Deepali Kochhar

Rightly pointed Shahla. But just to say your point in a different way, employees are not the weakest link rather they can be the weakest link in an organisation if the organisation doesn’t have good security policies and standards.
I would like to quote an example to this to explain my point. I would differentiate the experiences which I had…[Read more]

I agree with Wenlin. Good point raised. I have seen this happening in one of the organisation’s I have worked with. Not only employees but interns who were not permanent were allowed to use Personal USB Drives on their office laptops and computers.

In an incident one intern was caught copying some of important official data from project onto…[Read more]

Professor,

Because of the above findings, the audit failed and non compliance was issued for the project. This resulted into corrective action by project leadership including formal security training for the employees, applying controls such as email security so that no such kind (PII) data can be shared over the emails.

Thanks a lot for confirming this professor. We can discuss more on this in the class.

Rightly said Abhay.
Computer users are not not sophisticated users and due to this fact there is a need to provide formal training to all the employees within the organisation so that such incidents can be avoided.

I agree with Binu. This is a very good example to show how information security is not just a technical but a business problem. The example which you gave about the current and ex employees of the organisation, I would like to add one more thing to your point.
It is important to keep the entries of the present as well ex employees up to date in…[Read more]

Good example Sean,
Just to add some more points to your example, segregation of duties can help:

Manage access controls and prevent data leakage(authorization and approval)
Record keeping
custody of assets
Reconciliation

Auditor’s duty is to observe and document the findings. Deployment of the controls is a matter of concern for the stakeholders and not the auditors. Auditor will never make a change or recommendation.

Rightly said Priya. I would like to add an example to your point. If an auditor possess good understanding of Microsoft excel, PowerPoint, it can help the auditor in documenting, reporting and audit planning.

Good example to show how important it is to establish a control environment. Researches show that not implementing the data backup and disaster recovery can lead to downtime in data center and can cost an average of $505,500 per incident.

I totally agree with your point Binu that compliance driven and Profitability driven should not be kept mutually exclusive.
Your example illustrates the same in a very good way. I would just like to add a little description to the same example to show how profitability and compliance driven can be kept mutually inclusive..

While selecting the…[Read more]

I agree with your thoughts but since SOX is governed and administered by SEC, ultimately it proves that there is a loophole in the system which needs to be managed.
Therefore I am not against the point that it has not beneficial but it is insufficient to manage the big scams and require to be followed in a strict way.

I agree with Annamarie and Priya that SOX has been beneficial to the management to establish controls over the processes.

But we cannot ignore the cases such as Lehman Brother case and Bear Stearns Cos. Case which occurred after the implementation of the law where the senior management of the organizations were left uncharged in spite of their…[Read more]

What issues did you find out in the video?

• Employees in the organization are taking IT controls casually.
• Employees are not following the instructions to keep the physical area secure and locked. They are able to access the secure areas without authorization
• Employees are sharing their passwords unknowingly with the coworkers by repea…[Read more]

Hello Abhay,

Based on my knowledge and hands on experience, the auditor’s primary role is to conduct audit and report findings. Deployment of controls does not come under the duty of an auditor.

Q 3. What is the purpose of all auditors having some understanding of technology?

• Technology helps in automating the audit process such as ongoing monitoring of certain internal controls.
• Software programs such as Microsoft word, Excel, PowerPoint have become universal as a foundation technology for audit planning, program, reporting and…[Read more]

. Q 2. How does the control environment affect IT?

Control environment provides discipline and structure for the achievement of primary objectives of the system.
It affects IT in the following ways:
• Creates reliability in IT processes and operations
• Helps in assigning authority and responsibility
• Helps in creating preventive envir…[Read more]

Q 1. What are some current system-related risks that you have experienced in your organization?

System related risks that I have experienced in my organization are:

• Employees leaving their laptop unlocked when they are away from their seats making it accessible to unauthorized people
Sharing of PII (Personal Identifiable information) o…[Read more]

Answer to Q 2.

Sarbanes-Oxley act was implemented in the year 2002 following the major corporate and accounting scandals including Enron and WorldCom. Since then, there have been many question marks on whether the law is a sufficient reaction to the failures or are they just an overreaction.

There have been cases in past 14 years since this…[Read more]

This response is for Question 4. Apologies for the typo.