Wednesday, September 5th, 2007
Sometimes a few words from a software vendor, potential partner or consulting security expert tell you everything you need to know about whose advice is worthwhile — when it’s best to smile and nod, or whether you need to interrupt and challenge someone who’s seriously off the rails. Here are 10 telltale phrases that signal troublesome advice.
"Our software is HIPAA (SOX, etc.) compliant."
No, it’s not.
Many security standards, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, include requirements for the implementation and operation of a system. These detail the actual practice of protecting sensitive data, not just the type or design of security controls.
Proper security controls in a piece of software can support compliance with HIPAA, Sarbanes-Oxley or other regulatory requirements, but a direct claim of compliance-in-a-box is laughable. There’s no way to box up a proven-compliant life cycle into an unimplemented piece of software without incorporating your data and experience.
Have you heard these before?
"It uses an encrypted database."
"… a proprietary security algorithm …"
"You’re 77.83% compliant."
"… all the data at your fingertips …"
"… policies are ready-to-implement …"
"It’s secure; just plug it in."
"… highly customized security system …"
"… completely removes files and evidence …"
"Distribution of your content is controlled."
READ MORE at computerworld.com
Posted in General, Risk Management
Friday, August 3rd, 2007
Following approval last week by the Securities and Exchange Commission of a new auditing standard aimed at increasing the accuracy of financial reports while reducing unnecessary audit costs, public companies should start planning their 2007 audits with provisions of the new standard in mind, according to Accounting Management Solutions, Inc.
The new auditing standard — known as Auditing Standard No. 5, or AS 5 — in combination with the commission’s new management guidance, will make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity.
AS 5 is effective for integrated audits for fiscal years ending on or after Nov. 15, 2007. However, the SEC notes, earlier adoption is permitted and encouraged.
AS 5 replaces Auditing Standard No. 2 (An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements) and is intended to increase the likelihood that material weaknesses in internal controls will be discovered before they result in a material misstatement of a company’s financial statements, according to Greg Starr, AMS Middle Market Practice director.
He added that AS 5 aims to reduce unnecessary procedures and related costs, particularly for public companies with a market capitalization of $75 million or less.
DIFFERENCES BETWEEN AS 2 AND AS 5
According to Starr, the differences between AS 2 and AS 5 are significant and have a direct bearing on the content and execution of the entire audit, starting with the risk assessment. For example, he notes, under AS 5:
1) Management's risk assessment and principles-based judgment are emphasized over the prescriptive auditor-focused approach under AS 2.
2) The risk analysis starts at the financial statement level and entity-level controls.
3) There is an increased emphasis on entity-level controls.
4) The objective is to opine on the effectiveness of internal control over financial reporting vs. opining on management's assessment of internal control (AS 2).
5) AS 5 permits the auditor to place greater reliance on the work of others.
6) There is an increased emphasis on fraud.
START WITH AN AS 5 RISK ASSESSMENT
When complying with the Sarbanes-Oxley Act of 2002 (SOX) for the current year, whether you are a first-time non-accelerated filer or an accelerated filer, Starr advises companies to start with a risk assessment based on AS 5.
While SOX compliance is rarely viewed positively, it provides a great opportunity for companies to take advantage of AS 5 to enhance and fine-tune their control environment, says Starr.
"Putting the appropriate time and effort upfront, and applying the right resources to develop a superior risk assessment will likely reap rewards now and well into the future by reducing SOX compliance costs and audit fees," he says.
Posted in Compliance Management, Regulatory Reform, Risk Management, Sarbanes Oxley
Wednesday, July 11th, 2007
Handling compliance and risk has become an inescapable element of the modern CIO’s role, as CIOs strive to ensure the business can forge ahead without exposing areas of weakness or potential liability. Danny Bradbury explains the dilemma…
Compliance can be a daunting word for IT managers. Ultimately, it’s about managing risk exposure at a broad level. So what can IT directors do to satisfy the rest of the board, especially given that regulations are mostly vague, principle-based affairs? Be thankful for vague rules. The few regulations that meddle with operational specifics aren’t generally helpful security guides, argues Michael Barrett, chief information security officer at PayPal.
READ MORE
Posted in Compliance Management, Risk Management