Sunday, February 22, 2009

Quick Update on Auditing the Cloud

She told us she would, and she did.

My post several days ago concerned a presentation by Leslie K. Lambert of Sun Microsystems on auditing in a cloud environment.

She told us she'd post the slides and indeed she has. The document is posted on the Denver ISACA website.

I've also repackaged it to appear here.

Isaca Issa Feb 2009 Final

All rights are reserved, so be sure to treat Leslie's (and Sun's) copyright appropriately.

Thanks Leslie.

-- Prescott Coleman, CIA, CISA

Wednesday, February 18, 2009

Auditing the Cloud

Readers, I enjoyed a nice luncheon yesterday put on by ISACA where the Vice President and Chief Information Security Officer of Sun Microsystems gave a talk.
Bucking the classic mobility trend of Silicon Valley, Leslie K. Lambert has been with Sun for 17 years, and it is clear she knows her stuff.
She spoke on a number of topics, but one of the central themes was "the cloud." For many, this is a fairly mature concept. Indeed she joked, as have I, that Web 2.0 is already in need of an upgrade to 2.5. Nevertheless, based on the pretty weak responses from the crowd to her questions about cloud applications actually in use, this IT subject may be more something we all know about than something we are really doing.

But it's only a matter of time.

Simply put, the cloud is comprised of services you may rely upon, but which are not run on your own premises - and which largely use the capabilities of the Web for delivery. From a personal perspective, I began engaging the cloud when I let my domain name expire, quit paying for an ISP for my old website, and began relying on Blogger to provide space for my thoughts. I did it again, when I shifted my personal calendar to Google Calendar.

Companies do it when they shift to tools such as Salesforce.com, a Customer Relationship Management (CRM) tool that lives within the cloud and is emblematic of the technology. Indeed, Bill Gates publicly predicted the global use of something like the cloud in about 1998, as I recall. Of course, the idea that we wouldn't buy disks from the store and "load" the software seemed pretty scary then. "Who would have my data? You're kidding, right?"

Within the cloud, according to Leslie (and the profession), there are three categories of service.

  • SaaS - Software as a Service. The personal tools (Google Calendar, Blogger, Jotform, etc.) that I'm using are generally regarded as SaaS.

  • PaaS - Platform as a Service. The underlying Google App Engine is the canonical example.

  • IaaS - Infrastructure as a Service. Not dissimilar from using an external hosting environment, except that it uses cloud computing for the infrastructure. Amazon's online backup is an example of this.

Of course, for auditors the control questions these kinds of new approaches raise can seem daunting.

How do we make sure our data is safe? Can we be sure it's not being tampered with? What is the service's reliability? While it is neat to be able to access our data from anywhere, what about access speed? What about change management? Are we going to be held hostage? What about business continuity and disaster recovery?

She had a number of very full slides detailing these and many more cloud-related risks.

However, as she went through them she began to ask whether these were "new" risks, risks that IT auditors would, as she put it, "need to go back to school on."

The answer, by the end of her presentation, was definitely "no." In the end, though the tools and tactics are changing, the control objectives are not.

What was interesting, and it generated a bit of discussion before time cut it off, is whether the traditional third-party assurance methodologies on which we have relied in the past will be up to the task. For example, one camp suggested that the traditional SAS-70 regime will be inadequate in a cloud environment.

Indeed, there would appear to be a number of layers of responsibility in such a computing model. It may be necessary to dig fairly deeply to figure out all the infrastructure and application providers on which we would be relying.

A SAS-70 cloud, perhaps?

Or would our contracts require that we send our auditors into the cloud to obtain assurance? The VP from Sun suggested that, to an extent, this is what they did, and it cost them money initially to demand a certain level of assurance. However, she did note that Sun provides much of the actual behind-the-scenes infrastructure to these services, so they have a unique position from which to view the risk landscape.

On the other hand, another camp suggested that just as the risks have not fundamentally changed, so too the tools for covering them remain the same. The argument was made that SAS-70s are customized tools to begin with, and need only receive normal adjustment to cover these emerging risks.

I'll resist the temptation to pull a Kent Brockman (The Simpsons news anchor) and say, "only time will tell." Instead, let me say that I welcome comment on this issue.


-- Prescott Coleman, CIA, CISA

Saturday, February 14, 2009

Rotate - Why rockstars should be in audit

Underwriters are the "rockstars" of the property and casualty insurance business.

