V OL U M E 3 , 2012Audit Process Featured articles: SOC Progress Report W WW . IS A C A. OR G Audit Evidence Refresher Communication—The Missing Piece And more... What Does Your Future Hold? Find Out at INSIGHTS 2012. An Exclusive Leadership Forum for Business and Information Technology Professionals 25-27 June 2012 | San Francisco, CA A unique opportunity to collaborate with fellow thought leaders on strategies for the effective integration of business and technology. Insights 2012 is the official launching pad of COBIT 5 for Information Security—each attendee receives a free pdf copy, a US $175 value! Limited seats available, register today at: www.isaca.org/2012insights-Journal KEEP YOUR CAREER ON TRACK Regis University offers a Graduate Certificate as well as a Master’s Degree in Information Assurance. With both programs, you have the option to take classes online or on-campus. Regis University is also designated as a Center of Academic Excellence in Information Assurance Education by the National Security Agency. MASTER’S DEGREE GRADUATE CERTIFICATE • Two year program • Can be completed in less than a year • Specialize in cybersecurity or policy management • Four classes (12 credit hours) The curriculum is modeled on the guidelines and recommendations provided by: • The Committee on National Security Systems (CNSS) 4000 training standards • The (ISC)2 Ten Domains of Knowledge • ISACA Our Information Assurance programs are grounded in security but also focus on delivering the essential combination of IT and business acumen — creating a link between the server room and the boardroom. The program can be taken on campus or completely online LEARN MORE RegisDegrees.com/ISACA | 1-877-820-0581 Distributed Databases for IS Professionals Steve Markey 27 Communication—The Missing Piece Danny M.1545 Fax +1. and Daniele Sgandurra. Read more from these Journal authors… Journal authors are now blogging at www. 2012 Journal ISACA ® Columns Features 4 19 Project Portfolio Management Aarni Heiskanen.. Suite 1010 Rolling Meadows. Ph. Ph. CISA. CISA. CPA 31 40 The ISACA® Journal seeks to enhance competitive advantage readership by providing Plus managerial and 52 experienced global Crossword Puzzle Myles Mellor authors.D. of its international 6 Cloud Computing: Cloud Computing as an Integral Part of a Modern IT Strategy Kai-Uwe Ruhse. Ph. CISSP. peer-reviewed articles you have come to expect from the Journal? Additional online-only articles will be available on the first business day of each month in which no Journal is released. CISA.1443 www. and Jim Littley CPE Quiz #142 Based on Volume 1. and Harmeet Kaur. CISA.org/knowledgecenter Follow ISACA on Twitter: http://twitter.com/42vbrlz Like ISACA on Facebook: www. CRISC. CIA Standards. CISM. Audit and Control Features Oracle PeopleSoft. Vasarhelyi. governance. MBCP SOC Progress Report Brian Vazzana. CPA 46 the proficiency and Haruspex—Simulation-driven Risk Analysis for Complex Systems Fabrizio Baiardi. Illinois 60008 USA Telephone +1. February. CITP. Singleton. i.isaca.isaca.isaca. August. CGEIT. 3rd Edition Reviewed by Shasikanth Malipeddi. and Maria Baturova 10 Information Ethics: Policy Vacuums Vasant Raval. 17 36 55 Five Questions With… Robert Findlay. CISA.253.253. CISA. CISA Audit Evidence Refresher Ookeditse Kamau.Volume 3. IT Audit Basics: Auditing Applications. CITP. The Journal’s 53 peer-reviewed articles technical guidance from noncommercial.isaca. April. ITIL Transitioning From SAS 70 to SSAE 16 Pritam Bankar. LJK Information Security Matters: This Should Not Be Happening Steven J.847. CISA.com/isacanews. Ross.org/journalonline. CISA. http://tinyurl.org .D. Part 1 Tommie W.e. October and December. CISA Book Review: The Operational Risk Handbook for Financial Companies Reviewed by Horst Karin. CEH Discuss topics in the ISACA Knowledge Center: www.. Tools and Techniques professionals involved in IT audit. Hash tag: #ISACAJournal Join ISACA LinkedIn: ISACA (Official).D. Siripan Kuenkaikaew. Online Features The following articles will be available to ISACA members online on 1 June 2012. PCI QSA.847. Goldberg. Book Review: Security. DBA 12 23 A Primer on Nonrelational. Ph.facebook. Silvia Romero. CISA. CISSP.. Visit the ISACA Journal Author Blog to gain more insight from colleagues and to participate in the growing ISACA community. CCSA. CITP.com/ISACAHQ 3701 Algonquin Road. CISA.D.. Guidelines. CIA. CISSP..org/journal/blog. CISSP.D. CISA. Ph. CISA. MBCS focus on topics critical to security and assurance. These articles will be available exclusively to ISACA® members during their first year of release. CPA Adopting Continuous Auditing/Continuous Monitoring in Internal Audit Miklos A. CGEIT. 2012 Prepared by Kamal Khan. S1-S8 ISACA Bookstore Supplement Journal Online Want more of the practical. Use your unique member login credentials to access them at www. Claudio Telmon. June. Computer Technology Merges with Street Smart Investigations. Experience it! Concurrent sessions focus on information technology.org for program and pricing details and use source code ISACA when registering. Bose. Security and Management of Smart Devices.500 delegates from 100+ countries. The World Bank. small audit shops. Georgia-Pacific Corp. anti-fraud and ethics. BS-2012-57 . New Cyber Security Threats. sessions. MIT. Using Scoring Technology to Detect Errors and Fraud. MA With more than 2. and more. Raytheon Co.. Topics of interest to IS auditors are Auditing Cloud Computing. Geek to Street . Harvard University.iia2012ic. and others. Houghton Mifflin Harcourt. Citibank (USA).THE INSTITUTE OF INTERNAL AUDITORS 2012 INTERNATIONAL CONFERENCE “Revolutionizing Internal Audit” July 8–11. The IIA’s 2012 International Conference will be the largest audit conference in the world with an unprecedented selection of speakers. GRC. tools and techniques. Six keynote sessions and 77 concurrent sessions will be led by industry experts representing many of the world’s most respected organizations including FutureWorld South Africa. and more. 2012 / Boston. and topics.. Visit www. financial services. what we really favor is prudent risk taking. CISSP. Ross has been writing one of the Journal’s most popular columns since 1998. security certification testing. MBCP.isaca. Quite so. ISACA provides quality advice and highly qualified professionals and has developed schemes such as COBIT. every software vendor provides voluminous advice on security. in a piece titled “The Train of Danger. CISA. Dormer says.Information Steven J. as well. If we understand the problem and have developed the solutions. • Software vendors may still be leaving ‘backdoors’ in their software just like they used to do in the 1960s and 1970s and these are communicated to a select few who then in turn leak the knowledge. That qualifier . We do pen testing. but we do look up to people described as risk takers. commercial security consultancies and anti-malware companies are ten a penny. Dormer. we do not value security. putting them together leads me to think that there is a general explanation.”1 In it. 2012 • Employees may be leaking personal data. The praise for risk taking is deserved because risk is rewarded with profit. which I would like to explore here. and you cannot develop a formal system that is secure’—so we have to live with it. He can be reached at stross@riskmastersinc. • Perhaps it is that we are pathetic at deploying security and most security software achieves little. • Alleged cyberwar attacks are fewer than reported and are being exaggerated for political reasons. are at risk.com. It is safe to say that everyone is in favor of security. • Software may be over-complex and too interconnected to be able to lock it down. Who can be against it? However. Dormer wrote: Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. But. and choose the Comments tab to share your thoughts. then why do we still have the problem? Stan goes on to suggest some reasons: 4 ISACA JOURNAL VOLUME 3. I recently published my thoughts about hacking cyberattacks in this space.3 Perhaps we get the security our culture deserves. Ross. is executive principal SecurityMatters This Should Not Be Happening of Risk Masters Inc. quite so. There simply is not the same cachet for a person to be really secure. find the article. Jacques Barzun said we get the culture we deserve. And an individual or group permeates through all of this stuff like a knife going through butter! This should not be happening. I received a thoughtful series of messages regarding that column from Stan Dormer of Cheshire in the UK. Go directly to the article: IBM celebrated its centenary some months ago. We do not applaud risky business. as Mr. • Dorothy Denning2 may have been right—‘All software contains fatal weaknesses. The Culture We Deserve These are all plausible specifics. all the countermeasures we have deployed. I believe that cultural issues in our society and in our organizations are the greatest impediment to true security despite. The Problems Persist Mr. org/journal). Mr. I suggest. security data and security credentials to outsiders for gain. I gave my paranoia free rein and suggested that organizations are unprepared for the danger of such attacks and that security professionals. in particular. deploy ‘unbreakable’ cryptographic schemes…and we have the defense and other government agencies that employ some of the best security professionals on the planet. or at least we do not value it as highly as other attributes. He led me to see the problem from a few other angles. More formal methodologies such as SABSA accompanied by standards such as ISO 2700x abound. the VP has something to point to. Duncan J. 3 Barzun.org/topic-cybersecurity gets lost until markets crash. I am speaking of much more than a security awareness program.. Those bad things must happen often enough. Endnotes Ross. Wesleyan University Press.” ISACA Journal.• Learn more about. USA. we security professionals must do a better job of communicating the reality of the threats that our organizations face. it is easier to demonstrate that money invested in. Now. p. Crown Business. the leakers and the forces of nature do it for us. needless wars begin or a system gets hacked. Steven J. we) cannot say specifically what will happen. Selling Security To accelerate investments in security.. I promise to read and respond to those as well. But. 6 Ross. our willingness to spend almost always outruns the reality of the threats we face.5 In the competition for budgets. Jacques. Until we get the right security professionals doing the right jobs in the right ways.4 In the limited space of information security. It is often the case that the people responsible for security in any given organization are specialists in implementing and maintaining technologies. heck. a sales promotion will lead to higher revenue than it is to show that funds spent on security will result in lower losses. say. or at least out-of-the-ordinary bad things. nor when it will occur. We are only willing to pay for security when we are convinced that a bad thing will indeed occur if we do not provide enhanced protection. As a society. 77–80. xix (and the entire book. 5. Creating a Culture of Security. Dormer’s question. The Culture We Deserve. “The Train of Danger. discuss and collaborate on cybersecurity in the Knowledge Center. The Black Swan. if not sexy. 1 ISACA JOURNAL VOLUME 3. 2011 2 Dorothy Denning is a distinguished professor at the US Department of Defense Analysis Naval Postgraduate School and one of the most noted proponents of information security of our time. This too is a manifestation of our society’s perception—our culture—of security. Straightforwardly. then. for an explanation of the impossibility of prediction.isaca. particularly in these parlous times.6 Selling security calls for a different set of skills than managing or auditing it. Dormer. they (aw. which merely points out that there are threats in the world and that individuals need to do their part to combat them. we must sell security. but I do not believe that that is entirely the case. 2011. Nassim Nicholas. www. and a carefully crafted message that makes security desirable. there is often a response that “no one could have anticipated” that it could occur. 2012 5 . 5 See Watts.. You can also leave comments on the ISACA web site. USA. the answer to Mr. we have had no lack of Cassandras telling the world about potential dangers. their families and communities. Dormer’s last question to me will go unresolved: Are there other explanations [to poor security] that we’re not exploring? Author’s Note ISACA publishes my email address because I like to hear from you. that we simply do not care enough about security to pay for it? There is some truth to it. we pay quite a lot for security at the national. Is this. Jacques Barzun is emeritus university professor at Columbia University and one of the most noted cultural historians of our time. chapter 6. vol. ISACA. Steven J. Random House. Mr. close enough to spur us to action. for that matter). but when the cash does come in. 2011. 4 See Taleb. as I did from Mr. Everything is Obvious: Once You Know the Answer. p. big enough. This campaign should have spokespersons. When bad things occur. More shameless self-promotion. a warm and fuzzy mascot. we must do so rather than letting the hackers. 1989. I am suggesting a campaign that demonstrates the value of security not only to the company or agency but to individuals. they have been neither recruited nor rewarded for their ability to sell a concept. The CISO can only claim that something that might have happened failed to occur—an impossibly difficult position to defend. But. corporate and individual levels. the vice president (VP) for sales can no more predict which sales will be made because of a promotion any more than the chief information security officer (CISO) can tell which hack would be prevented by a new firewall. 2011. The deployment models section covers access rights and responsibilities. find the article. Additionally. http://csrc. and possible cloud computing scenarios must be deviated. Cloud computing is being labeled as a new Internet technology that provides cost-efficient and flexible infrastructure and applications to the business. the cloud can be located in Figure 1—NIST Visual Model of Cloud Computing Do you have something to say about this article? Visit the Journal pages of the ISACA web site (
[email protected]. is a senior manager at Protiviti Germany and is responsible for the German IT consulting team. However. This article describes real cloud computing project case studies. She can be reached at maria. PCI QSA. Maria Baturova is a consultant in the IT consulting team of Protiviti Germany with experience in governance. The service models section refers to software. platform and infrastructure decisions based on functional requirements and sourcing strategies. Figure 1 was developed by the US National Institute of Standards and Technology (NIST) and provides an overview of typical characteristics. risk and compliance. CISA. service models and deployment models.gov/publications/nistpubs/800-145/SP800-145. org/journal).de. there seems to be a gap between the technical possibilities and the practical usage of cloud services.pdf 6 ISACA JOURNAL VOLUME 3.ruhse@protiviti. He can be reached at Cloud Computing as an Integral Part of a Modern IT Strategy Examples and Project Case Studies kaiuwe.Kai-Uwe Ruhse. A typical choice is the private cloud that runs solely for one organization and can be organized and managed either by the organization itself or by a third party. Current cloud projects are still characterized as being in the testing phase and are mostly performed for IT services that are considered to be uncomplicated. Go directly to the article: Characteristics Broad Network Access Rapid Elasticity Resource Pooling Measured Service On-demand Self-service Service Models Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Deployment Models Private Community Public Hybrid Source: National Institute of Standards and Technology (NIST). and cloud computing. 2012 . which show that moving to the cloud is an important strategic decision for IT managers. The characteristics section summarizes relations and differences to existing IT services. Starting Points Different definitions and models of cloud computing exist and are often used as starting points for evaluations. and choose the Comments tab to share your thoughts. Even these projects show that challenges persist in the area of data security and compliance. The existing IT strategy must be reconsidered. This can lead to miscommunication between business and IT. In addition to integrating the cloud computing strategy with the IT strategy. those frameworks cannot replace detailed individual risk assessments and analysis of legal and compliance requirements. but also business units may increasingly use IT and the cloud without involving the IT department. Data Security and Legal Aspects The majority of discussions about requirements specifications in cloud computing projects refer to data security and legal aspects. which can lead to more time. In the case of outsourcing. Different national and international data protection laws define important requirements. processes and responsibilities to ensure control and accountability. and security monitoring. whereas specific requirements such as the Payment Card Industry Data Security Standard (PCI DSS) for credit card data define very detailed requirements. organizational IT governance aspects should be considered. depending on the classification of information stored. Cloud computing is an important part of modern strategic sourcing initiatives. which can lead to confusing legal situations for clouds. The basis for the project was an organizationwide strategic initiative covering all business departments and IT. www. locations of service providers. integration in processes and infrastructure. As a starting point of the IT strategy development project. log collection. Solutions can often be found in very detailed definitions of controls and responsibilities. The implementation decision for cloud computing must follow a structured approach that considers pros and cons and includes a comparison of the total cost of ownership. The described considerations can be summarized in a cloud computing strategy as part of the overall IT strategy to define the used service and deployment models. the European Network and Information Security Agency (ENISA)1.and cost-consuming efforts. transferred or processed. www. the existing old IT strategy was analyzed. evaluated and—once acquired—integrated with IT and business processes. who has access to which data and how to react in case of possible security incidents are at the top of the agenda.org/cloud-principles • Discuss and collaborate on cloud computing in the Knowledge Center. 2012 7 . different technologies need to be identified.isaca. especially in international organizations. as well as the corresponding operational and legal parameters. Within this initiative. However. user access rights. Service models like Software as a Service (SaaS) and Platform as a Service (PaaS) typically include those activities at the provider side. 2 or the German Federal Office for Information Security (BSI)3 provide a high-level overview. the nature. the level of control and responsibilities varies depending on the provided cloud service model. Frameworks such as those provided by NIST. To develop and implement an appropriate IT strategy. in the case of Infrastructure as a Service (IaaS). Strategic Considerations Strategic alignment between business and IT has become a key success factor to maximize value. Internal and external data security requirements must be considered. which should always be considered during the strategic planning of the usage of cloud services. benchmarking tools were deployed to analyze the current ISACA JOURNAL VOLUME 3. In general. IT not only enables new services and business processes. updated and integrated with the other business strategies to ensure proper business IT alignment and to increase IT awareness. For example. Questions such as where the cloud host is based. Standards such as ISO 27001 usually lead to organizational and technical changes.org/ topic-cloud-computing the organization’s own data center (on-premises) or in that of a different institution (off-premises). risk and benefits of cloud computing require strong SLAs in place to manage the interface among organizations. a cloud customer’s responsibilities usually cover the security platform configuration and maintenance.