Tag Archives: sox

Quote: Not Concerned about General Ledger Changes

Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.

2 changes that were submitted by developers on her behalf.

2 changes she didn’t know anything about, so she didn’t consider them her problem.

This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.

 

Continue reading


4 Comments

Filed under Audit, Case Files, Quote of the Weak, Security, Security Scope

How to Perform Population Validation

Do you perform appropriate population validation of the data you rely on in an audit?

Population validation is simply gaining confidence that the data you are using in your audit contains all the appropriate data for your audit objectives (e.g., your server list includes all the SOX servers).

For the difference between population validation and data validation, see Why You Must Validate Data.

So how do you do population validation? Let’s look at an example…

Continue reading

10 Comments

Filed under Audit, How to...

How to Audit User Access

When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in a local server group, Active Directory (AD) group, or UNIX group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permissions (from home-grown application code or an enterprise identity management system)

Continue reading

8 Comments

Filed under Audit, How to..., Security, Technology

Biggest Problem in Computer Security

What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s…

Staffing.

As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good pondering.

Continue reading

Leave a comment

Filed under Audit, Security

Security Diagram and SOX Space Lazer

I recently found a Sarbanes-Oxley (SOX) Space Lazer (sic) on a network security diagram. No kidding. The following items also appeared:

  • Interstate 495
  • Wang 5000
  • Batphone
  • Peanut butter
  • Printer of evil
  • Gene Hackman
  • Automated Retirement Party Flyer Generation Appliance

Continue reading

Leave a comment

Filed under Humor/Irony, Security, Technology

Why Hate Auditors?

If you’re an auditor, you’re most likely not the most popular person around, at least in most companies. Unfortunately, auditors are hated (I don’t think that’s too strong a word in some circles) for a number of reasons, as noted below. Fortunately, most of them are avoidable.

  • SOX is a waste of time. For most auditees, SOX takes a lot of valuable time away from accomplishing the “real work” of keeping the business running. When you hear this complaint, it usually means one or more of the following is true: Continue reading

2 Comments

Filed under Audit

More Pain, No IT Auditors Hired

I don’t make this stuff up…

In a recent phone interview where I was trying to hire an IT SOX auditor for a short-term project, I had asked most of my interviewing questions. So I asked the candidate, “Do you have any questions for me?”

“You said that this project consists solely of testing IT SOX controls. SOX is now 5 to 6 years old. What is driving this project?”

I swallowed my surprise, and answered, “SOX compliance – annual testing requirements.”

“Oh,” said the consultant, “That makes sense.”

[You know what that means, don’t you? More interviews. Help!]

Related Posts:

Interviewing IT Auditors

Bad Interview Qs

More IT Auditor Interviews…

Pain of Letting (Auditors) Go

4 Comments

Filed under Audit, Employment

SOX on Trial?

David S. Hilzenrath, of the Washington Post, writes:

    The Supreme Court yesterday agreed to consider a challenge to the Sarbanes-Oxley Act of 2002, the centerpiece of the government’s response to the watershed accounting scandals at Enron and Worldcom. Continue reading

Leave a comment

Filed under Audit

5 Security Steps for Non-Big Businesses

Lenny Zeltser suggests 5 steps that mid-market organizations can take down the security path:

  1. Identify key data flows
  2. Understand user interactions
  3. Examine the network perimeter
  4. Assess the servers and workstations
  5. Look at the applications

Continue reading

Leave a comment

Filed under Security

Attackers Don’t Help Companies, PCI Does

Is PCI still relevant? Some are proclaiming that PCI is irrelevant due to the recent, high-profile breaches. David Mortman disagrees, and I’m on his side.

Continue reading

Leave a comment

Filed under Audit, Security