BBC: Bigger Badder Cybercrimes

Early Registration Deadline Extended

The June 11, 2011 CISA, CISM, CGEIT and CRISC certification early exam registration deadline has been extended to February 11 at 5:00 P.M. U.S. Central Standard Time (23:00 UTC/GMT). Register now to receive the early registration discount. After this June administration, the next opportunity to sit for the CISA, CISM, CGEIT and CRISC exams will be on December 10, 2011.


To register for a June 2011 exam, please visit www.isaca.org/examreg. For additional information on ISACA’s globally recognized certifications please visit www.isaca.org/certification.

Where Will NIST Go Next?

A BrightTALK Channel

News from the California Technology Agency

Recent updates at the California Technology Agency:

* 01/27 Video: Opening Remarks by CTO Adrian Farley - 1/24/11- Budget Subcommittee #4 http://tinyurl.com/48tnkws

* 01/26 Digital Literacy Video Series - Case Study - The Stride Center http://tinyurl.com/49b2pq3

* 01/26 Technology Agency Releases Third Annual Strategic Plan http://tinyurl.com/4q5brta

* 01/25 Panel Discussion on Citizen Engagement on January 27, 2011 http://tinyurl.com/4lcj9zt

* 01/25 Christie Borchin Appointed Agency CIO of California Department of Veterans Affairs http://tinyurl.com/4wbnlf6

* 01/20 Digital Literacy for a New Life Path http://tinyurl.com/48cqpzj

* 01/20 California 9-1-1 Emergency Communications Division to Hold Public Meetings on Next Generation System http://tinyurl.com/4sll7t2

Just What Is Internal Audit, Anyway?

Well, isn’t that just the question that haunts every internal auditor at parties? It’s fairly difficult to explain to people who are not familiar with the field or its concepts exactly what internal auditing is. Inevitably, after several rocky minutes of explaining what you do, the person will say, "So you’re an accountant?" Or, "You work for the IRS?" Very frustrating. Unfortunately, there is really no succinct way to explain the field of internal auditing. At is core, internal auditing is about organizational objectives, threats to the achievement of those objectives, controls to mitigate those threats to an acceptable level, and continuous monitoring and improvement of these interactive components. Per the Institute of Internal Auditors (IIA):

Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

This is one of those definitions that sounds impressive but probably doesn’t do much for someone without a foundation in business or accounting. Heck, even some involved in business might think, "So what do you really do?" Essentially, internal audit involves several steps and processes that are iterative in their approach, but produce vastly different results depending on the nature and type of area being audited. The basic steps in the internal auditing process are as follows:

1. Conducting a formal risk assessment for the organization (what’s important to investigate)
2. Creating an audit universe (what is potentially auditable)
3. Creating a risk-based audit plan (what will you audit and when)
4. Executing your annual audit plan (actually performing the audit)
5. Reassessing and reforming (start over again)

This is the basic cadence of internal audit. Within each activity, there are standard methodologies and approaches. For example, for each audit that you will execute, you will follow these steps:

1. Understand and document the processes and procedures of the function or area being audited.
2. Define the objectives of the area or function being audited.
3. Define the risks or threats to the achievement of those objectives.
4. Understand the controls in place to mitigate the risks to an acceptable level or the control weaknesses that exist in support of the risk.
5. Test the controls for adequate design and operating effectiveness and/or quantify the impact of control weaknesses or gaps.
6. Report your findings and offer recommendations for control and/or operating efficiency improvements.
7. Monitor and report managerial mitigation efforts for control weaknesses identified that were outside of management’s risk tolerance level.

That’s the basic iterative process that is followed for every area to be audited. These processes fall generally into one of four buckets as seen in the diagram below:
 

You can audit anything if you just follow these steps. It’s the methodology, not the expertise, that counts. This is how someone with 1 year of post-college experience can audit a process managed by someone who has been working for 20 years, and still bring about valuable recommendations for change and improvement  within that process.

Internal Auditors are sometimes referred to as corporate cops. However, modern internal auditing is much more rich in its application. Best practices in corporate governance call for such broad application rather than narrowly defined execution like beat the sheet—i.e., find the error in the spreadsheet—or financial assurance reviews. Outdated impressions of internal auditing usually focus on financial and accounting reviews. But modern auditing focuses on a much broader set of risks covering the:

• Effectiveness and efficiency of operations
• Reliability and integrity of financial and operational information
• Safeguarding of assets
• Legal, regulatory, or contractual compliance

Within an organization, the Internal Audit Department is usually ran by a Director or Vice President of Internal Audit (you may also see the term "Chief Audit Executive" or CAE applied in some cases) that reports to either the Chief Financial Officer (CFO), the Chief Executive Officer (CEO) or the Audit Committee of the Board of Directors. Best practices dictate that the Department report to the Audit Committee with only administrative reporting to the business in order to maintain the Department’s independence and objectivity in the execution of their duties. The activities and responsibilities of the Internal Audit Department are usually spelled out in an Internal Audit Charter that is signed and periodically reviewed and approved by senior management and/or the Audit Committee of the Board of Directors.

Internal Audit should periodically meet with the Audit Committee of the Board of Directors in order to discuss the results of their activities and any related concerns. It is not uncommon for internal auditing activities to be 100% outsourced or partially co-sourced to a third-party company that specializes in such activities. There are a handful of dedicated internal audit firms (i.e., they do not perform financial assurance activities) and most tier-one and tier-two accounting firms have specialized units that conduct internal audit consulting activities. As long as the firm is not also performing the companies’ financial audit there isn’t usually a problem with this type of arrangement.

Internal Audit as a profession has grown significantly with the corporate scandals of the late 1990’s (i.e. Enron, WorldCom, etc.) and the subsequent passage of the Sarbanes-Oxley act of 2002. These events thrust financial controls and related weaknesses into the limelight. As many organizations struggled to comply with the new legislation, organizational management frequently relied upon Internal Audit to administer compliance efforts, given their expertise in the field of risk and internal controls.

Adapted from the now-defunct Accounting Nation web log.