• Read the Cloud Principles white paper and other cloud-related resources.isaca. contracts and service level agreements (SLAs).4 Project Case Study: Cloud Computing Strategy The following project case study illustrates the successful integration of cloud computing within the IT strategy. Data security especially requires a clear and welldefined specification of both cloud customer and cloud provider responsibilities. Plan VI. Step back. an email service was outsourced to a cloud provider. including cloud computing projects. risk management and compliance can be the most challenging aspects for current cloud computing projects. Execute Work the plan. Figure 4 provides a short overview as an introduction. such as the identification of potential cloud service providers. This ongoing process with an annual step-back phase ensures that the IT strategy. Within the first project. Learn Set goals that lead. concrete projects. were performed to start the implementation of the new strategy. step by step. strategic cornerstones and objectives were specified. Vision and Strategic Position (5–10 Years) Strategic Cornerstone and Objectives (3–5 Years) II. into specific actions. After that. However. IT services considered to be uncomplicated are often outsourced into a cloud as a test for future projects. “What Is the Six Disciplines Methodology?. Source: Six Disciplines®. state of the organization against industry and revenue peers.com/who-we-are/methodology. A top-down model was applied to break down general strategic approaches. At the beginning. Finally. Organize Innovate purposefully. the following two project case studies of an email and backup implementation project illustrate the relevance of data security and legal aspects for cloud computing—independent from the technical complexity of the service. Regular evaluation includes cloud services and cloud computing projects. Both examples show that in addition to strategic considerations.sixdisciplines.Figure 2—IT Strategy Development Approach Figure 3—The Six Disciplines Approach Mission and Values (10+ Years) I. 2012 Align systems. Therefore. the Six Disciplines approach5 was adopted to ensure ongoing verification and updating of the IT strategy. This included sourcing and cloud computing decisions. For the long term. Figure 2 shows that the generic mission and values were first broken down into vision and strategic positions. the described challenges and strategic considerations still lead to misconception within IT and business departments. interviews with key players were performed to collect business views and requirements and to get an understanding of the perception of the IT department within the organization. However. Strategy Decide what is important. Based on the results and the collected information. Since cloud computing is a fairly new field of providing IT services. Short-term actions. future targets were defined and used to develop ways to achieve them. programs and projects follow the right direction. Innovate III. In addition. Figure 3 provides an overview of the Six Disciplines cycle. including corresponding cloud computing decisions. the strategic decision that resulted from this project 8 ISACA JOURNAL VOLUME 3.” www. IV. and leads to changes and updates where needed. Project Cases: Email and Backup Clouds Cloud computing is a heavily increasing area of providing IT services.html was to start using the cloud with relatively small applications in private cloud environments. were integrated in the strategic programs and initiatives. Strategic Programs and Initiatives (<3 Years) Action (Now) V. a risk and opportunity . Manage the risk. Limited personal resources and physical space made the manual backup process less reliable and cost-inefficient. The analysis of legal requirements led to the decision to use a private cloud provided by a Swiss hosting company to ensure an acceptable data security level. The second project case study illustrates security concerns related to the use of cloud services for backup management. The usage of SaaS cloud services is currently common practice in order to carefully approach this new way for IT services. the old tape backup solution became difficult to manage. November 2009 3 Federal Office for Information Security (BSI). As a result. • Obtain legal consultancy.com 1 ISACA JOURNAL VOLUME 3. November 2009 2 European Network and Information Security Agency. The project was performed by an international organization with more than 100 entities worldwide. but also by their location. • Analyze the requirements (legal. An audit clause was included to allow verification of controls onsite. It is important to consider cloud computing as an integrated part of the IT strategy.). 2012 9 . As a part of the IT strategy. The provided services and the related SLAs were analyzed and changed as required. Security Recommendations for Cloud Computing Providers (Minimum Information Security Requirements). As in the first project case described. May 2011 4 Protiviti. • Draw up service level agreements. • Select a service provider. Cloud Computing—Information Assurance Framework. Germany. • Evaluate the asset. evaluation was performed. The described project case studies show that security and compliance requirements were identified as currently challenging aspects in practice. Risks and Recommendations for Information Security. legal aspects that had to be resolved first were identified. November 2011 5 Six Disciplines.sixdisciplines. • Project Case 1: Email • Project Case 2: Backup Evaluate the risk. A lawyer was engaged to identify important compliance requirements that were relevant in this context. compliance. data security. IT Governance Insights Germany—Sustainable Competitive Advantage Through IT Governance. functionality and flexibility emerged as the drivers of the project. it is also a new and flexible way of delivering IT services. The decision to move data or applications into the cloud must be well considered by IT management to ensure reasonable and secure usage of cloud services. etc. • Select a service model: SaaS. the decision for a cloud service provider was driven by the location of the legal entity and the location of the data center. a private cloud managed and hosted by a German provider within Germany was chosen. However.Figure 4—Cloud Client Cases Risk Evaluation and Management Select an asset. Cloud Computing—Benefits. Out of these considerations. the decision to replace backup tapes with an automated SaaS cloud backup solution was taken after consideration of the management benefits and business continuity aspects. To minimize security and compliance risk. Cost reduction. • Select a deployment model: private cloud. as well as to gain experience for further outsourcing initiatives into the cloud. Endnotes European Network and Information Security Agency. the security and legal concerns were identified as the most challenging part of the usage of the cloud. Due to the growth of sales and services in the past years. Conclusion Cloud computing is not just another IT trend. cloud providers are evaluated not only by their service levels and costs. One of the main challenges of the project was the different data security and labor laws worldwide. www. Go directly to the article: 10 ISACA JOURNAL VOLUME 3. in this sense. sort out and address. the approach to solving ethical dilemmas would be reactive rather than proactive.. be morally right. . is essential. a search engine) prematurely in relation to ethics.g. Collectively.1 J.edu. Independent of our roles as users or producers of information. the vision of ethics as an ongoing and dynamic activity. Nebraska. org/journal). our duty is to be well informed—that is. but to identify and correct the systemic attributes that could potentially trigger ethical missteps. for example. CISA. The coauthor of two books on information systems and security. and not those of Creighton University. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. according to Floridi. Creating a robot means creating the object (robot) with certain characteristics. scientists and others. a more sophisticated ethical analysis is required up front. and choose the Comments tab to share your thoughts. it is important for us to also accept the role we play as moral agents—in making permanent the values we choose. Any consideration of only one of these is microethics. USA). moral or otherwise. We. Vision of Ethics as an Ongoing Dynamic Activity In light of the rapid change in technology. 2012 IT can be molded or shaped. Moor suggests that with rapid developments in technology. First. his areas of teaching and research interests include information security and corporate governance. no matter how robust. our moral evaluations affect the informational environment (or space). and this may produce surprises leading to frustrations and costly cleanups.” which means create. Second. would not prevent ethical missteps. H. Thus. we are accountable for the faithful representation of our output. the number of ethical fallouts surfacing from objects of new technology would be fewer and of a less-damaging variety. to seek as much valuable information as feasible to do the right thing. The term “shape” has its origin in an Old English word “scieppan. As creators of these objects. in it. to the malleability of life (genetic technology). and. but rather more in the spirit of bridging the policy gap that the change creates. is a professor of accountancy Policy Vacuums at Creighton University (Omaha. the values of our choice—what is right and what is wrong—will be inherited by the object itself. A broad definition of objects. Facebook) or a strategic informational object (e. Luciano Floridi suggests that when considering information ethics. over time. And. Opinions expressed in this column are his own. Third. we should take into account all three roles. an application or a network of computers. when we accept the notion that our creations inherit our value judgments. much more collaboration is required at the design stage among ethicists. we are moral agents of the objects. Therefore. policy vacuums suggest “fighting fires” as the molded technology is embedded into a business model (e. According to Moor.isaca. could include software. a three-fold approach is necessary to bridge gaps created by the policy vacuum. any assessment of ethical dimensions of information is a frozen picture.g. through the created objects. He can be reached at vraval@creighton. these factors will help reduce the policy gaps. The thought of moral agency is important here because as moral agents who create these objects. and we should be transparent in our communication. For example. not a post mortem. As producers and communicators of information. a new approach to ethics is required. as IT professionals. what we need is an all-encompassing macroethics. documented and analyzed not just from a micro perspective (as in its impact on privacy of customer data). DBA. For example. Relying on a one-time exercise.Vasant Raval. He argues that the “logical malleability” of computers led to the so-called policy vacuums that require careful analysis to fill.2 He extends the argument to all kinds of technologies to suggest policy vacuums. we need to. The purpose would be to not just capture an instance of a possible ethical compromise. changes should be identified. we should be free from plagiarism. By nature. material (nanotechnology) and mind (neurotechnology). Any change over time can bring new ethical implications for us to identify. within our constraints and opportunities. As moral agents. privacy and confidentiality of personal information and democracy in access to information are part of our broader role in the information space. create numerous objects by shaping IT.. infrastructure. find the article. . For example. p. by the Electronic Frontier Foundation. Perhaps the time for this paradigm shift is now approaching…if we wish to avoid crises. 2012 11 .” Information Security Journal: A Global Perspective. www. “[T]he future offers very little hope for those who expect that our new mechanical slaves will offer us a world in which we may rest from thinking. 2008. Luciano. 2010 7 Wiener. 69 ISACA JOURNAL VOLUME 3. p. for example. however. said he “didn’t consider the privacy angle. discuss and collaborate in the Knowledge Center.” Information Security Journal: A Global Perspective. Editors: J. Cambridge University Press.D. J. Hanny suggests that a successful application security program will be fully integrated within the system development life cycle (SDLC). N. p. J.”4 Did Garg or Google fail to broaden the inquiry in designing or using the work-around? Sophisticated Ethical Analysis Up Front Consider web application security.”6 In contrast. instead of just getting the feedback on what went wrong. Van den Hoven and J. Weckert. Weckert. MIT Press.. it seems that we are not accustomed to integrating ethical analysis in information we produce. The Wall Street Journal recently reported that Google introduced a “work-around” code along with the Safari web browser to generate a scenario in which Safari would—contrary to its norm of automatically preventing installation of cookies—allow the setting up of a cookie on the user’s computer. the wider the accountability. 26–39 3 The Wall Street Journal. benchmarks and even accreditation standards in the arena of information ethics. the question: Who is responsible to fill the policy vacuums? It is a difficult question to address.. 17 February 2012. J. The Wall Street Journal reports that Anant Garg. The information technologist alone may not be able to broaden the inquiry to several other dimensions. 19: 336–342.Collaboration at the Design Stage The earlier in the value chain we address the conflict.org/knowledgecenter To quote cybernetics guru Norbert Wiener. H. 19:95–99.isaca. from requirements gathering to operations and disposal. the better the design of informational objects. in Information Technology and Moral Philosophy. communicate or use. • Learn more. thus. 1964. Cambridge University Press.. Here is an example. A2 5 Hanny. God and Golem. A1–A2 4 Ibid.”7 Endnotes 1 Floridi. p. Policy vacuums at the product-development or use level are likely to be the responsibility of the enterprise. Inc. Why We Need Better Ethics for Emerging Technologies.. Van den Hoven and J. Editors: J.3 And. D. p. in Information Technology and Moral Philosophy.5 A. Finally. the tactic would be to anticipate possible ethical vulnerabilities and address them even before the information object is created. who developed the work-around code. “Conficker: Lessons in Secure Software and System Design. “Building an Application Security Program. the policy vacuums in researching the technology could be a community effort.: A Comment on Certain Points Where Cybernetics Impinges on Religion. 2010 6 Sanders. and threat model every software feature. one can surmise that the earlier the information object is in the development cycle. Sanders asserts: “Consider security in every SDLC phase. Therefore. A. Google is believed to have caused some degree of compromise of the privacy of users. Information Ethics: Its Nature and Scope. A cohesive effort on all fronts by the community of organizations could lead to best practices. 40–65 2 Moor. 2008. This critical change in perspective should be implemented by engaging a collaborative group of professionals. including ethics. if management wants to gain assurance that a new application is performing as designed. or the audit team.isaca. This consideration is necessary to properly plan the audit. of risk associated with a particular audit. systems. it has Naturally. within the context of the audit purpose. is a risk. given • Map systems and data flows. test the mapping. that fact will drive the audit objectives and plan.D. 2012 Consideration of Purpose One of the key drivers of an application audit throughout the process is the conditions or circumstances by which the audit arose. review a steps: planning. may or needs to assess the impact may not apply. the The noted framework on the audit objectives. this space in volume 4. valueadded dealer of accounting Auditing applications is a common type of audit for medium and large companies. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995. does not actually meet the information • Complete the report. find the article. the purpose of the audit that was determined • Identify key controls. CPA. and choose the Comments tab to share your thoughts. possible • Include financial assertions. org/journal). previously. should occur near the beginning of the audit. especially when some of the applications are developed in-house. For instance. audit of applications. audit noted framework represents a represents a fair body of steps plan. what is driving the need for the audit? Is it a regular audit plan? Is it an ad hoc audit? The need is usually directly associated with the primary objective of the audit. once the risk scenarios are properly a role in most of the other steps. CITP.e. review tests. a large regional public accounting firm in the southeastern US. needs • Understand application’s functionality. (i. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. using microcomputers. A FRAMEWORK A process-oriented framework includes steps similar to the following: Consideration of Risk • Plan the audit.. Singleton is also a scholarin-residence for IT audit and forensic accounting at Carr Riggs & Ingram. There are some basic principles of auditing applications that IT auditors need to know and understand. Part 1 an associate professor of information systems (IS) at Columbus State University (Columbus. 2012. data errors. such as mapping systems properly integrate/interface with other applications and data flows. an inability to Some of the steps. such as identified. determining objectives and user acceptance document (if one exists). and other similar risk. His articles on fraud. USA). Go directly to the article: 12 ISACA JOURNAL VOLUME 3. CGEIT. Others. the Alabama Society of CPAs awarded Singleton the 1998–1999 Innovative User of Technology Award. To follow the previous example. Georgia. the IT auditor financial assertions. Singleton. the IT auditor The remainder of this should examine the original article details the first three information requirements. IT/IS. For example. are comprehensive. infrastructure and • Avoid/consider complications. risk scenarios include a lack of functionality • Consider beneficial tools. audit scope and audit fair body of steps that should procedures. IT auditing and IT governance have appeared in numerous publications. That is.. allow for the effective audit of that should allow for the effective if lack of functionality applications. requirements).Tommie W. The remaining steps will be detailed in application and perform other similar procedures. its associated data. “ PLAN THE AUDIT Planning the audit includes the consideration of all the relevant factors that frame the purpose of the audit. the audit plan should take into account the control environment surrounding the application. If the primary purpose of the audit is auditing proper . sources. In 1999. While mapping or systems. is Auditing Applications. CISA. Singleton was president of a small. ” Consideration of the Control Environment Usually. A second key factor and driver is consideration • Determine audit objectives. errors and/or bugs. However. The IT auditor. to identify risk associated with the application and • Perform applicable tests. Ph. This two-part article describes one framework for performing effective audits of applications. etc. the controls might be application development controls or systems development life cycle (SDLC) controls. www. ” pre/postimplementation. etc. controls for testing the application are important. the objectives tend to be proprietary for preimplementation applications. The same could be true for certain purposes.functionality. Postaudits often follow a general set of objectives (see the Determine Audit Objectives section).org/genericapplication-AP • Read IS Auditing Guideline G14 Application Systems Review.org/knowledgecenter • Efficiency (related to development cost. the original authorization purpose. DETERMINE AUDIT OBJECTIVES The objectives are somewhat tied to the consideration of “ Mapping is one of the most effectual tools that the IT auditor has for any IT audit. one of the leaders or managers of the audit team will need to assess the competencies of the staff against the needs of the audit.isaca. In auditing applications. ISACA JOURNAL VOLUME 3. That means determining the relevant technologies and controls associated with auditing the applications.isaca. scope and procedures that are peculiar to that application and purpose. it is important to properly scope other IT that either affects or is affected by the application.org/G14 • Read COBIT and Application Controls: A Management Guide. operational performance.) • Alerts (if alerts are involved with the application) • Financial reporting implications MAP SYSTEMS AND DATA FLOWS Mapping is one of the most effectual tools that the IT auditor has for any IT audit. it is possible that an expert in Oracle will be needed to properly audit the application. the process. the controls and how they all fit together. Consideration of Pre/Postimplementation Sometimes the application audit involves a preimplementation application. It also empowers the IT auditor to best perform the steps in this framework from planning to reporting—that is. www. discuss and collaborate on IS Auditing Guidelines and Tools and Techniques in the Knowledge Center.isaca. A preaudit tends to involve proprietary objectives. In particular. if the interface involves Oracle. such as: • Interfaces to other applications • Source systems • Target/destination systems • Infrastructure or components thereof • Databases • Staging area/testing facility Consideration of Competencies As in all audits. Consideration of Scope A very important consideration in planning is to establish the boundaries of scope. operational performance.) • Compliance (laws and regulations. etc. integration with other IT.isaca. Experts believe that mapping can assist the IT auditor in gaining a thorough understanding of the relevant technologies. 