May 29, 2011

Understanding the Importance of Auditor Confidentiality

Many people are envious of the CISA's position. They see nice cars, lunches with important people, expensive suits, and comfortable expense accounts. Nobody seems to pay attention to the humorous situation of six auditors sharing one folding table while sitting in a closet, balancing laptop computers with only one network jack and one telephone to share. Frankly, the auditor position grants you the luxury of being well-paid observers with professional benefits. Occasionally, your office and travel accommodations may not be the best. However, the reality is that most people look up to auditors with respect.
Your clients expect you to be authoritative and professional regardless of the circumstances. Your office is mobile, so you are depended on to handle decisions in the field. Your clients include the highest levels of management within an organization. Those clients expect you to assist them with your observations and occasional advice. You will deal with the challenges of providing advice in a manner that does not interfere with the independent audit. Remember the independence question raised earlier in this chapter?
Personnel at every level of your client's organization have an expectation of your appearance. You are going to be judged by your speech, mannerisms, clothing, and grooming. You should always wear professional attire to a level more formal than the attire of your client. Your neat and pressed appearance instills respect and confidence. Your courtesy of manner and speech dictates that you should use reassuring words. Any humor by the auditor should always be restrained and professional.

The client entrusts the auditor with sensitive information. A good auditor would never betray that confidence nor allow sensitive information to be revealed at any time. Any breach of confidentiality would be unforgivable. It is conceivable that during your audit, you may discover information that could cause some level of damage to the client if disclosed. You should prepare for the possibility of detecting irregular or even illegal acts that have occurred.
To protect yourself, you must exercise caution and least privilege in all activities. The concept of least privilege refers to providing only the minimum information necessary to complete a required task. It is the auditor's responsibility to implement security controls to maintain confidentiality. Auditors use working papers composed of reports, checklists, and spreadsheets that contain details plus secrets that need to be protected. The information you're privy to may be alarming to some, damaging to others, or trigger additional actions by a perpetrator.
To ensure confidentiality, the auditor should adopt the following operating principles:
  • Sensitive information is the property of the owner and should not be removed from the owner's office by the auditor.
  • The auditor should contact legal counsel for advice concerning confidentiality and laws that would dictate disclosure to authorities. You should follow basic principles of confidentiality at all times.
  • Many auditors use automated working papers (WPs) during an audit. Spreadsheets and report-writing templates are common tools to increase efficiency. We refer to audit checklists, procedures, computer-generated output, templates, and databases as working papers. The next level of automation is entering our workplace to aid even the smallest auditor. This includes more-advanced database automation, evidence tracking, and report-generation tools. The data must be protected with access control and regular data backup. Make sure to back up your work. It would be unforgivable to lose your audit work and client data by failing to implement your own recommended controls.
  • Every auditor should seriously consider using locking security cables and privacy viewing screens for laptops. You will gain respect by demonstrating your concern for maintaining confidentiality while protecting assets. The laptop could still be stolen with broken parts lying on the floor, but at least you would have some evidence that the theft was not completely your fault. At prior audit firms where I worked, these controls were mandatory for continued employment.
  • A document file archive is created during each audit. The archive is subject to laws governing records retention. Every auditor is advised to leave all records in the custody of the client unless criminal activity is suspected. The client shall maintain sole responsibility for the safe retention of the archive.

May 20, 2011

Audits to Prove Financial Integrity

IS auditors may be engaged in a variety of audits. The only fundamental difference between internal and external audits is auditor independence. Although the focus and nature of the audit may vary from time to time, your audit function and responsibilities will remain constant.
Government interpretation of laws and regulations has determined that financial audits and internal controls are interrelated. Medium-to-large businesses undergo a quarterly audit for their financial statements. The goal is to ensure that the executives are held accountable for the accuracy of financial reports. IS auditors are called upon to determine whether the systems used for financial reporting are secure and trustworthy. This connects the integrity of the financial statement to the integrity of the IS environment. You could not ensure the integrity of one without verifying the other.
If financial integrity problems are discovered, a common legal defense is to claim that someone else committed the offenses that created the misrepresentation. However, a well-managed IS environment prevents and detects unauthorized modifications. It takes a series of strong controls to help prove who should be held accountable.
As an example, consider the requirements specified under SOX for public corporations. There are two critical reporting functions that management must fulfill under SOX:
  • SOX Act section 906 statement, in which management attests to the integrity of financials and indicates that no hidden or questionable transactions exist
  • SOX Act section 302 statement, in which management attests that full disclosure of the section 401–404 internal controls has been made to the audit committee, and that no deficiencies or weaknesses were withheld
Management must make their assertions of compliance without reliance on the auditor. The intention of these two statements is to bind management with liability. SOX is essentially a disclosure law. Its purpose is to provide government authorities with a method of ensuring criminal prosecution of corporate officers if management misrepresents the truth.

May 10, 2011

Specific Regulations Defining Best Practices | Implementing Audit Standards

Let's review the basic purpose of several major regulations (see Figure 1). These are predominantly U.S. regulations with worldwide compliance implications due to global outsourcing.

Figure 1: Sample of regulations defining best practices
Every regulation is designed to mandate the minimum acceptable requirements when conducting any form of business within that specific industry. The auditor must remain aware of two types of statements contained in all regulations:
Recommended (Discretionary) These are actions that usually contain statements with the word should—for example, suggested management responsibilities, staffing, control mechanisms, or technical attributes.
Required (Mandatory) These are actions that contain the word shall. Shall indicates the statement is a commandment of compliance. Shall is not optional. The auditor must remember that failing to meet a required Shall objective is a real concern. The regulations serve to protect the citizens at large.
Incredible justification would usually be required to prove the organization's actions do not fall under the jurisdiction of the regulation. The regulator will accept no excuses without a major battle, and on almost every occasion will win any potential disputes. Most juries are composed of individuals who will interpret claims by using a basic commonsense approach without detailed knowledge of a particular industry. Almost all excuses for violating the regulatory objective have failed in court battles.
Each organization in that market is required to meet the objective in spite of cost or revenue issues. In other words, the organization must comply even if it means that compliance will cause the organization to lose money. Failure to make a profit is not a valid exception from the law. The organization must strive to obtain compliance or can be forced to exit the industry with fines and sanctions. The auditor may need to consult a lawyer for advice upon discovery of significant violations.