Payment Card Security & IT Controls Explained

Entries categorized as ‘regulations’

NEW Fraud Survey - Identify Impactful Internal Controls

July 7, 2008 · No Comments

In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners (ACFE).  The 2006 report has served as the de facto standard for qualitative fraud calculations and risk mitigation efforts.  While there is no substitute for reading the full report, I will highlight three key areas: audience, nuggets, and action items.

Audience:
The report is written both for those who have fraud responsibilities within the organization and for those who hold assets worth exploiting.  Therefore the audience I see (beyond the obvious fraud professionals) includes:

  • Chiefs - CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
  • Business Owners - VPs, Directors
  • Team Leaders - of small teams

Nuggets:

  • 67 pages of facts sum up 959 cases of occupational fraud
  • 7% of annual revenues are lost to fraud (up from 6% two years ago)
  • In the U.S. that is approximately $994 billion in fraud losses
  • 25% of the cases in the sample caused losses of $1 million or more
  • Tips identified 46.2% of all frauds
  • Small businesses suffer fraud more frequently (39.1% of all cases) and at greater cost (losses nearly double those of a public company)
  • Independent audits of financial statements were the most common control and among the least effective in mitigating fraud (a high-error area where perceived accountability diverges from actual accountability)
  • Most effective controls: internal audit, surprise audits, management review of internal controls, and fraud hotlines

Action items:

  • Re-prioritize internal controls to address fraud
  • Identify what roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
  • Emphasize employee training on fraud recognition and on the safeguards (whistleblower policies) and mechanisms (confidential hotlines) available to them
  • Institute a mature process that follows up on every lead completely and objectively (the damage from a fraud grows over time, so quickly eliminating an identified fraud has strong rewards)
  • Establish Surprise Audits and mandatory job rotation

Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment.  Segments of it can be adopted today and built on over time.  In addition, its data make it possible to replace subjective values in risk calculations, which is tremendously useful.

Kind regards,

James DeLuccia IV

Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston.  My session on Best and Worst IT controls is on Monday!

Categories: Compliance · IT Controls · ROI · Risk Management · audit · regulations

The western hemisphere ahead of Asia Pacific

June 4, 2008 · No Comments

“Medicine rarely tastes good. The introduction of Sarbanes Oxley was, for many, accompanied by significant distaste for the idea. In the longer term, it does appear that those institutions exposed to the rigours of more exacting compliance regimes have made more progress with developing integrated governance and controls frameworks.
Financial institutions in the western hemisphere are ahead of their eastern colleagues. Our analysis shows only a quarter of financial firms operating worldwide have a reasonably integrated compliance and controls framework – all of these firms are from the west. These results suggest there is much to do in the Asia Pacific region both in continuing to create regulatory regimes and continuing to raise the quality of internal governance and control systems.”

A published research study by Deloitte, quoted above, highlights the importance of integrating compliance, governance, security controls, and risk management into an enterprise control environment.  The economies of scale translate to a difference of approximately 2.5% in expenses incurred, and against the current $78 billion in expense that is a material impact on any company's bottom line.  In addition, “Banks, insurers and investment banks have all seen the costs for governance and control rise by around a third between 2003 and 2006.”
Check out the article here, and consider: how integrated is your control environment?  Have you eliminated the silos that develop over time?  Are you leveraging the full value of your technology infrastructure, your licenses, and your power consumption?

Always Curious,

James DeLuccia

Categories: Compliance · Sarbanes-Oxley · regulations

Crosswalk for SOX: COSO Guidance & ISO 9001:2000

May 19, 2008 · No Comments

Sarbanes-Oxley is still of importance to U.S. firms, and is becoming more so as similar IT control initiatives from governments around the world come due (EU-SOX and J-SOX, to name only two).  To that effect, whenever I see helpful information for firms I like to repost it.  A nice crosswalk was done here that compares the stalwart COSO model used for Sarbanes-Oxley with ISO 9001:2000.  The table provides a simple, down-to-earth view of what organizations should be considering in their governance programs, and specifically in their IT control environments.
The immediate takeaway for readers is that attention to the human side of the business plays a major role in achieving technology safeguards.

Thanks to the author (Sandy) for providing this work, and please add comments pointing to other hidden gems out in the online community.

Best,

James DeLuccia

Categories: Compliance · IT Controls · regulations

PCI SSC Clarifies Web Application FW & Code Reviews, Officially

April 22, 2008 · 4 Comments

The Payment Card Industry Security Standards Council (PCI SSC) released a publication today describing the paths organizations can take to satisfy PCI DSS v1.1 Requirement 6.6. As has been consistent, the council recognized that confusion existed and that parties were addressing this mandate inefficiently and, in some cases, ineffectively. The council provides several options for addressing the risks defined in the standard. These options include:

  • Application code reviews (not necessarily manual in every case), which can be achieved through any of these approaches:
    • Manual reviews (granted, not possible on proprietary systems)
    • Automated source code scanners
    • Manual web application vulnerability assessment
    • Automated web application scanners
    • Independence and qualification of the individuals performing the effort (internal or external) remain necessary
    • Integration of these controls should occur, and is nicely described in the clarification document (page 3)
    • The “Additional Considerations” section on pages 6 and 7 makes the important point that not every alert is cause for non-compliance: some web application deployments (use of cookies, unusual headers, etc.) may require an experienced individual to determine which findings are real threats to the organization and which are not
  • Web application firewalls (WAF), defined as a technology that inspects the packets, and hence the inputs, crossing from an untrusted to a trusted environment. In the PCI SSC's own words:
    • “…designed to inspect, evaluate, and react to the parts of an Internet Protocol (IP) message (packet) consumed by web applications, and therefore public applications frequently receive uninspected input.” (Page 4)
  • The council is not advocating extra or redundant controls, but is ensuring that the packets are inspected. To this point it has highlighted that OTHER means of accomplishing this and mitigating the risk are available, such that “IP packet content adequately inspected (i.e., providing equivalent protection) by network firewalls, proxies, and other components do not have to be RE-INSPECTED by a WAF”.
  • Page 5 has a few succinct bullets describing the functionality and inspection protocols (highlighted there, but certainly not set in stone forever) that an Option 2 WAF must include.
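The inspect, evaluate and react behaviour the council attributes to a WAF, and the point from the “Additional Considerations” section that an alert is not automatically a threat, can both be seen in a small request inspector. The following is an added illustration written for this page; it is not code from the PCI SSC, from the 6.6 supplement, or from any WAF product. The signature rules, the two sample requests, the header name X-Client-Trace and the reviewer exceptions are all constructed for the example.

```python
"""Added example: a tiny WAF-style inspector that examines the parts of an
HTTP request a web application consumes (query string, form body, headers),
evaluates them against a few hypothetical signatures, and reacts.

Not PCI SSC code and not a real product: rules and sample requests are
constructed for illustration only."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical signatures. A real WAF ships far larger, maintained rule sets;
# these four exist only to show the inspect/evaluate/react flow.
RULES = [
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("sqli-comment", re.compile(r"(--|/\*)\s*$")),
    ("xss-script", re.compile(r"(?i)<\s*script\b")),
    ("path-traversal", re.compile(r"\.\./")),
]


def consumed_fields(method, target, headers, body=""):
    """Yield (location, value) pairs for the input the application will read.

    Query parameters, POST form fields and every request header are the parts
    of the packet the application consumes, so those are what get inspected."""
    url = urlsplit(target)
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            yield f"query:{key}", value
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                yield f"body:{key}", value
    for name, value in headers.items():
        yield f"header:{name}", value


def inspect_request(method, target, headers, body=""):
    """Evaluate every consumed field against every rule.

    Returns a list of (rule_name, location) findings, in request order."""
    findings = []
    for location, value in consumed_fields(method, target, headers, body):
        for name, pattern in RULES:
            if pattern.search(value):
                findings.append((name, location))
    return findings


def react(findings, exceptions=frozenset()):
    """Block unless every finding was reviewed and accepted as benign.

    `exceptions` holds (rule_name, location) pairs that an experienced
    reviewer has judged to be false positives for this application. Each
    exception is scoped to one field so it cannot silence the same rule
    elsewhere; the decision should be recorded for the assessor."""
    unresolved = [f for f in findings if f not in exceptions]
    return "block" if unresolved else "allow"


# Constructed sample traffic (not captured from any real system).
ATTACK = ("GET",
          "/item?id=1%20UNION%20SELECT%20pan,expiry%20FROM%20cards--",
          {"Host": "shop.example"})
# A plausible search phrase plus an unusual, app-specific header: both trip
# rules although neither is hostile.
LEGIT = ("GET",
         "/search?q=trade+union+select+committee",
         {"Host": "shop.example", "X-Client-Trace": "ui/../v2"})


def demo():
    """Run both requests; return the decisions before and after review."""
    attack_findings = inspect_request(*ATTACK)
    legit_findings = inspect_request(*LEGIT)
    # The reviewer examined the application: the search term is legitimate
    # and the trace header is emitted by the site's own front end. Both are
    # accepted for those locations only; the attack's query:id is untouched.
    reviewed = frozenset({("sqli-union", "query:q"),
                          ("path-traversal", "header:X-Client-Trace")})
    return {
        "attack": react(attack_findings),
        "legit_untuned": react(legit_findings),
        "legit_tuned": react(legit_findings, reviewed),
        "attack_tuned": react(attack_findings, reviewed),
    }


if __name__ == "__main__":
    for request in (ATTACK, LEGIT):
        print(request[1], inspect_request(*request))
    print(demo())
```

Before review the inspector blocks both requests, which is exactly the situation the supplement warns about: a scanner or WAF report is evidence, not a verdict, and someone who understands the application has to separate the real finding (a UNION SELECT aimed at a card table) from the false positives. The exceptions are deliberately scoped to one rule in one field; a broad allowlist for a whole parameter would reopen the hole, and the more durable fix is usually to tighten the rule itself.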

A great document with lots of specifics to clear the air, and far superior to the information that was available after the ETA conference. It lists some nice “Sources of Information” without links, so I have provided those below to accelerate your efforts and research:

As always - add comments to enhance and improve our community and the controls under discussion.

Best,

James DeLuccia

Additional References:

Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · regulations

IT Compliance and Controls - Best Practices for Implementation, by James DeLuccia IV

April 4, 2008 · No Comments

The new book is HERE!!!

Here are two quick shots taken while opening up the first shipment of books! Below the pictures I briefly sum up the intent of the book. Of course, the major book sellers present it better, and you can read the entire back covers and inside flaps here.


A brief overview:
Over the past year and a half I have been putting together a book with the magnificent crew at John Wiley & Sons Publishing (a company that is over 200 years old - a point that makes sense if you skim my final closing chapter). I have had a tremendous amount of help from friends, colleagues, companies, and numerous industry and government enforcement groups. My family was especially kind while I put together the book - allowing me to lock myself in my office while I sought to distill the book into what it ultimately became:

A global synthesis of how society and business have progressed over the past 100 years to integrate information technology, and of its relative importance to business. The work is based on an analysis of over 140 separate public frameworks, laws, audit reports, and numerous guidance documents, plus personal experience auditing and assessing over a million systems around the world. This effort identified key principles that represent the best practices globally competitive organizations must adopt to balance the risks and rewards of operating in the 21st century. An action plan enables businesses to evaluate their important controls and plan for the next 100 years.

A great deal of time is spent exploring PCI DSS, NERC, SOX, FFIEC, and their related controls, plus some interesting challenges related to virtualization, grid computing, and the implied reliability of the Internet backbone. Thank you for taking the time to visit and contribute to this forum, and for your feedback and future comments on this site.

Kind regards,

James DeLuccia

Categories: IT Controls · Payment Card Industry Data Security Standard · ROI · Risk Management · regulations