2012 13 .org/COBITApplication-Controls • Learn more about. For others. contractual. but most likely. it will be a postimplementation situation. the objective tends to be one of those that are typical for audits: • Read Generic Application Audit/Assurance Program. it has a comprehensive impact on the quality of the IT audit.) • Effectiveness (related to meeting information requirements/ functionality. For example. www. www. As stated previously. Inputs include the source data. They also include intermediate data. audit days. Sources include the internal Figure 3—Mapping Processes and Data Flows Day 4 Day 6 RECONCILIATION OUTPUT Source data Source Data ABC application Data Transfer Accounting Auto Reconcile: Beginning Balance + Transaction = End Balance Reporting 14 ISACA JOURNAL VOLUME 3. IT auditors need to map the process and data flow using conventional data flow diagrams (DFD). Draft Reviewed by XX Final Data Update . and demonstrates how such a map may be useful throughout the audit and may assist in managing the audit. processes and data flows. Figure 1 shows one way to map the auditing of an application.g. error-checking system (IT-dependent) and manual review of CRM data before the target data are uploaded as a control in the flow of data and processes. the automatic reconciliation. risk area. For example. the timeline and process dimensions. Figure 2 shows a spreadsheet document that may be helpful in mapping risk. percent done. scope of systems and notes. e. A nonconventional diagram may serve as a better model for depicting processes and data flows. This process/data flow framework might be more effective if it is presented using the system model vs. determining what should be on the map or determining what columns should be used in a spreadsheet that depicts the mapping. 2012 Error Report: Manual Review and Correction CRM Report. reference.Items that should be considered in properly mapping the application include. systems flowcharts or Unified Modeling Language (UML). The particular schematic shown in figure 3 depicts controls in such a way as to make them clear and understandable. use cases. Documenting and mapping risk may involve items such as the risk. the matrix in figure 3 may serve as a better model because it incorporates the time/delivery as well as systems.. among others: • Relevant IT components (description) • The business owners or business lines • Change management policies and procedures • The role and impact of vendors • Business processes • Controls • Access and security administration These factors can guide the IT auditor in creating the map. procedures. objective. days to complete. such as the source data for the middleware application. .5 33% 1 Middleware 3 1. Security Evaluate logical access controls to the application and its folder. Objective W/P Ref. CO. Risk Data integrity Risk Area Evaluate data integrity checks and controls between inputs and outputs. inaccurate or incomplete data may cause errors in reports or accounting.. 2012 15 ..0 0% 1 Active directory. inaccurate or incomplete processing may cause errors in reports/accounting. N. N. Change management Evaluate changes to the application for appropriate approvals. Vendor Vendor. Operations Evaluate processing and documentation for appropriate controls on development and support.. tests and segregation of duties (SoD).1. CO.. stored procedures.1 2 Unauthorized or unintended changes to middleware may cause errors in reports/accounting. views..1.. CRM... Vendor .0 0% 2 INPUT: Source file PROCESS: Middleware OUTPUT: Target file/DB2..A. and error identification and resolution. Part II Ref. XYZ Birmingham DEF App CRM..3 4 Invalid. middleware 4 2.1. Part I Ref. SOC1/2 available John Security admin . facts are .. 1 Invalid. CO. error report FIGURE 2—Documenting and Mapping Risks. Controls include .Figure 1—Mapping Example Using Spreadsheet.A. Inherent Risk Control Risk Assessed Risk Notes 1 High Medium Medium–High To date.1. target . DB2 2 1. Audit Days Percent Done Days to Complete Scope of Systems Notes 1 0. 2 Medium Low Low 3 High Medium Medium–High 4 Medium Low Low–Medium ISACA JOURNAL VOLUME 3. Z/OS DB2 Z mainframe Nashville Figure 1— Mapping Example Using Spreadsheet.4 Procedures Figure 2—Documenting and Mapping Risks.2 3 Unauthorized access may cause unauthorized changes to middleware or target data.5 100% 0 Middleware. Part III Ref. Part I IT Description O/S DBMS DB Server Data Location ABC App Middleware designed to . CO. Part II Developed Maintained Owner Access Admin Change Control In-house In-house Sue Active directory . causing errors in reports/accounting... Notes Figure 2—Documenting and Mapping Risks. ” InfoSec Reading Room.sans. The ABC application example in figure 3 is fairly consistent with ETL. including automatic reconciliations and the error detection/correction routine). It is in these final steps that the bulk of the actual procedures and tests occur. contact
[email protected]/reading_room/whitepapers/ auditing/application-audit-process-guide-informationsecurity-professionals_1534 The ExamMatrix 2012 CISA EXAM REVIEW (Coming Soon!) Get noticed… Advertise in the ISACA® Journal For more information. www. “The Application Audit Process. www.” 2008. In the next issue (volume 4. It also includes any process documents being created for the process functions. screen information and other printed documents.com/ISJ or call 800. which basically describe the process data go through to get into the DW from various sources.7277 .272. transform and load).databases (DBs) and external providers of data—something not uncommon in data warehouses (DWs). et al. the remaining steps of the framework will be explained. The processing segment includes the processing function of the application (see figure 3.pdf SANS Institute. One of the key beneficial steps in this part of the application audit is to generate thorough and accurate maps or diagrams. Peter R. 2012 Other CISA Exam review courses are designed to teach you content.” ISACA Switzerland Chapter.org. CONCLUSION This article explains the first portion of the framework. ExamMatrix goes one level deeper by helping you to be a better test taker.org/docs/Auditing_Application_Controls. Certain processes are similar to those associated with DWs.. · · · · · Adaptive-Learning Software Over 1600 Questions CRM embedded in the course software Simulated Exam Mode Pass or Refund Guarantee To view a free demo video and to recieve your $50 ISACA discount visit: www.ExamMatrix. for example. “Guide to Audit of IT Applications. 2012). Additional Resources Bitterli. Processing logic is of particular interest in auditing applications. “Auditing Application Controls. Outputs also include the need to evaluate tools and templates being used to create those reports and screens. such as ETL (extract. 2010 ERP Seminars. Outputs include reports. as they are usually a chief component of data integrity and reliability.auditnet. 16 ISACA JOURNAL VOLUME 3. My advice is to keep abreast of the issues and keep skills current. a partnership and a conglomerate. He has worked in both the public and private sectors. His career has taken him to most continents. but my experience is that the biggest threats to organizations are IT-related. and has held positions such as information security manager and chief information officer (CIO). cloud computing could grow massively if location-of-data issues are resolved. Now. I see a lot of internal fraud through a lack of application controls. Too many managers do not understand their own data. CISA Robert Findlay has had a 30-year career in a variety of IT roles. a lack of trust in third parties to hold personal data securely and to be responsive to incidents. For companies to protect themselves. org/journal). Q What do you see as the biggest risk being addressed by IT auditors and/or security professionals? How can businesses protect themselves? A External technical risks are most often discussed.isaca. for a cooperative. finance. Q How do you think the role of the IT auditor/ professional is changing or has changed? What would be your best advice for IT auditors as they plan their career paths and look at the future of IT auditing? A The role of the IT auditor is far more risk-based than it was when I started. then. Similarly. Ireland and the United States. Robert Findlay. Part of this travel involved six months in the Caribbean Islands. regulations and agreements that apply to their businesses. programming. not just IT management—does not pay attention to laws. I like to investigate the contracts and the security of the third party. Similarly. long-distance hill walking and studying for a degree in international studies. He has taken some time off to travel extensively around the world. technical operating system reviews and database audits were the order of the day. management—of all kinds.. across a wide range of industries. they should review their data and set up a robust reporting system to monitor exceptions to policy and a compliance framework. including computer operations. and choose the Comments tab to share your thoughts. caused by developers of applications who are not pressed into applying strong validation. and in Central America. and I can see only slow progress in niche areas for this service in the short term. a good start is to read all regulations and contracts and set up compliance projects. Q How do you see cloud computing changing the way we do business? What are your thoughts on auditing cloud computing? A People are very reluctant to commit to Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. while working largely in the United Kingdom. Go directly to the article: cloud computing because of data security risk. I see these concerns as an anchor on cloud computing. If they do not let me in. and concerns over moving to new providers if a change is necessary. project management. contracts do not exist. business and environmental risk. Consequently. ISACA JOURNAL VOLUME 3. 2012 17 . never mind applied them. At the same time. then I am suspicious of the control environment. It is rare that I come across any IT management team that has read contracts. As a result of this evolution. they must have enough technical knowledge to warrant a specialist position.. researching forts and castles across all the islands. Even less technical are the threats from poor governance. in most cases. find the article. IT audit and emergency project management. these issues should be the focus for auditing. he sticks to calmer hobbies such as marathon running. Personally.Five Questions With. IT auditors must understand it all: IT. but internal and often nontechnical. On this trip he was shot on two occasions and involved in half a dozen knife fights. Longer term. segregation of duties or good security reports to allow managers to review patterns of behavior. in fact. do not exist. discuss and collaborate on cloud computing. SAP and career management in the Knowledge Center. but recently you worked as an IT security manager for four years. The challenge was the scale and complexity of the review. from cleaning up the virtual private network (VPN) solution to setting up security in the SAP system. and what brought you back to IT audit? A My transition from IT auditor to IT security manager was driven by my own IT audit findings. courteous and. the PIR uncovered an incredible set of findings regarding the project that led to the dismissal of the chief information officer (CIO) and a two-year series of audits into every aspect of the project. However. and how did you face it? • Learn more about. In this case. . Sticking to the facts and being professional.Q A What has been your biggest workplace or career challenge. and the auditees fighting every finding and delivering personal attacks on a daily basis for two years. the reports that I issued were all accepted and new projects were launched. 18 ISACA JOURNAL VOLUME 3.org/knowledgecenter Q A large portion of your career has been in IT audit.isaca. I have found PIRs to be the most politically volatile reviews in each place I have worked. most of all. Finally. so I had to get into the technical arena to resolve a host of issues. I needed to broaden my skills or else become typecast in the SAP security space. 2012 The biggest challenge I faced was a specific postimplementation review (PIR) of a major human resources (HR) and payroll system project. Consequently. www. due to business pressures and the importance of the SAP project to the entire group. the role became too specialized and the risk became SAP-focused. management always makes great claims to savings from new IT systems—savings that. In general. How did you transition to this field. resilient led to great results for me and the business. The organization had no one to fix the issues that I had found. is an information systems (IS) and assurance services senior manager SOC Progress Report Four Things Learned in the Field with BDO USA. auditors need to be consciously aware that inquiry alone is not enough. CPA. 16 Service Organizations Controls (SOC) reports became effective on 15 June 2011. the service organization determines which report best fits its needs. Go directly to the article: The new Statement on Standards for Attestation Engagements (SSAE) No. however.7 just as they need to test the operating effectiveness of those controls where a Type II report is concerned. IS assurance practices at BDO USA. Their initial walk-throughs with respect to control design ISACA JOURNAL VOLUME 3. org/journal).2 SOC 2 and SOC 3 examinations and reports consider specific trust principles. the basic difference between a Type I report and a Type II report is that a Type I report considers the design of controls at a single point in time. Auditing under the old SAS 70 guidance. availability.Feature Brian Vazzana. an independent member firm of BDO International Limited. SOC 3?” Ultimately. but service auditors also need to make sure that they have an appropriate handle on what their potential clients need and expect. CISA. namely security. Perhaps the question should be: “To SOC 1 or SOC 2… or possibly. Illinois. service auditors concerned themselves with the design of such controls as of a point in time and. and depending on the information specifically processed by that service organization. USA. or is that customer base more concerned with the security. a different SOC may apply (see figure 1). 6 There are a number of subtle differences between the testing performed in conjunction with a Type II SAS 70 examination and report and that performed in conjunction with a SOC 1 examination and report.3. One nuance that is easier to miss is the consideration of the design of the service organization’s controls. then. processing integrity. now seems like a good time to reflect on a few things learned while performing these examinations. the fifth largest accounting services firm in the world. auditors need to understand the design of those key controls throughout the reporting period. As a forewarning. thus. while a Type II report further considers the operating effectiveness of those controls over a specified period of time. confidentiality and/or privacy of data and systems. Service auditors are undoubtedly considering this nuance and taking extra effort to document and understand control design at the service organizations. These reports (as well as the corresponding controls) are examined by independent service auditors and. As the first year of reporting under these new standards has completed.1 “I Want Your SOCs” “To SOC 1 or not to SOC 1?” That is the question. 4 Is the service organization looking to provide comfort to a customer base where the financial statements of those customers are impacted by the service organization’s controls.isaca. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. and Milwaukee. SOC 1 forces auditors to expand their thought processes. CITP.5. He manages the Chicago. A SOC 1 (SSAE 16) examination and report focuses on the controls established by a service organization that are pertinent to the financial statements of its user entities (customers). Because design concerns are no longer considered as of a point in time. find the article. Where user entities outsource certain business functions to thirdparty service organizations. 2012 19 . LLP. tested operating effectiveness throughout the period under audit. the SOC reports examine the controls present at the service organizations and consider how those controls are designed and operate. It Is All in the Design It is important to remember that both the old SAS 70 guidance and the recent SOC 1 and SOC 2 guidance provide two types of report options (Type I and Type II). Wisconsin. provide user entities with a level of comfort with respect to those outsourced functions. Among these various service organization reports. USA. availability and integrity of the data processed by the service organization? Depending on the service organization’s purpose and use of the report. and choose the Comments tab to share your thoughts. the auditor is probably more comfortable with the design of that 20 ISACA JOURNAL VOLUME 3. user entities’ management. Auditors visiting their clients well in advance of the end of the reporting period should be cognizant of the need to refresh their testing. and Illustrations allow service auditors to corroborate with various service organization personnel regarding the level or lack of control changes in a given reporting period. also compliance with the service organization’s statement of privacy practices) User entities’ management and parties understanding: 1) The nature of the service provided 2) The interaction of systems among the service organization. and the service auditor identifies that the control is designed as such via walk-through procedures and observation of the operating system’s password policies. processing integrity. Attestation Engagements AICPA Guide. If the service auditor has corroborated the service organization’s assertion that complexity enforcement is consistent with prior years by looking at prior-year examination documents. Reporting on Controls at a Service Organization Relevant to Security.8 Perhaps service auditors can use their understanding of previous control design to corroborate the level or lack of design change in the current year—to a greater extent than via inquiry alone or via inquiry and a walk-through at a point in time. availability. As an example. Processing Integrity. 16. subservice organizations and other parties 3) Internal control and its limitations 4) The applicable trust service criteria and risks/controls that address such criteria Controls relevant to security. confidentiality or privacy (if privacy. meanwhile. also compliance with the service organization’s statement of privacy practices) Anyone AICPA Guide: Service Organizations— Applying SSEA No. Not every service organization retains the same service auditor indefinitely. It Is Management’s Baby The new SOC standards have incorporated an additional requirement to the respective reports whereby management of the service organization is responsible for making certain assertions. confidentiality or privacy (if privacy. Whether or not this is the case. so those prior-year work papers may not exist. user entities. availability. processing integrity. Reporting on Controls at a Service Organization (SOC 1) SOC 2 AT 101. . The service auditor. the service auditor may want to consider the design of controls at multiple points in time rather than during one field visit. must perform due diligence to ensure the reasonableness of the subject matter of the engagement (to which management is asserting) in conjunction with the results of the examination. This roll-forward or refresh testing of controls serves to update the understanding of the design of key controls throughout the period and ensures that those controls are tested for operating effectiveness throughout the appropriate reporting period. Trust Services Principles. a service organization has represented that operating system password parameters require complexity in the current reporting period. That said. auditors will need to add audit steps to ensure that they have considered control design beyond inquiry and a walk-through at a point in time. 2012 USERS control throughout the current period than via inquiry and observation at a single point in time. Availability. SOC guidance does not allow service auditors to rely on prior-year controls as a means of assessing controls in the current reporting period. Confidentiality or Privacy (SOC 2) SOC 3 AT 101. Reporting on Controls at a Service Organization SUBJECT MATTER (SERVICE ORGANIZATIONS) Controls relevant to user entities’ internal controls over financial reporting User entities’ auditors. Attestation Engagements AICPA Technical Practice Aid. service organizations’ management Controls relevant to security. Criteria.Figure 1—SOC Reports Comparison REPORT SOC 1 GUIDANCE SSAE 16. a service organization can freely distribute the report. and the assertion should be clearly segregated from the rest of the text in the document. it must then provide a similar assertion from the subservice organization’s management. 