-
Heather D Makwinski wrote a new post on the site ITACS 5205 8 years, 2 months ago
What are some current system-related risks that you have experienced in your organization?
How does the control environment affect IT?
What is the purpose of all auditors having some understanding of […]
-
Heather D Makwinski wrote a new post on the site ITACS 5209 8 years, 2 months ago
This week, let’s keep the discussion informal; we can get to know one another, and get acclimated to using the discussion forum for this course. Post a short bio about yourself, and your experience as it re […]
-
Hi Guys!
It's Vaibhav Shukla here. I am a full-time student in the ITACS program, opting for the cyber-security track.
I am an international student from India. I have completed my bachelor's degree in engineering with a major in electronics and communications.
I have 2.5 yrs of full-time work experience at Wipro Technologies as an application developer and tester.
I have collaborated with a team of 9 software developers to develop a prepaid website portal in Dot-Net.
I have also been involved in black-box testing of Android and iOS applications for a healthcare provider.
Being a tester, I was not able to test the security components of an application, so I am looking forward to enhancing my skills through this program.
Furthermore, being a graduate in electronics, I have knowledge of network components, so I look forward to learning how to secure those network components and servers through this program. -
Hi Everyone,
My name is Julien Rossow-Greenberg. I’m a Lead Technical Support Specialist here at Temple. In my position I do Active Directory, Microsoft Exchange, and network storage administration so I’m eager to cover a number of the topics we’ll discuss in this course. -
Hi all,
I am Scott Radaszkiewicz. I am a technology professional with over 25 years of experience. I am currently the Director of Technology in the New Hope-Solebury School District and have served in this capacity for 11 years. Prior to that, I was the Network Engineer at Upper Moreland School District and worked there for 10 years. I graduated with a BS in Computer Science from LaSalle University and started the ITACS program last year. I also have a small consulting partnership that supports several small business offices with their technology needs.
I’m looking forward to a fun semester with this course!
-
Hi Everyone,
My name is Joseph Nguyen. I am doing ITACS part time; I just started this fall. I am a Network Engineer. All of my experience is in Switzerland. I know Cisco, Juniper, CheckPoint, Windows and Linux well. I just came to the US 6 yrs ago.
Hope to finish this program asap. I started studying for the CISSP 8 yrs ago but never passed the exam. -
Hey all,
My name is Anthony Fecondo and I graduated from Temple’s Fox School of Business in the spring of 2016. I majored in legal studies and minored in MIS. I’m currently enrolled as a full time student in the ITACS program.
I discovered MIS in my junior year and quickly became passionate about the technology industry. I wanted to pursue an MIS degree in place of legal studies, but that would have delayed my graduation by a year. It was at this time that I was introduced to the ITACS program by professor Mart Doyle. After learning about the program, I decided that the Cyber Security track of the ITACS program synchronized with my interests.
My time as a business major has helped me develop a lot of the analytical and critical thinking skills that I’ll need in this program. However, I’m relatively new to the more technical aspects. In addition to the MIS prerequisites for the ITACS program, I also completed MIS 3501-Data Centric Application Development which introduced me to coding. In this course, I learned the basics of HTML, CSS, SQL, and PHP. Since this course, I’ve spent ample time familiarizing myself with Python. Overall, I’ve accumulated 2 years of coding experience.
I’m passionate about learning and more specifically, I’m passionate about the information technology industry. I’m eager to jump into the curriculum and expand my knowledge on network security in order to prepare myself for a career in cyber security.
-
This is my first semester in the ITACS program. I live in Center City, Philadelphia with my wife and 2 cats. I became interested in the program because I currently work as a Cyber Security Systems Engineer for the navy. That fancy sounding title just means that I help secure the information technology systems that operate a ship’s mechanical platforms, such as navigation or propulsion.
My path into infosec/cyber security is a bit complicated. I received an undergraduate degree in Professional Writing from Michigan State University which I used to land a job as a web developer in Silicon Valley. After a few years of doing that, I made a huge career switch and joined the army as an artillery officer. My last job in the military tangentially touched on Information Security, and that’s why I’m here today.
I’m a part-timer and hope to be finished by the summer of 2018. As I’m focusing on the Cyber Security track, I hope to graduate with a CISSP.
-
Hi all,
My name is Jerrin. I’m also a Temple MIS grad. I work as a programmer at the Einstein Medical Center. This is my 2nd semester as a part time student in the Temple ITACS program. I’m excited to be in this class and learn more about what can be done to secure the cyber surface of a business entity.
-
Hi all,
If anyone needs access to the Fedora 23 live image, you can get it here:
https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/
Note: The files are hosted at multiple locations, so it’s probably best to go to the link a few times, get the checksums from a few locations, and make sure that the file you downloaded has the same checksum.
Does anyone have a link to these readings?:
Cole, E. (2016) Network Security. 2 Ed., Boston: Wiley
E. Cole has written quite a few books on Network Security. -
Hi All:
If you are attempting to complete Practical Application 2.1, here is some troubleshooting that I did to complete the assignment. Brian will be updating his instructions to reflect these changes.
Step 1.d
Original : # firewall-cmd -get-active-zones
Change : # firewall-cmd --get-active-zones
Step 1.l
If students install the updates for Fedora 23, they will not be able to find ftp_home_dir to set the Boolean to On. In that case, as you taught me, they will need to turn off enforcing.
Step 5.h and 5.j
Original : ldapadd -x -D cn=Manager, dc=localhost, dc=localdomain -W -f /home/student/basedomain.ldif
Change : ldapadd -x -D cn=Manager,dc=localhost,dc=localdomain -W -f /home/student/basedomain.ldif
(Space removed)
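Why removing the space fixes step 5.h/5.j: the DN is an unquoted command-line argument, so the shell splits it at the spaces and ldapadd receives only "cn=Manager," as the -D value, with the remaining RDN fragments arriving as stray positional words. This added example (not part of the original post) reproduces that word splitting with Python's shlex, which applies the same POSIX rules as the shell, and includes a small DN normalizer; the two command strings are copied from the post, and RDN_RE is a simplified attr=value check, not the full RFC 4514 grammar.

```python
import re
import shlex

# The two command lines from the troubleshooting post, copied as constructed test input.
ORIGINAL = ("ldapadd -x -D cn=Manager, dc=localhost, dc=localdomain "
            "-W -f /home/student/basedomain.ldif")
CHANGED = ("ldapadd -x -D cn=Manager,dc=localhost,dc=localdomain "
           "-W -f /home/student/basedomain.ldif")

# Simplified RDN shape: attribute type, '=', a non-empty value with no comma.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")

# ldapadd options that consume the following word as their value.
OPTIONS_WITH_VALUE = {"-D", "-f", "-H", "-h", "-y"}


def bind_dn_argument(command_line):
    """Return the single word the shell hands to -D after word splitting."""
    words = shlex.split(command_line)
    return words[words.index("-D") + 1]


def stray_words(command_line):
    """Words after -D's value that are neither options nor option values.

    With the spaced DN these are the leftover RDN fragments, which ldapadd
    would see as unexpected positional arguments.
    """
    words = shlex.split(command_line)
    i = words.index("-D") + 2
    stray = []
    while i < len(words):
        word = words[i]
        if word in OPTIONS_WITH_VALUE:
            i += 2          # skip the option and its value
        elif word.startswith("-"):
            i += 1          # flag without a value, e.g. -x or -W
        else:
            stray.append(word)
            i += 1
    return stray


def normalize_dn(dn):
    """Strip whitespace around each RDN and validate its attr=value shape.

    Returns the canonical comma-joined DN, or raises ValueError naming the
    offending RDN (an empty RDN, as in 'cn=Manager,', is rejected too).
    """
    rdns = [rdn.strip() for rdn in dn.split(",")]
    for rdn in rdns:
        if not RDN_RE.match(rdn):
            raise ValueError("malformed RDN: %r" % rdn)
    return ",".join(rdns)


def is_valid_dn(dn):
    """True when normalize_dn accepts the DN."""
    try:
        normalize_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, cmd in (("original", ORIGINAL), ("changed", CHANGED)):
        dn = bind_dn_argument(cmd)
        print(label, "-> bind DN:", repr(dn), "valid:", is_valid_dn(dn),
              "stray words:", stray_words(cmd))
```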
-
Heather D Makwinski wrote a new post on the site Heather Makwinski E-Portfolio 10 years ago
Below is a link to an article posted on computerworld.com that I found really interesting. This piece discusses IT skills that are in demand as more and more companies are investing money in IT and cyber-security. […]
“The Control Environment is the overall attitude and tone of an organization toward internal control.” With that said, the control environment affects IT through management’s decision to implement internal controls or not. It affects the risk of IT, communication of the IT team, management styles, IT monitoring, and ultimately IT’s quality, product, and profitability.
Source: http://smallbusiness.chron.com/internal-controls-accounting-information-systems-66659.html
What is the purpose of all auditors having some understanding of technology?
IT auditors need to understand the technology because without the knowledge behind the technology, auditors would not be able to properly identify the inefficiencies in IT technology, determine the risk with the technology and recommend methods to minimize those risks, etc.
Organizational IT Risks:
-General IT Risks like viruses, space, scans, phishing, hardware and software failure
-Criminal IT Risks like hackers, fraud, Internal destruction, security breaches
-Natural disasters that affect IT systems: hardware damage, downtime, backup system failure, etc.
How about financial auditors or operational auditors? Why is it important for them to have some understanding of technology?
Professor Yao,
Without a doubt, it is salient for financial/operational auditors to have some understanding of technology. The reason I say that is that financial and operational companies are living in technology. Technology systems are the backbone of their business operations. It is literally impossible for those companies to conduct their tasks without any assistance from technology, because they rely hugely upon technology systems, such as ERP, CRM, POS, etc. To that end, it is important for financial/operational auditors to have enough understanding of technology.
Professor Yao,
I agree with Seunghyun as to different technologies being a backbone of an organization.
I also believe that it goes both ways: In addition to knowledge of different technologies, an IT auditor should also have a decent knowledge of the client’s operations and how the organization’s assets and liabilities are recorded.
I agree with Daniel; nowadays organizations are living within technology and businesses rely heavily on technology, especially computer systems. It’s very important for operational and financial auditors to have some understanding of technology because it will help the auditors to better perform the audit. For example, a financial auditor should have knowledge of how to use QuickBooks and understand how to interpret the reports/financial statements created by QuickBooks.
What issues did you identify from this video?
The main issues I was able to identify from the video were employees were ignorant or lacking knowledge of securing their information assets. Leaving the door open after accessing the restricted area, writing down personal passcode and leaving it on the area that anybody can easily access, not being cautious to carry salient information devices such as thumb drives or laptops are not acceptable. In order to fix the issues, a professionally structured control training needs to be placed to educate those employees.
Ian,
Great post. In addition to what you mentioned above, I can add several more elements of the Control Environment in managerial perspectives. The Control Environment benefits organizations to achieve their strategic goals; provide reliable financial reporting to internal and external stakeholders; operate their businesses efficiently and effectively; comply with all applicable Laws and regulations; safeguard their important assets.
Source: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-the-Control-Environment-Practice-Guide.aspx
we will drill down IT risk categories soon…:)
What are some current system-related risks that you have experienced in your organization?
I know while I was still in the military that there was a significant problem with personnel connecting flash drives, iPods, etc. to govt networks and systems. This caused a lot of issues because many times personnel would unknowingly infect the network with malware that was present on their devices from home. Not only that, but there was also the vulnerability presented by a malicious employee who hoped to infect the network with malware, or an employee who wanted to copy NOFORN/Secret data to mobile storage devices for other nefarious purposes.
Yes…we will discuss the data leakage prevention (DLP) program in the information security session. During that session, we will talk about the risk associated with removable drives and the controls that should be in place to mitigate such risk.
When I worked for the Navy and now Lockheed Martin, one of our greatest risks came from your managers, employees, and business partners. If a manager was not treated well, an employee was fired, or a business partner caught a bad deal, all three parties had access to information that they could use against the company. So one risk that we paid a lot of attention to was internal cyber risk. There is no “fix” or even system to put in place to avoid this risk. You can put controls in to help with this but it is hard to battle.
Thank you for sharing your experience Ian.
In this case, asking employees to sign non-disclosure agreements or a proprietary information agreement might bind them to refrain from conducting malicious activity.
I am not sure if that is the only way, but letting everyone know about repercussions, and binding repercussions of breaches with legal actions, removal from job, might keep the situation under control.
Ian – Insider risk indeed is one of the areas business management, risk management and auditors need to pay attention to while dealing with cybersecurity. Insiders, especially those with privileged access, can cause significant damage if the environment is not adequately controlled.
Sean,
I had a similar experience when I was in the Army. Our personal removable devices were all blocked. If we tried to use it, an exotic warning screen was displayed on the screen and the computer even made a warning siren sound. In addition to that, for the security purpose, an intranet was used in the Army bases.
I agree with you that the video presented a lack of security awareness and understanding of its importance. There were also the employees who purposely took their colleague’s password to log into the system to look at payroll data of other employees. Security controls can help mitigate many risks, but personnel who are “up to no good” are very dangerous since they’re already inside the business and its systems.
Sean,
Thank you for your reply! I really like you mentioned “up to no good” personnel. They are bugs in any entities. Personally, I can’t get along with those people. The way I look at them is they are nothing but harming our organizations. Can you think of any instances of preventing them harming our organizations or even not letting them into our organizations at all?
What are some current system-related risks that you have experienced in your organization?
I was working as a Technology Analyst Intern at a firm in Philadelphia. The firm operated heavily on NetSuite ERP & CRM and had branches all over the world. The firm’s IT controls for the foreign branches were unsophisticated, and thus the firm’s system was exposed to logical threats like malware, trojans, etc.
The firm’s Brazilian branch did get hit with a malware called Ransomware. Fortunately, it was a new machine; therefore, no data nor any system was compromised.
You can read more about Ransomware here: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx#what
How does the control environment affect IT?
“The control environment is the foundation on which an effective system of internal control is built and operated in an organization that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets.”
The control environment works as an enabler for an organization and empowers it to achieve its goals efficiently while keeping its assets safe. It ensures that every system and process in an organization has a specific business purpose. An auditor can then make a risk management plan for a particular risk associated with a business function by identifying, analyzing, evaluating and monitoring it using different internal controls.
Source: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-the-Control-Environment-Practice-Guide.aspx
What is the purpose of all auditors having some understanding of technology?
I believe that understanding the purpose of the existence of a particular technology in an organization and its effects on different business processes that go through different business functions is important. This knowledge can then help auditors deploy appropriate internal controls to mitigate different risks associated with processes.
Week One You-Tube Video:
This video was an eye opener about employees who are not properly trained in basic information technology controls and are unaware of the consequences associated with mistakes that can expose an organization to numerous risks.
The firm shown in the video was exposed to machine theft (not locking the door of the storage area), identity theft (saving passwords on sticky notes and leaving the desk without locking the computer), data breaches, etc.
Q 1. What are some current system-related risks that you have experienced in your organization?
System-related risks that I have experienced in my organization are:
• Employees leaving their laptops unlocked when they are away from their seats, making them accessible to unauthorized people
• Sharing of PII (Personally Identifiable Information) over email, resulting in insecure data transmission
• No formal training process designed by senior leadership to educate the employees about the company’s IT Security standards and policies.
• Use of unauthorized data and thumb drives, making the system vulnerable to IT Security threats.
Q 2. How does the control environment affect IT?
Control environment provides discipline and structure for the achievement of primary objectives of the system.
It affects IT in the following ways:
• Creates reliability in IT processes and operations
• Helps in assigning authority and responsibility
• Helps in creating preventive environment against any kind of frauds such as data breach, security and financial etc.
• Safeguards IT Infrastructure
• Ensures data integrity
Q 3. What is the purpose of all auditors having some understanding of technology?
• Technology helps in automating the audit process such as ongoing monitoring of certain internal controls.
• Software programs such as Microsoft Word, Excel, and PowerPoint have become universal as a foundation technology for audit planning, programs, reporting and documentation.
• Use of internet helps auditors to access and share information such as requirements, standards, and audit practices.
• Data analysis tools can help auditors test entire financial and operational transactions and analyze it in real time on an automatic basis.
• Technology can help auditors to identify risk, test controls and examine the data evidence of all that has occurred. This can help business managers to respond timely and benefits the organization.
Source: http://www.protiviti.com/en-US/Pages/Improving-Internal-Audit-Through-Technology.aspx
How does the control environment affect IT?
The control environment can affect IT by requiring mandatory compliance with laws and regulations. Certain laws require a separation of duties and responsibilities. For example, certain employees in a business may have the ability in SAP to create an entry for a new supplier, but that same employee will not be able to issue payment to that supplier. By forcing another employee to issue any payments to suppliers the business makes it harder for a single employee to commit fraud. The control environment in this example forces the business through its IT system to separate duties and responsibilities to prevent fraud.
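The SAP example above is a segregation-of-duties rule enforced through the system's authorizations: no single user may both create a vendor and pay it. As an added illustration (not from the original post, and not SAP's own authorization objects), here is the kind of check an IT auditor would run over exported role assignments to find users whose combined roles grant both halves of a conflicting pair; all user, role and capability names are constructed sample data.

```python
from collections import defaultdict

# Pairs of capabilities that one person must not hold together. The first
# pair is the create-vendor / issue-payment conflict from the post; the
# others are further classic finance conflicts. Names are illustrative.
SOD_CONFLICTS = [
    ("create_vendor", "issue_payment"),
    ("create_vendor", "approve_invoice"),
    ("post_journal", "approve_journal"),
]

# Role -> capabilities it grants. Constructed sample data, hypothetical role names.
ROLE_CAPABILITIES = {
    "AP_CLERK": {"enter_invoice", "create_vendor"},
    "AP_MANAGER": {"approve_invoice", "issue_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "CONTROLLER": {"approve_journal"},
    "IT_SUPPORT": {"reset_password"},
}

# User -> assigned roles. Constructed sample data. Each role alone is clean;
# the conflicts only appear when a user accumulates roles.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "AP_MANAGER"},      # can create a vendor and pay it
    "dave": {"GL_ACCOUNTANT", "CONTROLLER"},  # can post and approve a journal
    "erin": {"IT_SUPPORT"},
}


def effective_capabilities(user, user_roles=USER_ROLES, role_caps=ROLE_CAPABILITIES):
    """Union of the capabilities granted by all of a user's roles."""
    caps = set()
    for role in user_roles.get(user, ()):
        caps |= role_caps.get(role, set())
    return caps


def sod_violations(user_roles=USER_ROLES, role_caps=ROLE_CAPABILITIES,
                   conflicts=SOD_CONFLICTS):
    """Map each offending user to the conflicting pairs they hold.

    The check is on the user's effective capabilities, not on individual
    roles, because a per-role review cannot see conflicts that arise only
    from the combination of roles.
    """
    findings = defaultdict(list)
    for user in sorted(user_roles):
        caps = effective_capabilities(user, user_roles, role_caps)
        for cap_a, cap_b in conflicts:
            if cap_a in caps and cap_b in caps:
                findings[user].append((cap_a, cap_b))
    return dict(findings)


def roles_granting(user, cap, user_roles=USER_ROLES, role_caps=ROLE_CAPABILITIES):
    """Which of the user's roles supply a capability: the evidence for a finding."""
    return sorted(role for role in user_roles.get(user, ())
                  if cap in role_caps.get(role, set()))


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for cap_a, cap_b in pairs:
            print("%s: %s via %s and %s via %s" % (
                user, cap_a, roles_granting(user, cap_a),
                cap_b, roles_granting(user, cap_b)))
```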
Good example Sean,
Just to add some more points to your example, segregation of duties can help with:
- Managing access controls and preventing data leakage (authorization and approval)
- Record keeping
- Custody of assets
- Reconciliation
Hello Abhay,
Based on my knowledge and hands on experience, the auditor’s primary role is to conduct audit and report findings. Deployment of controls does not come under the duty of an auditor.
Deploying appropriate internal controls can be part of the auditor recommendations. Or isn’t he/she allowed to make recommendations?
Auditor’s duty is to observe and document the findings. Deployment of the controls is a matter of concern for the stakeholders and not the auditors. Auditor will never make a change or recommendation.
I don’t believe it’s entirely correct to say that auditors will never make recommendations. In fact, auditors are encouraged to make recommendations to customers. The strongest actions plans to remediate issues are usually the ones that audit and the customer worked on together (known as the “Solution Approach”). This also has the benefit of fostering a cooperative relationship between the customer and audit, rather than audit just listing out issues and then tossing it to the customer to deal with themselves.
However, while auditors can make recommendations, they cannot oversee their implementation, as this would remove their objectivity in future audits.
Please bring this point to the class next week. You are absolutely right. Auditors’ role is to “independently” assess the controls implemented by management. Auditors should neither design nor deploy any controls.
Thank you for clearing it out for us.
Thanks a lot for confirming this professor. We can discuss more on this in the class.
Rightly pointed out, Deepali. In my experience, only the Internal Auditors would make recommendations. The external Auditors would only report their findings.
What is the purpose of all auditors having some understanding of technology?
The purpose of all auditors having some understanding of technology helps make it harder to hide fraud and corruption in a business. Most businesses incorporate technology into their business processes and functions at every level. Auditors need to have a basic and fundamental knowledge of technology, and its uses in the business in order to be effective in conducting audits. The auditors need to have the understanding required to find answers to their questions on their own without relying on employees to take advantage of their inexperience and show them misleading information instead of the truth. Also, by understanding technology, auditors have an awareness of where fraud and corruption is most easily carried out which helps focus their efforts in those specific areas.
Agreed Sean, without an understanding of technology, auditors can get misled by employees trying to hide fraudulent information within the system. Like you said, they must understand it and be able to go through it, finding answers to questions they may have. Companies are using technology to house their information, and auditors must be able to understand it to be able to navigate through it. They do not want to be taken advantage of and get misled. The company could be hiding transactions and information within their system, and auditors must be able to understand and uncover this.
I agree with Sean and Vu. Auditors shouldn’t underestimate the importance of understanding some basic technology knowledge. In fact, most major public companies now own a huge amount of technology-related equipment worth millions, along with other information assets. Without an understanding of technology, auditors may not find potential technology-related risks like an ineffective disaster recovery plan or a weak firewall on the core servers.
[Q] What are some current system-related risks that you have experienced in your organization?
An organization faces risks from varied external and internal factors. I came across many such scenarios at my organization.
Although risk was identified and mitigation actions were followed, in practice while working we faced new risks that came up even after providing solutions. And treating new risks arising from the existing problem was interesting.
Risk : About multiple login sessions
Requirement : One of the clients had a requirement to restrict multiple sessions on more than one system.
Solution : We implemented a policy that would be pushed via the server to detect multiple logons and give the error message “You are logged into another session. Please logout from earlier session to start a new one!”.
Risk 1: We were surprised to see that the policy took longer than expected to run, and for 30-odd seconds while the policy was executing, multiple login sessions were possible.
Risk 2: The policy we executed compared all sessions in the existing LAN. If one person with malicious intent were to log in to machine 1, remove its connection from the LAN and log in to machine 2, the policy could not detect that and would believe the person was logging in for the first time.
Solution: To run the policy script not only on login screen but all throughout as a background process.
Risk : Password storage
Requirement: Passwords must not be stored.
Solution: We educated all employees not to write down passwords, not to share passwords, not to keep same passwords for multiple applications.
Risk 1: There were certain applications that handled live data and needed a password reset once every 15 days. We came across teams that handled 20 such applications at a given time. Following the best practices, it was impossible for them to remember all the passwords. They had to store the passwords. The question was how?
Solution: Password storage tools and approval over policy exceptions regarding the use of this tool.
Deepali correctly pointed out few very important ones.
I believe the most important one is regarding formal training for the employees. Although senior management makes a lot of effort in certification or making brilliant policies, the number of employees directly associated with making those policies is very small, maybe 2-5% of the organization. However, who will let the remaining 95% of employees of the organization know what the security best practices are?
Thus formal training must be conducted on an employee’s first day. To make the training effective, the following can be done:
– Regular training at set intervals
– Make training interesting by having games, videos, posting real life examples
– Make sure of the participation and attendance of the employees
– Revision of the training is important
Rightly pointed out Daniel. To add a few more,
– Employee attitude towards following security practices is shallow
– Laptops are not physically locked. Visitors who are in the building can also have access to those laptops. We are not sure if laptops have encrypted hard disks.
– The employee uses her name in the password. Such passwords are easy to decode and obvious choice. Also she tells that to the person who is helping her reset the password.
Nice post Deepali! It goes without saying, that if someone wants to point out flaws in a system, that someone must have the know how of the system in and out.
The auditor must have the business knowledge, operational knowledge and technical knowledge of the system that they are auditing.
Ex. Requirement 7.1 of PCI DSS requires organizations to “Limit access to system components and cardholder data to only those individuals whose job requires such access.”
[https://www.pcisecuritystandards.org]
To verify accesses, the auditor must have the knowledge of the application, and must be able to retrieve data from database to see what type of access is given to whom.
The IIA has also stated that internal auditors now have to move beyond inspection into an advisory mode in which they can contribute to strategic risk assessment.
In addition to the competency required to audit, I would also like to add that an auditor’s technical knowledge determines the success of the audit. A technically sound person will be able to do a quality audit.
Also, based on my experience, auditors get a defined timeline to complete the audit. If the auditor is not technically sound and lacks business knowledge, he will take more time to understand the process, thus extending the timeline.
IT auditors also have to use many software tools that assist them, and they must keep up to date with advancements in those tools.
What issues did you identify from this video?
The video portrayed the lack of security awareness of some employees. In fact, employees from this company are not aware of the risks they are taking by not securing sensitive information. For example, Rebecca left her password on her desk. By doing so, her coworkers were able to log in on her computer and look up payroll information… It seems like there are no IT/IS procedures in the company. The employees are just doing what they want.
Nice post Said.
I think the manager in the video is not strong enough to demonstrate the restricted policies for the workers to follow. He basically approves the workers to ignore such IT policies such as helping the employees to lock off the computer. If the upper management can demonstrate a strong message on how to protect information by providing proper training, such issues can easily be prevented.
What you are saying can be an example of how control environment affects IT to the extent that management has not established policies and procedures to follow in order to protect information in the company.
What is the purpose of all auditors having some understanding of technology?
Nowadays, businesses use technology to operate or to generate revenue. An auditor whose job it is to carefully check the accuracy of business records must have a minimum understanding of technology. In fact, the more technology he/she understands the better he/she will be.
For example, if an auditor does not understand or has never been exposed to the ERP system used by the company he/she is supposed to audit, how would he/she be able to do his/her job?
I agree with your example. If an auditor cannot independently perform an audit, then there is a much greater chance that the auditor will miss something by having to rely on the benevolence of employees to show them the correct information the auditor is looking for. Having the technological skills necessary to perform the audit independently prevents other employees from misleading the auditor and hiding fraud.
What issues did you find out in the video?
• Employees in the organization are taking IT controls casually.
• Employees are not following the instructions to keep the physical area secure and locked. They are able to access the secure areas without authorization
• Employees are sharing their passwords unknowingly with coworkers by repeating the passwords on the phone and leaving them on their desk, making the system vulnerable to access by coworkers
• Employees are leaving their unattended computer unlocked.
• Pen drive was not kept password secured so when it was misplaced, confidential data breach occurred. Second level of security was also missing of data encryption on the pen drive.
• A company-provided laptop was left unattended in an unsafe place, which led to the laptop being stolen
Q How does the control environment affect IT?
Control environment helps organization increase efficiency and effectiveness of IT governance.
– Establishes control over data being sent out and data that comes in the organization. ex. DLP software
– Control over access management ex. Authentication to access the facility
– Helps in keeping track of actions performed by the employees. ex. Logs can be tracked to check for any discrepancy.
How does the control environment affect IT?
Control environment is the set of values, policies, and procedures defined by the management of a company. It affects IT to the extent that those policies and procedures can be applied to IT. In other words, control environment can set the procedures to follow in IT and/or defined how the IT department should be run.
I agree Said, the control environment does set up rules in a way that the IT team must follow when conducting their work. There is a certain way management wants things run, and the IT team must follow that when they are working on a project. So thus, the control environment affects IT in a major way by setting up these procedures which they must follow.
What are some current system-related risks that you have experienced in your organization?
– Employees leave their desktop without locking it or signing out.
– Employees go to insecure websites
Is it HTTP sites specifically, or insecure sites in the sense of sites with malware embedded? Has anybody suggested to the IT personnel to update firewall settings or set a content filter to prevent going to those types of sites?
People go to all kinds of sites without worrying whether they are secure or not. And, to my knowledge, no one has suggested setting filters. Now that you mention it, I think I will make recommendations.
Let us know how your recommendation goes!
Organizations should develop information security policies and procedures to provide guidance on security practices, including internet access. Most companies use proxy servers to control employees’ internet access; some develop a “black list” or “white list” for the same purpose. In addition, downloading executable files from websites should be restricted, because executable files may contain malware or a virus.
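As an added example that is not part of any post in this thread, the Python below shows the decision a proxy or content filter makes for each requested URL when it combines a block list, an approved-site list and the executable-download restriction mentioned above. The domains in the lists, the extension set and the sample URLs are assumptions constructed for the example, not any organisation's real policy. The point worth seeing is the host match: a naive "ends with" or substring check on the hostname is exactly what lets a lookalike domain through.

```python
"""URL filtering decision: deny list, then executable downloads, then an allow list.

Added example, not code from any post in this thread. The list entries,
extension set and sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed lists. Entries are domains; subdomains of an entry match too.
ALLOWLIST = {"example.com", "intranet.corp.example"}   # assumed approved sites
DENYLIST = {"malware.test"}                            # assumed blocked sites

# Path extensions treated as executable downloads (assumed set; adjust to policy).
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".bat", ".cmd", ".ps1",
                         ".scr", ".com", ".vbs", ".hta"}


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    A plain endswith()/substring check would accept 'notexample.com' or
    'example.com.attacker.test', so the match must respect label boundaries.
    """
    return host == domain or host.endswith("." + domain)


def is_executable_download(url: str) -> bool:
    """True if the final path segment carries an executable extension.

    urlsplit() separates the query string, so '/Setup.EXE?x=1' is still caught.
    """
    last_segment = urlsplit(url).path.lower().rsplit("/", 1)[-1]
    dot = last_segment.rfind(".")
    return dot != -1 and last_segment[dot:] in EXECUTABLE_EXTENSIONS


def decide(url: str) -> str:
    """Return 'allow' or 'deny:<reason>' for one requested URL."""
    # .hostname is already lowercased and stripped of the port by urlsplit().
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "deny:unparseable"
    if any(host_matches(host, d) for d in DENYLIST):
        return "deny:denylist"
    if is_executable_download(url):          # applies even to approved sites
        return "deny:executable"
    if any(host_matches(host, d) for d in ALLOWLIST):
        return "allow"
    return "deny:not-approved"                # default deny: approval comes first


if __name__ == "__main__":
    for url in (
        "https://www.example.com/reports/q1.pdf",
        "http://example.com.attacker.test/login",
        "https://EXAMPLE.COM:8080/dl/Setup.EXE?x=1",
        "http://updates.malware.test/patch.msi",
    ):
        print(f"{decide(url):18} {url}")
```

The order of the checks is deliberate: the block list wins over everything, the executable rule applies even to approved sites, and anything not explicitly approved is denied, which is the "approved sites only, business justification for the rest" model described further down in this thread.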
I have seen both of these at work. I work in a secure area at Lockheed Martin and we actually have individuals that walk around to see if people are breaking these “rules” now. Not locking your screen is an easy mistake to make when you are super busy. Surfing the web and going to sites that may not be secure is tough to monitor but it is definitely happening!
In my previous company we had a policy to use a cable lock when leaving the laptop at your desk unattended, and we had security who would confiscate the laptop. If the laptop was confiscated more than 3 times in a year, the employee's manager and HR would be informed to warn him of the consequences.
Setting the policy to lock the screen after 5 minutes of inactivity helps to a certain extent. But yes, 5 minutes is more than sufficient for anyone to get all the data he or she wants.
Web surfing cannot be stopped completely, but we can restrict users from accessing any sites and allow access only to DBS-team-approved sites. For any website they do not have access to, if they need access they should first get DBS approval by providing a business justification.
I agree with you; it is hard to control employees’ practices through monitoring, so I think the company should train employees so they know the importance of information security. Also, the company should improve its IT software in order to reduce the risk.
That’s true! In my previous work experience in a college library, most employees would leave their screen open, even when they had a 3-hour meeting. The library management system has every student’s personal information, which is only available under manager accounts. Staying logged in to the system with an unlocked PC may cause a data leak. Even worse, people can edit the library collection information by using the manager account.
Q: What are some current system-related risks that you have experienced in your organization?
Based on my internship experience over the summer:
1. Some of my co-workers leave their desk without logging off the computer.
This could lead to data being lost or stolen because of a lack of IT security.
2. Post-it notes with username and password are stuck to the working desk.
3. Employees rarely scan for viruses using anti-virus software, and browse insecure websites.
Rightly said, Priya. I would like to add an example to your point. If an auditor possesses a good understanding of Microsoft Excel and PowerPoint, it can help the auditor in documenting, reporting and audit planning.
These are all great points. I would add that knowledge of technology can help an auditor gain credibility with their customers. If an auditor has no understanding of the technology that they are auditing, they may be seen as an outsider by the customers, which can harm the relationship between the two. This can lead to customers misleading auditors by providing them “the answers to their questions, and nothing more”, and can also lead to auditors missing important risks and controls.
Also, not knowing the technology would mean he or she might need to rely on someone else for expertise, or have to spend more time learning and understanding the processes involved.
Annamarie,
I can’t agree more with what you said in your post. Auditors should be knowledgeable about what they are auditing. For example, an IT auditor should be aware not only of the auditees' information technology systems, but of their business and financial structures as well. You mentioned the relationship between auditor and client. I also want to emphasize how important the relationship between the two is in the auditing process. An auditor should be fully trusted by a client so that the auditor can get full assistance from the client in order to gather enough evidence to examine.
Week One You-Tube Video:
What issues did you identify from this video?
There was a complete lack of awareness of and respect for basic security controls. A room required to be secured was left open. Company equipment was insecurely transported outside of the business, which allowed a thumb drive to be lost. Passwords were left unsecured around employee workstations. Password resets were done in a way that wasn’t well authenticated. Employees left their workstations while logged in and unlocked.
I thought it was concerning that an employee could have their password reset over the phone. That makes a social engineering attack much more possible.
Question: What are some current system-related risks that you have experienced in your organization?
Some risks that my organization faces include:
• Employees potentially allowing viruses onto their computer by opening unsecure emails, from within or outside the organization.
• Employees leaving their desktop without locking it, which could lead to unauthorized individuals accessing it.
• Improper password protection, such as writing it down or sharing with coworkers, can also lead to unauthorized access.
• Not securing company property, such as laptops, can cause them to be stolen and accessed by individuals outside of the organization.
Question: How does the control environment affect IT?
A control environment comes from the perceived attitude and actions of upper management regarding the importance of the internal control system within an organization. This attitude will trickle down through the organization and be perpetuated at all levels, so it is crucial that management recognizes the importance of the internal control system. The strength or weakness of the control environment will determine how well risks are mitigated within IT. A strong control environment will usually lead to a greater number of well thought-out controls, while a weak control environment in an organization may lead to fewer controls for IT.
I agree with you. For me, a control environment is more like setting up some rules to help the company improve its management ability. And a good framework will help every aspect of the organization.
I agree. It is important for the leaders of the organization to lead by example. I think it definitely does work its way down to the company’s employees. I keep saying it, but the commitment needs to come from all departments within the organization. It can’t just be the IT department worrying about information security anymore. It’s everyone!
Question: What is the purpose of all auditors having some understanding of technology?
For IT Auditors, the need for understanding of technology is rather obvious. Since technology will be the focus of all their audits, it is crucial that they have some knowledge on the technology that they are auditing. But other auditors, such as Operational and Financial, should also have this understanding, since the processes and such that they will be auditing utilize technology in some way (ERP systems, for example). By having such understanding already, an auditor will spend less time having to educate themselves on the topic. In addition, an auditor showing such knowledge will gain them credibility with their customers, and can prevent them from being misled or missing key risks/controls that they may not have found otherwise.
I agree with your point. Without a doubt, all types of auditors should be able to understand the relevant technology associated with their auditing process because having the knowledge on hand can help them spend less time in learning the topic.
For example:
Mobile applications, on smartphones and tablets, are now top areas for auditors to utilize because they can help them accomplish their objectives by bringing a more reliable, quicker auditing process.
I completely agree with your point that with some understanding of technology, auditors can spend less time educating themselves. Audit resources are limited, so efficiency and how an audit project is organized are important to auditors. With this background understanding of technology, auditors can spend more time on other objectives and enhance the effectiveness of the final audit report.
Question: What issues did you identify from this video.
The biggest issue I identified from this video was the lack of understanding most of the employees had towards the importance of security controls in general. The manager clearly saw training as an annoyance, and not something worth investing time in for the organization. This sort of attitude creates a weak control environment within the organization, which is what leads to problems like we saw in the video, including laptops or other technology properties getting lost/stolen, or employee computers being hacked into.
I agree with you. Actually, I noticed the manager’s attitude in this video. You are right that that sort of attitude from the manager leads to a weak control environment. The company should pay more attention to the training of its employees, including those managers.
I agree that lack of knowledge regarding the importance of security controls was the greatest issue in the video, and that training throughout the organization is one of the best ways to remedy this. I think in addition to the training that all employees must complete, management should receive additional training on how to promote the necessity of controls throughout the organization. The attitude of management largely affects how seriously security controls are taken, so it is crucial that managers understand this and use their influence to help make the organization more secure.
The risk of inappropriate access/use of PII is one that my organization has also identified, and has created several controls to mitigate. First, any emails that contain PII must be encrypted. Additionally, emails can no longer be sent outside of the organization (so employees can no longer email work data to their personal emails). These controls help reduce the risk of unauthorized individuals accessing Personally Identifiable Information for improper reasons.
What about transferring the data onto a USB flash drive?
When I was in the military I remember all flash drives and removable storage were banned from DOD computers. Most computers displayed reminders not to use a flash drive, including on the desktop background of some. I think the primary concern was malware or a virus, but data was definitely a concern for networks with access to sensitive information.
We will discuss Data Leakage Prevention (DLP) program during the class.
I guess management should identify the teams or projects working on PII and specifically limit the capabilities of those machines by pushing security patches or using encryption tools.
In my previous company, we used two-factor authentication for securing client information, especially for ODCs, in addition to the regular BitLocker encryption on the HDD, and made sure that all external drives were disabled: DVD/CD, USB drives. No electronic devices were allowed in those secure environments. And once the project was completed and the necessary information was taken, the machines were formatted and reimaged.
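The two mail controls mentioned earlier in this thread (PII must be encrypted; no mail to addresses outside the organisation) are the kind of rule a DLP program enforces at the mail gateway. The Python below is an added example, not code from any organisation in this thread: it parses a message, flags recipients outside the organisation's domain, and flags an unencrypted body that carries PII. It uses the US Social Security number as the one PII pattern (with the structural rules that reject 000/666/9xx areas, 00 groups and 0000 serials, so ticket numbers are not mistaken for SSNs), treats S/MIME (application/pkcs7-mime) and PGP/MIME (multipart/encrypted) as encrypted, and the organisation domain corp.example and all four messages are constructed for the example.

```python
"""Outbound-mail DLP rule: no external recipients, and PII only if encrypted.

Added example, not any organisation's code. The organisation domain, the
messages and the PII rule (US SSN only) are constructed/assumed.
"""
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "corp.example"  # assumed organisation domain

# US SSN with its structural rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# S/MIME enveloped data and PGP/MIME; both hide the body from the gateway.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}


def recipients(msg):
    """All To/Cc/Bcc addresses as bare addr-specs."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(headers)]


def external_recipients(msg):
    """Recipients whose domain is neither the organisation nor a subdomain of it."""
    external = []
    for addr in recipients(msg):
        domain = addr.rpartition("@")[2].lower()
        if domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN):
            external.append(addr)
    return external


def is_encrypted(msg):
    return msg.get_content_type() in ENCRYPTED_TYPES


def text_parts(msg):
    """Decoded text/* bodies; encrypted or binary parts are not text and are skipped."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def contains_pii(msg):
    return any(SSN_RE.search(text) for text in text_parts(msg))


def evaluate(raw_message):
    """Return the list of policy violations for one outbound message."""
    msg = message_from_string(raw_message)
    violations = []
    if external_recipients(msg):
        violations.append("external-recipient")
    if contains_pii(msg) and not is_encrypted(msg):
        violations.append("unencrypted-pii")
    return violations


# Constructed messages (not real mail). No blank line may precede the headers.
MSG_INTERNAL_PII = """From: hr@corp.example
To: payroll@corp.example
Subject: New hire
Content-Type: text/plain; charset="us-ascii"

Please set up John Doe, SSN 123-45-6789, start date Monday.
"""

MSG_TO_PERSONAL = """From: analyst@corp.example
To: Analyst Home <analyst.home@mail.example>
Cc: lead@corp.example
Subject: taking work home

Spreadsheet attached, nothing sensitive.
"""

# The base64 body is a placeholder, not a real CMS blob.
MSG_ENCRYPTED = """From: hr@corp.example
To: payroll@corp.example
Subject: New hire
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBAGCSqGSIb3DQEHA6CAMIACAQAxAA==
"""

MSG_NEAR_MISS = """From: ops@corp.example
To: it@hr.corp.example
Subject: ticket numbers

Ticket 000-12-3456 closed; order ref 9876-54-3210 pending.
"""

if __name__ == "__main__":
    for name, raw in (("internal-pii", MSG_INTERNAL_PII), ("to-personal", MSG_TO_PERSONAL),
                      ("encrypted", MSG_ENCRYPTED), ("near-miss", MSG_NEAR_MISS)):
        print(f"{name:14} {evaluate(raw) or 'ok'}")
```

Note the limit this makes visible: once the body is encrypted the gateway cannot scan it, so the "encrypt PII" and "no external mail" rules only work together; an encrypted message to an outside address is still caught by the recipient rule, not by content inspection.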
In fact, technology from physical devices to IT systems can be seen in the day-to-day operation of a company. It is important that the auditor (financial, operational, IT…) understands what is going on. I will even go further and say that today auditors must have a minimum understanding of technology.
Indeed, without knowledge of technology I do not think auditors can be efficient in their job. Basic IT knowledge should even be mandatory, because most organizations use technology for reporting, to share data, for benchmarking, etc. For instance, if an auditor needs a specific system in a company, they need to be able to clearly convey their needs to the IT professionals who design that system. Similarly, there are a lot of technological tools available to auditors to make their job easier and faster. However, those tools, such as process-mapping software or software for data mining, require a certain level of IT skills.
What are some current system-related risks that you have experienced in your organization?
Data leak is a system-related risk. The USB port, digital cameras, MP3 players, and external hard drives can now be used to remove data from a computer and the network to which it is connected. Employees can easily copy data from the devices to their home computers before the devices are returned. It is a threat to information that carries data outside the walls.
Viruses are another system-related risk: computer code that can copy itself and spread from one computer to another, often disrupting computer operations.
Human error is also a system-related risk: incorrect data processing, careless data disposal, or accidental opening of infected email attachments.
Q:How does the control environment affect IT?
The control environment is the internal control of the environment. It stands for the upper manager’s attitude and awareness in the organization in order to reduce the risk of the entity. This environment includes many aspects such as business structure, corporate culture, values, operating style, human resource policies and procedures. The information and communication part of the internal control framework is charged with making sure that information gets where it needs to be in the organization. For example, implementation of a policy to report suspected fraud would be included in the information and communication part of the framework.
In addition, a company’s board of directors will comprise individuals, each with a different mindset, such as their approach to taking and managing business risk, attitudes and actions toward financial reporting, and attitudes toward information processing and accounting functions and personnel.
What is the purpose of all auditors having some understanding of technology?
One of the important tasks of internal audit is determining what to audit. Auditors must be efficient and effective in how they use their limited resources by spending their IT audit hours looking at the areas of most importance. IT auditing is an integral part of the audit function because it supports the auditor’s judgment on the quality of the information processed by computer systems. IT auditors have some understanding of technology, and they can use computer-assisted audit tools and techniques, evaluate complex systems development life cycles, and assess information security and privacy issues which can put the organization at risk.
Question: What issues did you identify from this video.
The biggest issue is that the company's employees did not know the importance of, and lacked awareness of, information security and equipment. For example, a room required to be secured was left open. Employees leave their desktop without locking it or signing out. An employee put a company computer in the car at night. Co-workers at the same level know your password, and employees did not keep passwords in a safe place and set passwords with a simple structure.
Q1 What are some current system-related risks that you have experienced in your organization?
I don’t have too much work experience, but I still know some system-related risks, such as the leakage of company information by employees using their own or an external internet connection. Also, thumb drives are unsafe because they can easily bring a virus to company computers, and they are easy to lose because they are small.
Q2 How does the control environment affect IT?
The control environment is achieved based on the organization’s policies, procedures and efficacy. The control environment affects IT because it can establish rules in an organization, and employees follow the rules. As a result, the control environment will create reliable IT processes and support the IT infrastructure.
Q3 What is the purpose of all auditors having some understanding of technology?
An auditor’s job is to carefully check everything about the business. In other words, the purpose of an auditor in an organization is accuracy and a minimum error rate. Nowadays, organizations use computer systems, such as ERP, and the internet to do business and control the company. Thus, an auditor who knows more about technology will be better able to do good work in an organization.
Q4 Week One You-Tube Video: What issues did you identify from this video?
The issues in this video are that the company's employees did not understand the importance of the company's and their own security information and equipment. One example is that they leave the equipment room door open, so everyone can take things without any register. Another example is that the employee leaves the computer password on the table. As a result, everyone can use her computer to do anything in this company. The reason that causes those situations is that the company did not have any employee training or any company institutions and standards.
I agree with you. However, I’m not sure about employees rarely scanning with anti-virus software and browsing insecure websites, because I know some anti-virus software is unsafe and will steal information. I think the company should provide anti-virus software to its employees, which is safer.
I agree with you. The video shows us some basic situations about information security in a company. Those situations are not very big things, but they always happen in an organization. And they will cause some big issues in the future.
What is the purpose of all auditors having some understanding of technology?
If auditors are not familiar with technology, then it will not be possible to adequately audit the organization. Understanding the technology used in an organization allows an auditor to identify risks and inadequate security protocols. For example, sensitive data may be stored on a server with unrestricted access, or may not be encrypted. An auditor must know to look for access controls, and determine what data is sensitive. Without knowledge of access controls to restrict user access, or encryption to protect the data, an effective audit is not possible.
Good point. We will discuss the skillsets required to be a qualified IT auditor.
When we assess IT risks across the enterprise, risks associated with different geographic locations can be very different and should be considered accordingly.
What is the purpose of all auditors having some understanding of technology?
All auditors should have some understanding of technology, as this establishes the auditor's credibility. Otherwise he can be fooled by the client into believing that the control he was suggesting is impossible to achieve, and might not be able to refute that, justify his course of action, or even carry on the conversation. He might not be able to suggest the next course of action to mitigate or control the risk, as he might not have a complete understanding.
For example, an application auditor might be an expert in the application and able to audit it and suggest good controls for the application to work properly. But not having knowledge of the other layers leaves those vulnerable to attackers. While all auditors may not have all the answers, at least having an overall idea of the functionality helps.
Binu,
That’s a good point that you have raised about understanding the technology in order to not get duped. I was thinking this in a different scenario where there is an insider threat, an employee, in an organization who is purposefully showing resistance to an auditor for gains. Thus, understanding of technology does help here as well.
Binu, you’re right when you say that the auditor can be fooled by the client if he doesn’t have sufficient understanding of the IT systems. PMs / leads often try to sweet-talk their way out of an auditor’s finding if they even get an inkling that the auditor might not have in-depth IT knowledge. However, if the auditor is technically sound, stakeholders would refrain from sweet-talking or manipulating their way out for fear of being called out by the IT auditor.
1. How does the control environment affect IT?
According to COSO, “Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. A strong overall control environment and attitude can lead to strong controls over decentralized processes and functions.”
When strong control environment is in place, the employees will:
1. know how to protect intellectual assets using IT technology
2. work within an internal control framework to enhance working efficiency by using IT processes and IT infrastructure
What issues did you identify from this video?
The video illustrates the following IT controls:
1. All employees must be properly trained in the security policies.
2. Protecting passwords: a strong password policy should be in place, and passwords should not be shared with co-workers, written down, or stored in places that are easily accessible.
3. Protection of PII or company data: ensuring that the laptop is locked when leaving for a break, to protect against a data breach.
4. Physical security of laptops and thumb drives: employees should make sure that the data is protected while it is in their possession.
What are some current system-related risks that you have experienced in your organization?
One of the issues that I had seen was that IT technicians and the AD team had access to reset the password of any user under them. But there was no way of knowing who had reset the password. Of course no one would reset someone else’s password without the user’s knowledge, but I felt that it was a risk and could be easily misused.
Please make a note and we should revisit this in a few weeks when discussing Windows audit. Ask yourself “so what”?
In fact, this can be a risk as the technicians can do “something bad” with the users credentials and get away with it.
During one of my internships, IT technicians were able to reset our printer passcodes and were doing 1-to-1 sessions for people who wanted to change their passcode. The bottom line is that they were in possession of everyone’s passcode and were able to print anything with anyone’s passcode.
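Picking up the password-reset risk raised above, as an added example that is not from any post in this thread: Windows does record who reset whose password, provided the "Audit User Account Management" policy is enabled on the domain controllers. Security event 4724 ("An attempt was made to reset an account's password") carries a Subject (the account that performed the reset) and a Target (the account whose password changed); event 4723 is a user changing their own password and is not a finding. The Python below runs the review an auditor would want over a constructed CSV export of such events: attribute every reset to a technician, then flag resets of privileged accounts and resets outside business hours. The account names, the privileged-account list and the business-hours window are assumptions for the example.

```python
"""Attribute Active Directory password resets to the account that performed them.

Added example, not code from any post in this thread. The CSV is constructed to
look like an export of Security events 4724/4723 (TimeCreated, EventId,
SubjectUserName, TargetUserName); names, the privileged-account list and the
business-hours window are assumptions.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed export; 4724 = reset of another account, 4723 = user changed own password.
SAMPLE_EXPORT = """TimeCreated,EventId,SubjectUserName,TargetUserName
2017-09-05 09:12:44,4724,tech.alice,jdoe
2017-09-05 09:40:10,4723,jdoe,jdoe
2017-09-05 13:05:31,4724,tech.alice,msmith
2017-09-05 22:48:02,4724,tech.bob,fin.controller
2017-09-06 08:15:00,4724,tech.bob,da.admin
2017-09-06 08:16:12,4724,tech.bob,svc.backup
2017-09-06 10:30:55,4724,tech.alice,rlee
"""

PRIVILEGED_ACCOUNTS = {"da.admin", "fin.controller", "svc.backup"}  # assumed review list
BUSINESS_HOURS = range(7, 19)                                        # 07:00-18:59, assumed


def parse_events(text=SAMPLE_EXPORT):
    """Turn the CSV export into a list of dicts with a real datetime and int event id."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["EventId"]),
            "subject": row["SubjectUserName"].lower(),
            "target": row["TargetUserName"].lower(),
        })
    return events


def admin_resets(events):
    """Only 4724 events where someone reset an account other than their own."""
    return [e for e in events if e["event_id"] == 4724 and e["subject"] != e["target"]]


def resets_by_subject(events):
    """Who reset whom, in time order: the accountability the post above was missing."""
    by_subject = defaultdict(list)
    for e in admin_resets(events):
        by_subject[e["subject"]].append(e["target"])
    return dict(by_subject)


def reset_counts(events):
    """Resets per technician; a sudden outlier is itself worth a question."""
    return Counter(e["subject"] for e in admin_resets(events))


def findings(events):
    """Resets that need a ticket or a manager's sign-off behind them."""
    out = []
    for e in admin_resets(events):
        reasons = []
        if e["target"] in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged-target")
        if e["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside-hours")
        if reasons:
            out.append((e["time"].isoformat(sep=" "), e["subject"], e["target"], reasons))
    return out


if __name__ == "__main__":
    events = parse_events()
    print("resets per technician:", dict(reset_counts(events)))
    for when, who, whom, why in findings(events):
        print(f"{when}  {who} reset {whom}  [{', '.join(why)}]")
```

The "so what" the professor asks for is the last function: the log alone only tells you that resets happened, and a reset of a service or admin account at 22:48 with no change ticket is the case where a technician could use someone else's credentials and, without this attribution, get away with it.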
What is the purpose of all auditors having some understanding of technology?
“New technologies have changed how information and data is stored, accessed, processed and created, and who and where it can be accessed by.” All auditors have to have basic and fundamental understanding of today’s technology since having the required skills and knowledge will enable them to work with today’s technology advancements to carry out their job more effectively and efficiently.
“THE PROGRESS OF TECHNOLOGY AND WHAT EVERY AUDITOR NEEDS TO BE MINDFUL OF TODAY”
What issues did you identify from this video?
1. Passwords are set to workers’ names. Post-it notes with username and password allow co-workers to easily get access to others’ laptops and log into the business site to look at protected and sensitive information.
2. No strong passwords
3. Negative attitude or low awareness toward protecting business intellectual assets
4. Leave the desk without locking computers
5. Bringing the company’s financial data home and leaving it in the car.
Good post Daniel!
Besides the additional training that has to be in place to educate employees, I think it is very important to train upper management as well, because they also have to treat information security seriously. And management must show a serious attitude toward the restricted information security policies for employees to comply.
I agree with you Priya.
A strong control environment can enhance reliability for the data being transferred within the organization. It basically is a system where all upper and lower level employees can work under the same IT governance to achieve its strategic objectives and safeguard its intellectual assets throughout the organization.
How does the control environment affect IT?
The control environment is the foundation on which internal audit is built. That is, it represents the ethical values, corporate culture, operating style, management style, structure of the organization, and policies and procedures in place. It influences the control consciousness of the people and shows the overall attitude of the people in an organization. If one is not aware of the control environment of the company, then the auditor will not be able to plan an audit or provide an appropriate solution with respect to the company's objectives. Any decision related to IT infrastructure should be made with the company's policies and standards in mind. A control environment helps in mitigating risks to a certain extent.
What you observed were the facts or symptoms of the issues. Ask yourself “so what” ? What’s the consequence?
Professor,
Because of the above findings, the audit failed and a non-compliance was issued for the project. This resulted in corrective action by project leadership, including formal security training for the employees and applying controls such as email security so that no such (PII) data can be shared over email.
You mentioned the board. When dealing with cyber security risk, a large organization’s board should have someone with an adequate background to understand the issue.
How does the control environment affect IT?
A control environment is an established setting in which regulations and procedures are used and enforced by governing bodies of an organization; their main purpose is to influence the control consciousness of their establishment such as providing discipline and structure.
A few examples of a control environment influences can include but are not limited to:
– The organization’s skill set, integrity, and overall ethical values
– The philosophy and operating style of its management team
– The way management allocates power and responsibility amongst their employees
– The overall direction and attention of its organization
Control environments affect IT through management’s implementation of internal controls. The majority of IT application and program controls are performed automatically and are designed to ensure the thorough and precise processing of data. However, internal controls in IT are subject to substantially more risk due to the rapid emergence of technologies, as well as issues that affect business internal controls. IT management must take into account what is relevant to their businesses, as well as the technical environment. Despite the technological benefits brought by IT, control environments are faced with constant threats such as malware, hardware impacts, ERP integration issues, application development challenges, and loss or corruption of data.
Annamarie,
My firm had the same issue that you raised in your post of the employees opening unsecured emails. That is how one of the employees in the Brazil branch had infected his machine with ransomware. Our solution was to implement strict rules onto the Outlook server and additionally implement an anti-spam software solution; it was Symantec, I believe.
Q Week One You-Tube Video:
What issues did you identify from this video?
1. Attitude of employees towards security policies
2. Employees have written down passwords and stored them in vulnerable places
3. An employee uses her name as the password and shares it with the person who is helping her set the password.
4. Employees use a password that is not secured to view other employees' highly confidential data.
5. Laptops are not physically secured.
6. Office spaces which hold critical data are not physically locked.
Q : What is the purpose of all auditors having some understanding of technology?
Auditors must have technical knowledge for all of the following reasons:
1. Auditors must be in a position to study the system and point out discrepancies. Unless they are technically sound they won't be able to find defects.
2. To save time and energy to have a smooth functioning audit
3. To run tools to retrieve audit data and verify audit data.
4. To establish respect in the audit and set the tone of the audit.
5. To perform a quality audit.
What issues did you identify from this video?
The video demonstrated numerous issues and occasions in which the employees disregarded basic IT controls, even though the company had regulations in place. The employees’ lack of knowledge of basic IT controls revealed numerous vulnerabilities when it came to controlling their information assets. A few examples are as follows:
– Leaving the restricted computer area open and unlocked
– Announcing personal passcodes amongst fellow employees
– Bringing in external thumb drives and personal computers, which may be infected
– Leaving company property unattended in a public forum
Question #4 ) What issues did you identify from this video?
The You-Tube video we watched identified several issues within the company. The overall issue in this video was the lack of knowledge of the importance of security within an organization. One specific issue was a lack of physical security: the employees shared passwords or stored them underneath their keyboard, making it very simple for another person to get into their protected data. The employees also never locked their computers as they walked away, making it easy for anyone walking by (employee or not) to gain access to the data on their computer.
Another specific issue was that there was a lack of IT governance overall; there seemed to be no policy enforcement for handling data or any urgency to secure private data such as social security numbers. For example, an employee dropped a USB drive on the floor of a parking lot; the data was not encrypted and was easily accessible by anyone walking by.
Questions #1 ) What are some current system-related risks that you have experienced in your organization?
Current system-related risks I have experienced in my organization are that in certain roles you are given access to a great deal of important data, and there are no controls in place preventing you from moving that data onto an external device or requiring you to encrypt that data as you load it onto the device. Therefore, if I were to misplace that external device, anyone would be able to access company information with very little effort.
Question # 3) What is the purpose of all auditors having some understanding of technology?
All business functions and processes use technology in one way or another to perform tasks. When an auditor goes into a company to perform an audit, they are required to analyze business functions. Therefore, to access these systems they require a basic understanding of technology to be able to maneuver around the systems without assistance, thereby keeping their audit controlled.
Question # 2 ) How does the control environment affect IT?
A control environment affects IT in many ways. It helps establish rules and IT governance therefore enforcing policies and helping maintain data integrity. If the control environment isn’t fond of IT or doesn’t see the importance of it the organization will likely have a smaller budget if any and lax policies for IT and therefore making the organization more prone to vulnerability. If a company’s control environment is pro- it security and it in general – they could possibly have a larger budget to place more measures in place and the whole company as a whole would most likely have stricter guidelines to follow to keep information secure.
Yes, implementing controls means investing resources/spending. It’s a big challenge for management to balance making a profit and maintaining a safe and sound control environment.
Smaller companies or organizations whose primary aim is not IT can always outsource IT services. The benefits include:
•Saves costs
•Increased efficiency
•Focus on core areas
•Save on infrastructure and technology.
•Access to skilled resources.
•Time zone advantage.
•Faster and better services.
What are some current system-related risks that you have experienced in your organization?
During my time working for the City of Philadelphia, I have noticed numerous current system-related risks. One of the biggest issues was that the majority of employees did not stress/know the importance and awareness of security information. If I had to assign one huge system-related risk to the office, it would be data leakage. The extensiveness and volume of personal data collected by the City of Philadelphia, coupled with high turnover and a generally technically un-savvy employee population, enables a breeding ground for data loss. Similar to the video, employees unknowingly bring in external removable data hardware from home and plug it into the city’s computer USB ports, such as cellphone chargers, Fitbits, tablets, removable USBs, cameras, etc., just to list a few. Not only does this put highly sensitive personal data at risk internally, but employees can easily copy data from the city computers to their personal devices. This threat enables viruses, theft, insecure practices, and neglect as a result of human error.
I agree. In addition all auditors regardless of the field they’re in should possess some technical skills so they can at a minimum operate the systems which they are auditing.
I agree, overall the lack of information security or understanding of security policy in the company was scary. Storing passwords in obvious places, storing highly sensitive data on flash drives in an unencrypted manner or simply not securing ‘highly secure’ areas shows the lack of policy enforcement.
Thanks Daniel. I think that the company lacks an information security strategy. There are things that the company could probably do to increase their information security, like: inter-departmental cooperation, educating employees on the importance of information security, and developing a proactive approach to information security.
Great point guys. Actually, I think the biggest problem is that employees typically do not treat company-owned assets the same way they would treat their privately owned assets. Something tells me that if the gentleman in the video who had his car broken into and laptop stolen had paid for that laptop out of pocket, it wouldn’t have been left in the car to begin with. The only strategy that I can come up with to prevent this type of mindset is to focus on regular education to change the underlying culture and how they view company assets, and more importantly the confidential data that can reside on the laptop etc., but also to create some type of personal accountability policy where, if the assets are stolen or lost, the person responsible for the equipment would have to reimburse the company for the associated cost, even though this doesn’t help with the retrieval of the confidential data. Also, they should have to report the theft under a very tight timeline so that the IT group can use remote tools to wipe the equipment clean.
1. What are some current system-related risks that you have experienced in your organization?
Some risks related to my organization:
1. We print all account numbers and passwords to each person to use, for example, email account and password, internal public computer password and printer’s password.
2. All drawers are open in the office, and some drawers have sensitive information about the tenants and the company.
3. Sometimes people put checks and files directly on manager’s desk when manager is not here for the day or on Friday.
4. Some employees have all access keys to all apartments.
5. Sometimes there is no double check for parking payments.
6. Computer and software are not secured and with bare protection.
7. Etc.
There are a lot more risks related to my organization and nobody cares (for now, I know them). I would like to remind our manager of all these risks, even though for now she feels safe about the risks above.
2. How does the control environment affect IT?
The control environment is the upper management’s attitudes and also refers to some other factors, including internal controls, integrity, the organization’s structure, etc., which all affect IT. The upper management’s attitudes will influence the internal control of an organization, and it is important for upper management to understand and manage internal control well within an organization.
For example, within an organization, upper management will care about the attitudes and behaviors of all the different employees, day-to-day responsibilities, and the short-term and long-term goals of the organization.
Upper management also needs to know the importance of potential risks in building a secure organization. For example, the loss of a key person’s flash drive and password. If management and employees within the organization do not care about the internal risks, the costs of the risks would be really high.
3. What is the purpose of all auditors having some understanding of technology?
The main purpose of all auditors having some knowledge of technology is to reduce errors and risks, saving money and time for auditing work. The meaning of auditor is really straightforward: a person who audits. So, to understand how the technology works, all auditors need to be trained on it. Nowadays, businesses and organizations rely on computer systems and technology to process and record work. An increasing number of software products support auditing jobs, including financial audit, operational audit and IT audit, etc., so for all auditors, understanding technology provides more accurate, time-saving and high-efficiency auditing work for all businesses and organizations.
4. What issues did you identify from this video?
The video shows good examples about risks within an organization:
1. Employees lack basic IT knowledge.
2. Passwords written down on the desk or on the back of the keyboard, and no reminders from co-workers.
3. Ignoring the signage on the secured equipment room’s door.
4. Writing all secured information to a flash drive, putting it in a pocket and losing it.
5. Management’s laptop stolen because its importance was ignored.
6. Etc.
In the video, the main problem I concluded is that the company does not have any training for security awareness and nobody cares about risks.
Right, I think that auditors need to know the technology so that they can recommend what fits with the company. Some technology will be better for certain environments and organizations. I think it becomes important at the beginning (recommendations), in the middle (setting up controls), and at the end (enforcing and actively participating in the company’s information security strategy).
IT risk is not purely a technical issue. Although IT subject matter experts are needed to understand and manage aspects of IT risk, business management is the most important stakeholder. Business managers determine what IT needs to do to support their business; they set the targets for IT and consequently are accountable for managing the associated risks.
Deepali,
The last risk, of using unknown thumb drives, occurred during my bachelor’s. It is so easy for an attacker to place a malicious flash drive on a table, and the possibility of someone picking it up and using it is higher because who doesn’t like free storage? The issue is that the attackers are very smart and computer users are not sophisticated users.
Question 1: What are some current system-related risks that you have experienced in your organization?
System-related risks in my organization:
1. Some employees would like to write down the user name and code of their PC, which may allow others to log in to their PC.
2. Around 20% of computers in the organization are still using the Windows XP operating system with an old version of antivirus software.
3. The organization doesn’t have an effective backup plan; most employees need to back up the data by themselves.
4. The employees often stay logged in on their PCs when they leave the office, which may cause information leaks and damage the information assets of the organization.
What issues did you identify from this video?
Some of the issues presented in the video were employees not caring about keeping information secure. They drop USB drives with important customer information unencrypted and easy to access with no passcode. Doors to offices were left open with no security for computers, so that anyone is able to access important data. The laptop was left inside the car and got stolen. Employees were just negligent with the company’s information. The company has to train employees on how important it is to keep information secure at all times, and there have to be measures put in place to protect information so that only employees can access it. They could put a passcode onto all devices so that the employee has to enter their information in order to access the company’s information, so that if it were to get stolen, the thief cannot access it.
What is the purpose of all auditors having some understanding of technology?
The purpose of auditors understanding technology is so that they can access information about the company that may be only available through their technology. Companies are using technology to store important information nowadays, and auditors must be able to understand and access these technologies to follow what is happening and to make sure there is nothing fraudulent occurring. Auditors have to understand what they’re looking at, and companies are adopting more technology to house their information. So auditors must know what they are looking at and be able to navigate through different technology to find information.
Auditors “request” information from auditees. However, auditors usually do not access data/information directly via accessing auditees’ production systems or applications. I will explain this briefly on Wednesday.
Question 2: How does the control environment affect IT?
The control environment includes the factors that have an important influence in establishing a policy or project to minimize the risks. It also stands for the understanding, attitude, and actions of upper management about internal control. The control environment ensures the efficiency of the implementation of the internal control.
If an organization has an effective control environment, upper management will also have a deep understanding of the importance of protecting information assets. From this perspective, management would like to invest more money in enhancing the reliability of information technology, and improve the technical environment in the organization with better servers, new versions of antivirus software on every PC, and higher-performance hardware.
Question 3: What is the purpose of all auditors having some understanding of technology?
Most major public corporations today have millions of IT-related assets like PCs, servers, and many other technical equipment. Without common knowledge of technology, the auditors may not find potential risks related to these technical devices. However, if all auditors have some basic understanding of technology, they can better audit the companies’ financial performance with consideration of information assets. Furthermore, these corporations can also prevent IT-related risks which may cause huge losses in information assets. For example, without effective antivirus software, hackers can monitor the internet traffic flowing in and out through malware, and even copy sensitive business information. If auditors have some knowledge of technology, they can find this potential risk and help the enterprise better protect its information assets.
Question 4: What issues did you identify from this video?
1. Employee underestimates the importance of proper training in basic information technology controls.
2. Employee writes down her system user name and passcode.
3. Employee shares his passcode with someone else.
4. Employee loses his USB, which has sensitive information.
5. Employee loses his laptop because of a lack of physical locks.
Thank you Prof Yao. That reminds me of a question I have had for a long time.
External auditors must definitely refrain from going into advisory mode. Do internal auditors also only recommend ‘what’?
In my experience, during the audit I used to be in an auditor role so that the auditees got the maximum chance to speak up and be crystal clear. However, they always needed help to implement the suggestions to be compliant.
What are some current system-related risks that you have experienced in your organization?
From my experience working in Temple’s International Admissions Office, some of the system-related risks I’ve experienced are:
1. Inputting a wrong scholarship code for a student. An admission counselor may input a wrong scholarship code for a student. The student may receive a higher scholarship than he/she is supposed to receive. If the mistake is not found out, the student may just skate by and receive the scholarship he/she shouldn’t have gotten. This will cause Temple to lose money.
2. Incorrect data entry. Not all applications are submitted electronically. Paper applications will have to be inputted manually into the system. A counselor may input wrong information such as e-mail address, contact number and address. Once an admission decision is made, the student may never know their decision since their contact information is all incorrect.
How does the control environment affect IT?
As the world is moving towards the digital age, the control environment will have a huge effect on IT. Business processes and information are now mostly digitalized, and a failure in the IT system can cause a huge loss to the business. Controls have to be in place to ensure internal or external threats do not cause a failure in the IT system.
What is the purpose of all auditors having some understanding of technology?
All auditors should have some understanding of technology because they have to know how a particular technology functions in a business process. Only by knowing how a technology functions will an auditor be able to check if the technology is running properly or has vulnerabilities. It is also important for auditors to keep up to date with new technologies so they will not be obsolete once companies start adopting new technologies.
Week One YouTube Video:
What issues did you identify from this video?
The main issue I identified from the video is the company or department culture of not taking IT seriously. Most of the employees are negligent when handling IT, leaving a huge exposure to threats internally and externally. E.g. an employee leaving a laptop in a room without securing it, announcing and leaving a username and password in public, and losing a flash drive which contains valuable company information. The controls were not enforced enough to make employees understand the risk they are introducing by acting negligently.
Q 1) What are some current system-related risks that you have experienced in your organization?
A 1) I worked as a Lotus Domino Server Administrator for a short duration at IBM. The Notes architecture is great when it comes to security; it has 7-layer security, so it was almost impossible to break into one’s Lotus Notes or access a database that one wasn’t authorized to access. The company used a large number of applications that were hosted on Domino servers and were accessed through Lotus Notes. Often, when an employee moved to a different role or team, the PMO or the employees themselves had to request for their access to account-specific databases to be revoked. But it was commonplace to forget getting one’s access revoked due to the sheer number of databases that were used on a daily basis. Managers didn’t always get reports on what databases their reportees had access to, so they couldn’t coax the employee to get their access revoked, and although “Continued Business Need” verification activities were carried out, they were usually quarterly or half-yearly activities, which meant that many a time an employee had access to a system he/she should not have had access to for several months before the access was automatically revoked. This is a system-related risk due to manual controls being in place, as someone without the need to know has access to client information.
Most companies have a “provisioning” process to grant, change and revoke user access. However, as you described, the process could rely heavily on manual work. In this case, what do companies usually do to mitigate the risk?
Professor Yao,
You’re right in saying that normally companies have a provisioning process for access-related requests. Where the process is manual, there is usually a point of contact that is in charge and accountable for ensuring that there is no unauthorized access to systems and that strict access control practices are followed. Also, passwords for server IDs or those having privileged access are regularly changed and stored in secure repositories, which greatly reduces instances of unauthorized access. For projects that are smaller in size, the PMs receive a list of their reportees who have access to the systems, and PMs are responsible for submitting access revocation requests.
Q 2) How does the control environment affect IT?
A 2) The control environment lays out the foundation of management’s expectations of the employees. It aims to draw employee attention to how the IT systems must be used and how easily they can be exploited, leading to adverse business impact. When management stresses awareness of following correct IT security practices, employees are more mindful or conscious of their own actions when facing a situation where a security measure could have failed, thereby leading to fewer security incidents on the IT systems and in turn less expenditure fixing those incidents, which would mean lower operational costs.
Rightly said Abhay.
Computer users are not sophisticated users, and due to this fact there is a need to provide formal training to all the employees within the organisation so that such incidents can be avoided.
Abhay & Deepali,
Correct. And that formal training should be updated periodically because hackers/attackers are always finding ways to attack our precious information assets.
Q: What issues did you identify from this video?
A: I was actually shocked by this video; it brought up great points that we should be aware of in a working environment. Employers should provide training for their employees on a timely basis and instill knowledge of how to secure information assets in employees. In the video, employees were negligent and didn’t have a sense of how important it was to secure their PII and the company’s assets. The following are the mistakes that were demonstrated in the video:
1. Keeping personal passwords in a place where they can be easily accessed by others
2. Sharing passwords with others on the phone in public
3. Leaving computers open without locking them or logging out
4. Losing a USB drive that had all the customer data and sensitive information saved, with no backup copy
5. Not locking the door after accessing computers that have restricted data
Great list of risks! In my organization, we are actually facing similar risks. I would like to point out #3. I think one possible suggestion you can give to your co-workers is to have them put checks and files in a sealed envelope and mark it for the attention of your manager, so it will reduce the risk of checks and files being stolen by someone else, and it will also protect tenants’ private information. Of course, the best and safest option would be to hand deliver them to your manager in person.
Also shredding important documents after use would be a good idea and should be encouraged.
I totally agree! Especially when working with sensitive and confidential information, such as phone number, home address and SSN, etc .
Binu, great addition. While working for the City of Philadelphia, I noticed that some employees would not shred court documents, background checks and discovery which contained a substantial amount of sensitive personal information. The lack of this act not only puts the defendants and victims at risk but hinders the agency’s reputation and confidentiality policies.
According to The Top 7: How To Reduce Manufacturing Human Error, “Human error is responsible for more than 80 percent of failures and defects”.
This article contained some beneficial insight into the issues of human error and the ways to combat them in a logical manner.
http://learnaboutgmp.com/the-top-7-how-to-reduce-manufacturing-human-error/
I know in the company I worked for, we would put the checks in envelopes and put them in a locked drawer if the man. We had cases when checks disappeared, and it was a total hassle to explain it to customers who had to write new checks. That definitely didn’t make the company look good.
Thank you for your suggestion Wenting!
Good summary. How about leaving the laptop and other sensitive documents in the vehicle?
Thanks for pointing this issue out Professor Yao, I forgot about that one.
We should never leave anything in our vehicle, even something that might not be worth that much money, like clothes. People might break your car window for anything that they find suspicious.
Therefore, everyone should be very cautious and not leave anything valuable in the car. The best practice would be to not leave anything visible in the vehicle; we never know what the robbers want.
Good observations. You explain the “risk event” or fact. Risk means: what can go wrong? E.g. what’s wrong with still using Windows XP? Let’s discuss during the class.
Professor Yao, I believe Fangzhou meant to point out the issue with using an older version of antivirus.
Fangzhou, I agree that if the systems are using an older version of the antivirus and not regularly updating the antivirus definitions, it is a security risk, as the system is prone to newer types of attack despite running antivirus software. In my previous organization, we had a tool on every laptop or desktop that would list each type of system-related non-compliance, if any, like:
1) If a power-on password was set
2) Whether the latest version of antivirus and firewall software was installed and running with updated virus definitions.
3) Whether whole-disk encryption software was installed and functional
4) If Local databases were encrypted or not
5) If there was any Peer-to-peer software installed
6) Whether screen-saver option was activated with a specific time interval.
These greatly helped in establishing strict system controls.
I believe that as we find solutions or fixes to one set of malware or viruses, there are n number of viruses and malware created and injected into the network every day. We might not be able to generate a foolproof security system that cannot be affected by viruses/malware. But we can have Intrusion Detection and Prevention systems in place to mitigate the risk.
Good point. Remember the OPM data breach in 2015? Tone at the top is the key. We will deep dive into this when we discuss information security. That’s something that keeps all of us up at night.
Yes, I completely agree with you professor about the “tone at the top” to ensure accountability at all levels of the organization.
Additionally, I do remember the OPM data breach. They discovered that the personnel data of 4.2 million current and former Federal government employees had been stolen. Yes indeed that is something very unsettling.
Agree!
Good points. Let’s think about what the most important things are in IT PMO/management. How can they get help to beef up the control environment?
Today, I believe IT PMO is more significant than ever, since IT resolutions are characteristically a combination of altered hardware, traditional licensed and open-source software, and services from diverse sources. Subsequently, this multifaceted combination of IT obliges the skills of a project manager who can harmonize the on-time completion and execution of IT projects that are within the financial plan, while meeting their company’s quality standards.
IT PMO can help beef-up the control environment by establishing and guiding an integrated internal control framework. A few examples being:
– The development of a satisfactory control environment
– Communication and enforcement of integrity and ethical values by implementing control activities in the form of policies and procedures to ensure compliance
– Conducting risk assessments
– Oversight by providing effective communication throughout the organization
– Assurance to competence
Overall, the success of the IT PMO is contingent on how effectively each of these elements functions and how well they coordinate and integrate with each other.
I guess the management should identify the teams or projects working on PII and specially limit the capabilities of those machines by pushing security patches or using encryption tools.
In my previous company, we had 2-factor authentication used for securing client information, especially for ODCs, other than the regular BitLocker encryption on the HDD and making sure that all external drives were disabled: DVD/CD, USB drives. And no electronic devices were allowed in those secure environments. And once the project was completed, after the necessary information was taken, the machines were formatted and reimaged.
Symantec is a great tool but it consumes a lot of processes on the local machine making it very slow.
The same principle applies to internal audit. You will identify control deficiencies and recommend “what” needs to be done, e.g. the need to develop a disaster recovery plan; however, it’s management’s responsibility to actually develop such a plan. Then, as an IT auditor, it’s your job to evaluate the design adequacy and operating effectiveness of such a plan. We will discuss this further throughout the semester.
Just to add my experiences to the conversation. Internal Auditors will generally have a higher knowledge of “How” management might make changes to a control since they usually work for the company and have a great amount of knowledge of the organization and its business. On the flip side, external auditors, whether financial or IT, will more than less just report on a lack of effectiveness within the audit report. Therefore, Internal Auditors might be more inclined to provide “How” they should resolve an ineffective control, which might not show the most independence.
I assume in this case you referred to “clear text” passwords. If that’s the case, that’s definitely a concern. All passwords, for systems and applications, should be encrypted.
What are some current system-related risks that you have experienced in your organization?
I want to share my experience regarding system-related risks when I worked for a grocery store. In my work, we had our own ERP system that we used for ordering merchandise, receiving invoices, monitoring sales and expenses, etc. Although the system has functions including monitoring credential data, everyone from bottom operational employees to the store manager was able to access it with the same passcode. In other words, it didn’t have segregation of access. And whenever the manager changed the passcode (the system required users to change the passcode periodically), he wrote it down on a sticky note and put it on the side of the monitor so that he didn’t have to inform his employees every time he changed the passcode. To do the right thing, my job should have had different access codes for each level of employee.
Daniel, I agree with you. But I think everyone should have a unique access code; I believe it will reduce the risk even more. However, all employees including the manager should have training on the importance of securing information assets for personal and business use. It’s not a good idea to leave sensitive information such as a passcode in public; a person like a delivery guy or janitor might steal the sticky notes or copy down the passcode very easily.
Do you think wrong data entry is an IT risk?
Hi, Binu
You raised a very good and interesting question. I think it can be considered a human error threat.
Data entry errors or omissions could impact data integrity significantly and, to a lesser extent, data availability. One possible way to reduce the human error threat is to have a second person double-check the data entered.
Binu,
I would agree with Wen Ting. While it might not be a big risk, data integrity is not an issue that organizations want to overlook. That is why in many applications, controls are implemented such as edit checks which can essentially check reasonableness when entering data. For example, a computer system might not allow you to attempt to enter a social security number with more than 9 digits or enter two accounts that share the same name and address. Might seem like a simple control for a small risk, but in the long run it can make processes more effective and efficient.
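The edit checks Paul describes, worked through as an added example (not code from any system mentioned in the thread): a field-level reasonableness check on a Social Security number and e-mail address, plus a cross-record check that rejects a new account whose name and address match an existing one. The record layout and sample accounts are constructed for the example.

```python
"""Application-level edit checks for hand-entered records.

Added illustration of the kind of control described in the thread: a record
is flagged when a field fails a reasonableness test, and a new account is
flagged when another account already carries the same name and address.
The Account layout and the sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass

# An SSN is exactly nine digits, optionally written as NNN-NN-NNNN.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# Deliberately loose e-mail shape check: one "@", a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Account:
    name: str
    address: str
    ssn: str
    email: str


def normalize(text: str) -> str:
    """Collapse whitespace and case so 'Jane  Doe' and 'jane doe' compare equal."""
    return " ".join(text.split()).casefold()


def field_checks(acct: Account) -> list[str]:
    """Reasonableness checks on a single record; returns a list of findings."""
    findings = []
    if not acct.name.strip():
        findings.append("name: required")
    digits = re.sub(r"\D", "", acct.ssn)
    # Reject anything other than nine digits, e.g. a ten-digit typo.
    if len(digits) != 9 or not SSN_RE.match(acct.ssn.strip()):
        findings.append("ssn: must be exactly 9 digits (NNN-NN-NNNN)")
    if not EMAIL_RE.match(acct.email.strip()):
        findings.append("email: not a well-formed address")
    return findings


def duplicate_check(acct: Account, existing: list[Account]) -> list[str]:
    """Flag a record whose name and address already exist in the account file."""
    key = (normalize(acct.name), normalize(acct.address))
    for other in existing:
        if (normalize(other.name), normalize(other.address)) == key:
            return ["duplicate: an account with the same name and address already exists"]
    return []


def validate(acct: Account, existing: list[Account]) -> list[str]:
    """Run every edit check; an empty list means the record may be accepted."""
    return field_checks(acct) + duplicate_check(acct, existing)


# Constructed sample account file (not real data).
EXISTING = [Account("Jane Doe", "12 Main St", "123-45-6789", "jane@example.com")]

if __name__ == "__main__":
    candidates = [
        Account("jane  doe", "12 Main St", "987-65-4321", "j2@example.com"),  # duplicate
        Account("John Roe", "3 Elm Ave", "1234567890", "john@example.com"),   # bad SSN
        Account("Ann Poe", "5 Oak Rd", "111-22-3333", "ann@example.com"),     # clean
    ]
    for c in candidates:
        print(c.name, "->", validate(c, EXISTING) or "accepted")
```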
Great insight Paul, I didn’t think about data integrity risk.
Data increasingly drives enterprise decision-making, but like most things, it must undergo a variety of changes and processes to change from raw data to something more usable.
However, data integrity can be compromised. Data integrity practices are an essential component of effective enterprise security protocols. Here are a few examples of how data integrity may be compromised:
– Human error, whether malicious or unintentional
– Transfer errors
– Viruses/malware, hacking, and other cyber threats
– Compromised hardware
As many of our classmates have commented, yes, I do believe incorrect data entry is an IT risk. I think that IT in general is merely a tool that we use in order to simplify business and smooth business processes. People create IT systems and people operate IT systems. The room for human error is always present as long as people are behind the IT systems.
To expand on my workplace example, although we try our best to avoid data entry errors, they are sometimes unavoidable. We sometimes receive applications that may be in different languages, and the conversion to English leaves room for error. On occasion, students themselves may input the wrong spelling of their address or email address, and even if we enter it exactly as written, we have no way to tell whether it was correct.
Mansi,
Great post. It was a pleasure to read your post; you pointed out that the control environment actually helps an organization spend less fixing incidents that could happen because employees are not mindful or conscious of their own actions against security management. An implementation of controls is often considered an extra/unnecessary expense because it does not give organizations/entities/companies direct profits. However, we have learned so many lessons from precedents like the Target security breach. The costs to fix those incidents are enormous.
Q: What are some current system-related risks that you have experienced in your organization?
A: I have experienced some system-related risks in my organization while I was working at a small CPA accounting firm.
There are some physical threats, such as employees writing their login passwords on sticky notes and putting them on the desktop screen, and employees leaving computers open without locking or logging out. Any unauthorized person can easily gain access to our computers.
Also, I have seen many employees visit unsecured websites at work and download things they are not aware of. It is risky because hackers are able to access our network via the websites that employees were viewing, and hackers can gain remote control of our computers through infections such as viruses.
Another risk that I experienced in my organization is infrastructure failure. We rely on an internet connection to keep in contact with clients and update our work progress through Insightly CRM. There were a couple of times the internet connection was down and we couldn’t get in contact with clients because we use Google Voice. Therefore, we could miss out on new opportunities to serve clients, and it could also slow the progress of work.
What are some current system-related risks that you have experienced in your organization?
In the auto commercial insurance company I used to work for, information security was crucial.
Dealers would send us daily a list of their drivers with their names, driver license numbers, social security numbers and addresses so we could process MVRs (motor vehicle reports). Because we ordered the MVRs from third-party companies, every time we had to share the driver lists we had to encrypt the files and put a password on them before sending them via email.
Also, we had the ability to access loss runs from other companies; however, the password was as weak as 12345. I often asked myself how secure and how risky that was.
As a small office we only had one “tech” person responsible for any application crash or software issue. What would happen if that key person were not there? I see that as a huge risk.
There is also the physical security risk: cameras were installed at every cubicle corner, and we had to log off the computer the minute we left the desk, even if it was to go to another cubicle, or at least that is what we were supposed to do. Unfortunately, I have seen a lot of people, myself included, fail to do so, underestimating the actual risk.
What is the purpose of all auditors having some understanding of technology?
All auditors need to understand technology because it is the “center” of most organizations nowadays. Rare are the organizations that are not paperless. Businesses store data in computers and communicate using technology. Therefore, failing to have basic knowledge of IT is a problem, especially for an auditor whose job is to look for errors and system failures. As mentioned in the book IT Auditing: “IT auditors might help review some of the general application controls […]. However, the financial auditors should have the knowledge and be in a better position to understand what sort of data integrity controls […] are necessary for that particular business application” (p. 24).
It would even save the IT audit department time to focus on other matters if all auditors understood basic technology.
How does the control environment affect IT?
The control environment emphasizes the security of an organization. By definition it is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. In other words, it sets the tone of an organization. Therefore, it “defines” the IT function within the organization and how it should be managed. For instance, the control environment can determine whether or not a specific IT system should be implemented in an organization.
Q: What is the purpose of all auditors having some understanding of technology?
A: The purpose of all auditors having some understanding of technology is that in today’s society almost everything is paperless; we all use computers to store information and we rely on these technologies heavily. It’s very important that the auditor have at least some basic understanding of technology and how to operate it.
In addition, auditors use technological tools for data analytics to get a deeper understanding of a client’s business and financial statements, and also to monitor and track audit remediation and follow-up, etc. According to a survey report, electronic workpapers are internal audit’s most commonly used IT tool worldwide, with 72% of respondents reporting at least moderate use.
Source: http://www.journalofaccountancy.com/news/2015/aug/internal-audit-technology-201512855.html
What issues did you find out in the video?
This video shows employees’ lack of awareness about information security. For instance, at the beginning, the girl, Rebecca, mentioned that she doesn’t think they are at risk.
Additionally, there is the problem of physical security. A room that supposedly held important documents/information was supposed to remain locked. Unfortunately, it seems like employees did not care, despite the fact that there was a sign on the door clearly saying that it should be locked. The lady who wrote her password on a post-it note and put it on her computer screen, or even the other one who taped her password under her keyboard, are proof that employees in this company are very negligent and careless. This video is the perfect illustration of employees representing information security vulnerabilities for their company. Proper training and education are needed throughout organizations to minimize mistakes like these.
Reliance on the internet is so dangerous. And I don’t think there is a way to guarantee that it will always work. I’d think companies should have a “plan B” should the internet connection fail, right?
You are right, Brou; nothing really can be guaranteed. However, for my company I will probably suggest to my manager that we add a regular telephone line that does not need an internet connection. Maybe adding a telephone line will help reduce the risk, and we will still be able to work with clients when internet service is down.
I don’t think that employees lack basic knowledge of IT, because if that were the case they wouldn’t be working on a computer to begin with. I think it is more about negligence and lack of awareness about the importance of information security.
I agree with Brou. In the video the employees weren’t aware of the importance of information security, and they didn’t take it seriously. Therefore, they should have training on how to secure their information assets; I believe they have sufficient basic IT knowledge to work with technology.
Yulun,
That’s a very good list of common workplace security risks that most of us would have seen. It’s easy to overlook and miss these, especially printer controls, as employees tend to send a print command and collect the document later. We should always use the confidential print option if the printer supports it.
Desk drawers are often left unlocked and even conference call pass codes are written on white boards.
Tailgating is another common workplace security risk, where employees underestimate the harm that can be caused by giving unauthorised access to visitors.
What are some current system-related risks that you have experienced in your organization?
Working as an external IT auditor, one of the system-related risks was that of having confidential client information lost or stolen. As an intern, it was stressed to us that securing client information was to be one of the most important tasks that employees must follow. Some of those policies included not leaving your laptop unattended, using secure networks or a VPN, using a strong password, and not downloading any software from a potentially malicious website. A major or minor breach where client information was stolen could have serious consequences. If the information was valuable enough, a firm could potentially be sued for damages. Not only that, a firm can lose a significant number of clients if word gets out that they are prone to losing client information.
How does the control environment affect IT?
The control environment has a big impact on the way IT is structured. Since IT is aligned with a business’s main functions and management, it makes perfect sense for those controls to be integrated into its information systems. One example of a control is utilizing an approved vendor list when making purchases. The control around this is that vendors are already approved, either because they provide a certain discount or to make sure no employee is benefiting from these transactions. If the ordering process is performed using information technology, then a control can be implemented in the system so that an order can’t be placed if the vendor selected is not on the approved master list. Therefore, depending on management’s attitude towards controls, an organization’s IT can have controls implemented into its systems or have none at all.
What is the purpose of all auditors having some understanding of technology?
In my opinion, auditors need to have some understanding of technology since, more or less, technology is the center of an organization. Decisions are made, financials are kept, and business functions are performed using technology most of the time. Therefore, financial auditors especially need to understand technology, because if they can’t trust the technology to provide reliable financials, how can they rely on the financial documentation to perform an audit? Likewise, from a financial audit standpoint, understanding technology and IT controls within an organization can determine the amount of audit work they have to perform to reasonably assure the accuracy of the financial statements. If an organization’s IT controls are well-designed and effective, then a financial auditor will not necessarily have to perform as much work, since the risk of material misstatement is lower. Conversely, if IT controls are not well-designed and effective, then a financial auditor will have to do more substantive testing to identify whether there is a material misstatement.
What issues did you identify from this video?
In the video there are some obvious issues in regard to IT controls. Employees were using easy passwords, leaving passwords out for everyone to see, not physically securing computers, and much more. However, it seems the main issue is a lack of basic knowledge of information security within that organization. This is a clear example of how the control environment either has no controls in place or the “tone at the top” is not spread throughout the organization. When you watch the video, you can clearly see that employees have no respect for the computer security policies implemented. This can be seen as just mandatory compliance by the everyday employee and not necessary to their job. However, in a good control environment, employees should be told that they have a responsibility to protect the organization’s data by following these easy-to-follow security policies.
Hi Deepali,
I strongly agree that there are many benefits to how auditors can use technology. One of the points you made was the use of data analysis tools when performing an audit. One of the more popular tools is ACL, which I fortunately have had the experience of using. One quick example of how an auditor can use such tools is when performing an audit to make sure that employees are not listed on the approved vendor list. Instead of looking back and forth to make sure there are no duplicates, ACL can simply pick up those users and identify whether any employees are on the vendor listing. Therefore, just from an efficiency standpoint, it is really important for auditors to have a good understanding of technology.
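The two sides of the approved-vendor control discussed in this thread (the preventive check at order time from the earlier post on the control environment, and the detective audit test in the reply above that looks for employees on the vendor master) are shown together below. This is an added example, not code from the original posts and not ACL; the vendor and employee records are constructed, and the join on tax ID and then on address stands in for what an analysis tool would do.

```python
"""Approved-vendor control at order time, plus the audit test that looks for employees on the
vendor master. Example code added for this thread; the data model and sample records are
constructed, and the matching logic stands in for what a tool such as ACL would do."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    address: str
    tax_id: str
    approved: bool


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    address: str
    tax_id: str  # constructed: same identifier space as the vendor tax ID


def _norm(text: str) -> str:
    """Case- and punctuation-insensitive key so '42 Elm St.' and '42 elm st' join."""
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())


class PurchasingSystem:
    """Preventive application control: an order cannot reference a vendor that is not approved."""

    def __init__(self, vendors):
        self.vendors = {v.vendor_id: v for v in vendors}
        self.orders = []

    def place_order(self, vendor_id: str, amount: float) -> bool:
        vendor = self.vendors.get(vendor_id)
        if vendor is None or not vendor.approved:
            return False            # rejected: unknown or unapproved vendor
        self.orders.append((vendor_id, amount))
        return True


def employees_on_vendor_list(employees, vendors):
    """Detective audit test: join the employee master to the vendor master, first on tax ID
    (exact), then on normalized address. Returns (emp_id, vendor_id, matched_on) tuples."""
    by_tax = {v.tax_id: v for v in vendors}
    by_addr = {_norm(v.address): v for v in vendors}
    hits = []
    for e in employees:
        vendor, how = by_tax.get(e.tax_id), "tax_id"
        if vendor is None:
            vendor, how = by_addr.get(_norm(e.address)), "address"
        if vendor is not None:
            hits.append((e.emp_id, vendor.vendor_id, how))
    return hits


# Constructed sample data.
VENDORS = [
    Vendor("V100", "Acme Supplies Inc.", "10 Industrial Way, Springfield", "12-3456789", True),
    Vendor("V101", "J. Smith Consulting", "42 Elm St., Springfield", "98-7654321", True),
    Vendor("V102", "Northside Printing", "7 Mill Rd, Shelbyville", "55-5555555", False),
    Vendor("V103", "Riverside Services", "300 River Road, Springfield", "11-2233445", True),
]
EMPLOYEES = [
    Employee("E1", "Jane Smith", "42 Elm St, Springfield", "000-00-0001"),   # vendor at her home address
    Employee("E2", "Bob Roe", "5 Pine St, Shelbyville", "000-00-0002"),      # no match
    Employee("E3", "Tom Rivers", "300 River Road, Springfield", "11-2233445"),  # vendor uses his tax ID
]


if __name__ == "__main__":
    ps = PurchasingSystem(VENDORS)
    print("V100 order:", ps.place_order("V100", 250.0))   # approved
    print("V102 order:", ps.place_order("V102", 50.0))    # not approved
    print("audit hits:", employees_on_vendor_list(EMPLOYEES, VENDORS))
```

The address match is deliberately reported separately from the tax ID match: a shared address is a lead to follow up, not proof, whereas a vendor registered under an employee's own tax ID is a finding on its own.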
That’s a good point! Indeed, data analysis tools are very useful for auditors. Besides, with an understanding of technology, auditors will not limit their minds to financial reports, but will also consider information security and the effectiveness of protecting the organization’s information assets. For example, an auditor with a technical background can identify loopholes in the organization’s backup plan and other IT-related risks, and better protect the information assets of the corporation.
I agree with you; you explained the compliance side of IT governance. The company also needs integrity and confidentiality. It is the foundation for all other components of internal control, providing discipline and structure. The control environment sets the tone of an organization, influencing the control consciousness of its people.
Great addition Wenlin! I completely agree with you and thanks for your input.
Those issues seemed to be data leaks. As though employees’ desire to share data were not enough of a threat to proprietary information, many business professionals want access to data from anywhere they work, on a variety of devices. To be productive, employees now request access to data and contact information on their laptops, desktops, home computers, and mobile devices. Therefore, IT departments must now provide the ability to sync data with numerous systems.
Hi Jaspreet,
You bring up a good point about how budget has a big impact on the control environment, especially in regard to IT controls. As Binu has stated, you can always outsource IT services to reduce the costs of setting up a properly controlled IT environment. However, I think now more than ever it is important to make a business’s management aware of the business risks associated with not having a sound IT control environment. One just has to look at the huge data breaches such as Target and Home Depot, and ultimately how those significantly affected their profits and business. One could argue that having a higher IT budget and setting up proper controls could have potentially prevented those breaches. While it might be tough to sell, I believe damage to an organization’s image is one of the biggest risks of not having a properly controlled IT environment.
I agree; a ruined reputation is the worst of all.
A control environment is the cornerstone of the internal control system; it supports and determines the other elements. In an organization, the control environment represents upper management’s attitudes, awareness and actions towards controls, and the focus they have on IT controls. The “top-down” approach to control is most often used in organizational environments; it means that management sets the tone for the focus on and adherence to controls.
A good control environment includes communicating ethics and employing good staff who have positive influence, participation and professionalism. Also, management’s philosophy and operating style are very important in a good control environment. The control environment decides whether an IT system should be implemented in the organization.
Q3 What is the purpose of all auditors having some understanding of technology?
A3 It is important that auditors have some understanding of technology for the reasons below:
1. When auditors have technical know-how of the system they’re auditing, they are well versed in finding how the system can be broken into and what kinds of risks the system is prone to. In this way, technical knowledge aids in fulfilling their primary role of identifying issues and non-compliance within an IT system.
2. It would become difficult to manipulate the system or dupe the auditor if he/she has a good understanding of technology.
3. Auditors report their findings to senior management. If the auditor does not have technical knowledge, he/she might not be taken seriously and may lose face if his/her findings are negated.
4. If the auditor lacks understanding of technology, he/she will spend considerable time getting to know the system. This would result in reduced time and efficiency in actually auditing the system. If the audit is to last 2 days, and half a day is spent understanding the technology, the results of the audit might be affected, as sufficient time was not spent auditing the system. In this way, poor understanding of technology leads to lost productivity and a poor-quality audit.
In the video, I found that the general attitude of the employees towards workplace security is very lax. The security risk issues I could identify are listed below:
1) Not taking workplace security training seriously
2) Laptops are not physically secured using a Kensington lock
3) Passwords are being shared over the phone and with co-workers, and even displayed at desks or in unsecured locations. Poor choice of passwords that are not strong enough.
4) Leaving laptops and desktops unlocked when away from the computer.
5) Leaving reports and other sensitive data unsecured
6) Carrying sensitive business critical information on portable storage media that is not encrypted.
7) Leaving laptops unattended in cars.
Great point about the shared password being too simple, Alexandra. I too have often found that some shared passwords did not meet the password requirements. Firstly, password sharing should not be encouraged, and in situations where it is absolutely necessary and unavoidable, the passwords should at least be difficult to guess, crack or remember.
As a managed IT support services company, we have seen many different system-related risks at many different organizations, requiring our company to bring the client’s system up to a healthy state. This includes an audit of the entire system to identify hardware, software, and data storage.
One system-related risk we recently saw at an organization is files saved to the local hard drive vs. the cloud and/or servers. To reduce costs, some organizations only purchase a limited number of remote login licenses from their software providers. Employees who don’t have remote login capabilities aren’t able to access the system outside of the office. This results in employees saving sensitive information on external drives and/or personal PCs. This poses many risks. The external device may be lost or stolen, may become corrupt, or may be modified without other employees’ knowledge.
The honest reason this runs rampant is management. Management puts the employees in a position that makes it more efficient to work remotely, but fails to equip the employees with the necessary resources to allow for remote access. Remember, the employees are smart; that is why you hired them. They will figure out a way to finish the work due by the end of the week.
These days, businesses continue to introduce new technologies to meet internal and external business needs, and meanwhile, new technology also brings in new risks. What do you think management should do before implementing new technology?
Liang,
I believe a technology board should be created. It could be called the Company XYZ technology council. The council could be made up of seasoned employees who may be looking for a promotion or are capable of handling the added responsibility. Once the board is created, the team will structure company-specific technology strategies to advance the organization’s mission statement.
Each member will be given a specific assignment, or teams will be created based on technological needs. An evaluation of the different solutions will be reviewed by the council, and changes will be implemented if needed.
The problem is that many SMBs are not in a position to hire an entire IT staff, or dedicate employee time to a council. Many times we are the “council” reporting different solutions to the C-level executives and/or business owners.
Mansi,
I came to the same conclusion. The employees in the video are much too lax about a controlled environment. This seems to be the case with several clients we on-board.
When we interview employees on how they utilize certain technological systems, there are always a few who will roll their eyes when it comes to internal controls. Everyone wants access to everything, as fast as possible, but doesn’t realize policies are put in place to reduce risk, not out of spite toward the employee.
In my opinion, it is laziness, but if this is really an issue preventing you from completing your job, express your concerns and a new standard may be written to satisfy your request.
Forgive me but I am not quite sure how to address you, so if Brou is wrong, please don’t feel bad about correcting me.
Brou,
I agree that IT is the “center” of most organizations. I refer to IT as the “central nervous system” of an organization. It is used to communicate to each department and is pivotal in the daily function of most operations.
It is important for auditors to understand technology because management is smart and may be tempted to use technology in a malicious way for the benefit of certain stakeholders. An auditor should know some of the more common schemes, but staying current on new threats and tactical procedures will help identify the crooked employees.
Not to mention that IT procedures are outlined in most compliance reports.
Q: What issues did you identify from this video?
A: The video shows how critical it is to provide professional training to staff to raise their awareness of and attitude toward information security. Without proper training, there is a high risk that an organization will suffer disclosure of valuable information due to staff’s unintentional misbehavior. There are 3 points from this video we should pay close attention to:
1. Create a physically secure environment. For the organization, personal identification, password verification, etc., should be applied to ensure that important material is only accessible to the authorized group and not to everyone. For staff, take care of your own devices; the protection measures described above are also greatly needed to prevent information disclosure if you lose them.
2. Be aware of your surroundings. Don’t talk about sensitive information such as your password in public.
3. Back up, to deal with potential information loss.
Although much of what’s shown in the video was internal, such as co-workers gaining unauthorized access to private information and theft within the company, the actions shown in the video also expose vulnerabilities to external threats. For example, a contract worker such as a cleaner could come across all that information and those devices. Who knows where the company’s sensitive information may end up?
What are some current system-related risks that you have experienced in your organization?
System-related risks relate to networks, systems, or user devices; each of these components poses potential risk to the IT environment.
– Misconfigured or unpatched systems, firewalls or user devices may be exploited.
– Applications without proper security integrated into their architecture and without RBAC may be exploited.
What is the purpose of all auditors having some understanding of technology?
Auditors will need to ask for some reports and sections of certain logs, and they should be able to interpret those reports. Example: an auditor may ask for the list of users with root access on the ERP database servers, or the list of networks on the firewall perimeter and the list of ports open between all of them. The auditor should be able to make sense of this information and understand it.
I fully agree. Auditors are unable to do their jobs unless they understand what it is they’re testing. It only makes sense that an IT auditor needs to have a good grasp of IT terms, processes, systems, etc.; otherwise they would be unable to do their job effectively. Really, I would argue that all (IT, financial, business, etc.) auditors should have some kind of familiarity with technology, since that is the vector through which most business takes place nowadays.
How does the control environment affect IT?
The control environment is intended to give an acceptable level of assurance regarding business operations effectiveness, business operations efficiency, proper functional/financial reporting, and adherence to applicable laws and regulations. IT is at the heart of the internal control process.
IT organization and control process interdependence
– The IT organization may need to change its reporting structure to align with control requirements and the IT standards/frameworks used in the environment.
– The IT organization will need to have systems/data appropriately classified to determine data classification and risk tolerances.
– Does the IT organization have appropriate skills/knowledge to achieve business objectives?
– Is an IT risk assessment run routinely to identify gaps and unfulfilled regulatory requirements?
– What future technology changes might impact the control environment? Develop system configuration guidelines and review them regularly.
– Does the IT organization employ separation of duties in line with control policies?
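The two pieces of evidence named in this post's answer on auditor knowledge (who has root on the ERP database servers, and which ports the firewall permits between networks) are exactly the kind of raw export an auditor has to read rather than take on trust. The block below is an added example, not code from the original post: it parses constructed `/etc/passwd`, `/etc/group` and sudoers lines in their real Linux formats, plus firewall rules in a made-up `permit PROTO SRC DST PORT` format (real firewall exports differ by vendor), and reports root-equivalent accounts and the exposed ports.

```python
"""Reading the evidence an auditor asks for: accounts with root access on a database server,
and the ports a firewall allows between networks. Example code added for this thread; the
passwd/group/sudoers lines follow the real Linux formats, the firewall rule lines use a
constructed 'permit PROTO SRC DST PORT' format, and all sample lines are made up."""
import re

# Constructed evidence, as it might be exported from an ERP database server.
PASSWD = """root:x:0:0:root:/root:/bin/bash
oracle:x:1001:1001:ERP DB owner:/home/oracle:/bin/bash
backup:x:0:0:legacy backup agent:/var/backup:/bin/sh
jsmith:x:1002:1002:Jane Smith:/home/jsmith:/bin/bash
"""
GROUP = """dba:x:2001:oracle,jsmith
wheel:x:10:jsmith
"""
SUDOERS = """# who can run what, as whom
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
%dba    ALL=(oracle) NOPASSWD: /usr/bin/sqlplus
"""
# Constructed perimeter rule export: permit PROTO SRC DST PORT, first match wins.
FIREWALL = """permit tcp dmz internal 1521
permit tcp internet dmz 443
permit tcp internet dmz 22
deny ip any any
"""

# A sudoers spec that grants every command as every user (with or without a password).
ROOT_SPEC = re.compile(r"^ALL=\(ALL(?::ALL)?\)\s*(?:NOPASSWD:\s*)?ALL$")


def uid0_accounts(passwd_text):
    """Any account with UID 0 is root, whatever it is called."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def group_members(group_text):
    """Group name -> list of supplementary members from /etc/group."""
    members = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            members[fields[0]] = [m for m in fields[3].split(",") if m]
    return members


def sudo_root_users(sudoers_text, group_text):
    """Users who can run any command as root via sudo, directly or through a %group."""
    members = group_members(group_text)
    users = set()
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        who, spec = line.split(None, 1)
        if not ROOT_SPEC.match(spec.strip()):
            continue
        if who.startswith("%"):
            users.update(members.get(who[1:], []))
        else:
            users.add(who)
    return sorted(users)


def open_ports(firewall_text):
    """Map (source, destination) -> sorted list of permitted ports."""
    allowed = {}
    for line in firewall_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "permit":
            allowed.setdefault((parts[2], parts[3]), set()).add(int(parts[4]))
    return {key: sorted(ports) for key, ports in allowed.items()}


ADMIN_PORTS = {22, 3389}  # constructed: management ports that should not be reachable from outside


def exposed_admin_ports(firewall_text, untrusted="internet"):
    """Management ports permitted from the untrusted network, the first thing to question."""
    return [(src, dst, port) for (src, dst), ports in open_ports(firewall_text).items()
            for port in ports if src == untrusted and port in ADMIN_PORTS]


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(PASSWD))
    print("sudo root-equivalent:", sudo_root_users(SUDOERS, GROUP))
    print("open ports:", open_ports(FIREWALL))
    print("admin ports exposed:", exposed_admin_ports(FIREWALL))
```

Two things in the constructed data are the point of the exercise: the `backup` account is root because its UID is 0 even though its name is not, and `jsmith` is root-equivalent only through the `%wheel` group, so a list of usernames alone would miss both.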
Mansi, I agree with you completely.
Auditors should have some understanding of technology prior to performing the audit. According to Professor Yao’s comment in one of the previous posts, auditors usually request information from the company or the party being audited, and they do not access data/information directly via the auditees’ production systems or applications. I think even though they do not access information through the auditees’ production systems or applications, they should still have knowledge of technology to determine whether the information provided is reasonable. Time management is very important in order to have an efficient audit.
Q: What are some current system-related risks that you have experienced in your organization?
A: As a salesman who interned at China Telecom in the summer, I experienced some system-related risks in my organization. All of us interns were untrained; the safety level of our hardware devices was quite low; USB disks were unencrypted; laptops could be lent out easily. Besides, some of us usually worked in public without wariness. One of my colleagues, also an intern, unintentionally deleted a portion of her client-related information without any backup; fortunately, it didn’t cause any damage to the organization.
Q: How does the control environment affect IT?
A: The control environment is the foundation for all other components of internal control; it affects IT by providing discipline and structure for the definition, installation, configuration, integration and maintenance of the organization’s IT infrastructure. In the meantime, IT could also affect the control environment conversely; some information technology, such as Network Information Service (NIS), may be very helpful for improving the efficiency of an organization’s control environment. So the control environment and IT are mutually promoting and complementary.
Q: What is the purpose of all auditors having some understanding of technology?
A: IT-related tools have proven powerful and sophisticated for auditors conducting audits; auditors may use features or services provided by these tools that command large amounts of system resources (memory, processing cycles, and storage) to gain a deeper understanding of target organizations. For example, advanced technology in data science can be applied to perform more effective audits. Audit data analytics methods can be used in audit planning and in procedures to identify and assess risk by analyzing data to identify patterns, correlations, and fluctuations from models. These methods can give auditors new insights about the entity and its risk environment and improve the quality of analytical procedures in all phases of the audit.
Source: http://www.journalofaccountancy.com/issues/2015/apr/data-analytics-for-auditors.html
Q1 What are some current system-related risks that you have experienced in your organization?
Based on my past experience, the most common system-related risks are external attacks from hackers. Moreover, workers sometimes might unintentionally leak information, such as by using their own devices to copy information for work or transit.
Jiefei, I absolutely agree with you that one of the biggest risks to an organization and its technology systems is its own employees. All controls regarding system configurations and access can be in place and functioning perfectly, but if a user doesn’t understand what they can and cannot do with the IT systems they use, or doesn’t understand how to do it correctly, they can pose one of the biggest risks for security breaches, loss of information, and infection of systems by malware. One of the best ways to reduce risk is to train your people when you hire them, and then provide constant follow-up training every year.
Q2 How does the control environment affect IT?
The control environment creates a series of working rules. Those rules regulate and guide IT on what is OK to do and not OK to do. Therefore, IT is highly affected by the control environment, since it has to follow the rules.
Q3 What is the purpose of all auditors having some understanding of technology?
Auditors work to check and examine that everything in the organization is right. Their job is actually to check for and prevent potential errors. A lot of companies currently use applications such as SAP and ERP for internal auditing. So understanding technology will help auditors improve their efficiency as well as perform better.
Q4 Week One YouTube Video: What issues did you identify from this video?
1. Employees have low awareness about the security policies.
2. Employees write down passwords and share them with the person who helps them set the password.
3. Employees lose a USB drive that has customers’ sensitive information, and they do not have a backup.
4. Employees do not lock the computer after leaving, and do not even lock the room door.
What is the purpose of all auditors having some understanding of technology?
Many of the processes used today to conduct all sorts of business are done through technology. Medical systems are computerized, banks keep financials online now, not on paper, and most large transactions occur over the internet. An IT auditor would obviously need a firm grasp of different technologies and the roles they play in order to test IT systems; otherwise, how would they do their jobs? A financial auditor also needs to understand technology systems because large businesses conduct transactions and hold financial info in online applications. An auditor testing a hospital’s HIPAA compliance needs to understand how medical records are stored and the IT controls around keeping that information secure. When everything is based on technology, a basic understanding of that technology is required.
How does the control environment affect IT?
The control environment creates a guide of sorts for how to interact with IT systems, administer them, and work with them while maintaining the integrity and security of them and the business at large. Most “work” is performed using a computer. As such, almost all employees interact with IT systems at some level. For this reason, there need to be controls in place to ensure interaction is done properly and in a way that is beneficial to the company. This is where controls come in.
Access controls exist to ensure only the users who require certain access have it. Physical entry controls exist to make sure only those people who should have access to business technology (servers, computers, data center access, etc.) have it. Configuration controls exist to make sure the application or system itself is configured to function how the business intends for it to function. Controls are how IT systems and the people who use them are forced to comply with the agreed-upon standards of use.
Thank you for your response, Mansi. I looked at some replies, and some other people also said desk drawers being kept unlocked is a big issue for many organizations. I would like to suggest that every employee needs a private lock for his own drawer, so that secured information or checks can be kept safely.
I like your #2: laptops need to be secured by using Kensington locks, Mansi.
I would like to say that maybe in the video, the people there are employees, and upper management thinks they are safe to be there.
What are some current system-related risks that you have experienced in your organization?
One of the more interesting risks we’ve experienced with our IT systems is the increasingly available SaaS products. We have access to the application layer of such systems but the DB and OS layers are owned and controlled by the company who owns the product. As such, we are relying on their system of controls for the security of those layers. While we do receive SOC reports for such companies, were one of those companies to have a finding in their SOC reports, we would be unable to do very much about it besides assess the finding and decide if the risk would be too great to continue using the product. Often, even if the risk is fairly high, switching to a new system is neither simple nor a short undertaking, and so care must be taken first when choosing such a vendor, and then with the types of information we are willing to store using their systems.
Another issue we’ve been facing with some of our business units is homegrown IT systems that were not built with the capabilities needed to audit them. They may be unable to produce the required reports, or the configurations cannot be set to SOX-compliant standards (which is what they need to be in my business). As such systems come into scope, we’re having to work with the business units to either modify current systems to be able to support these requirements, or help them find new technologies that will meet their needs as well as be SOX compliant. In the meantime, during this process, the business remains non-compliant and the risks that are associated with that are present.
How does the control environment affect IT?
As we saw in the video in class, IT would be exposed and vulnerable without proper controls set up. The control environment is a huge deal for utilizing IT safely and efficiently. In my last job as a Technology Consultant, employees in the building were not able to install or delete files, programs, etc. without our consultants’ admin power. It was one type of control that precludes unauthorized personnel from manipulating data. On the flip side of that, since users didn’t have the ability to install programs, even simple Java updates, our consultants had to go to their rooms every time they needed help with installing/updating/removing. It was sometimes very inconvenient. The control environment is definitely necessary; however, it can also slow down the business process.
How does the control environment affect IT?
The control environment affects every aspect of information technology, including:
1. Hardware – What type of equipment should be used and the preferred vendors.
2. Software – What operating systems are used, and how each department is utilizing and accessing the software.
3. Data – Where is it stored? Who has access to it?
4. Network Design – What is connected to the network? Are there multiple networks (WAN and/or LAN)?
These are a few areas that a controlled environment would affect, but the next step is to test and conduct an audit to determine if all approved software and equipment is being utilized. The audit will break down each device, the I/Os connected, and the software installed on the machines.
The controlled environment will also affect the recovery process in the event of a disaster. How will you handle different recoveries? Will employees have access to data file recovery? What employment level will handle system imaging and bare-metal restores? How is traffic routed if a network interruption occurs?
These rules, or governance, “ensures… enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitor performance and compliance against objectives” (CISA Chapter 4.2, p. 255). The rules will be overlooked by management, who “plans, builds, runs and monitors activities… set by the governance body”.
What is the purpose of all auditors having some understanding of technology?
The reason all auditors should have some understanding of technology is that most business operations are conducted using some sort of technology. It could be a computer, tablet/smartphone, or even traditional hard-set phones (working on VoIP).
When we look at the definition from the Merriam-Webster Dictionary, an audit is a “detailed review of something”; because of the IRS, many think of finances when they use the word audit. Most business “somethings” revolve around technology, and having an understanding of the way technology works is the only way to get a “detailed review”.
There were several issues with the video that are common in many SMBs around the world. There seems to be a stigma that the IT department is responsible for stopping technology threats, but everyone should realize they are a big piece of IT security.
Issues with video:
1. Password protection – Passwords should be unique to the individual and updated regularly. Passwords should remain confidential to the user.
2. Supply closet lock – An inventory process should be created, with sign-out and return forms filled out by the individual.
3. External devices – External devices should be password protected. The data allowed on these drives should be labeled, maybe “sensitive” or “community”, and controlled.
Tamer,
You mention “may need to change reporting structure”, and I think you are right. The thing about a controlled environment is that it is ever changing. Advancements in technology happen so fast, if you are not one step ahead, then you are two steps behind the bad guys.
Staying active with industry associations will give you the upper hand when keeping control of the organization.
The purpose of IT auditors having some technology understanding is that many of the infrastructures and environments they will be performing audits on are highly technical, so it’s good to have an idea of what that environment should look like and the associated components, to help identify any gaps in the design that can be called out. I’m sure this is used to identify any type of vulnerabilities in the existing design, to isolate and bring to the forefront any egress and regress points that someone may use to penetrate the network or database. It is also critical to understand the network architecture solutions from a business, performance and security design perspective, as referenced in CISA Review Manual, Section 4.6.1 Enterprise Network Architectures (pg. 277).
The biggest issue that was exaggerated in the video is also what I believe is the biggest vulnerability to any organization, and that would be the end-users. It was very well noted that the end-users were not buying into the security policies, as shown in the video by users writing down their passwords and keeping them under their keyboard, or better yet on a Post-it note attached to the monitor of their workstation. This goes to show the end-users either don’t understand, or don’t care, about the very real threats to the organization posed by having such a careless or carefree attitude towards security. In my experience in both IT and in the sales department for an infrastructure and technology company, this is a very real issue, even with it being exaggerated as it was in the movie to drive home the underlying point. You can work to develop the most secure network system there is by purchasing all of the firewalls, IPS, IDS and additional security devices and solutions from security solutions providers, but it is only as good as the end user. From what I’ve read and seen, it appears that social engineering is the most foolproof way for a motivated hacker to gain unlawful entrance to a private system or subsystem. This is why there was always a physical security and social engineering portion of every penetration test that I sold while I was at Verizon.
Risks can be broken down into 2 categories, internal and external. Of those 2 categories of risk that IT systems face, they are 100% of the time business issues while only sometimes (even though a majority of them are) technical in nature.
Some of the internal risks that are faced are users not complying with security policy, as outlined in the video we watched, where they do not keep their passwords to confidential systems and databases private. In many instances users will either re-use passwords that they use for other systems, or they will write down their passwords and not keep them in a safe spot that only they have access to.
Some external technology-related risks are the “usual suspects”, so to speak, including malware, viruses, Trojan horses, and phishing techniques from parties outside of the organization looking to gain entry or get confidential data. These are the technical risks; however, it is important to note that when analyzing a business continuity plan or disaster recovery planning, they need to account for external threats that are non-technical, i.e. natural disasters, etc., that have the potential to take your entire data center offline. This leads people to create geographic redundancy in their network design to maximize availability of business-critical resources.
The control environment affects IT by helping limit the exposure to threats, as well as minimizing what they need to review when troubleshooting issues, i.e. if a certain application is unavailable for whatever reason. If the end-users were able to install whatever they wanted to, it would create a chaotic environment with potential issues coming from every corner.