Just as brokers are in an investment house, pilots in an airline and, to some extent, buyers in a retail business, they are the folks in the organization with the most in-demand or high-value skill.

"What!" you say, "It isn't the Internal Auditors?"

I'm afraid not. As much as I wish it were otherwise.

Yet, the point is that really top-hat audit functions need the company's rockstars to come work with them. Unfortunately, you need them but, frequently, they can imagine nothing more unpleasant than spending time auditing.

Why do we need them?

1) Where they are is where the risk is. In my time in insurance, I found plenty of claims-related frauds and missteps. But that side of the business has an awfully hard time doing serious damage to the company. On the other hand, the $250 million quasi-scam we uncovered resulting from underwriters (and underwriting leadership) run amok did definitely leave a mark.

2) Credibility with the Audit Client. When you walk into an underwriting office...

By the way, since I'm talking about these guys a lot in this post, let me share what an underwriter does. In a property and casualty (P&C) business, these are the dealmakers. They quote the price to insure the building, the business, the fleet of cars, whatever. Then they negotiate and "bind" the insurance company to the risk. The bigger the risk, the greater the rockstar atmosphere. For example, we insured a portion of the World Trade Center and I was at the responsible underwriting office when the attacks came. Within minutes that team knew that we'd only be on the hook for our $300 million portion *if* "they had to tear the buildings down to repair them." Uh oh. Big rockstars.

But I digress.

So, when you walk into an underwriting office ready to do the audit and you have an actual certified underwriter on your team, not only are you likely to do a better job auditing, the manager of that unit is likely to give you a slightly better reception. That respect leads to a better business-audit partnership and ultimately to a more effective audit.

3) Credibility with the Audit Committee. At the end of the day, all the audit function has to sell is its opinion, and the reputation that it's built on. When your team tells the Audit Committee about something scary, and you can demonstrate that you have had *your* rockstar(s) look at it fully, then in my experience the impact is greater.

4) Efficient Time and Resource Usage. There are a lot of audit teams who feel they must visit an audit client's site at least twice. Sometimes more. The first is usually a familiarization tour and the second is focused on testing. While that might work if you have only a few locations or a campus-style facility, it gets very expensive and time-consuming if you have to fly there commercial each time. It is also fairly disruptive to the business.

And, just as importantly, you burn your team out while shrinking the number of audits you can get done in a year.

In my experience, when you have a trained and experienced rockstar on your team, you can significantly reduce the need for the first trip. After all, they should know what to look for.

5) Business Focus. One of the really big traps in the auditing and consulting environment is having your team fall in love with the fictional world of controls. This is the world of audit recommendations that bear no resemblance to the on-the-ground reality of the business. We begin to make recommendations because they seem to fit beautifully with ISO, COBIT, ITIL, the IIA, ISACA, and/or COSO. Yet they have no cost-risk-benefit connection.

I have found that rockstars on your team help prevent this. First, they understand the business better than you do. Second, they expect one day to return to it, so they have a stake in keeping things honest.

Of course, the opposite trap exists too. Your auditors could listen too much to the rockstars and forget good control protocols. From my perspective, this is much less likely. The gravitational field of the Treadway Commission (to name one) is usually too strong.

Taken together, these five points present a pretty compelling case for recruiting rockstars to your audit team. The big remaining question is, "how do you attract them?" Hint - it has nothing to do with music videos, recording contracts, or illegal substances.

Next time, what it takes to lure rockstars to audit.

-- Prescott Coleman, CIA, CISA

[Image from Beagle Productions - Gone by Ten]

Wednesday, February 11, 2009

Why is 2009 so full of New Guidance?

The new year offers a bounty of new guidance and information for the controls, process improvement, and assurance profession.

Batting first in this lineup is the new IPPF. Let's give it a rousing welcome. The IPPF, or International Professional Practices Framework, is smaller than its previous incarnations.

According to the What's New packet available for download,

As the conceptual framework that organizes guidance promulgated by The IIA, the IPPF’s scope has been narrowed to include only authoritative guidance developed by IIA international technical committees following appropriate due process. Authoritative guidance consists of two categories: Mandatory and Strongly Recommended.

