June 20, 2011

Working with IT Professionals

Most IT professionals can be divided into two categories: supporting roles (IT) or programmers (IS). Let's take a moment to focus on their viewpoints and concerns:
IT Supporting Roles These individuals include help desk, user support, server administrators, and network administration. Their scope of influence is on purchasing, installing, and supporting off-the-shelf products. Therefore, the solutions they propose may follow a specific vendor's product line rather than consider other options. In the media business,99 percent of all solutions will be based on using Apple computers because of the well-known advantages in the complex media production workflow. Generally, Microsoft users work in an office environment, where productivity is based on a simpler workflow of independent tasks: email, word processing, spreadsheets, and less-sophisticated presentations such as PowerPoint. Whether it's Apple or Microsoft Windows users, we are usually referring to commercial off-the-shelf software.
The IT viewpoint of system security is limited to functions such as enabling/disabling settings, running system scanners (antivirus, port, or services analyzer), loading vendor patches, making data backups, and following physical security procedures. IT support systems are primarily geared toward detecting attacks through "known" system vulnerabilities. Utterly rare is any defense in place against attacks on middleware. Middleware is every program or driver existing between the user interface and their data. Actually changing a complete series of default settings when installing programs is extremely rare by IT staff for fear of creating support headaches. IT people almost never run the custom installation nor should the auditor expect IT operations to delete unnecessary lines of program code from an open source software package. The highest security impact rests on the programmers.
IS Programmers Programmers actually decide on the security architecture while designing and writing the software application. This applies to both end-user applications as well as to operating systems. Building in-depth security can be a real pain to developers because the user may never even see it. For programmers, the security is predicated on the services and protocols they choose to use, port numbers, add-in functions by embedding smaller programs, and logic procedures. Advanced yet required security functions such as encrypted databases are dependent on complex key management, often requiring skills beyond the typical programmer.
Today the vast majority of breaches occur through exploiting design faults in software applications. Common hacker targets include embedded login ID with passwords stored in scripts for the programs to interact with other programs. These new attacks against overlooked or ignored program weaknesses are referred to as zero-day attacks because they use specialized types of circumvention not previously known to IT support staff.

June 7, 2011

Secrets of a Successful Auditor

Working with Lawyers

There is much discussion concerning who should hire the auditor. Should it be the client or the client's lawyer? At stake is the legal argument of confidentiality under attorney-client privilege. Most communication between lawyers and the client may be exempt from legal discovery (disclosure). But there is no such legal protection to hide fraudulent activities or conspirators involved.
We suggest that you ask the client. If necessary, the lawyer could issue a letter authorizing the auditor's work on the client's behalf. As an auditor, you have to be able to do your job without intimidation in order for it to be fair and honest work. This should be spelled out in the audit charter or your engagement letter. A good auditor will leave the legal issues to the lawyers and focus on performing a good audit. Truth often serves as an excellent defense.

Working with Executives

New auditors will notice that pressing attitudes in executive management may be different from what you expect. Executives are usually very concerned about the following basic issues:
Current Sales This is the primary indicator of the health of a business. (In government circles, the same concern would be funding.) In a down economy, executives will be seriously focused on how to restore revenue. In executive circles, we regard our jobs as temporary—the job lasts only as long as we report good financial gains. It takes only a few months or two quarters of poor financials before investors will seek to replace the executives in charge, depending on the organization.
Operating Costs Executives keep a watchful eye on operating expenses, capital purchases, payroll, and anything else that has a major effect on financial reporting.
Opportunity Executives are watchful of the present market. What opportunities lay ahead that we should focus on exploiting? These opportunities will create interest in reorganizing the business, adding or reducing staff, and repurposing product lines or services to gain market share.
Executive interest in compliance is based on supporting needs in the pre-ceding three concerns: opportunity, sales, and reducing operating costs.
Most executives understand that legal interpretations usually immunize executives for business decisions made within the power of the organization charter, with proper authority and in good faith, using whatever information was available at the time, indicating due care was used. It is highly unusual to find any deep research was used in the initial decisions.