Monday, May 30, 2011

How Internal Auditors Can Help With ERP Implementations

It has been a long time position of auditors that they should be involved in some way with ERP and other major project implementations. Much of this approach comes from observing such implementations from afar and then trying to sort out the many internal control problems that surface after the project goes live - problems that should have been addressed up front.

Of course, independence rules can be a barrier to the nature and extent of the assistance that auditors can offer. However, those requirements can be observed and still leave considerable scope for consulting activity of this type. Moreover, it is an important service and one that benefits management and the company.

The contributions that an auditor can make are not restricted to internal controls. Auditors have a great deal of skill in documenting processes and document flows. They also know how to delve into a system and identify the major data points and repositories that are critical to it.

This article on the IAA site provides a good overview of this topic.

Wednesday, May 25, 2011

Vaporstream Survey Finds Email Security Related to Inherent Weaknesses of Email

We've all done it - sent messages we wish on later reflection we hadn't sent. Or hit reply all when we meant to just reply. Or replied to a listserv when we meant to reply to an individual.

Although companies have spent a lot of time and effort training employees, it just hasn't worked in these areas. In a recent survey published by the security provider Vaporstream, the company concluded that the problems relate more to the inherent weaknesses of email than to the follies of the users.

Good to hear. More here.

Sunday, May 22, 2011

The Obama Security Plan

The Obama administration has tabled its much anticipated legislation on cybersecurity. It is the most comprehensive package of legislation to be issued by the US government to date.

The proposals are not without controversy, as expected, over the extent of oversight the government should implement. Some feel that more consultation with industry is required before a solution is reached. For example, the proposals would require that all private companies certify to the SEC that they have implemented an adequate security infrastructure. This would be a major shift for government regulation of security and also for the SEC itself.

An excellent overview article on this topic can be found at this site.

Monday, May 9, 2011

The Changing Landscape of IT Security

The IT landscape is changing because of such shifts as cloud computing, a proliferation of mobile devices, internet accessibility on a variety of devices, and more sophisticated internet-based applications. As the pace of change in the world of IT security continues to accelerate, there is a need for a fundamental rethinking of how to approach security.

The basics still apply - threat identification, risk and cost-benefit analysis, and determination of levels of acceptable risk. But the scope and range of the risks have changed dramatically. For example, the global nature of modern IT systems vastly increases the number and type of risks that most systems face.

Ernst & Young has released a white paper addressing these very issues - essentially a roadmap for applying the basics in the new environment. It can be downloaded free of charge from the E&Y site.

Thursday, May 5, 2011

Cloud Services Call for Security and Assurance

Ever since companies began making use of cloud services, they have recognized the risk involved in outsourcing critical applications to a cloud provider. They know that the safety of their data depends on the adequacy of the controls put in place by the provider. Many companies have therefore placed an emphasis on the wording of their contracts, seeking out terms that limit their exposure and shift as much liability as possible to the provider.

The problem is that this does not really address the underlying risk. Once a breach takes place, the damage is done in terms of the impact on customers. The real damage is often felt in future business and reputation. While some of this can be compensated with large legal settlements, that is really an ineffective and expensive way to do it.

The best approach is to take preventive steps. This means making sure that the very best controls have been put in place by the provider before a breach happens. This can only be done by hiring an auditor to provide an assurance report on the provider's system - a service organization report. All of the big accounting firms have IT security experts who are very good at providing these reports.

Companies are remiss if they outsource important applications and do not obtain such reports. The money spent on them is a cost that can be much less than the business costs of a breach later on.

For another take on the issue, check out this article.

Tuesday, May 3, 2011

Security Threats for ERP Systems Have Changed Too

Over the past few years, we have seen a big change in the nature of security threats to enterprise systems. Many of the new threats arise from increased connectivity, which enables unauthorized intruders (hackers) to gain access to systems through the internet and other connections. With the proliferation of such elements as wireless and mobile devices with internet access, the threats have become more frequent and diverse.

Recently, several security-related changes had to be made to the JD Edwards ERP system to reflect these new realities. Many IT experts say that the changes reflect the nature of the underlying problem - the old traditional approaches to ERP security, such as division of duties, although still necessary, don't cut it anymore. Controls born of the new age of connectivity, such as encryption and tight firewalls, are more important than ever. For a take on this issue please click this link.

Sunday, May 1, 2011

Kansas City Conference

Efrim Boritz's blog summarizing the proceedings of the Kansas University Conference on XBRL and related issues, held April 29-30, can be found at http://efrimsblog.blogspot.com/