2012 21 . as well as examine the subservice organization’s entity-level controls. Furthermore. including via a publicly displayed SOC 3 seal linked on its web site. www. if the service organization relies on a second organization (a subservice organization) to perform some services. however.isaca.isaca.org • Learn more about. • The controls related to the control objectives provided in management’s description must be appropriately designed as of a specific point or period of time to achieve those control objectives (and those control objectives and related controls must be operating effectively in a Type II report). but when might a SOC 3 examination come into play? A SOC 3 examination operates in a manner similar to that of a SOC 2. Effectively. given possible confidentiality concerns by subservice organizations. management should not consider its assertion finalized until that period is completed. the SOC 3 report must consider the design and operating effectiveness of controls over a period. Current and prospective customers can then access the report via this SOC 3 Report: SysTrust for Service Organizations seal. scheduled for release in July 2012. To SOC 3 or Not to SOC 3? I started this article musing over preparing a SOC 1 examination vs. First and foremost. Otherwise.10 service organizations must either operate all of the key controls relevant to the report or they must include any key controls that have been ISACA JOURNAL VOLUME 3. a SOC 2 examination. the manner in which the assertion is presented in the report is subject to interpretation. signed and printed on company letterhead. While the text of the overall assertion is given robust coverage within the guidance provided by the American Institute of Certified Public Accountants (AICPA). it should be evident that management made its assertion in conjunction with the audit standards. does not exist. It is interesting to note that there are certain limitations to SOC 3 reporting. When must management make these assertions? Given that these SOC reports cover a defined period. provides a more limited discussion of the service organization’s systems. the service organization must provide a description of such outsourced services in its report. • Management must select the criteria used in making the previous assertions. the report is written for a broader audience and. Carving out the subservice organization’s controls and simply acknowledging the services performed may prove the more efficient manner by which service organizations complete these reports. of which service auditors and service organizations need to be aware. Then. others may simply provide the text of the assertion with an electronic signature and keep a formal copy on file. the audit guidance expressly forbids carveouts of controls within a SOC 3 report.• Watch for ISACA and AICPA’s joint guidance of SOC2. www. thus. management does not assert to the operating effectiveness of the controls over the course of the entire examination period. While it is a best practice for the service organization to actively monitor its controls and draft its assertion over the course of the examination period. service organizations cannot simply write the assertion on day one and ignore it for the remainder of the period.9 Furthermore. Some service organizations provide a formally executed document. depending on whether a Type I or Type II examination and report is performed. management must attest to the following: • The description of its systems must fairly present those systems designed and implemented as of a specific date or period of time. unlike SOC 1 and SOC 2.org/topic-ISAE-3402 What assertions must management make? Considering SOC 1 reporting specifically. SAS and ISAE 3402 in the Knowledge Center. Service organizations must take care to ensure that controls are operating over a reasonable period before considering a SOC 3 report. a Type I report option. discuss and collaborate on SOC. in which controls may be attested to on a particular date. the service auditors must examine this assertion in conjunction with the audit. Ultimately. the manner of presentation should be discussed and agreed upon by the service organization and service auditor. If the service organization describes the outsourced controls in its report. Endnotes 1 This article is based on the experiences of the author. 2011 5 Op cit. Service Organization Control Reports: A Closer Look at SOC 2 & SOC 3 Engagements. American Institute of Certified Public Accountants. May 2011.outsourced to subservice organizations. By doing this. both service auditors and service organizations provide greater value to these respective reports and greater comfort to their recipients.. Reporting on Controls at a Service Organization (SOC 1). or Privacy (SOC 2). May 2011. April 2011.03 and 1. AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security. is on those organizations to monitor and ensure the operating effectiveness of the key controls they design as well as to attest to such effectiveness. Meanwhile.16 (a) & 1. American Institute of Certified Public Accountants. March 2010. particularly if such organizations rely on a third party for data processing or network hosting services. paragraphs 1. With this in mind. John F. American Institute of Certified Public Accountants. Katcher et al Share Ideas Expand Your Network Connect to ISACA Young Professionals All Over the World www. 2012 .16 (b) 6 AICPA Auditing Standards Board. paragraphs 1. 16. Ultimately.org/ypgroup-journal 22 ISACA JOURNAL VOLUME 3. paragraph 16 8 Ibid.isaca. preface 10 Op cit. service auditors need to remain diligent in ensuring that they are not simply adhering to the old SAS 70 approach to auditing these controls.10 3 American Institute of Certified Public Accountants. paragraph A43 9 Op cit. 2 American Institute of Certified Public Accountants. April 2011. American Institute of Certified Public Accountants. paragraph 1. Hudson. a company must operate its controls independently and effectively over an established period in order for a SOC 3 report option to be viable or to convince a subservice organization to provide an assertion with respect to any outsourced controls and allow the service auditor to test those controls at the subservice organization. paragraph 7 7 Ibid. David Palmer. The onus. AICPA Learning Center. Audrey. a SOC 3 report may not be the preferred route. Availability. thus. Conclusion The new SOC standards provide service organizations with expanded opportunities to provide comfort to their customers with respect to data security.06 4 Katcher. if service organizations are finding that the above issues are present. Confidentiality. An unqualified SOC 3 audit opinion merits the SOC 3 seal.. availability and the like. AICPA Guide: Service Organizations—Applying SSAE No. but considering those subtle nuances that the new guidance provides. the ability of service organizations to publish a SOC 3 report may be limited. Statement on Standards for Attestation Engagements No. Processing Integrity. however. 16: Reporting on Controls at a Service Organization. Suzanne Nersessian. Open Database Connectivity [ODBC]. FlockDB. which could upset the organization’s state of privacy compliance as the data may be spanned/sharded across multiple jurisdictions.0 technologies. Go directly to the article: A Primer on Nonrelational. 2012 23 . Big data. Although non-RDBMS have been around for the better part of a decade. • Non-RDBMS differ from RDBMS in the way that they treat data.. Concurrently. GraphDB. Data Definition Language (DDL). CouchDB. auditing (logging) or configuration management are the weaknesses and threats with non-RDBMS. find the article. allow for enhanced system scalability and elasticity (i. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. Hibari. how to assess their risk posture. Examples of these database implementations include NoSQL (not only SQL) offerings such as Cassandra. While it lacks basic access controls.g. opportunities and threats (SWOT) for the enterprise. and has more than 11 years of experience in the technology sector. authentication... He frequently presents on information security.. Distributed Databases for IS Professionals A new paradigm is among us. He is also an adjunct professor and the current president of the Delaware Valley (Greater Philadelphia) chapter of the Cloud Security Alliance (CSA). many now use a DML platform called NoSQL. which often leads to a considerably lower operating expense (OpEx). sharding). such as Couchbase. e-discovery and information governance. includes the aggregation of an organization’s traditional. distributed database management systems (non-RDBMS) are now growing in popularity. nonrelational. their popularity has grown to the point at which information systems professionals should become familiar with their architecture and use. elasticity (called sharding3 in the non-RDBMS world). cloud computing. for example. As shown in figure 1. modularity. and choose the Comments tab to share your thoughts. Java Database Connectivity [JDBC]). The differences between non-RDBMS and RDBMS include: • Data in non-RDBMS are distributed across multiple computers. • Most non-RDBMS have moved away from using Structured Query Language (SQL) for Data Manipulation Language (DML) calls. modularity.1 Non-RDBMS are becoming the preferred database architecture for organizations using Web 2. as defined through Oracle. non-RDBMS are now reaching critical mass in industry. information privacy.0 technologies due to the open-source nature of these platforms.g. Leading technology service providers (e. • In non-RDBMS. metadata) and social (media) data. Markey holds multiple certifications and degrees. and individuals and companies consume those provider offerings.Feature Steve Markey is the principal of nControl. and how to secure them. project management. portability and interoperability while using non-RDBMS platforms with Web 2. as this new technology platform provides a different set of strengths. NoSQL solutions. portability and interoperability as strengths and opportunities. Twitter) have begun to use them. weaknesses. USA.0 programming language focused on dynamic content) or web services/ service-oriented architecture (SOA). large enterprises are using non-RDBMS to augment their existing RDBMS investments for storing and analyzing big data.e. which leads to cost savings because organizations do not have to invest in traditional relational database software licensing and/or local hardware. such as Ruby on Rails (a Web 2. read. log data. tables in a distributed database system (DDS) are referred to as domains/namespaces. Non-RDBMS Value-add Once thought of as a technology solely for academia. Non-RDBMS provide enhanced elasticity. sensory (e. It is important to understand how non-RDBMS differ from relational database management systems (RDBMS). updated and/or deleted (CRUD) from/to non-RDBMS through an application programming interface (API) call vs. • Non-RDBMS require an operating API service to be running as opposed to a database server instance. ISACA JOURNAL VOLUME 3. This article provides an overview of this technology.isaca. • Data are created. or metadata. MongoDB and SimpleDB.g. a database connection (e. is not as easily queried as in RDBMS. a consulting firm based in Philadelphia. Pennsylvania. org/journal). an idea of the security vulnerabilities inherently found in these technologies and guidance on how to remediate those vulnerabilities.2 Beyond cost savings. Along with the cloud and mobile devices. organizations can expect to experience enhanced scalability. and they can easily build applications using the non-RDBMS technology. This theory states that relations exist between attributes and entities. Cloud service providers (CSP).. FlockDB. such as Cloudian’s. Hibari).. Livemocha and LOUD3R) for an extremely fast time to market. Users Web Servers Database Scales Out Just add more commodity web servers.Application Scales Out Just add more commodity web servers. . CouchDB.4 Non-RDBMS consumers connect their NoSQL databases to web applications by using third-party products such as Cloudian’s (see figure 2) or writing their own.com/sites/default/files/uploads/all/whitepapers/NoSQL-Whitepaper. Cassandra).g. 2012. non-RDBMS users can save on capital expenses (CapEx) and operating expenses (OpEx). such as Amazon.5 Finally. which is based on the Graph theory. DynamoDB.pdf By running an API service. document-oriented (e. NoSQL Database Technology. Non-RDBMS Types Non-RDBMS. The closest relative to the relational database for NoSQL implementations is the key-value flavor. specifically NoSQL implementations. SimpleDB).6 For example.com Application Response Time Figure 1—Couchbase Shows NoSQL Scalability Users Source: Couchbase. while document-oriented flavors store web-centric documents in the format of either JavaScript open notation (JSON) or XML-based documents.couchbase. System Cost No SQL Database Servers Application Response Time Load Balancer System Cost www. are counting on this. GraphDB) and key-value databases (e. a married couple is related by their marital status...g.g.g. MongoDB. Column-oriented/tabular flavors use database tablelike structures without the joins often found in a relational implementation. which is used by various start-ups (e. an entity/table. http://www. 2012 tabular (e.wellsfargo. Flipboard. Amazon’s Web Services’ (AWS) portfolio includes an offering called SimpleDB. which uses primary keys such as in an RDBMS but without a table.g. can be broken down into four categories: column-oriented/ 24 ISACA JOURNAL VOLUME 3.. which is an attribute/adjective vs. Kehalim. there is the graph database. graph databases (e. Shinya. which leads to increased risk. the Payment Card Industry Data Security Standards (PCI DSS) and the US Health Insurance Portability and Accountability Act (HIPAA) should also be cognizant of the fact that non-RDBMS provide limited logging for auditing and accounting purposes because the logs are built predominantly for debugging. 2012 25 . which in today’s highly regulated and litigious society can be a burden too high for many organizations to bear. additional vulnerabilities can be found from a process standpoint. Organizations that are obligated to comply with. These vulnerabilities can be caused by a lack of documented and/or implemented security review tasks within the software development life cycle (SDLC). Authentication for non-RDBMS is also limited. Beyond the known portability limitations. these smaller entities often lack a documented and secure SDLC. the onus is on the programmer to ensure that users are authenticated on the front end of the system (e. they have their challenges. there are often control gaps from a security standpoint. because small start-ups are the most prevalent users of this technology. for example. Therefore. www. therefore. web application firewalls [WAF]. including: • Lack of uniform standards across non-RDBMS. Data that are distributed across multiple locations are a problem in themselves. eXtensible Markup Language [XML] firewalls and database firewalls). Finally. Additionally. because most DAST will not pick up the nuances of SQL injection-based vulnerabilities for non-RDBMS. Examples include a proper segregation of duties for development and production environments.. it has been found that. Whether an organization adapts these processes to remediate known vulnerabilities. affecting portability • Lack of supported authentication methods • Limited consumer-level logging/monitoring support • Limited support for dynamic application security testing (DAST) by vulnerability assessment tools • Incorrect belief that NoSQL-based non-RDBMS implementations are more secure than RDBMS Non-RDBMS using NoSQL are still susceptible to input validation vulnerabilities such as SQL injection. these vulnerabilities can be remediated relatively quickly. organizations should know that there will be limited portability of the implementation between non-RDBMS implementations/providers. such as Microsoft’s Security Development Lifecycle (SDL). mysite/login. it is important that the source-code check for input validation occurs at both the client and server side. a prebuilt database to connect to via ODBC/JDBC. with some education and awareness. A large part of this problem stems from the ability of a developer to sidestep the traditional role and/or need of a database administrator (DBA) to design and build a logical/physical RDBMS. The largest challenge found in non-RDBMS is their distributed nature. as there is no standard for nonRDBMS. With their often limited budgets and staff. However. Cloudian Non-RDBMS Challenges Although non-RDBMS are becoming increasingly popular..php).g.g. there are ways to mitigate the risk ISACA JOURNAL VOLUME 3. a formal SDLC process that incorporates security thought leadership.Figure 2—Cloudian’s API Software Solution for Accessing NoSQL Databases Clients Networks API Cloudian Client APIs Platform Layer Cloudian Platform Database Layer NOSQL Data Store with HyperStoreTM Source: Motohashi. and this issue can be exacerbated if the location of a specific record cannot be determined when it is needed for audit. or they can be due to a lack of a separation/segregation of duties. Remediation can be done in a timely and cost-effective manner through process and technology-based controls/safeguards. Several other vulnerabilities can be found within non-RDBMS. The cause of this is the reliance on the API calls vs. e-discovery or forensic purposes.7 or implementing various firewall implementations (e. or whether it implements technological solutions. Case Studies. an organization may implement a WAF or an XML firewall as a preventive control while using non-RDBMS. Once the risk assessment is completed.microsoft. iPod touch or iPad. 2012 Enjoy the ISACA Journal app on your Android phone or Kindle Fire! ® Visit the Apple. it is crucial that they keep their options open for the best system to use for storing these data.. Nathan.g. 1 • Learn more about. As non-RDBMS grow toward critical mass. com/solutions/case-studies/ 5 Hurst. it is important to know how they work. if any.php 7 Microsoft.com/security/sdl/default. Visual Guide to NoSQL Systems.com/cloud/2011/04/5-graph-databasesto-consider. As organizations collect data in staggering quantities.0 applications or augment RDBMS for managing big data.org/knowledgecenter found in implementing non-RDBMS. an organization needs to do a cost-benefit analysis (CBA) on using non-RDBMS while incorporating the necessary controls to safeguard data. October 2011.nahurst. Adam. 15 March 2010. Conclusion By completing a CBA.com/cloud/2011/01/how-twitter-usesnosql.pdf 3 Wiggins.com/us/products/ database/big-data-for-enterprise-519135. www. www. how they differ from RDBMS platforms.Endnotes Finley. Klint. This decision is more important now than ever.readwriteweb. Google. www.php 2 Dijcks. an organization can make an informed decision about whether or not to use non-RDBMS. How Twitter Uses NoSQL. SQL Databases Don’t Scale. Member Only Access . Oracle: Big Data for the Enterprise. Kindle Fire. the manner in which they are treated should change. and who is best suited to use them for collecting and processing data. conducting a risk assessment and understanding the vulnerabilities found within this platform. http://aws. 5 Graph Databases to Consider.com/past/2009/7/6/sql_databases_ dont_scale/ 4 Amazon Web Services. For many organizations. non-RDBMS now exist to either support Web 2. http://adam. iPhone. the data stored in non-RDBMS are sensory (log) data from multiple sources. 26 ISACA JOURNAL VOLUME 3. http://blog. www. a go or no-go decision can be made to determine the risk appetite for non-RDBMS. This assessment should also determine which data. as organizations must realize that data are their lifeblood. Technical controls/ safeguards can also be used to remediate the risk introduced when using non-RDBMS. The non-RDBMS data store is then used by security information and event management (SIEM) software packages for analytical purposes (e.oracle. Hence. Oracle. In the end. and as data grow. Specifically. may be stored in non-RDBMS.” www.aspx. Search “ISACA Journal” to download the FREE app for your Android phone. The largest remediation strategy should be to do a risk assessment before using non-RDBMS. “Microsoft Security Development Lifecyle.amazon.com/visual-guide-to-nosql-systems 6 Finley. 6 July 2009. SQL and other databases in the Knowledge Center.readwriteweb. 20 April 2011.isaca. discuss and collaborate on Oracle. Jean-Pierre.heroku. Klint. how they can be used within an organization. trend analysis for detecting security incidents). 2 January 2011. and Amazon Appstore. including skill and experience and. often.isaca. an advisory services and professional development firm. CGEIT. Auditing skills and ability are extremely important. which may inadvertently lead to rumors that can damage the credibility of the auditors and/or the audit departments. CIA. In the IT audit world. It has been said that interpersonal skills are more important than auditing skills in this profession.1 Internal audit is comparable to the sales group inside an organization. Clarity/coherence—This may seem obvious. it is important to paint a complete picture so that all facts and circumstances are understood. The need for auditors to constantly sell their value highlights the importance of refined communication skills. meetings. Concise—Many people are familiar with people who like to use long words and sentences to project intelligence. complete and accurate work papers in addition to compelling audit reports are important throughout the audit process. without a high level of communication. including five as a chief audit executive/ audit director at two diverse companies. Furthermore. but clear and coherent communication is not as easy as it seems. Complete/correct—Communication is a fine art. are well constructed and clear. Conversational—An adult’s comprehension tends to decrease significantly (during training) when a speaker talks to the audience rather than with the audience. 