This means that less "official" advice and other guidelines have been removed from places like the Practice Advisories and shifted to separate Practice Guides and Whitepapers. Makes sense. Also, there appears to be a commitment to update these standards every three years. Obviously, professional auditors should stand in line at their local IIA bookstore to get a signed and, of course, properly logged/recorded/batched/reconciled copy.

But that's not all.

Following the IPPF's home-run swing is our next hitter: COSO's Guidance on Monitoring Internal Control Systems. COSO, known to its friends as the Committee of Sponsoring Organizations of the Treadway Commission, released on February 4th a new set of guidelines regarding monitoring.

Monitoring is one of the five components of internal control identified in COSO's landmark guidance issued in 1992, Internal Control-Integrated Framework, which remains the primary set of guidance on internal control used in the U.S. It is also at the core of Sarbanes-Oxley Section 404.

The other four components of internal control identified by COSO in 1992 are: control environment, risk assessment, control activities, and information and communication.

I found an illustrative article from the January/February edition of Financial Executive, which includes information from interviews with R. Trent Gazzaway of Grant Thornton and Michael P. Cangemi, formerly FEI President and CEO and FEI's representative on COSO's Board of Directors. FEI, along with the AICPA, the American Accounting Association, The Institute of Internal Auditors (IIA) and the Institute of Management Accountants, make up the sponsoring organizations.

One of the most salient quotes from that article,

Some companies, he notes, were placing too much reliance over too long a period of time on indirect information like budget-to-actual comparisons and key performance indicators (KPI). “As a consequence, small errors were allowed to fester under the radar screen until they became material.” In fact, he adds, “in many cases the indirect information looked normal entirely because the underlying internal controls were broken.”

So, in keeping with my tortured baseball metaphor, we'll all have to agree that the only reason COSO's "at-bat" didn't bring in a run is a snap decision by the third base coach.

Tortured is right.

And batting clean-up in this all-star lineup is the newest member of our team, coming up from the minors only two days ago. Hailing from the Center for Audit Quality is Lessons Learned – Performing an Audit of Internal Control in an Integrated Audit.

While arguably the least "official" of the three major-leaguers we've seen today, nevertheless the CAQ's effort provides some useful intel regarding integrated auditing with respect to SOX.

It also has the benefit of being freely downloadable, where the others are not.

The Lessons Learned document offers 21 practical insights for auditors, including:

  • Understand and Use Management’s Assessment and Documentation as a Starting Point
  • Integrate the Audits
  • Establish the Right Team
  • Identify Material Risks to Reliable Financial Reporting
  • Identify Controls Necessary to Sufficiently Address Identified Risks
  • Take a Risk-Based Approach to Testing Identified Controls

Much of what is here is not new, but it does have a degree of practicality that the other two offerings mentioned here do not. Compared to the works from the IPPF and COSO, the CAQ's effort can be likened to the difference between two speakers at a conference. One talks about the mandatory requirements and the other gives you gritty tools you can use back at the office.

The first feels necessary, but you talk about the second much longer.

--Prescott Coleman, CIA, CISA

Tuesday, February 3, 2009

Deloitte Study Suggests Audit Role in Anti-Corruption

For readers of this blog, I like to highlight new data that describes trends in the audit and consulting profession.

Well, yesterday Deloitte published a new study of 329 executives from around the world on the subject of corruption.

Now, the common headline on this story (the one getting all the airplay) is that only 4 in 10 of the surveyed executives are likely to make a public disclosure, preferring instead to either investigate themselves or wait and see.

While I find that interesting, I thought another couple of statistics deserved some highlighting.

According to the study,

When asked to select up to three sources that would likely lead to changes in the respondents’ organizations, advice from internal auditors was identified by 57 percent of respondents as most likely to lead to changes in an anti-corruption program, while compliance and internal audits were selected by 80 percent of respondents as one of the best ways to measure a program’s effectiveness. In addition, 47 percent of those surveyed said that integrating an anti-corruption program into their internal audit system would make detection and prevention of corruption easier, with an additional 33 percent indicating that it is already integrated.

In recent months, as evidenced by the recession, the Satyam failures (see my post Tis the Season), the Madoff fraud, and other high-profile control failures, the need for robust, well-funded, and independent internal audit functions in organizations (both public and private) could not be clearer.

This new information from Deloitte just continues to confirm it.

-- Prescott Coleman, CIA, CISA