Tag Archives: sox

How to Perform Population Validation

Do you perform appropriate population validation of the data you rely on in an audit?

Population validation is simply gaining confidence that the data you are using in your audit contains all the appropriate data for your audit objectives (e.g., your server list includes all the SOX servers).

For the difference between population validation and data validation, see Why You Must Validate Data.

So how do you do population validation? Let’s look at an example…


Filed under Audit, How to...

How to Audit User Access

When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in a local server group, Active Directory (AD) group, or UNIX group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permissions (from home-grown application code or an enterprise identity management system)


Filed under Audit, How to..., Security, Technology

Biggest Problem in Computer Security

What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s…

Staffing.

As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good pondering.


Filed under Audit, Security

Security Diagram and SOX Space Lazer

I recently found a Sarbanes-Oxley (SOX) Space Lazer (sic) on a network security diagram. No kidding. The following items also appeared:

  • Interstate 495
  • Wang 5000
  • Batphone
  • Peanut butter
  • Printer of evil
  • Gene Hackman
  • Automated Retirement Party Flyer Generation Appliance


Filed under Humor/Irony, Security, Technology

Why Hate Auditors?

If you’re an auditor, you’re most likely not the most popular person around, at least in most companies. Unfortunately, auditors are hated (I don’t think that’s too strong a word in some circles) for a number of reasons, as noted below. Fortunately, most of them are avoidable.

  • SOX is a waste of time. For most auditees, SOX takes a lot of valuable time away from accomplishing the “real work” of keeping the business running. When you hear this complaint, it usually means one or more of the following is true:

Filed under Audit

More Pain, No IT Auditors Hired

I don’t make this stuff up…

In a recent phone interview where I was trying to hire an IT SOX auditor for a short-term project, I had asked most of my interviewing questions. So I asked the candidate, “Do you have any questions for me?”

“You said that this project consists solely of testing IT SOX controls. SOX is now 5 to 6 years old. What is driving this project?”

I swallowed my surprise, and answered, “SOX compliance – annual testing requirements.”

“Oh,” said the consultant, “That makes sense.”

[You know what that means, don’t you? More interviews. Help!]


Filed under Audit, Employment

SOX on Trial?

David S. Hilzenrath, of the Washington Post, writes:

    The Supreme Court yesterday agreed to consider a challenge to the Sarbanes-Oxley Act of 2002, the centerpiece of the government’s response to the watershed accounting scandals at Enron and Worldcom.

Filed under Audit