5. risk management and regulatory compliance firm. Such negative methods by auditors will not contribute to success in building long-term relationships with auditees. To be successful. the progression of many managers up the proverbial audit ladder is stymied due to one significant distinguishing factor: communication skills. In the audit and risk management profession. Comprehension and listening significantly decrease if people do not see how they are personally involved in the communication. Additionally. for example. The elimination of space killers and a focus on useful words is key. Some best practices and key areas of communication include: • The 7 C’s of communication • Professionalism • Miscommunication • Mode of communication • Conflict management • Active listening The 7 C’s of Communication Communication. the focus is on oral and written communication. This commands more attention and better responses. Communication should be accurate and honest. It is important to personalize each experience and make each individual connect. Captivating—Communication must be interesting and engaging at all times. it is easy to generate fear. For auditors. conference calls. find the article. Additionally. Compelling language that encourages action should be utlized. 4. Irrelevance should be eliminated. CPA. When speaking to nontechnically oriented team members. 2. Concise communication keeps audiences engaged and interested. and choose the Comments tab to share your thoughts. however. People must be engaged and feel comfortable enough to speak their mind. He has the rare experience of leading or being an integral part of year-one US Sarbanes-Oxley Act compliance efforts at three companies. being in the right place at the right time. phone conversations and instant messaging. 2012 27 . often producing the opposite effect. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. Goldberg has more than 13 years of audit experience in the Dallas and Fort Worth. is Communication—The Missing Piece the professional development practice director at Sunera. CCSA. Go directly to the article: Career progression in any field is dependent on many factors. via emails. some security and IT auditors tend to use fear. uncertainty and doubt as methods of enforcement. there are many high-quality people vying for the same roles. is the foundation of all business. The 7 C’s of communication provide a checklist for making sure that all forms of communication. attempt to find the answer and move forward. all ability is for naught. org/journal). an international corporate governance. he founded SOFT GRC. Goldberg. and logic must be embraced. area.Feature Danny M. ISACA JOURNAL VOLUME 3. in that audit must constantly sell its value and role. auditors must establish face-to-face relationships with auditees and develop a level of trust. emails. he has assisted in leading the establishment of three internal audit/Sarbanes-Oxley departments. CISA. The 7 C’s of communication are:2 1. It is okay for people to admit that they do not know something—admit it. 3. Communication should be focused—with no question about the intention or the objective. including meetings. reports and presentations. USA. Texas. Prior to joining Sunera in January 2011. the focus on these new modes of communication has decreased Generation Z’s 28 ISACA JOURNAL VOLUME 3. case of an ongoing audit. 2012 ” Conflict Management Confrontation4 can be a healthy exercise when the parties in conflict are transparent and honest.isaca. Facebook. but many conversations are better conducted in person or over the phone.. There are many different modes of communication. Twitter). Auditors must not assume anything. and email. Email is People who assume let the assumption take over the overused. Proper management of this communication can determine the successfulness of an audit. but nothing can replace face-to-face conversation.6. but to call the sender conversations. especially in younger generations. not one-way.isaca. Generation Z relies heavily on text messaging and emails. however. Courteous—Communications are most effective when they are two-way. Concrete—One should communicate with specifics and certainty. Assumptions can take on a world of their own. “ Mode of Communication The mode of communication can significantly change the tone and meaning of communication. In the affected by the mode of communication. conversation and. Communications that involve back-andMiscommunication forth conversation should be done in person rather than via Miscommunication is the number-one cause of unnecessary email. auditees may take audit findings or recommendations personally. For auditors. regardless are bred from assumptions and are Communication should be of who is copied on the email. Emotion tends to weigh down healthy and straightforward communication and the comprehension of what is being communicated.g. communicated in person. Emotions and sarcasm are difficult to interpret via email and on smartphones. Professionalism One of the major issues with interoffice communication is the separation of personal and professional points of view. In certain instances. Many employees. The auditor should remain focused on the issue and the root of the problem. • Discuss and collaborate in the Knowledge Center. Generation Z3 is well-versed in communicating via smartphone and social media (e. Communication should be professional. do not fully comprehend the Emotional conversations should not take place via email. Many miscommunications and discuss the situation offline. conflict. Technology has enhanced the speed of communication. thus. Email and texting are sometimes used as modes to avoid in-person conversations. it is best not Auditors should ensure that to communicate significant findings via personal feelings should not communications to auditees are clear. but it has also decreased the effectiveness of communication. 7. kept at a professional level.org/conferences in-person communication skills. personal feelings should not affect communication. All employees should be guarded when communicating via smartphone. Anything that could be significant they should avoid miscommunication as affect communication. LinkedIn. held at various ISACA conferences in 2012. but friendly and approachable. must If an emotionally charged email is received. tend to use the wrong form of communication.org/knowledgecenter • Attend the Communications Workshop. and not all conversations are effective via email. communication. . eliminating as much ambiguity as possible and keeping communications direct and to the point. Communication should be kept at a professional level. communication must be kept on a professional level and emotion must be eliminated as much as possible. discussions of audit findings will have some form of confrontation. In most cases. or construed as personal should be much as possible. It is important to remember that communication should not be taken personally in the workplace. www. www. it is best not to keep an open mind and must be open to respond via email. Silence is and follow up on any concerns when the opportunity arises. When discussing an audit issue. The points outlined become emotional when there is and must focus on the content and below can be applied to any type a lack of focus on the real issue. ensure that the conversation is the primary until they believe they have sufficiently made their case. This creates • Avoid interruptions. give ample opportunity for the other parties to the conversation at hand. Confronting issues head-on breeds confidence listen and comprehend. After the initial statement is and confidence. When issues are avoided. If the the audit group. do not know before the confrontation what resolution they want. confrontation is Conclusion meaningless and tends to be emotional. and focus on the words and there is two-way communication. between audit and conversation deteriorates into a blame management. make an initial statement and optimized listening: then stop talking. Eye contact is important because it breeds trust will never resolve an issue. regardless of how personal a conversation. In general. jump to conclusions. many want to state their case and not stop multitasking. One-way communication meanings. It becomes a blame game with any conflict. arguing is never valuable or effective. This is against human nature. Auditors must be good listeners and and trust in management. Without a known resolution. including those within a multitude of excuses. lay out the facts and be straightforward. during • Ignore phone calls during a conversation. audit interviews • Make the initial statement. assumptions can take on a world of Listening is a major part of communication. convince auditees that change is necessary is to present the audit skills and talents are very important. and is capable of becoming a good auditor. Confrontation—due to meaning of a conversation. or among auditors and game. Conversations can become relatively meaningless and the other hand. preferable. The best way to Communication is key to an organization’s success. If an auditor cannot recommendation. the other party in the conflict feels that they devalued when combined with multitasking. must focus on the content and meaning of a conversation. It takes effort to their own. assumptions arise. ” ISACA JOURNAL VOLUME 3. discuss the statement and give their viewpoints.“ • Focus on the real issue of the Most people inherently do not like Auditors must be good listeners confrontation—Many confrontations confrontation. When participants lack strong listening skills. 2012 29 . are being railroaded and belittled. Conflict is healthy when • Look at the other person. of conflict. On focus. As Active Listening discussed previously. or more. and abstain from confrontation. keep an open mind statement is. auditees—can be optimized by undertaking the Refocus on the primary objectives of resolving the issue and following steps: alleviating concerns that the issue will reoccur at a later date. • Concentrate on the flow and back-and-forth of the • Know the desired resolution prior to the confrontation— conversation rather than focusing on bits of information or Many pointless confrontations occur because the parties past parts of the conversation. through showing an understanding of their perspective and interpersonal and communication skills are as. Regardless of what is said. It can be difficult not to resolving a confrontation. • Personally confront the issue—Lack of transparency breeds distrust. and not everyone idea as theirs. On the other hand. The following points can enable more confronting an issue. Maintaining eye contact keeps the focus on made. The listener may hear something • Avoid arguing during the confrontation—No matter what that takes comprehension away from the remainder of the is said during a confrontation. a back-and-forth communication that is more effective in • Resist jumping to conclusions. take a break or a deep breath and eliminate blame. the auditor can lead auditees in the direction of the important than general audit capabilities. then stop talking—When lose their value. Via significant dialog with the auditees. ideas. but it can be achieved with training and effort. please see: Mind Tools. 2 There are many variations of the 7 C’s of communication. All the internal and IT audit talents in the world are deemed relatively useless when the auditor lacks the ability to effectively communicate the goals and findings of an audit. 1 Key Performance Indicator. “Confront. com/news/200610sevencs.effectively communicate a finding or recommendation.” www. visit: www.” www.org/certification-journal 30 ISACA JOURNAL VOLUME 3. For additional examples. Auditors who strive to advance into managerial roles need strong communication skills to take the next step. See Merriam-Webster.isaca.php.” Infinisource Payroll. in turn.com/pages/article/ newCS_85.htm. and Reynolds. “confrontation”) is not implicitly negative. “The 7 C’s of Communication: A Checklist for Clear Communication. the solution will fall on deaf ears.merriam-webster. Auditors must become optimized communicators. 4 The definition of “confront” (and. Registration for the December exams opens in June. Roger.mindtools. This is the missing piece for many auditors. and should not assume that the people with whom they interact are not optimized communicators. 3 A term used for individuals born between approximately 1990 and 2000. 2012 . Registration opening soon! Next Exam Date: 8 December 2012 For more information regarding ISACA’s certifications.com/dictionary/confront. “Seven C’s of Good Communication. http://abcopayroll. Endnotes This statement is based on the author’s experience and his discussions with other audit professionals. 2012 31 .3 The Institute of Internal Auditors (IIA) clarifies the differences between the concepts: “Continuous monitoring is management driven and continuous audit is audit driven.D. and an IT auditor with PricewaterhouseCoopers. Silvia Romero.g. Fortune 250 CAEs preferred US-centered auditing. notifying the auditor of deviations. is an assistant professor in the Department of Accounting..Feature Miklos A. the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) published a joint report on CA. How expectations regarding the adoption of CA/CM highlighted in a chief audit executives (CAEs) survey conducted by PricewaterhouseCoopers (PwC) in 20075 were realized is discussed using the results of a study conducted by CARLAB. allowing AT&T to use data captured automatically by telephone switches. Thailand. USA. Ph.”4 This article examines how internal audit has progressed with the implementation of CA/CM. with a system implemented at AT&T to monitor billing data in real time.D. Jim Littley is a principal at KPMG LLP’s advisory services practice. and choose the Comments tab to share your thoughts. as was the need to train personnel in areas such as control. 10 Demand factors for CA/CM adoption include increasing data complexity and volume. The Development of CA/CM Reports on implementation of CA/CM systems are found as early as 1991. IDEA CaseWare) for continuous control monitoring. Expectations Regarding the Future of CA/CM During 2007–2012 PwC conducted a survey11 in 2007 among CAEs of Fortune 250 companies and thought leaders within the auditing community. On this subject. New Jersey. ISACA JOURNAL VOLUME 3.. web-based reporting. CISA. systems with different levels of CM were starting to be developed in the industry (e. find the article.9. with some controls implemented in locations at an international level. ACL. Ph. The system identified failures and data errors through analytic tools by comparing input data with benchmarks. Academic and professional interest in CA/CM is evidenced by the large number of articles published. a doctoral student in accounting information systems. He is KPMG’s global and Americas leader for continuous auditing and continuous monitoring services.7 The key characteristic of these data was their completely electronic nature. Vasarhelyi. the occurrence of events underlying the subject matter. The analysis of the results of both studies provides evidence on the stage of CA/CM adoption by internal audit organizations. The need to find leaders in international centers was highlighted. Go directly to the article: Adopting Continuous Auditing/Continuous Monitoring in Internal Audit Continuous auditing/continuous monitoring (CA/CM) has long been studied in academia and is widely discussed in practice. was a financial auditor at KPMG.2 CM is a process implemented by management to ensure that business is operating effectively. is the KPMG professor of accounting information systems and director of the Continuous Auditing and Reporting Laboratory (CARLAB) at Rutgers University. Law and Taxation at Montclair State University. prevalence of electronic transactions.8 At the same time. org/journal).6 The CARLAB study includes the results of in-depth interviews conducted with nine companies that have implemented some form of CA/CM.isaca. New Jersey.1 CA can be defined as the assurance that independent auditors provide simultaneously with. • Fortune 250 CAEs pointed out the need to determine whether audit should be centralized or conducted from satellite locations close to operation centers. risk management and IT audit. requiring effective rapid error detection. and user demand for more frequent information. The purpose was to determine both the factors that would reshape internal auditing in the future and how CAEs envisioned audit in 2012. In 1999. The resulting low-latency error detection provided higher audit quality. USA. CM is a process used as part of the control structure part of the COSO monitoring role. Siripan Kuenkaikaew. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. The results show the following main factors: • Fortune 250 CAEs found it important to consider the importance of the increase in risk produced by globalization. CA is part of the assurance process an aspect of audit. The US Sarbanes-Oxley Act of 2002 (section 404) also includes provisions regarding management’s assessment of internal control and reduced disclosure time. It also allowed the audit to be conducted more efficiently and effectively since the auditor had greater flexibility in the search for evidence.. or shortly after. CA/CM was rarely continuous or in real time. given that auditor demand was and is increasing in the areas of technology and regulation. at that time. to a state of continuously optimizing the use of technology on an as-needed basis. One of the companies analyzed in the study has implemented system- . 2012 • Learn more about. Internal audit was expected to go beyond a static and cyclical approach. and that it mainly encompassed manual operations done more frequently than traditional audits. Among the important skill sets needed for auditors. with different degrees of automation. It requires a considerable investment and access to data that must be supported by senior management. One of the interviewees reported: “We had some challenges [with the IT organization to get data] but generally not. access to data is usually limited because data extraction requires management approval and is performed by external parties. The biggest challenge really is the time it takes to get it. with additional duties attributable to auditing offshore operations. CA/CM requires a large degree of data analytics.isaca. • Other factors included auditing IT. auditing executive compensation.org/knowledgecenter • Internal auditors were interested in the adoption of CA/CM as well as adoption of more automated audit tools and electronic working papers • Access to data was still limited • Most audit tasks were performed periodically • IT audit resources and capability were inadequate for CA/CM • The emergence of many audit-like organizations was confusing assurance ability CA/CM Acceptance and Adoption The CARLAB study found four key factors affecting adoption. risk assessment. The results of this study indicated that: • The adoption of CA/CM was still in its initial stages 32 ISACA JOURNAL VOLUME 3. and information technology were highlighted by the respondents. CA/CM Adoption According to a CARLAB Study The CARLAB study reports the results of interviews with auditors in large companies in different industries. • Interviewees predicted the development of CA and/or CM. and fraud detection and investigation expected to generate greater responsibilities for internal audit groups as well. discuss and collaborate on continuous monitoring/auditing and risk assessment in the Knowledge Center. The team chose semistructured interviews.” Few companies with high levels of CA/CM adoption have automated and secured systems for data extraction that auditors can access. and data acquisition takes time. data mining and analysis. www. and training and education of management and staff. According to respondents. with technology having the greatest impact. complying with regulations. The team visited nine leading internal audit organizations to conduct face-to-face interviews with 22 internal audit managers and 16 internal audit staff members. Each affects the perceived usefulness and ease of use of the technology: 1. They also expected auditors to be better able to react to warnings and conduct more targeted audits. The survey found that the main challenge was the lack of staff capabilities because traditional accounting and auditing skills were not sufficient to perform a quality audit within CA. Managers must also coordinate and supervise the friction and timing differences that are generated by audit via exception reports. as auditors are now able to audit the whole population instead of a sample of the transactions. Data analysis could generate in-depth audit results. rather than a structured survey.• Respondents envisioned internal audit providing risk and controls assurance. Auditors must able to conduct data analysis and assess complex IT environments. Management support: CA/CM is perceived initially as an expensive and risky endeavor. • Respondents suggested auditing the enterprise risk management (ERM) process. internal auditors would be able to integrate technology in the future to assist with data extraction and analysis.12 However. to capture the participants’ perceptions of CA/CM adoption. and is the main advantage of CA. The report also explained that. Nobody likes to test 50 things over and over again. Data access remains a key challenge. CA/CM requires high levels of investment in technology and training. it is a win-win. which hinders some companies’ adoption of CA/CM. There are substantive differences in the level of training at the companies interviewed. information-sharing and repeated procedures. it is necessary to provide adequate training to audit staff. In addition. These rotational programs contrast with the need for CA/CM auditors with a more specific and deeper process and system understanding.” The involvement of managers in the adoption of CA/CM is fundamental. 