Sean Patrick Walsh

I agree that network security is more critical too. First, SAP is a software package, and an intruder would have to gain access to the network, or a node on the network if the attacker is internal, in order to explain a vulnerability in SAP more than likely. So if network security is the primary focus then SAP security is a residual benefit to the…[Read more]

4. You’ve used various computer systems in your lifetime, carreer. System security is complex and often maligned as cumbersome, difficult, beurocratic, etc. Have you seen these problems in your experience? Explain

I have seen these problems when I was in the military. We had controls for access to bases, buildings, and individual spaces b…[Read more]

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

Not necessarily. I think businesses focus more on network security than they do on software security controls like those in SAP. I think the bigger scare for a…[Read more]

https://www.dropbox.com/s/m10gscv6283lxi2/Toshiba%20Contol%20Failure1%20-%20Copy.pptx?dl=0

A business may actually prefer to train personnel over hiring personnel already trained for one simple reason; to avoid bad habits. By training its personnel itself, a business can assure that its personnel are being trained to do something properly, or at least how the business wants something done, and prevent the personnel from developing bad…[Read more]

That is an interesting predicament. I wonder if they could gather data from vendors through solicitation and figure out how to baseline their own services with the information Vendors would probably have the best metrics and measurements because their business is the industry of supplying services, and because of that they would probably have the…[Read more]

I like the question you presented in “Will the supplier have the right to service-level bonuses?” Incentivizing the vendor to produce service levels beyond their minimum promised could be very beneficial to a business. The bonuses could even be more business conducted with the vendor as opposed to a traditional bonus of extra money. Even if the…[Read more]

I considered adding that, and should have with a couple exceptions. I think many companies outsource functions and processes because they didn’t have the experience needed to do the job themselves, so those businesses would not be “losing touch” with something it never had. Also, some businesses outsource functions and processes simply because…[Read more]

You bring up a good question. I think IT personnel should know some basic and important principles about the business area they are assisting within, but I think more in depth knowledge would probably be with a business analyst or project manager. The BA/PMP’s purpose is to fully understand the business needs for a function or process when it…[Read more]

Said,
I totally forgot about GAAP until I read your post. If a company was doing business in Canada, Brazil, or the EU for example, it would have to use IFRS standards instead. That difference could definitely create another step for a business when consolidating accounting report information quarterly and yearly in either the domestic…[Read more]

That’s a good question, and like just about any good question I suppose “it depends.” It may come down to how fast the business needs those IT personnel up to speed with the knowledge needed to know where to place controls. A business that needs those personnel immediately might market the job positions with that requirement. Whereas, a business…[Read more]

4. Outsourcing and SLA audit questions

– Is a proper policy set for vendor selection?
– Is a proper policy set for creating, maintaining, and updating SLA’s?
– Is the SLA reviewed by legal personnel prior to signing in agreement?
– Is the vendor audited by an external 3rd party independent auditing firm?
– Are results from independent…[Read more]

3. Explain common SLA issues identified by auditors

– Key Performance Indicators are not properly identified or set at a proper minimum level
– Control frameworks are not properly specified when required
– Regulatory compliance specifications are not set, or not properly set
– 3rd Party performance level assurance not available
– Penalties…[Read more]

2. What controls can be implemented to mitigate the risks associated with outsourcing?

Detailed and specific Service Level Agreements (SLA’s) can be implemented when contracting 3rd party services. The ability to audit controls, or agreement on a 3rd party external auditor under SOX 404, can provide assurances of controls to the business.…[Read more]

1. What are the benefits and risks of out-sourcing?

Benefits of Outsourcing:
Focus on core competencies
Ease of Scalability
Ease of Deployment
Lower personnel requirement
Save costs from infrastructure and hardware purchases/implementation
Lower costs for utilities

Risks of Outsourcing:
Data Security
Availability
Audit…[Read more]

3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

Taxes might be handled differently. The US has a sales tax, but isn’t applicable in every state, nor with every customer. When I was in the US N…[Read more]

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

I think the IT personnel should understand basic finance and accounting principles. More…[Read more]

You bring up two very good points about the differences between a US domestic business and a multi-national organization. I know some countries mandate that earnings taken in those countries be kept within the borders of those countries for a specific time period, and reinvested there potentially, before they are allowed to be repatriated back to…[Read more]

You bring up a great point of deciding where to attack based upon whether you want money or goods. I propose there could be even a mixture between the two. Since electronic monetary theft leaves a forensic trail of the attack perpetrated to transfer the money, some attackers use goods as a source of the money. If an attacker wants to avoid taking…[Read more]

I totally agree! It’s interesting to think about a small startup though in this scenario. A new business, and a small one just starting out, would have a very limited staff to carry out its entire operation. With that said, I wonder what controls the business would implement, or even honestly could implement, with so few knowledgeable staff…[Read more]