Wednesday, February 25, 2009

IT Auditing in Difficult Economic Times
by Gerald Trites, FCA

It is well known that difficult economic times present additional challenges for auditors. In December, the PCAOB issued a guidance document called "Audit Considerations in the Current Economic Environment" which identifies a number of issues that auditors need to be particularly aware of. Many of these items relate to accounting issues, such as the adequacy of allowances for losses and valuation issues. They also cover controls over disclosures. In addition to these financial accounting issues, however, the document makes a point of possible breakdowns in internal controls: directly, through lay-offs and firings and the resulting discontent among employees, and less directly, through staff cutbacks and the resulting loss of segregation (division) of duties, which is always a key element of good internal control. This means that IT auditors, not just generalist auditors, need to be particularly aware of these control issues. For more on this matter, see this article on the CFO site.
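The segregation-of-duties point above is one an IT auditor can test mechanically: pull the user-to-role entitlement list from the application and check it against a table of "toxic" role combinations, then re-run the same check against the entitlements as they would look after a departing employee's roles are reassigned wholesale to a colleague. The following is an added example (not code from the blog or from the PCAOB guidance); the entitlements and the conflict rules are constructed for illustration and would in practice come from the ERP's role export and the organization's own SoD matrix.

```python
"""Segregation-of-duties (SoD) conflict check over an entitlement list.

Added example. ENTITLEMENTS and CONFLICT_RULES are constructed sample data,
not taken from any real system.
"""
from collections import defaultdict

# Constructed (user, role) entitlements as an application would export them.
ENTITLEMENTS = [
    ("alice", "vendor_master_maintain"),
    ("alice", "purchase_order_create"),
    ("bob", "purchase_order_create"),
    ("bob", "invoice_approve"),
    ("carol", "payment_release"),
    ("dave", "vendor_master_maintain"),
    ("dave", "payment_release"),
    ("dave", "invoice_approve"),
]

# Hypothetical SoD matrix: pairs of roles a single person should not hold,
# with the fraud scenario the combination would enable.
CONFLICT_RULES = {
    frozenset({"vendor_master_maintain", "payment_release"}):
        "create a fictitious vendor and pay it",
    frozenset({"purchase_order_create", "invoice_approve"}):
        "approve own purchases",
    frozenset({"invoice_approve", "payment_release"}):
        "approve and release a payment with no second review",
}


def roles_by_user(entitlements):
    """Collapse (user, role) rows into user -> set of roles."""
    held = defaultdict(set)
    for user, role in entitlements:
        held[user].add(role)
    return dict(held)


def find_sod_conflicts(entitlements, rules=CONFLICT_RULES):
    """Return sorted (user, role_a, role_b, risk) tuples, one per violated rule."""
    findings = []
    for user, roles in roles_by_user(entitlements).items():
        for pair, risk in rules.items():
            if pair <= roles:  # user holds both roles of the toxic pair
                role_a, role_b = sorted(pair)
                findings.append((user, role_a, role_b, risk))
    return sorted(findings)


def reassign_on_departure(entitlements, leaver, successor):
    """Model a layoff where every role of `leaver` is handed to `successor`.

    This is the scenario the guidance warns about: headcount falls, duties
    are merged, and a previously clean user ends up with a toxic combination.
    """
    merged = {(successor if user == leaver else user, role)
              for user, role in entitlements}
    return sorted(merged)


def new_conflicts_after_departure(entitlements, leaver, successor):
    """Conflicts that exist only after the reassignment, i.e. control regressions."""
    before = set(find_sod_conflicts(entitlements))
    after = set(find_sod_conflicts(reassign_on_departure(entitlements, leaver, successor)))
    return sorted(after - before)


if __name__ == "__main__":
    for finding in find_sod_conflicts(ENTITLEMENTS):
        print("CONFLICT", *finding)
    for finding in new_conflicts_after_departure(ENTITLEMENTS, "carol", "alice"):
        print("NEW CONFLICT after carol leaves, roles to alice:", *finding)
```

The "before/after" comparison is the useful part for an audit of a downsizing: it lets the auditor evaluate a proposed reassignment before access is actually changed, rather than discovering the toxic combination months later in a periodic access review.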

Tuesday, February 24, 2009

Most fired workers steal data on way out the door, survey shows

A recent survey published by the Ponemon Institute found that 59% of workers who are fired, laid off or who quit take corporate data with them. Concern about ex-employees somehow abusing the system has long been a classic concern of IS auditors. However, the more recent emphasis on data security and privacy adds some important context to this concern, and the new study indicates that this area needs to be addressed in audits.
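Two audit tests follow directly from the survey finding: whether file egress by a known leaver spiked in the days before the departure date, and whether the leaver's account was actually disabled on that date. The code below is an added example (not from the blog or the Ponemon report) that runs both tests over a constructed HR termination feed, a constructed file-activity log and a constructed list of active accounts; the log format, the seven-day window and the 3x-over-baseline threshold are assumptions chosen for illustration.

```python
"""Departing-employee data-removal tests.

Added example. TERMINATIONS, ACTIVITY_LOG and ACTIVE_ACCOUNTS are constructed
sample data, not real records. The log format is assumed:
    (iso_date, user, action, bytes, destination)
"""
from datetime import date, timedelta

# Constructed HR feed: user -> last working day.
TERMINATIONS = {"bob": date(2009, 2, 20), "carol": date(2009, 2, 20)}

# Constructed file-activity log. Only egress actions count toward the test.
ACTIVITY_LOG = [
    ("2009-01-28", "bob",   "copy",  5_000_000,   "fileshare"),
    ("2009-02-05", "bob",   "copy",  6_000_000,   "fileshare"),
    ("2009-02-16", "bob",   "copy",  150_000_000, "usb"),
    ("2009-02-18", "bob",   "email", 80_000_000,  "personal-webmail"),
    ("2009-02-19", "bob",   "copy",  200_000_000, "usb"),
    ("2009-01-30", "carol", "copy",  4_000_000,   "fileshare"),
    ("2009-02-10", "carol", "copy",  5_000_000,   "fileshare"),
    ("2009-02-18", "carol", "copy",  5_000_000,   "fileshare"),
    ("2009-02-19", "alice", "copy",  300_000_000, "usb"),  # not a known leaver
]
EGRESS_ACTIONS = {"copy", "email"}

# Constructed directory export of accounts still enabled as of the audit date.
ACTIVE_ACCOUNTS = {"alice", "bob"}


def egress_bytes(log, user, start, end):
    """Total egress bytes for `user` with start <= day <= end (inclusive)."""
    total = 0
    for day, who, action, nbytes, _dest in log:
        if who == user and action in EGRESS_ACTIONS and start <= date.fromisoformat(day) <= end:
            total += nbytes
    return total


def pre_departure_spikes(log, terminations, window_days=7, baseline_days=30, ratio=3.0):
    """Flag leavers whose daily egress in the final window exceeds `ratio` x their baseline.

    Returns sorted (user, baseline_per_day, window_per_day) tuples. The baseline
    is the period from baseline_days before departure up to the window start.
    """
    findings = []
    for user, last_day in terminations.items():
        window_start = last_day - timedelta(days=window_days)
        baseline_start = last_day - timedelta(days=baseline_days)
        baseline_len = (window_start - baseline_start).days           # days strictly before window
        window_len = window_days + 1                                  # inclusive of last_day
        baseline_per_day = egress_bytes(log, user, baseline_start, window_start - timedelta(days=1)) / baseline_len
        window_per_day = egress_bytes(log, user, window_start, last_day) / window_len
        # max(..., 1) keeps a user with a zero baseline from dividing by zero
        if window_per_day > ratio * max(baseline_per_day, 1):
            findings.append((user, baseline_per_day, window_per_day))
    return sorted(findings)


def accounts_not_disabled(terminations, active_accounts, as_of):
    """Leavers whose last day has passed but whose account is still enabled."""
    return sorted(user for user, last_day in terminations.items()
                  if last_day <= as_of and user in active_accounts)


if __name__ == "__main__":
    for user, base, win in pre_departure_spikes(ACTIVITY_LOG, TERMINATIONS):
        print(f"SPIKE {user}: {win:,.0f} bytes/day in final week vs {base:,.0f} baseline")
    for user in accounts_not_disabled(TERMINATIONS, ACTIVE_ACCOUNTS, date(2009, 2, 25)):
        print(f"STALE ACCOUNT {user}: still enabled after termination")
```

Note the limitation the test makes visible: it only evaluates users who appear in the HR termination feed, so alice's large USB copy is never examined. An audit of this control should therefore also test the completeness and timeliness of the HR feed itself, not just the detection logic downstream of it.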

Sunday, February 22, 2009

Monitoring Control Systems

It takes time to set up a good control system. But it can be a waste of time if the issues identified by the system never get reported to management, so that meaningful corrective action never takes place. What is required is a good monitoring system that results in these issues being reported effectively and on a timely basis. Setting up a monitoring system that works is an essential part of a control system. The AICPA has published a booklet, "Guidance on Monitoring Control Systems", that can be helpful in this process. The booklet can be purchased from the AICPA site.

Thursday, February 19, 2009

IT governance in practice: Insight from leading CIOs


PricewaterhouseCoopers has interviewed a number of CIOs worldwide to obtain their views on IT governance, their experience in implementing IT governance, and what it takes to make IT governance work.

They report that from their "interviews it is evident that most organisations recognise the importance of IT governance. However, a 'holistic' view that considers all dimensions of IT Governance is not widely found. The concept of IT governance as an umbrella framework encompassing a wide spectrum of arrangements, including the measurement of benefits, has yet to emerge."

They have included in their report some examples of best practices they have identified.

Wednesday, February 11, 2009

IT Risk Management
by Gerald Trites

Earlier in February, ISACA released an Exposure Draft setting out a framework for IT Risk Management. The framework takes COBIT a step further, going beyond the means for managing risk to address the governance and management of IT risk from end to end. The document is 92 pages long, and addresses the area in a comprehensive manner.

The ED begins by defining IT Risk as distinct from business risk. To quote, "IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. It includes both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives as well as uncertainty in the pursuit of opportunities."

The document then goes on to develop principles related to risk management and risk governance and uses these principles to set forth the key building blocks of IT Risk management.

The actual framework is built around the central ideas of governance, evaluation and response. Comments will be received for 45 days. IT auditors should take careful note of this ED, as it is certain to play a significant role in future engagements, both as a tool for the use of the auditors and as a tool that will be used by management and other stakeholders to manage IT risk.

The Exposure Draft can be downloaded from the ISACA site.

Monday, February 9, 2009

Sustainable IT
by Gerald Trites

Sustainable IT is much more than a buzzword. And more than trendy. For auditors, it means exactly what the term says - ensuring that corporate IT systems are sustainable in the medium and long term. That the systems - and therefore the host enterprise - can survive.

IS Auditors and auditors generally have always been concerned about the sustainability of enterprises; about their ability to remain operational. Going concern is a concept that goes back many decades. But while the going concern concept is usually activated because of economic concerns, it increasingly will be activated, in future, because of environmental concerns. This has already happened because of major disasters, such as floods, earthquakes and fires. But major disasters can creep up on us and this is what is starting to happen with IT systems.

IT systems are environmental concerns because of several factors, including notably:

1. High power usage,
2. High use of paper, and
3. Disposal of used and outdated parts, like computers, disks, wires, routers, etc.

Reports have been coming in of power grids being overtaxed because of the growth and proliferation of data centers. The city of London, for example, is reported to have been curtailing new data centers in anticipation of the 2012 Olympics.

With storage space being relatively cheap, and increased storage and processing taking place on the Internet, the need for more data centers will grow considerably over the next few years. The current grid cannot tolerate much in the way of such growth.

The capacity of computer systems to waste paper is legendary, and ironic in view of the widespread talk about the paperless office a few years ago. And while there has been some recycling activity of old computer parts of late, the effort is pitifully small in comparison to the need.

So IT auditors have a need to review the sustainability program of the systems they review. As a minimum, they need to consider whether the power consumption of the systems is being adequately planned, with power-friendly devices and power-saving programs. They also need to consider if there is a good print control program that ensures printing is done only when necessary. And they need to ensure that retired equipment is disposed of in an environmentally responsible manner, recycled where possible.

Moreover, IT systems can be used, through video and audio conferencing, as a means to reduce business travel, and consequently reduce the energy consumption involved in such travel.

Such reviews are often seen as a useful value-added service of IT auditors. But they are much more than that. They should be viewed as a central and essential part of routine audits, directed to whether the company can really survive into the future.

KPMG, among other firms, has released a paper on this topic which is downloadable from their website and explains these ideas. There is also an article on their website that offers some useful commentary. Deloitte also has a paper on the subject on their site.

Thursday, February 5, 2009

Technology Threat Avoidance Theory
by Gerald Trites

Some of the most stimulating and challenging aspects of information systems research lie in the interaction of human behaviour and the technology itself. Technology poses certain challenges that people must try to address, and their behavioural inclinations can be important to the outcome. One such area is that of technology threat avoidance theory (TTAT). The area addresses the question of how people react to and deal with a perceived threat having unpleasant, unwanted or malicious results. Research into TTAT has revealed certain patterns in the behavioural responses of people to threats. This is a fundamental question for IS auditors, because they need to devise or advise on processes that will provide the most effective response to threats, the greatest degree of safety for the system and consequently for the host organization itself.

Any mitigative set of processes cannot be fully effective without taking into account the way in which people will react to threats to the information system.

The March 2009 issue of MIS Quarterly included a paper essentially defining TTAT and providing insight into the research opportunities available in this field. An abstract can be found on the MISQ website.

Monday, February 2, 2009

Spam Isn't so Bad in Canada
by Gerald Trites

Canadians being swept under a mountain of spam can take some comfort in a recent report by Sophos that shows Canada not even making their list of Spam problem countries. In fact Canada is mentioned in the report as having improved the situation during the past year. The US still takes first prize, with spam running at 19.8% of total email, exactly double the rate of its closest rival, China, which clocked in at 9.9%. While most countries, including the US, have taken steps to fight spam, it seems that spammers are getting more creative in their methods, making it difficult to keep up with them. Also, spammers are directing more of their energies to social network sites, like Facebook, which have shown a large increase in spam traffic. One would assume that this type of spam can be brought under control, so maybe there is some hope for the future. And while companies are gravitating towards social networking, they are tending to do it in proprietary or customized forms, rather than simply adopting open networks like Facebook. This will help them control the traffic much more closely. The Sophos report can be viewed at the Information Systems Security site.