-
Ming Hu posted a new activity comment 7 years, 11 months ago
Nice point, Priya. I agree with you and just want to add something to your first point: auditors should also be mindful of independence. They must be diligent in identifying and evaluating threats to independence and applying appropriate safeguards; that should be seen as an integral part of an auditor’s knowledge. For example, if there…
-
Ming Hu posted a new activity comment 7 years, 11 months ago
Regulatory compliance could be costly for many organizations, but I also read an article about how to transform compliance into a competitive advantage. That was about ACI and Wells Fargo. The most important lesson I learnt from this article is about transforming compliance from a reactive task to a proactive, repeatable business process, Wells…
-
Ming Hu posted a new activity comment 7 years, 11 months ago
How is independence maintained when working for the company as an internal auditor?
Auditor independence is achieved through organizational status and objectivity:
Organizational status – the director of the internal auditing department should be responsible to an individual in the organization with sufficient authority to promote independence…
-
Ming Hu posted a new activity comment 7 years, 11 months ago
In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?
Process blueprints describe business processes, including details about the activities in the process, the people who perform or know about the activities and their roles, the milestones that activities are performed in,…
-
Ming Hu posted a new activity comment 7 years, 11 months ago
Nice point, Paul. I failed to take segregation of duties into consideration, but it is a very important portion. Obviously, one who requests a change must not be the one who responds to that change. Besides, considering employee turnover, their roles and responsibilities should accordingly be redefined following the principle of segregation of duties.
-
Ming Hu posted a new activity comment 7 years, 11 months ago
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. What technical skills do you think are very helpful for an entry-level IT auditor?
2. Would you mind sharing with us how you started your career as an auditor?
3. How could…
-
Ming Hu posted a new activity comment 7 years, 11 months ago
What are the key components of SAP change management controls you would expect the auditor to review? Why?
Change request – Check the transparency and validity over change execution
Authorization change – Ensure every authorization-based change is reasonable, accurate and timely
Testing procedure – Whether the change has been tested befor…
-
Ming Hu posted a new activity comment 7 years, 12 months ago
Nice point, Abhay. Take role-based authorization for example: it is a dynamic process based on employee turnover, specific requirements, or job change, so constant auditing is necessary for ensuring corresponding changes have been made; otherwise, the privilege may be misused and sensitive data may be stolen. E.g. SU03 Maintain Authorizations; Su20…
-
Ming Hu posted a new activity comment 7 years, 12 months ago
Nice point. Controls are an obvious, yet necessary, component of master data governance to assure the integration of master data into business process. By establishing solid control at the onset, these controls will monitor and audit the usage of the system in real time in order to alert a data steward of any possible issues and/or exceptions.…
-
Ming Hu posted a new activity comment 7 years, 12 months ago
Nice point. I believe that inaccurate data might not only cause difficulties in performing data analysis, but also may generate a totally wrong analysis result. We all know how important data is to an organization; the company relies on the results of data analysis to make decisions to design promotion strategy or provide customized customer…
-
Ming Hu posted a new activity comment 7 years, 12 months ago
4. Which transaction do you believe is the most ‘Sensitive’ and therefore should have extra focus in an SAT (Sensitive Access to Transaction) audit? Explain
Access transactions are the most sensitive, because they enable users to create, modify or delete G/L accounts; therefore, access should only be granted to a specific group of users for spe…
-
Ming Hu posted a new activity comment 7 years, 12 months ago
3. Which is more of a risk to a company: inaccurate data or excessive repetitive data? Explain
Both inaccurate and excessive repetitive data can negatively impact your business. As for me, the inaccurate data would more likely be a risk.
Negative impact of the inaccurate data:
Losing customers – businesses have a small window of opportunity t…
-
Ming Hu posted a new activity comment 8 years ago
Nice post, Paul. I like your example and what you mentioned: “access management provides multiple layers of security”. Access management becomes more and more critical from a data breach perspective, especially considering that we’ve heard so much news about how individuals lack the awareness to protect themselves from cyber crime – their username and password…
-
Ming Hu posted a new activity comment 8 years ago
Thanks for sharing. As you said, even if someone knows the threat, they may still dismiss it because they need to connect to it. I’ve read an article about tips on public Wi-Fi security; the most useful and simple one I’m following is to consider using your cell phone. If you need to access any websites that store or require the input of any…
-
Ming Hu posted a new activity comment 8 years ago
Nice point, Priya. It is very important for users to set the right Wi-Fi location (home, public or work) on their PC. The location you choose changes the firewall and security settings for your PC appropriately to keep you secure. For “home”, network discovery is turned on and computers on a home network can belong to a homegroup. While for networks in…
-
Ming Hu posted a new activity comment 8 years ago
Twitter, GitHub and several other major websites are inaccessible for many users due to a distributed denial-of-service (DDoS) attack on the Managed DNS infrastructure of cloud-based Internet performance management company Dyn.
According to Dyn, the DDoS attack aimed at its DNS service started at roughly 11:10 UTC. The company is working on…
-
Ming Hu posted a new activity comment 8 years ago
Nice post, Paul. I like what you mentioned: “prioritization”. We already know how challenging the cyber security issues we’re facing are, and there’s no absolutely secure environment. So it is important for security officers to analyze potential threats and prioritize the right security measurements at the right time based on current…
-
Ming Hu posted a new activity comment 8 years ago
Thank you for adding details. Your post just reminded me that accounting knowledge was a necessity when I came to learn SAP. IT is a powerful tool leveraged by different departments: HR, finance, accounting, etc. So as a security guard, it’s not unusual for you to need to learn cross-field knowledge to carry out your work.
-
Ming Hu posted a new activity comment 8 years ago
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
SAP itself is very complex: it has about 1000 parameters, and most of them can affect security. When you install an SAP system, it comes with 20+ different services, each of which uses its own proprietary protocol and a set of…