Understanding the Demand for IS Audits

For decades, the dominant control placed upon an organization was the financial audit. Although theft and fraud have always existed, the general expectation was that almost all organizations could be trusted without additional regulations. We expected management to be honest. Well, those naive days are over. Welcome to the new world, which has a growing number of intrusive regulations. Modern business culture is moving rapidly to less trust and more testing.

Let's reflect on a few of the great people who created this wonderful job opportunity for us. Mom always said to give special recognition to those deserving people who help you further your career opportunities:

• Italy's Parmalat dairy scandal occurred in 2003, when executives admitted that an account that was supposed to be holding 4 billion Euro dollars of assets in the Cayman Islands did not exist. The 14 billion Euro organization collapsed into bankruptcy. According to industry news, four of the world's leading banks were indicted in June 2007 for their participation.
  
  
• Adelphia Communications Corporation executives John Rigas and son Timothy Rigas were convicted of securities fraud, bank fraud for misrepresenting the source of $1.6 billion of funds used in company stock, and stealing $51 million in cash advances. Rigas's illegally misrepresented $2.6 billion of off-balance sheet loans, which led to the company's collapse in 2002. In July 2006, Comcast and Time Warner purchased the failed company and relocated it to Colorado.
  
  
• American International Group (AIG) former CFO Howard Smith overstated income by $3.9 billion (10 percent of income) and loss reserves by $500 million to quiet analyst complaints about AIG's declining financial reserves. Executives at the world's largest insurer are struggling to recover. Securities and Exchange Commission agreed to settle after AIG agreed to pay over 1.6 billon in damages. SEC did not release Mr. Smith from prosecution as the case continues to progress.
  
  
• Arthur Andersen executive David Duncan violated his independence with his client, CFO Andrew Fastow of Enron. Duncan participated in improper, biased activities for Enron by ordering his staff to shred documents to obstruct the Enron investigation.
  
  
• Cendant Vice Chairman E. Kirk Shelton was convicted of fraud in an accounting scandal for falsely inflating income to drive up the stock price.
  
  
• Converse Technology CEO Jacob "Kobi" Alexander was captured by Federal authorities after fleeing the country in an attempt to avoid prosecution for orchestrating a fraudulent scheme of backdating options while running a secret stock options slush fund. This illegal scheme made millions of dollars. CFO David Kreinberg and General Counsel William Sorin voluntarily surrendered to authorities for their participation in the scheme. All three are currently in jail awaiting prosecution.
  
  
• Enron executives Ken Lay, Jeffrey Skilling, Andrew Fastow, Lea Fastow, Ben Glisan Jr., and Dan Boyle were proven guilty for running the world's largest scam of off-balance sheet (OBS) transactions.
  
  
• International Product Investment Corp. (IPIC) CEO Gregory Earl Setser was convicted of conspiracy, securities fraud, and money laundering Mr. Setser has been sentenced to 40 years in prison without parole and ordered to pay approximately $62 million in restitution for running an investment pyramid scam.
  
  
• ImClone Systems CEO Samuel D. Waksal was sentenced to more than 7 years in prison and ordered to pay $4.2 million for insider trading in his attempts to sell off his shares of stock after learning that the Federal Drug Administration was planning to reject ImClone's application for Erbitux, a new cancer drug. In a twist of irony, the FDA granted tentative approval for Erbitux the day after Waksal was sentenced.
  
  
• Former HealthSouth CFO Weston Smith was sentenced to 27 months in prison for his participation in the $2.7 billion accounting fraud at the company. Smith was one of five ex-CFOs who agreed to plead guilty and testify against former CEO Richard Scrushy. Ultimately Scrushy was acquitted on all counts of the accounting fraud charges.
  
  
• Tyco ex-CEO Dennis Kozlowski is serving 8-25 years in prison for stealing $134 million from the company. Ex-CFO Mark H. Schwartz was given the same prison sentence. The scheme involved grand larceny, conspiracy of falsifying business records, and inflating statements of operating income by at least $500 million by using improper accounting practices.
  
  
• Patterson-UTI Energy CFO Jody Nelson was sentenced to 25 years and $77 million restitution for a phony invoice scheme of embezzling $77 million for personal use. (Criminal filing took only two weeks to freeze accounts and assets.)
  
