
Archive for October, 2007

Compliance Without Tears

Friday, October 26th, 2007

www.eweek.com

Practically every enterprise must abide by and demonstrate compliance with some group of regulations intended to head off the next Enron or WorldCom scandal or headline-grabbing data breach.

What’s more, since so many of the routes through which organizations reach and demonstrate compliance run through their IT infrastructures, this rat’s nest of requirements tends to end up in the laps of IT managers.

Fortunately, as eWeek Labs has learned, much of what you need to satisfy regulations most likely already exists in your organization. And for IT departments in search of a return-on-investment case for system management improvements, regulatory compliance can offer a Y2K-style opportunity to enact needed enhancements.

View the Resource

Continuity Corner - BS 25999 Launch

Friday, October 26th, 2007

Tuesday, October 30th is the world-wide launch of the British Standards Institute's (BSI) new Business Continuity Management System standard, BS 25999-2. The launch in the United States will take place in New York, and over 200 people are expected to be in attendance. On the same day the standard will also be launched in London, England and Tokyo, Japan.

As a long-time holder of a CBCP (Certified Business Continuity Professional) certificate and someone who follows the DRII (Disaster Recovery Institute International) Generally Accepted BC Practices, I was originally skeptical that this standard would do anything but further confuse everyone about how to develop, implement and maintain a business continuity plan. But I've become increasingly excited about this new standard. My excitement has increased for two reasons:

1. The standard is auditable, and a company, not a person, will get certified. All previously recognized certifications have focused on the practitioner and not the organization. It will always be important to have organizations that certify a practitioner's competency to design, develop and implement sound Business Continuity Plans. However, increased scrutiny not only by regulatory agencies but also within the supply chain has placed new emphasis on a company's ability to develop and sustain comprehensive Business Continuity Plans.

An increasing number of companies are being asked by their clients to provide documented, tested and maintained Business Continuity Plans. These requests are combined with the requirement to complete detailed questionnaires developed by each client. A general lack of consistency in these questionnaires has led to companies expending valuable resources to create responses to these requests instead of focusing on implementation of a management system to address the 'real' requirement of having a Business Continuity Plan which is tested and updated as the business grows and changes. Getting certified in this new standard gives a company a leg up in this environment by providing client companies with an internationally accepted certification.

2. The new standard places an emphasis not only on developing a plan, but on the management system surrounding the plan. Too many times I've seen companies develop a Business Continuity Plan and then just let it sit on a shelf. They quickly learn that this type of plan is no plan at all. But, not unlike ISO/IEC 27001:2005 and ISO/IEC 20000, the BS 25999-2 standard is based on the cyclical principle of 'plan, do, check, act.' The strength in using this principle is that a company will now have a set of processes to review, test and continuously improve its business continuity plan. This, coupled with regular auditing by an external party, in this case BSI, can give a company peace of mind that they have a strong enough system in place to overcome most any contingency.

The launch should prove to be a great day, with hopefully a cross-section of industry and governmental business continuity experts scheduled to attend. I'll report to you next week with my thoughts from the launch.

Until then… be safe and remember to 'Expect the Unexpected'.

Recent SOX Headlines

Thursday, October 25th, 2007

PCAOB: The 11 Things Auditors Need to Fix - The audit firms’ oversight body compiles the most serious and common problems it found during its first three years of inspections.

PCAOB Reports on ‘Triennial’ Audit Worries - General trends that the PCAOB found in inspections of 497 so-called "triennial" firms, which are inspected at least once every three years, as opposed to the more frequent inspections that firms with more audit clients are subjected to.

Boards ‘Serve Management, Not Shareholders’ - High-net-worth investors and financial advisers said corporate board members are too closely aligned with the interests of executive management teams, not shareholders.

SEC Commissioner Expects Audit Fees to Decline - "If auditing fees do not come down as a result of these changes, then something is terribly wrong with the interpretation of Audit Standard 5 and perhaps with the competitive landscape in the auditing profession itself."

Internal control audits take top spot on accounting board's priority list - "Now that AS5 has been approved, our focus is on its implementation, and in making sure the registered firms have the information and training they need to appropriately implement the new standard."

Another (Small) Step for XBRL - US rolls out a more complex set of computer-code tags that turn financial statements into interactive data, but critics worry it will be costly to implement.

US audit watchdog finds faults with PwC audits - In total, the board found deficiencies with PwC’s audits for six unnamed companies.

New Corporate Accountability Measures Necessary - Business experts say companies aren’t doing enough to promote accountability, transparency and compliance; responsibilities that usually fall on "gatekeepers" — corporate directors, in-house and outside counsel, and internal and external auditors.


Just as with the Y2K crisis of seven years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002

Public Companies over 75 million already need to comply by 12/15/2007...

Will your SMB be Ready?