4. Regulatory compliance/audit-like organizations: The US Sarbanes-Oxley Act of 2002 (section 404) includes provisions regarding management’s assessment of internal control and reduced disclosure time. One of the interviewed companies suggested an approach to leverage IT knowledge within the audit department: creating a domain expert in each area and implementing an IT rotation program within the internal audit department. our audit can focus on how we are going to deal with the exceptions. indicated that “…To the extent of last year. It was thought that this program could reduce the need for outsourcing and increase the level of knowledge transfer. the business auditors should be happier. 100 percent of all the testing that [the external auditor] would have performed for [Sarbanes-Oxley] is performed by the company. Employee competence: CA/CM necessitates a higher competency threshold (skills and technological knowledge). It requires all public companies operating in the US to comply with this act. although the interviewees do not identify cost as a barrier for the adoption of technology. they will not be willing to risk investing in it. internal audit. 2012 33 . The study found that many audit-like functions. 2. The Sarbanes-Oxley compliance benefits realized by CA/CM encourage its adoption by regulated firms.” However. the CARLAB study classifies the interviewed companies into four categories based on adoption maturity. Costs: Managers perceive high set-up and implementation costs. CA/CM facilitates Sarbanes-Oxley compliance by enabling review and reducing time needed for performance. It is possible to achieve this goal by hiring experienced auditors. Basel III and SarbanesOxley. The internal audit department of one company that developed automated tools to aid internal audit work. 3.monitoring tools. Then. Several of the interviewed firms have rotational programs that roll nonauditors through an audit function for 18 months in order to enable them to acquire a wider scope of business experience. which most often had heterogeneous tooling. especially repetitive and high-volume tasks. Audit management mentioned: “What we need to do is work with them to get them where they are continuously monitoring. Some provide one or two training courses. Although it was not mentioned as an impediment. Because internal auditors and managers are responsible for monitoring internal controls. task automation may be hindered by the existence of legacy systems. The second stage (emerging) includes early adopters who automate existing audit practices that are easily and simply automatable. Ultimately. a tactic cited by interviewees as the preferable approach. which vary across companies and even across divisions within the same company. If managers do not perceive CA/CM as useful. Although there is no explicit relationship between the internal audit and compliance functions. actually lacked coordination. Its adoption has substantially affected internal audit departments of the respondent firms. Once users appreciate ISACA JOURNAL VOLUME 3. compliance. Levels of Adoption of CA/CM To evaluate levels of CA/CM adoption. fraud. including Sarbanes-Oxley compliance tasks. The full adoption of CA/CM does not seem to be possible without knowledgeable personnel who are competent with technological tools. they must access databases and systems.” Auditors could monitor controls continuously and receive benchmark reports. The first stage corresponds to traditional auditing with periodic reviews. These functions had titles such as internal controls. Each company interviewed has a specific division to monitor and ensure compliance. The internal audit departments try to automate test tasks. One of the internal audit managers stated that he considered the implementation of the technology- aided audit as a win-win solution for both the organization and auditors: “…We want to use the computer more to audit than before… Clearly if you can get both. to increase auditor satisfaction and reduce latency. while others tailor training according to the auditor’s needs. manual systems were included in the analysis and testing was not done in real time. Data access—The level of access of internal auditors to the firm’s data systems 4.the benefits of those processes. characterizing the third stage (maturing). Audit objective—The scope of audit undertaken by CA systems 2. there are opportunities for development in the future. Figure 1—Levels of Technology Adoption in Leading Internal Audit Organizations Full Continuous Maturing Emerging 34 ISACA JOURNAL VOLUME 3. 14 Companies’ adoption levels are measured along the following seven dimensions: 1. CA is extended to other areas of the audit. but was done more frequently than in traditional audits. In the final stage. Analytic methods—The degree of technical sophistication of analytical procedures that internal audit performs Figure 1 shows the results of the evaluation of the participating companies according to their performance in the defined seven dimensions. Although the first study reports high levels of adoption of CA/CM at the time of the survey. all audit processes are automated (CA). Management of audit function—The organizational relationship among IT internal audit.and resource-intensive because it may require some process reengineering. Consequently. Comparison of the Expectations for the 2008–2012 Period and the Evolution of CA/CM The PwC CAE survey presented expectations of the evolution of internal audit in the five years immediately following its conclusion. although the interviewed companies have certain levels of CA/CM. Audit and management overlap—The extent to which internal auditors rely on IT systems intended for use 6. The survey predicted an increase in the levels of audit automation through technology adoption. There was some progress toward these expectations according to the CARLAB study. This extension is more time. 2012 Ins ur an ce 2 nk Ba 1 nk Ba 2 ch Hi -te ch -te Hi er um ns 1 4 3 Co Co ns um er er um ns Co Co ns um er 2 1 Traditional .13. finance audit and other compliance departments 7. Audit automation—The degree to which audit processes are automated 5. It can be observed that most of the companies are seen in the early stages. Audit approach—The extent to which audit outputs shift from periodic to continuous 3. they are just in the initiation phases. This means that. with auditors engaged in analyzing results and exceptions. ranking from a traditional audit model to a stage in which CA/CM is emerging. . forthcoming 2012 7 Vasarhelyi. 2012 35 . Kogan. A. Both surveys found interesting factors that affected the implementation of CA in companies. K. Interviewees in the CARLAB study expressed the importance of training. M. 13 Alles. CARLAB. the CARLAB study reports that Sarbanes-Oxley adoption has substantially affected the internal audit departments of the companies.” Canada. the CARLAB study classified the manual audit process and periodic audit as a traditional audit. This survey predicted an increase in CA/CM in the ensuing five years. Furthermore. A. X.. A. especially in IT and data analytics—areas that are the core of CA. Currently. Baldwin. CA/CM remains in the initial stages of adoption. G.. Although it found a high rate of CA adoption. A.” Journal of Emerging Technologies in Accounting. PricewaterhouseCoopers 12 The benefits and application of data analytics in CA are mentioned extensively in Vasarhelyi M. producing a different evaluation of CA/CM adoption. “The Survey of Audit Analytics. Vasarhelyi. CARLAB. G.” Auditing. Institute of Internal Auditors. M. Other important factors mentioned were management support. 2007 10 Chiu V. Monitoring and Risk Assessment. It is important that managers react quickly to alerts. M. level of access to data. A. Dai. there is demand for faster and better assurance.” Working Paper. M. Accordingly.. Brennan. 7 January 2012 11 Op cit. Vasarhelyi.. C. CARLAB Working Paper. D. Institute of Internal Auditors Research Foundation.. Littley. J. “Continuous Auditing Research Report. 2010 15 Op cit.” Working Paper. 7.” International Journal of Accounting Information Systems. May 2010 2 Canadian Institute of Chartered Accountants (CICA) and American Institute of Certified Public Accountants (AICPA). The reason for not including them as full continuous audit adopters was that they had only partial audit automation and some key monitoring on a regular basis. Participants in both surveys also mentioned that cost was not the major challenge for CA implementation. Liu. All in all.” International Journal of Accounting Information Systems.. 2. there are different definitions of CA. evolving responsibilities of auditors and a globalization effect relative to the auditing role. G.. M. A. Endnotes 1 Vasarhelyi. F.. R. Most of the companies in the CARLAB study were classified in the emerging stage of CA adoption. they defined monthly and quarterly audits as frequencies of continuous audit. With a different approach. J. varying the understanding of CA. Wong. describing systems in place that include rotation of auditors (as anticipated by the PwC study). J. G. “Continuous Assurance for the New Economy. “Location Independent Audit. M. since the initial work at AT&T in the early 1990s. Vasarhelyi and Halper ISACA JOURNAL VOLUME 3. 2006 14 Teeter. M. regulatory compliance and audit technology. Alles. however. Continuous Auditing: Potential for Internal Auditors. Williams. J. “On the Development and Influence of Continuous Auditing Research. Global Technology Audit Guide: Continuous Auditing Implications for Assurance. Q. One of the major factors was a lack of staff capabilities. T. 1999 3 Coderre. “A Review and Analysis of the Existing Research Streams in Continuous Auditing. 2003 5 PricewaterhouseCoopers. Parker. and that CA efficiently supported Sarbanes-Oxley compliance. Halper. Kuenkaikaew. M. vol. and that CA/CM helps with Sarbanes-Oxley compliance by facilitating review and reducing time of performance.” A Thought-leadership Paper for the Institute of Chartered Accountants in Australia. “The Continuous Audit of Online Systems. Alles. Another expectation for the future is that internal audit responsibilities related to Sarbanes-Oxley would remain level or decline over time. “Continuous Monitoring of Business Processes Controls: A Pilot Implementation of a Continuous Auditing System at Siemens. a large number of participants in the survey reported that they performed audit manually. “Internal Audit 2012—A Study Examining the Future of Internal Auditing and the Potential Decline of a Controls-centric Approach.. There are opportunities for the development of CA. given current access to substantially automated audit technology. A Journal of Practice and Theory. Conclusions CA/CM has been discussed in the auditing profession for many years. volume 4.. 2005 4 Warren Jr. and that employees are prepared to use the available tool set.” 2007 6 Vasarhelyi. Brennan. 1991 8 Op cit. CICA and AICPA 9 Brown. number 1. “The Acceptance and Adoption of Continuous Auditing by Internal Auditors: A Micro Analysis. S.15 The survey conducted among CAEs in 2007 examined the levels of application of CA in business. no. 2012. A.” Rutgers Business School. D. A.Another issue encompassed in the predictions and found in the CARLAB study is the need to increase training of employees and managers.. When audit evidence is thought of. reviewing only the password policy (e. then when receiving documents. and has worked as a senior IT auditor at Deloitte. org/journal).isaca. Sufficiency refers to how well the evidence addresses the control activity in its entirety. it is deemed sufficient during the planning stage.Feature Ookeditse Kamau. which is intended to ensure that evidence is gathered sufficiently to address the control. and if there are any signatures.. For example. where she is working as principal auditor–IT audit. One should also verify the source of the information. has more than five years Audit Evidence Refresher of experience in IT audit. documentation of audit procedures (test of controls) and audit evidence evaluation. Reliability.g. CISA. For instance. Audit evidence is a component of the audit program execution process. Go directly to the article: 36 ISACA JOURNAL VOLUME 3.g. Audit evidence supports the conclusions of an auditor during the audit process. minimum password length. if the evidence is for the period under review (e. simply put. one should inquire who signed off. Such changes will take precedence over the policy set at server level. minimum password age in days) might not be sufficient evidence for this control because although password policy is set at the server level. as depicted in figure 1. CIA. Figure 1—Audit Program Execution Process Audit Objective Identification Control Selection Audit Procedures Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. It attests that management follows the right procedures to account for the internal controls within the IT environment. it is advisable to corroborate the inquiry with an independent source. find the article.2 Relevancy relates to applicability of the evidence. for example:3 • Inquiry—Inquiry alone is regarded as the least creditable audit evidence. the system administrator has rights to change password settings for each user. . If inquiry is the only way to get the evidence. Different types of audit evidence are gathered during the audit process. control selection. is how trustworthy the evidence is. usually the first two ideas that come to mind are professional skepticism (not to take things at face value) and paying attention to detail. 2012 Audit Evidence Evaluation The quality of audit evidence is determined by its relevance. reliability and sufficiency. She recently joined the Office of Auditor General Botswana. one can corroborate the inquiry with the users of the applications. This is especially true if the source of the information is from the auditee who performs or supervises the function about which one is inquiring. year-end). when testing whether password controls in a Windows 2003 server are set to be strong. and choose the Comments tab to share your thoughts. the information systems (IS) auditor should additionally review: • Users without passwords • Users whose passwords have been set to never expire Users who have not changed their passwords or logged on in days exceed the company’s policy for password change.1 which starts with audit objective identification. Although inquiry is the least creditable when carrying out control adequacy testing. it is imperative to review the contents and pay attention to the dates. Written information is more reliable than oral. Therefore. and original documents are more reliable than photocopies. Some of the changes that can be made include setting the user to access the network without a password or setting the user’s password to never expire. apart from the review of the password policy.. If one is auditing proprietary software and the IT officer has no access to the source code and cannot demonstrate from the system configurations that there were no upgrades carried out in the year under review. Using figure 2 would enable confirmation of the recordings. and Tools and Techniques in the Knowledge Center. Guidelines. The intention is to free up server space. audit evidence is derived from the system configurations.• Confirmation—Audit evidence that is from an external independent source is more creditable than evidence from an internal source. the auditor should spend some time with the auditees. • Observation—It is suggested that observation should be carried out by two auditors. For example. This form of audit evidence can be used when verifying the adequacy of a control. observation is key in establishing segregation of duties. For example. They usually record the backup results in a spreadsheet that they retain to show that the control has been operating throughout the year. and compare it to the asset register. • Inspection of records—The reliability of the records depends on the source. It is important for the auditor to confirm the calculation formula where possible with an external party (e.org/knowledgecenter The information in figure 2 is less reliable than if the system administrator had saved the results in PDF format in a folder and recorded the data only for monitoring purposes. in the majority of IT audits.. ISACA JOURNAL VOLUME 3. This will afford the auditor the opportunity to see exactly what is happening. an auditor could confirm that the system can successfully recover the backup by observing system administrators as they reperform the recovery procedures and recording the results.g. An example of such a form is depicted in figure 2. • Recalculation—This form of audit evidence is reliable because the auditor reaches the same conclusion as the auditee by independently carrying out the calculation. Figure 2—Example of a Control Operation Form Month: February 2012 Backup Daily Results Day Status Comments 1 Successful None 2 Failure The files that failed to back up were for user folders and. creditor’s balances and debtor’s balances) by sending out confirmation letters to external independent sources such as banks and vendors. www. In addition. one can scan through the loan book for amounts outside the stated range. therefore. or product ID.isaca. When auditing. where possible. not what should happen. if there is a maximum or minimum loan amount. have no implication. • Inspection of tangible assets—This type of evidence involves verifying the existence of an asset and the condition of the asset. It is important to record the asset name or model. Configurations obtained by an auditor through observation of the system or via a reliable audit software tool are more reliable than data received from the auditee. 2012 37 .g. using a government web site to verify pay-as-you-earn [PAYE] calculations).4 This is to corroborate what the auditor observed and to avoid instances in which management refutes the findings of the observation. most system administrators would rather purge backup status results every three months due to system capabilities. 3 Successful None 4 Successful None 5 Successful None Tasked performed by: BK Task reviewed by: RS • Learn more about. For example. discuss and collaborate on IS Auditing Standards. Most financial auditors confirm balances (e. However. • Scanning—This form of audit evidence involves searching for large or unusual items to detect error. Information obtained directly from the system is more reliable than information obtained from the system and then customized by the auditee. • Reperform—This form of audit evidence involves verifying an activity by reperforming the procedures carried out.. serial number. Sampling Sampling is an audit procedure that tests less than 100 percent of the population. the system should apply the same formula to the rest of the population. and summarization of vendors by amounts paid. the frequency of the control and the effectiveness of the design and implementation of the control. Generalized audit software can be embedded within an application to review transactions as they are being processed. • Data interrogation—This is a process of analyzing data usually through the use of computer-aided audit tools (CAATs). • Benchmarking—This is a process of comparing an IS department against a similar organization or a well-accepted standard in the industry.8 It is assumed that if a program can execute a task—for example. but is not limited to.7 There are different types of sampling methods that an IS auditor can apply to gather sufficient evidence to address the audit objectives and the rate of risk identified. • Questionnaire—This is a process of gathering data by allowing the IS personnel to answer predetermined questions. duplicate numbers). Dumpsec (free). • Extraction of system parameter—This is a process of reviewing system configuration and user account details through the use of manual or utility tools/scripts. Commonly used nonstatistical methods are haphazard and judgmental sampling. comparisons of ITIL process maturity framework (PMF) reports. the following factors should be taken into consideration to determine the sample size:9 1. to 38 ISACA JOURNAL VOLUME 3. and exception reports showing variances or anomalies are produced and used for further audit investigations. IDEA examiner. and review of daily IT procedures. testing one instance is sufficient for the rest of the population. Information gathered through this process has to be corroborated through additional testing. Sampling methods can be statistical or nonstatistical. The sampling size applied depends on the type of control being tested.Techniques of Gathering Audit Evidence The following are possible techniques for gathering audit evidence: • Interviews—This is an interactive process of gathering data by asking the IS personnel open and closed questions. • Manual controls—Depending on which sampling method an IS auditor uses to calculate the sample size. 2012 get administrator access on a Windows 2003 server. successfully calculate a car allowance due based on a base percentage of an employee’s salary— and the program coding has not been changed. It is important to determine the right person to interview who has knowledge of the process of the area being audited. developed in-house or obtained off the shelf on the market. the IS auditor can read system manuals for the system being audited for guidance on how to retrieve system configurations and user accounts manually. server monitoring procedure .5 COBIT® maturity model assessments and the newly introduced COBIT® Assessment Programme6 reports.g. Statistical sampling involves deriving the sample quantitatively. the error is extrapolated to the rest of the population. For example. Microsoft Baseline Security Analyzer (free). The risk associated with control 3. gaps on invoices/purchase orders. The same is true for the reverse. the IS auditor would follow this procedure: Start > administrative tools > active directory users and computers > built in > select administrator > right click > select properties > select member. review of user authorization access forms. The frequency of the control occurrence Examples of manual controls include review of audit log monitoring. Some of the tests include journal testing. ACL CaseWare and in-house-developed visual basic scripts. Examples of benchmarking evidence include. Type of Controls and Sample Size The following are the two types of controls: • Automated controls—Automated controls generally require one sample. Therefore. if the system incorrectly calculates the allowance. The available software includes.. The most commonly used CAATs method involves downloading data from an application and analyzing it with software such as ACL and IDEA. Nonstatistical sampling involves deriving the sample qualitatively. The statistical methods commonly used are random sampling and systematic sampling. Sekchek . This technique is usually used to collect data during the planning phase of the audit. Alternatively. but are not limited to. application input and output integrity checks (e. Reliance placed on the control 2. which are available either freely online. www. 13th Edition. Richard E. Adam. www.. Evidence Collected and Sampling Method Control Evidence-gathering Technique Evidence Collected Sampling Method Data owners authorize user access and user rights on the systems. as this is an automated control (As noted previously.Figure 3—Examples of Controls. • Interview • Extraction of system parameters (automated/manual) • User policy and procedure • User listing report with user creation dates • User access request form/emails showing management approval Random selection Users have unique IDs.org/Research/ Standards/AuditAttest/DownloadableDocuments/AU00326. additional testing may be required on some systems. 