  
• Lincoln Savings and Loan CEO Charles Keating was found guilty of causing the $2.6 billion collapse of the savings and loan industry in 1988. So far the estimated cost of the bailout is said to be over $110 billion ($10 from every person in America). Mr. Keating accused the auditor of having a vendetta against him for bringing the evidence to the attention of regulators.
  
  
• WorldCom ex-CEO Bernard Ebbers is serving 25 years for securities fraud and filing false reports concerning an $11 billion accounting fraud. WorldCom triggered the creation of the U.S. Sarbanes-Oxley Act of 2002 (a corporate governance law for internal controls). CFO Scott Sullivan testified against Ebbers to get a reduced sentence. Controller David Myers admitted he told the accounting staff to make billions of dollars in adjustments to financial statements so their stock price would rise. Former accounting director Buford Yates went to prison for following the orders of his superiors to make billions of dollars of unexplained adjustments in financial records.
  
  
• More than 1,000 successful corporate fraud convictions by the U.S. Securities and Exchange Commission (SEC) from 2002-2005 include the following:

• 92 corporate presidents
• 86 chief executive officers (CEOs)
• 40 chief financial officers (CFOs)
• 14 chief operating officers (COOs)
• 98 vice presidents (VPs)
• 17 attorneys (lawyers serving as corporate council)

Times are rapidly changing worldwide. These global businesses were damaged by bad executive decisions. Even some common business practices that were acceptable five to ten years ago are now illegal. No one in their right mind would want to suffer the fate of those poor souls.

New regulations for more-stringent financial and internal controls are driving business leaders into a controlled frenzy. You may have heard of the following: Sarbanes-Oxley Act (SOX, for corporations), Gramm-Leach-Bliley Act (financial transactions), Federal Information Security Management Act (FISMA, for government), Health Insurance Portability and Accountability Act (HIPAA), Supervisory Control and Data Acquisition (SCADA, for utilities), Fair and Accurate Credit Transactions Act (credit processing), Federal Financial Institutions Examination Council regulations (FFIEC), Payment Card Industry (PCI), and numerous privacy laws worldwide. These are just a sample of the regulations and regulators facing today's businesses.

All of these regulations require businesses to possess two simple components:

• Evidence of business integrity
• Evidence of internal controls to protect valuable assets

An asset is defined as anything of value, including trademarks, patents, secret recipes, durable goods, data files, competent personnel, and clients. Although people are not listed as corporate assets, the loss of key individuals is a genuine business threat. We can define a threat as a negative event that would cause a loss if it occurred. The path that allows a threat to occur is referred to as vulnerability. Your job as an IS auditor is to verify that assets, threats, and vulnerabilities are properly identified and managed to reduce risk.

In the past, businesses were allowed to operate with fewer restrictions. The problem with past regulation (or lack thereof) was that many organizations were taking risks that would have been unacceptable to investors and business partners had they been fully informed of corporate actions. Financial auditors were focused on bank balances and transaction totals proving to be correct. Increasing automation enables little mistakes to cascade into massive catastrophes. Stockholders, customers, and the government are looking for reassurance that management has taken the necessary precautions to prevent loss or corruption.

Our economy is founded on banking and investment. The majority of our global economy invests directly or indirectly in stock and financial markets. You may be an indirect investor through pension funds or bank investment portfolios. Unfortunately, there exists a group of individuals who view stock as their own private monetary system. How wonderful it must be to have our money at their disposal, without any terms of repayment, without interest or consideration, and without the requirement to ever pay the money back. Sounds ridiculous, doesn't it? But frankly, that is exactly how the stock market operates. You invest money with the hope that one day you will see something in return, knowing that you could lose it all.

One of the purposes of a controls audit is to ensure that there is reason to believe investors' money is protected from stupid mistakes. Our free enterprise strives to prevent another market collapse and protect the world banking system from crashing. We expect management to specify policies and to create procedures, processes, and safeguards to prevent loss and corruption. It is the job of management to design a solution that effectively protects corporate assets.

As an IS auditor, you must be familiar with the various policies, standards, and procedures of any organization or company that you are auditing. In addition, you must understand the purpose of your audit.