risk exposures at an audit universe (enterprise) level.

No pre-defined database of standard questionnaires, risk factors and set risk weightings.

Information compiled by experienced professionals.

Information/analyses as good as the information compiled.

Page 29: Sox presentation 10 04

Types of Risk Factors

• Assets at risk: Cash; Inventory; Intellectual property
• Operational: Procurement; Production; Material Handling; Sales; Service; Human Resources; Planning; Legal; Environmental
• Systems: Information quality; Security Architecture; Contingency planning; Equipment/software
• Financial: Data accuracy; Available information; Completeness of data; A/R, A/P, Cash flow, etc.

Page 30: Sox presentation 10 04

Risk Weighting and Scoring

Weigh risks based on customized criteria.
• Relative importance of individual risk factor.
• Risk factor impact on business units based on likelihood of occurrence and severity of impact.
• Facilitate with management and process owners.

Risk weighting results reviewed by management and the process owners.
• Risk score is assessed for each risk factor.
• Scores summed for a total risk score.
• Supports risk ranked audit universe.

Page 31: Sox presentation 10 04

Risk-based Approach: Examples

(Figure: a matrix of example risk factors, grouped as labelled on the slide.)

Business Processes: Alignment; Business Continuity; Compliance; Contracting; Empowerment; Environmental; Fraud; Health and Safety; Illegal Activities; Management Information; Obsolescence/Shrinkage; Product/Service Quality; Relevance; Unauthorized Use

Technology: Availability; Access; Functionality; Integrity; Usability

Functional Risk

Finance: Collateral; Counterparty; Credit; Currency; Derivatives; Interest Rate; Liquidity; Reinvestment; Settlement

Financial Reporting: Financial Assessment; Evaluation; Financial Statement; Falsification; Regulatory Reporting; Taxation

Strategic Risk: Capital Availability; Competition; Financial Markets; Flexibility; Industry; Leadership; Legal; Regulatory; Product Life Cycle; Product Development; Reputation; Trademark Erosion; Sovereign; Strategic Assumptions; Valuation

Authority; Bench Strength; Budgeting & Planning; Capacity; Commodity; Communication; Cycle Time; Efficiency; Human Resources; Organization Structures; Performance Metrics; Pricing; Resource Allocation; Supplier; Technology Selection; Technology Deployment

Conversion Risk

Page 32: Sox presentation 10 04

Risk-based Approach: Process

Company Strategies / Executive Management Input

Risk Factor Model Development
• Executive Management Input and Buy-in
• Extract Risk Factors from Strategies
• Identify & Define Risk Factors to be Used
• Define Related Scoring Criteria for Each Risk Factor
• Weight the Risk Factors

Audit Universe Development
• Input Obtained from Many Sources
• Organizational Charts, Internal Management Reports, Company Directory, Annual Report, General Ledger, Location Listings, Major Projects or Contracts, Information Systems, etc.
• Cost Centers, Profit Centers, Investment Centers, Locations, Functions, Processes, etc.

Risk Exposure Scoring
• Scoring Occurs from Interviews with Senior Management Responsible for the Auditable Entities
• One Person may be Responsible for Scoring Multiple Entities
• Many Persons may be Responsible for Scoring One Entity

Audit Plan Development
• Compute Risk-Ranked Audit Universe from Completion of the ERA model
• Develop Audit Plan Based on Risk-Ranking and Available Resources
• Obtain Executive Management Approval
• Execute Audit Plan
• Reassess Risk Exposures

Page 33: Sox presentation 10 04

Risk-based Approach Re-cap

• Risk-based approach
• Defined model of enterprise risk factors
• Customized to fit our client’s needs
• Efficient direction of audit resources
• Supported by an electronic tool that provides for data analysis
• Provides sufficient information to build an audit plan
• Performed by experienced professionals
• Cost effective solution to improve enterprise risk management initiatives

Page 34: Sox presentation 10 04

Security Architecture Risk Assessment Process

Page 35: Sox presentation 10 04

Technology Evolution

(Figure: a timeline from the 70’s through the 80’s, 90’s and 00’s, moving from Centralized through Distributed to Virtual architectures. Elements shown: Mainframes, Gateways, Low-Speed Network, High-Speed Network, Large Branch, Small Branch, SuperServer, Data.)

Page 36: Sox presentation 10 04

Evolution of Technology Risk

Risks Are Continually Compounding

(Figure: risks plotted against the risk drivers Users, Control Point/Connectivity, Complexity and Reaction Time, from the Centralized era of 1970 through Distributed to the Virtual era of 200X. The three risk lists below are the cumulative lists shown for the three eras, smallest to largest.)

Major Trends that Adversely Impact Risk
• Exponential Expansion of Technology
• Excessive Focus on Cost
• Accelerated Pace of Change
• Complexity of Infrastructure
• Short Term Vision
• Mergers, Collaborative Initiatives
• Security Impact on ROI

Risks (Centralized):
• Unauthorized Access
• Back-up and Redundancy of Data and Programs
• Business Continuity
• Introduction of Technology Dependency

Risks (Distributed):
• Viruses and Program Contamination
• Software Piracy / Licensing
• Hardware/Data Portability
• Decentralized Procurement Allowed Unauthorized Activities
• Authentication & Authorization
• Back-up and Redundancy of Data and Programs
• Business Continuity
• Introduction of Technology Dependency

Risks (Virtual):
• Industrial Espionage and Sabotage
• Introduction of Value Chain Interdependency
• Viruses and Program Contamination
• Software Piracy / Licensing
• Hardware / Data Portability
• Decentralized Procurement Allowed Unauthorized Activities
• Authentication & Authorization
• Back-up and Redundancy of Data and Programs
• Business Continuity
• Introduction of Technology Dependency
• Infrastructure Support

Page 37: Sox presentation 10 04

Common Enterprise Security Threats

(Figure: a network diagram with threats annotated on each component. Components shown: Internal LAN, Internal Router, Novell or Unix Server, Windows NT Workstation, Windows 98 Station, Windows NT 4.0 or Windows 2000 Server, Remote Access Server, Dialup, Internet DMZ/Gateway Servers, Mobile/Home User, Branch Office(s), Perimeter Router, Dedicated Circuit, Internet, Database Server(s), "xSP" and Clients.)

Threats annotated on the diagram:
• Information "leakage"
• Inadequate logging and detection
• Unnecessary services
• Misconfigured web services
• Inadequate password controls
• Excessive file and directory access
• Improperly filtered networks
• Excessive user rights
• O/S misconfigured
• Excessive trust relationships
• Improperly configured routing
• Unsecured Remote Access Services (RAS)
• Unauthorized servers on the network
• Lack of effective enterprise policies and standards
• Misconfigured firewalls and/or open TCP/IP port connections
• Inadequate data backup and retention
• Inappropriate administrative rights and table attributes
• Inadequate application and data integrity controls
• Inadequate controls over physical access to devices
• SLAs, "Confidentiality, Integrity, and Availability", and encryption concerns

(Threat Colors: Red - External, Green - Internal, Blue - Both)

Page 38: Sox presentation 10 04


SAF Life Cycle

Page 39: Sox presentation 10 04

SAF Life Cycle

• Assets – Assets to be secured and controlled from inadvertent and/or intentional misuse.
• Governance – Establish policies, procedures and standards to define behavior.
• Profile – Locate and identify all assets across the infrastructure.
• Value – Determine business worth of resources.
• Vulnerabilities – Identify potential vulnerabilities and the ability to exploit them.
• Threats – Identify potential threats and the likelihood of occurrence.
• Risk – Calculate level of risk based upon exposures and countermeasures.
• Solutions – Elimination or reduction of likelihood of vulnerabilities.
• Metrics – Establish measurements to determine impact and value of security initiatives.
• Monitoring – Ensure compliance with established policies, procedures and standards.

Page 40: Sox presentation 10 04

Risk Assessment Process

(Figure: a cycle of six stages: Process Capture, Threat Assessment, Vulnerability Assessment, Risk Determination, Countermeasure Assessment, Decision Support Analysis. The following slides take each stage in turn.)

Page 41: Sox presentation 10 04

Risk Assessment Process: Process Capture

• Identify critical/key Mega and Major Processes (Information, Physical and Functional) and their dependencies on one another.
• Identify all of the infrastructure components that are required to support the various processes. (Current & Future State)
– Hardware
– Software
– Communications (Network Protocol, connectivity)
– Facilities
– Personnel
• Identify the owners, maintainers and consumers for the processes and infrastructure components that have been identified.
• Help place both a value (imputed or intrinsic) and importance on critical/key processes/assets.

Page 42: Sox presentation 10 04

Risk Assessment Process: Threat Assessment

• Identify and rank those threats that apply to the organization.
– Environmental
– Man-made
– External
– Internal
– Hostile (structured and unstructured)
– Non-hostile (structured and unstructured)
• Measure the amount of presence a threat has to the organization
– Physical presence a threat could have to the organization
– Electronic or logical presence a threat could have to the organization
• Measure the relative motivation and capability of a threat

Page 43: Sox presentation 10 04

Risk Assessment Process: Vulnerability Assessment

• Identify and rank the known vulnerabilities associated with the client’s specific processes/assets and infrastructure components.
• Vulnerabilities are primarily driven by the system definition completed during process capture.
• Determine if a vulnerability can be exploited via physical or electronic exposure to the vulnerability.
• Measure the severity of the vulnerability by measuring:
– Potential damage caused by exploitation
– Age of the vulnerability (when it was discovered)
– Amount of information available for the vulnerability
• Determine the operational concerns that are impacted by the vulnerability

Page 44: Sox presentation 10 04

Risk Assessment Process: Risk Determination

Risk is the combination of a threat exploiting some vulnerability that could cause harm to some process/asset, based on the threat, vulnerability and asset measures previously defined. Determine what threats can exploit which vulnerabilities against what processes/assets.

Page 45: Sox presentation 10 04

Risk Assessment Process: Countermeasure Assessment

• Identify applicable countermeasures by considering infrastructure specific threats, vulnerabilities, processes/assets and components.
• Produce a list of valid countermeasures to support the decision support analysis.
• Countermeasure Factors are based on:
– Process/Asset Factors: Sensitivity, Criticality, Perishability, Recoverability, Quantity, Quality, Economic Value.
– Threat Factors: Physical Access, Electronic Access, Capability, Motivation.
– Vulnerability Factors: Potential Damage, Available Information.
• Conduct risk mitigation calculations by applying each countermeasure to the risk factor it mitigates.

Page 46: Sox presentation 10 04

Risk Assessment Process: Decision Support Analysis

Conduct Cost Benefit Analysis:
• Identify comparable alternative solution sets
• Identify the most cost efficient solution set
• Consider cost benefit ratio:
– Risk delta/cost
– Highest cost benefit ratio implies most cost effective solution
• Identify solution leading to the biggest bang for the buck
• For a countermeasure to be considered it must mitigate at least one factor in the risk measure.

(Figure: a 3×3 grid of VALUE (L, M, H) against RISK (L, M, H).)
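As an added example (not part of the original presentation), the following Python script works through the scoring method from the Risk Weighting and Scoring slide and the cost-benefit selection described on this slide: per-factor scores are weighted and summed into a total risk score, the audit universe is ranked on that total, and candidate countermeasures are compared by risk delta divided by cost, with any countermeasure that mitigates no factor in the risk measure ruled out. The factor names follow the Control Assessment Structure slide; the weights, entities, scores and countermeasures are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass

# Relative importance of each risk factor (constructed sample weights).
# Each factor is scored 1-3 against descriptive criteria: 1 = low risk, 3 = high.
WEIGHTS: dict[str, float] = {
    "delegation": 1.0,     # Delegation of Authority
    "skill_sets": 2.0,     # Skill sets
    "volume": 3.0,         # Volume of transactions
    "org_structure": 2.0,  # Organization Structure
}


def risk_score(scores: dict[str, int], weights: dict[str, float] = WEIGHTS) -> float:
    """Total risk score: the weighted sum of the per-factor scores.

    Factors outside the model and scores outside 1-3 are rejected, so a
    mis-keyed questionnaire cannot silently inflate or deflate a ranking.
    """
    unknown = set(scores) - set(weights)
    if unknown:
        raise ValueError(f"factors not in risk model: {sorted(unknown)}")
    for factor, score in scores.items():
        if score not in (1, 2, 3):
            raise ValueError(f"score for {factor!r} must be 1, 2 or 3, got {score!r}")
    return sum(weights[factor] * score for factor, score in scores.items())


def rank_audit_universe(universe: dict[str, dict[str, int]]) -> list[tuple[str, float]]:
    """Risk-ranked audit universe: entities by total score, highest first.

    Ties are broken by entity name so the ranking is reproducible.
    """
    ranked = [(name, risk_score(scores)) for name, scores in universe.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    # factor name -> score points the countermeasure removes from that factor
    mitigates: dict[str, int]


def residual_scores(scores: dict[str, int], cm: Countermeasure) -> dict[str, int]:
    """Scores after applying a countermeasure; a factor never drops below 1 (low)."""
    return {f: max(1, s - cm.mitigates.get(f, 0)) for f, s in scores.items()}


def cost_benefit_ratio(scores: dict[str, int], cm: Countermeasure) -> float | None:
    """Risk delta / cost for one countermeasure against one entity.

    Returns None when the countermeasure mitigates no factor in the risk
    measure: the slide rules such a countermeasure out of consideration.
    """
    if cm.cost <= 0:
        raise ValueError(f"countermeasure {cm.name!r} needs a positive cost")
    if not set(cm.mitigates) & set(scores):
        return None
    delta = risk_score(scores) - risk_score(residual_scores(scores, cm))
    return delta / cm.cost


def best_countermeasure(scores: dict[str, int],
                        candidates: list[Countermeasure]) -> tuple[Countermeasure, float] | None:
    """The valid candidate with the highest cost-benefit ratio, i.e. the most cost-effective."""
    valid = [(cm, r) for cm in candidates if (r := cost_benefit_ratio(scores, cm)) is not None]
    return max(valid, key=lambda item: item[1]) if valid else None


# Constructed sample audit universe: per-entity factor scores from management interviews.
SAMPLE_UNIVERSE: dict[str, dict[str, int]] = {
    "Accounts Payable": {"delegation": 3, "skill_sets": 2, "volume": 3, "org_structure": 2},
    "Payroll": {"delegation": 2, "skill_sets": 1, "volume": 2, "org_structure": 1},
    "Fixed Assets": {"delegation": 1, "skill_sets": 3, "volume": 1, "org_structure": 3},
}

# Constructed candidate countermeasures for the top-ranked entity.
CANDIDATES = [
    Countermeasure("Automate invoice matching", cost=40.0, mitigates={"volume": 1}),
    Countermeasure("AP staff training", cost=10.0, mitigates={"skill_sets": 1}),
    # Mitigates a factor outside this risk measure, so it is not a valid candidate here.
    Countermeasure("Badge readers on the server room", cost=5.0, mitigates={"physical_access": 2}),
]

if __name__ == "__main__":
    ranking = rank_audit_universe(SAMPLE_UNIVERSE)
    for name, total in ranking:
        print(f"{name:<18} total risk score = {total:g}")
    top = ranking[0][0]
    choice = best_countermeasure(SAMPLE_UNIVERSE[top], CANDIDATES)
    print(f"most cost-effective countermeasure for {top}: {choice[0].name} (ratio {choice[1]:g})")
```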

Page 47: Sox presentation 10 04

(Figure: only the countermeasure labels survive from this slide.)

• User Rights, Transaction Logs
• Authentication, Firewalls, Intrusion Detection Solutions, Physical Security, Analyzers, Sniffers
• Administration Rights, O/S Security Level, System Logs
• Authentication, Firewalls, Intrusion Detection Solutions, Physical Security

Page 48: Sox presentation 10 04

IT Control Layers and IT Controls

• Data – Processes/Procedures and Management Monitoring: Manual processes and procedures that facilitate financial transactions and data, and the management monitoring that occurs around these activities.
– IT Controls: Completeness, Accuracy, Validity, Monitoring controls

• Systems: The underlying hardware and operating systems where financial transactions and data are stored through the business applications and databases.
– IT Controls: Restricted Access, General IT Controls

• Applications and Databases: The business applications and underlying databases that process, store, and report financial transactions and data.
– IT Controls: Completeness, Accuracy, Validity, Restricted Access, General IT Controls

• Internal Networks: Network infrastructure components that facilitate the processing of transactions to/from internal locations and organizations and provide access to internal business applications and databases.
– IT Controls: Restricted Access, General IT Controls

• Network/Perimeter: Network infrastructure components that facilitate the processing of transactions to/from external organizations and provide access to external and internal business applications and databases.
– IT Controls: Restricted Access, General IT Controls

Page 49: Sox presentation 10 04


COSO – ERM Framework

What’s next?

Page 50: Sox presentation 10 04

Enterprise Risk Framework

• Four objective categories – Strive to achieve
• Eight components – Needed to achieve
• Entity and organizational units

Page 51: Sox presentation 10 04

Enterprise Risk Framework

• Is a process - is a means to an end, not an end in itself.
• Is effected by people - is not merely policies, surveys and forms, but involves people at every level of an organization.
• Is applied in strategy setting.
• Is applied across an enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks.

Page 52: Sox presentation 10 04

Enterprise Risk Framework

• Is designed to identify events potentially affecting the entity and manage risk within its risk appetite.
• Provides reasonable assurance to an entity’s management and board.
• Is geared to the achievement of objectives in one or more separate but overlapping categories.

Page 53: Sox presentation 10 04

Questions?

Contact Information:

Dwayne E. Jorgensen, CIA, CFE
Director, Sarbanes-Oxley Practice
Information Security Solutions
800 Delaware Avenue, Buffalo, New York 14209
Office: 770/622-0073
Mobile: 770/789-7581
E-mail: [email protected]

Page 54: Sox presentation 10 04

The Role of CIOs In a Sarbanes-Oxley World

Dwayne E. Jorgensen, CIA, CFE
Director, Sarbanes Oxley Services
Information Security Solutions