2007 2 American Institute of Certified Public Accountants (AICPA). www. Irvin N. p.org/standards 8 Rajamani. loss of reputation and loss of clientele. 2010. A 2nd Internal Edition. Eilifsen..” Deloitte.aspx 7 ISACA. Regularity Audit Manual. • Interviews • Extraction of system parameters • User policy and procedure • S ystem configuration/screen prints for the password policy No sampling. the technique that can be used to gather evidence and the sampling method that can be used. com/view/en_CA/ca/services/ceocfocertification/ c1fcfa9d452fb110VgnVCM100000ba42f00aRCRD. IT Standards. Auditing and Assurance Services.isaca. and Tools and Techniques for Audit and Assurance and Control Professionals. org/Knowledge-Center/cobit/Pages/COBIT-AssessmentProgramme.isaca. COBIT Assessment Programme. www. G10 Audit Sampling. 122-127 4 Gleim. 2010 3 ISACA JOURNAL VOLUME 3. 2012 39 . It is important to ensure that the audit evidence obtained from the auditee is of high quality and supports the understanding of the IT control environment. Failure to collect quality evidence may result in the auditor or company facing litigation. Forlag: McGraw-Hill. Conclusion Quality evidence collected during the audit process enhances the overall quality of the work performed and significantly reduces audit risk. 3 February 2012. http://ovum. Auditor’s Guide to Information System Auditing. “Certifying Automated Information Technology Controls: Common Challenges and Suggested Solutions. Evidence-gathering Techniques. CIA Part 2.aicpa. AU Section 326 Audit Evidence.com/2012/02/03/the-itilprocess-maturity-framework-can-help-identify-improvementopportunities/ 6 ISACA.) Privileged roles (administrator) have been granted to appropriate personnel.htm 9 African Organization of English-speaking Supreme Audit Institutions (AFROSAI-E). Baskaran. • Interviews of relevant IS personnel • Extraction of system parameters • Data interrogation • User policy and procedure • User listing report from the system • ACL/IDEA report showing results obtained •M anual Excel sheet showing results obtained Random sampling or an IS auditor performing a 100 percent review of the population by finding duplicate user IDs using CAATs (ACL/IDEA) Systems are protected through strong passwords.pdf asmund. “The ITIL process maturity framework can help identify improvement opportunities. 2009 5 Holtby. Endnotes 1 Cascarino. Figure 3 provides examples of IT controls. Guidelines.” Ovum. John Wiley & Sons. Extraction of system parameters • Policies and procedures • User listing/role reports • Job descriptions • A 100 percent review of the population by extracting users with administrator rights using CAATs (ACL/IDEA) • Random sampling and help-desk functions.deloitte. • Technology is an end in itself. Proper subsequent appraisals 40 ISACA JOURNAL VOLUME 3. • Organizations are unable to manage the totality. the choices made at the next phase are crucial. org/journal). This feedback is necessary to improve the project portfolio management process and the project evaluation criteria. and effect on. including: • Unified concepts and a consistent management model • A management process in which the project portfolio has a designated task • Tools that enable the management and project organizations to communicate the status of planned. there is a desire to implement new technologies quickly even if they lead to incompatibilities with the corporate architecture.Feature Aarni Heiskanen. neglecting to confirm the utilization of the results. find the article. LJK. He has 10 years of experience in strategic portfolio management and has consulted for several global organizations. but hard to finish. and starting a new project is easy.com. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. there are too many projects going on at once. if a project does not have sound starting points.isaca. during and after a project.” then project portfolio management answers the question “Do we have the right projects?” Heiskanen can be reached at aarni. 2012 that compare the results to the stated objectives should be included in development projects. Project Portfolio Management as a Solution to Program Problems Project portfolio management (PPM) is the management of an organization’s development projects as a totality that systematically and consistently implements an organization’s strategy. A program or project portfolio explains how an organization is implementing its strategy with projects. current and completed programs . Heiskanen is a codeveloper of Thinking Portfolio®.heiskanen@ thinkingportfolio. Projects are easy to start. project team and steering group. even a good team could fail to save a project. Development Projects Usually Fail. which leads to a project that solves the wrong problem or solves the right problem in the wrong way Project Preparation For a project to succeed. Roles and rules are missing in the organization. Project Selection The reasons for project failures can usually be ascertained by determining what has happened before. • Decision makers finance their own pet projects. These choices include the selection of the project manager. • Management lacks a coherent way to align projects with strategic objectives. Why Is it so Hard to Identify the Right Projects? Problematic project choices are often structural. is a partner at Thinking Business Project Portfolio Management Group. If product management answers the question “Are we managing the projects correctly?. Go directly to the article: Implementation Plan An inadequate implementation plan is the final factor that can sabotage an otherwise successful project performance. there is a tendency to focus on the next project. Unsuccessful projects are often caused by: • Poor planning • Lacking or fuzzy project ownership • The lack of a business case • No explanation of the project’s affiliation with. the corporate architecture • Inadequate preparation. Except by Chance Although an increasingly larger part of organizational development takes place in projects. Factors that can lead to bad decisions include: • The organization sees the project as a solution for all challenges. • Management lacks criteria to evaluate projects. an online tool for project and asset portfolio management. and choose the Comments tab to share your thoughts. making it impossible to render feasible decisions. only one out of four development projects succeed. There are prerequisites for successful program management. the lack of an overall grasp often results in overlaps and inefficient scheduling. Appraisals are a way to educate management on how to set effective goals and how to ensure that those goals can be achieved through projects. After a project has been completed. However. Terms Related to Project Portfolio Management When an organization is considering using project portfolio management. Operational process/transactional programs. the inclusion of programs in the portfolio and the balancing of the portfolio. www. improved information quality and availability 4.org/valit Manage strategically.isaca. service or result • Project portfolio—The entity formed by the projects. The criteria should be sufficiently comprehensive. the concepts of program and project are identical in terms of their content. which develop business processes and their information management while cutting costs and increasing productivity 3. in a group. Informational programs. Massachusetts Institute of Technology (MIT)’s Peter Weill lists four main criteria for IT programs imported to the project portfolio. for example. Portfolio criteria are suited to classification and evaluation. Results Organizations that have adopted project portfolio management as a tool have been able to reduce the percentage of unsuccessful programs. strategic or tactical. The concepts and exemplary definitions associated with project portfolio management include: • Strategy—A plan concerning long-term goals and choices. standardization and integration 2. but at the same time universally applicable to facilitate the satisfactory depiction of all types of programs. they can be financial. which develop an organization’s information and communication technologies (ICT) infrastructure and target. Manage the totality. www. Infrastructure programs.isaca. a competitive advantage or market growth ISACA JOURNAL VOLUME 3.org/topicproject-program-portfoliomanagement-p3m The Project Portfolio’s Administrative Tasks The project portfolio’s management consists of the specification of the portfolio. which management has specified as a strategy and that create. for example. for example. as well as the means for their implementation • Program—A coordinated group of projects generating benefits and operational efficiencies that could not be achieved if the projects were being managed separately • Project—A fixed-term endeavor undertaken to achieve a one-off product.Figure 1—Principles of Project Portfolio Management • Read The Val IT Framework 2. The term “program” presented here represents an aggregate consisting of several projects. 2012 41 . Strategic programs. for example. which generate solutions related to management and communications that also aim at. the first practical and necessary step is to standardize the conceptual terminology to avoid any possible misunderstandings. • Discuss and collaborate on project portfolio management in the Knowledge Center. Success happens when a project’s operations have reached a sufficient level of maturity throughout the entire organization. in which the strategic objectives are common and the projects share the use of the same resources In many organizations. Portfolio criteria change with strategic changes. the advantages of scale. • Unified concepts • Consistent management model • Process and framework • Tools © 2011 Thinking Portfolio Figure 1 shows what is required from the organization for successful project portfolio management.0. Evaluate using consistent criteria. which are shown in figure 2:1 1. Specification of Evaluation Criteria Portfolio criteria are measured as expressed by an organization’s strategy or as estimated variables. Information related to the project’s tracking. on the other hand. their risk. a changing business situation. The person submitting new program proposals describes and classifies the program 42 ISACA JOURNAL VOLUME 3. One or Many Portfolios? Project portfolio management sets no limits on the number of portfolios. One way to think about portfolios is to see them as views of the entire program and project stack. After a program has been described. personnel and growth). applications and technology. Balancing the Portfolio The owner of the project portfolio evaluates the program proposals. for example. Figure 3—Prioritization Decisions • Terminate • Suspend • Mothball Active Projects • Continue with changes • Continue as planned Project Portfolio • Discard • Mothball Project Proposals © 2011 Thinking Portfolio • Start with changes • Start as proposed One of the project portfolio’s success factors is that it offers the possibility to suspend programs whose continuation would no longer be sensible as a result of. a portion of its data remain unchanged. the organization’s snapshot and the resource situation require prioritization decisions that can be made for new and ongoing programs (see figure 3). an important criterion is the relationship of the program to various architectures: corporate. 2012 according to the aforementioned criteria. for example: • Basic program or project information. budget. The number of proposed programs in an organization generally exceeds the available resources that would have to be deployed to manage them. financial results. Tactical criteria include assessment factors related to risk. Financial criteria include. processes. classification and evaluation.g. Strategic criteria. for example. The organization can weigh the programs according to. Some companies handle all programs in a single portfolio... the decision to suspend a program can be extremely difficult because it is often based on assumptions instead of knowledge. deviate from them or even require entirely new architectures. while others prefer to assemble the programs in several portfolios. customers.Figure 2—Project Portfolio Based on Main Objectives • Increased control • Better information • Better integration • Improved quality • Cut costs • Increased throughput Informational Strategic • Increased sales • Competitive advantage • Competitive necessity • Market positioning • Innovative services Infrastructure Transactional • Business integration • Business flexibility and agility • Reduced marginal cost of business unit’s IT • Reduced IT costs over time • Standardization © 2011 Thinking Portfolio Many companies classify programs according to their focus by utilizing balanced scorecard (BSC) perspectives (i. quality or customer satisfaction. informational. composition of steering group. is updated regularly. for example. The program can rely on existing architectures. time schedule. payback period. return on investment (ROI) or turnover effect. size or resource allocations. project’s key personnel • Decision-making situation • Program’s users—organizations or processes • Program’s means of implementation • Program results • Tracking information Portfolio Inclusion Portfolio inclusion entails the program’s description. For example. Without the portfolio. From the standpoint of ICT programs.e. e. an . owner. Specification of Other Descriptive Information Other possible program-related descriptive information can include. unless management decides otherwise. If the program is extremely significant and comprehensive. program-related or independent projects are being processed. Figure 4—Project Decision-making Process Describe and evaluate the project idea. strategic planning. a documented business case should be required for any program whose addition to the project portfolio has been proposed. roles. and a program decision must be made. In any case. ISACA JOURNAL VOLUME 3. In budgeting processes. Project Portfolio Start-up The project portfolio’s start-up is not just a management tool for procurement and teaching. Although the writing of a business case is the task of the program’s future owner. Initiate the project.g. a so-called anniversary clock.ICT infrastructure development project is in the information management portfolio. while others can be considered mandatory. e. phased start-up. Stop developing the idea. for example.g. targets and commitment to them 2. Program Process Development programs can originate from different starting points (see figure 4). The project portfolio can be joined to this planning system at various points. the project portfolio provides information concerning ongoing and planned programs. that repeats annually. and add to the portfolio.. Certain projects are discretionary. Planning of management model—The way in which portfolio management is linked to the organization’s management processes. the program decision can also mean a permission to draw up plans for projects associated with the program. the management of resources and decision making 3. Management commitment and targets—A clear justification for the project portfolio’s start-up. information management functions as a pioneering operational model and example to business operations. The project portfolio also provides data on the use of key resources and strategic implementation. Write a business case. In that case. Integration With the Organization’s Planning System In many organizations there is a planning cycle. but is simultaneously a part of a certain development program affecting the entire company. Start-up Tasks The start-up of the project portfolio entails the following five main tasks: 1. ICT upgrades are now a part of almost all business development activities. according to the portfolio model. Project is not added to portfolio at this moment. Evaluate results. necessary support and instructions Many companies have begun using the project portfolio in connection with ICT programs. this could mean the management of all common group projects and their resources. its approval may require a decision by the enterprise’s or a group’s board of directors. such as projects arising as a result of revised legislation. What is more important is to bring the entire organization to a level of maturity at which the desired competence level for portfolio management is possible. and report it to the portfolio/ manage the portfolio.. Revisions © 2011 Thinking Portfolio Program Proposal The writer of the business case presents it to members of the organization (e. the parties eventually benefiting from the results of the program should participate in its formulation. management team or steering group) so that they can make a decision concerning the project portfolio. In practice. OK? Evaluate the business case. budgeting. Organization—Required tools. tasks and decisions 5. In a group. The business case must be evaluated according to the project’s portfolio inclusion criteria. In any case. Description of management process—Parties. OK? OK? Make a project plan. 2012 43 . If ongoing. Specification of project portfolio—Portfolio inclusion criteria and other portfolio information 4. the decision-making group can make the start-up decision. When planning strategic implementations. the project portfolio is an essential tool because organizations often develop their operations through projects. 2 C 1. 5 Demanding Normal A 2. The reports generated from the project portfolio are not just lists of monetary amounts or person-workday quantities. 2012 8 projects 900 Expansion to developing markets 450 2 projects Most energyefficient operator 180 1 project Learning organization 175 2 projects Project person-days and number of projects by main strategic goal © 2011 Thinking Portfolio Completion A completed program or project is not deleted from the project portfolio. Visual presentations provide a quick overall view of the portfolio from different viewpoints. Within a certain specified time. but its simultaneous use by the user and organization requires special arrangements. 5 projects 1.Management of Approved Program or Project When the program or project has obtained start-up permission. The executive group tracking the progress of the entire portfolio can intervene in the progress of a project if its implementation begins to deviate from the original plan. The project portfolio depicts an organization’s strategy. certain situational and predictive information must be reported in the project portfolio. its results must be evaluated and compared with the targets stated in the project portfolio. Reporting during the project period is naturally the task of the project manager or program manager. program proposals. Tools for Managing the Project Portfolio The project portfolio’s management is not solved with tools. The table’s row describes a single project and the columns describe its classification. evaluation and basic information. Figure 5—Project Distribution by Strategic Goals Best customer experience in the industry Productivity in 2012 +20% The Project Portfolio as a Communications Tool At its best. Examples of overviews are shown in figures 6 and 7. as well as the values of the selected quality indicators. Within a specified scope. Communications should be clear and understandable. 5 B 1. 44 ISACA JOURNAL VOLUME 3. Many begin using the project portfolio by simply assembling it with a spreadsheet program. At times.250 Figure 6—Example Annual Cash Flow Effect of Projects in Portfolio 2010 + 2011 2012 2013 Returns + Savings 2014 Net Cash Flow 0 Project + Investment + Maintenance Cost © 2011 Thinking Portfolio Figure 7—Example Risk. the project portfolio promotes an open management culture. These data typically relate to budget and schedule realization. but the project portfolio’s information must be communicated to management in some way. but with a different status. Profitability and Budget of Projects Chart Very demanding E 1. project situations and results can be open to the entire organization. it may be necessary for the executive group to prioritize programs and suspend or terminate a program or project before the date originally scheduled. It tells where the organization is headed and how it will get there (see figure 5). 0 Project/Budget Average Profitability High . The table is a flexible tool. 5 Low © 2011 Thinking Portfolio D 0. The reporting schedule matches the steering group’s meeting times. 5 Risk Level F 0. It continues to be included. There are only a few independent project portfolio programs on the market. Managing the IT Portfolio: Getting More Value From IT Investments. CA Register today at: www. A few commercial project portfolio applications—most of them extensions of project management programs—exist.isaca. Peter. one must keep in mind that they are meant to be used by management and. An Exclusive Leadership Forum for Business and Information Technology Professionals 25-27 June 2012 | San Francisco.Many organizations have implemented a project portfolio according to their own specifications based on a modified database. Endnote Weill. 2004 1 What Does Your Future Hold? Find Out at INSIGHTS 2012. must be intuitive and easy to use. It improves the success rate of projects because it introduces a managed process of turning ideas into projects and projects into business results.org/2012insights-Journal ISACA JOURNAL VOLUME 3. 2012 45 . thus. Microsoft Solutions Forum. USA. browse and report on the project portfolio’s content simultaneously and concentratedly. In such cases. Organizations using PPM make good use of their resources and are able to invest in opportunities that matter the most in their future. When selecting tools. multiple users have the opportunity to edit. Conclusion PPM helps align projects with the strategy of the organization. National Research Council (CNR). He is a member of the ISACA Milan Chapter. First of all. Italy. as this may result in leaking information on internal processes. Pisa. The risk posed by each threat agent is a monotone. CISSP. The analyst can use the probability returned by Haruspex to compute the resulting risk. an organization relies on the expert performing the assessment to evaluate the probability that the threat agent successfully implements a complex attack. Usually. Haruspex computes this probability as a function of elementary factors that can be more easily evaluated in an assessment. because the external and internal factors that can affect the success probability are too many and too difficult to evaluate in the case of IT systems. Italy. in general one can assume that the risk posed by a threat increases with the impact of an attack implemented by the threat and/or the probability that the threat can successfully implement the attack.. intelligent threats (or intelligent threat agents) trying to violate the security policies of an organization are usually considered. Italy. Each step corresponds to a simple. Furthermore. given how fast things change in IT. it is a methodological framework with supporting tools intended to evaluate the probability that an intelligent threat can select and implement an attack against a system that results in an impact. the reputational damage).. the agent reaches its final goal. find the article. and choose the Comments tab to share your thoughts. even large sets of experimental data on successful or attempted attacks are of little use and often refer to a too small and heterogeneous set of systems. e. Each agent has some goals to achieve (e. this evaluation will be subjective and disputable. for example. increasing function of both the impact of his/her attacks and the probability that these attacks are successfully implemented. according to the adopted definition. is a postdoctorate researcher at the Institute of Informatics and Telematics. or elementary. but it remains a common practice for organizations. However capable this expert may be.3 A rather more complex problem is the evaluation of the success probability of an attack by an intelligent threat agent. some system components to control) and aims to minimize the effort to achieve these goals.isaca. Claudio Telmon.g.4 each requiring several steps. Daniele Sgandurra. and to evaluate and select effective and cost-effective countermeasures to reduce this risk. The agent implements complex attacks.Feature Fabrizio Baiardi is a professor in the Department of Computer Science at the University of Pisa. While this decomposition simplifies the evaluation of the factors that influence the success probability of attacks. experimental data for complex attacks are usually not available because organizations are not willing to share them. The evaluation of the impact of an attack may be difficult (consider. Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www. CISA. a loss. attack against a single system component. It may be adopted in various risk assessment and management frameworks to evaluate the probability that an intelligent threat agent could successfully implement a multistep attack. Haruspex Methodology Haruspex deals with the aforementioned problem by applying a divide-and-conquer approach that decomposes the probability of interest in its components and deals with each of them separately. instead. org/journal).. the vulnerabilities they can exploit and the assets to be protected.g. is a freelance consultant in ICT security and risk management. Go directly to the article: 46 ISACA JOURNAL VOLUME 3. The Haruspex methodology is not focused on a detailed definition of risk. by composing all the simple attacks.D. In other words. The framework should be paired with others to discover these threats. Ph.2 When dealing with IT security risk. 2012 The Problem A well-known problem with risk evaluation in IT security is that the estimation of the probabilistic component of risk is currently very difficult and highly subjective. The problem of interest cannot be solved in terms of experimental data. it introduces a problem: how to define and implement the . for the owner of the systems. He also cooperates with the University of Pisa’s Department of Computer Science on the same topics. Haruspex—Simulation-driven Risk Analysis for Complex Systems Haruspex1 is a risk evaluation methodology defined and implemented by the research group on risk management in the Department of Computer Science at the University of Pisa. and proper methodologies are available. Dotted arrows represent the initial (legitimate) access rights for the threat agent. Haruspex deals with this problem by implementing a simulation of threat agents and the attacks they implement and by collecting the relevant statistical data from the simulations. after successfully compromising an administrative component through a spear-phishing attack. provided that they have gathered the required privileges. In this diagram. The proposed model can also represent users as further components that can be attacked through such methods as spear phishing.) The combination of many solid arrows represents the complex attacks that may lead the threat agent to DB2. www. attack paths through the system are represented with solid arrows. 2012 47 . ISACA JOURNAL VOLUME 3. the threat agent can access the public web application and send email messages to the system users. solid arrows represent legitimate interactions between components. Mail Threat Manager Admin User The threat agent can acquire new access rights to components in two ways: • By attacking a component—This requires the discovery of a vulnerability in the component and enough resources.5 These channels are also those the threat agents exploit when attacking one component from another. involves attacking a manager component with spear phishing.7 • By deploying the access rights of an already compromised component (e. In this perspective. just a few paths are shown. a threat exploits a vulnerability in the web application and. “legitimately” accesses DB1. Figure 2—Attack Paths Against a System Webserver webapp DBMS DB2 DB1 escalation Remote Exploit Weak Password/DBMS Exploit Internet Phishing Manager Admin User Threat Local LAN Exploit In a complex attack. the name of an internal database. In figure 2. gaining “legitimate” access to DB2.6 After successfully attacking a user. a threat can then deploy administrative access rights to the database management system (DBMS). knowledge and time for the threat agent to take advantage of the vulnerability. www.isaca. and then “legitimately” accessing DB2. From DB1. A second path. Let us assume that the goal for the threat agent is read access to DB2. The level of detail in the representation of the system components can be easily adapted to the analysis requirements.isaca.Figure 1—Legitimate Interactions in the Haruspex Model Webserver DBMS • Read Risk IT. reducing the time and effort to collect useful data. the threat can exploit a vulnerability in the DBMS for a privilege escalation.g. which is the agent’s goal. from there. In the example. presumably easier to deploy.org/riskit DB2 Webapp DB1 escalation Internet • Learn more about. a user or an application)—For example. the user rights can be exploited to implement further attacks. discuss and collaborate on risk assessment and risk management in the Knowledge Center..org/knowledgecenter complex procedure to evaluate the actual risk in terms of the large number of factors resulting from the decomposition. Figure 1 further describes the system model of Haruspex. (For the sake of simplicity. the system is modeled as a set of components interacting through channels. The probability of a PC being vulnerable to attacks from another PC on the same LAN can be evaluated based on the frequency of security bulletins for the adopted operating system and related to this kind of vulnerability. it still may be unable to recover a valid password in the defined time frame.”9 While an attack graph can represent all possible complex attacks a threat can implement. including possible countermeasures. the overall complexity cannot disappear. a single attack). a strategy and usually goals with an impact). The Monte Carlo method can be explained with a simple example.e. and the threat has the resources and knowledge required to deploy it. Haruspex faces this problem by applying the Monte Carlo11 method.. agents with their own resources. and each attack has a probability of being successfully implemented. Intelligent threats will have the ability to select their actions based on many factors. are modeled. even if a weak password vulnerability exists in an authentication scheme. Haruspex will evaluate the . an attack graph does not support the evaluation of whether the agent can successfully implement the attack described by each path. For the sake of clarity. the success probability of a complex attack is derived from the probabilities of local and more measurable factors. since probabilities still need to be evaluated. However. a complex attack). an attack on the local area network (LAN) to the manager’s personal computer (PC) and a “legitimate” access to DB2. whereas in the Haruspex methodology they represent sets of privileges. one focuses on intelligent threat agents (i. A key point is that. a well-known and widely applied strategy to collect statistical data on complex events when no mathematical model of the event is available. the probability that all the required vulnerabilities are actually present in the system or how easily the threat can exploit them.8 shown in figure 3. this evaluation is left to other methodologies that the analyst can freely select. please refer to the publication “A Simulationdriven Approach for Assessing Risks of Complex Systems. These few examples show that in the proposed model. one can play several hands of the game and count how often the card sequence appears. Provided that one plays enough hands.10 For example. The probability of a user being vulnerable to spear-phishing can be locally evaluated.. than the success 48 ISACA JOURNAL VOLUME 3.g. Dealing with IT security.g. as already mentioned. one can consider the path corresponding to a complex attack that includes a spear-phishing attack against a user component. if the analyst decides that a given threat will attack the system. e. In short. or the frequency or reason why they will attack the system. these probabilities can be determined more easily than those of a complex attack.. Haruspex does not support an analysis to discover which threats may attack the system. This is also confirmed by other approaches that define the various factors that influence the occurrence of an event. In other words. If one wants to know the probability of a specific sequence of cards in a game that is too complex to calculate the result. nodes are represented as components. it does not allow one to determine the complexity of each attack.. For example. it is easier to evaluate the success probability of one step in a path (e. where the dotted arrows represent the first of the two complex attacks previously outlined.12 But. through a penetration test simulating this specific attack. However. For a formal discussion of both the model and the methodology. and now the analysis of the attack graph is more complex due to the probabilities that have been introduced. It may seem that nothing was gained. Therefore. it is important to consider how threats. 2012 probability of the entire path (e. A nonintelligent threat can be modeled as a threat with a strategy based on random or fixed behavior.g. or better threat agents. the count will be a good approximation of the actual probability. the Haruspex methodology introduces a probabilistic component in the overall description: Each vulnerability has a probability of existing and being discovered (by the threat) in a given time frame. depending on many factors. as confirmed by the increase in the complexity of the analysis of an attack graph with a probabilistic component.Figure 3—The Attack Graph With the Attack Paths Against the System From Figure 1 Internet Webapp Web Server PC Admin Phishing Remote Exploit Admin Local DBMS Exploit PC User PC Manager Admin Admin DBMS DB2 Privilege Escalation DB1 All these attack paths can be represented in an attack graph. Before explaining the role of the Monte Carlo method in the Haruspex methodology. the simulator computes whether the attack is successful and grants to the threat agent the additional privileges it has possibly acquired. one day): • The simulator computes the vulnerabilities that the threat agent discovers in that time slice • According to the resources. is something especially useful in Haruspex. The threat agent will deploy them in the next time slice.probability of that threat reaching some or all of its goals and impacting the system.13 At each simulation step. and confidence in these statistics increases with the number of experiments. instead. given a proper definition of risk: What is the risk associated with an attack by the threat? What makes Haruspex unique with respect to other methodologies and other tools is its ability to join the Monte Carlo method for the probabilistic part of the model with the intelligent behavior of threat agents. that influence the success of the attack. In each simulated time step. what would be the probability that the threat would achieve some goals and cause an impact? Or. since it would be biased by the specific values selected to generate the random values in that experiment. In each experiment. for example. The ability to support accurate and specific countermeasure selection. both in design and audit. it can be used to implement a new simulation to evaluate the actual overall risk reduction ISACA JOURNAL VOLUME 3.. the question: If this threat were to attack the system. Hence. The adoption of the Monte Carlo method implies that Haruspex simulates several times. the selection of the threats and their interest in the system can be dealt with separately in the risk-evaluation process. the number of agents they can stop or some proper combination of these factors. such as the time when the attack is attempted or the existence of controls that may detect the attack. Obviously. but given a set of countermeasures that reduce the success probability of some attacks. by improving the uniformity of the point distribution in the rectangle and by assuring that successive points are independent. 2012 49 . let us consider another application of the method: the computation of the area under a convex curve that lies in a finite rectangle. Haruspex supports the evaluation of countermeasures in the general case. corresponding to a time slice (e. To compute the area of interest. Haruspex repeats the discovery of vulnerabilities and the implementation of attacks by the threats until the experiment ends—because either all the threat agents reached their goals or all the time slices were consumed. The error in the approximation can be reduced by increasing n. with confidence. In this way. each trying to achieve some goals. the value of p can be approximated with the Monte Carlo method previously described. Each threat agent starts with his/her set of privileges and has access to a set of resources in the system (e. public resources or the ones available for an internal role). The value that Haruspex tries to approximate is the probability that a threat succeeds in implementing a complex attack. Then. To show how Haruspex can be used. On the other hand. First of all. the analyst can collect enough statistical data on successful attacks to be able to answer. Provided the number of experiments is rather high.g. To better explain how Haruspex uses the Monte Carlo method. one can generate a number of independent random points (n) that are uniformly distributed within the rectangle—the two coordinates.. and computes the success probability according to the number of times the threat is successful. Data are collected in each experiment to compute the relevant statistic values. It is assumed that the success probability of the attack makes it possible to model the various factors. a unit square and the circle inscribed in this square have a ratio of areas that is p/4. As an example. the attacks implemented by the threat. the area delimited by the curve can be approximated by the product of the area of the rectangle multiplied by the percentage of generated points that have fallen under the curve. each threat tries to advance by selecting and implementing an attack to acquire further privileges through some of the available vulnerabilities • Based on the success probability of the selected attack. strategy. A single experiment would be useless. are uniformly distributed for each side of the rectangle. several other methodologies assume that countermeasures remove vulnerabilities. Haruspex is not involved in the selection process. privileges and available vulnerabilities. Haruspex simulates a set of agents. in distinct experiments.g. countermeasures usually reduce the success probability of attacks or the existence probability of a vulnerability. This is seldom true. some proper deterministic algorithms have to be selected to generate the points. let us take a case in which some procedure has been defined to select a proper set of countermeasures according to their cost. DBMS hardening. Haruspex also encourages the creation of libraries of predefined components. according to the information returned by sensors on the progress of threat agents in the system). For example. the effectiveness of alternative sets of countermeasures can be evaluated in distinct simulations to discover the most cost-effective one. but the potentialities of Haruspex are. More accurate information on the attacks of a threat can result in a more realistic allocation of the limited resources of countermeasures to maximize the return on the investment. Usability The adoption of Haruspex to evaluate real systems poses two main problems: the complexity of system modeling and the evaluation of the local probabilities for component vulnerabilities and attack success. looking. Haruspex can also model defenders as additional agents that try to close the vulnerabilities optimally (e. this may avoid a useless effort in defining a precise value for a not-so-relevant probability. The authors are currently planning several simulations to validate and evaluate the current prototype (see figure 5). . Local information could be collected by vulnerability assessment tools. may be less effective than a targeted training for managers against phishing and the activation of segregation controls on network devices for network traffic.. In this way. the analysis that has been previously outlined represents the web server/web application component as a single component. could encourage information sharing between organizations (e. rather than based on statistics of the attacks that the threat will actually implement and reach its goal. however. which can be used for data mining. In the previous example. In this way.g. this analysis can decompose or zoom in on this component. Haruspex does not force the modeling of the entire system from the beginning at the same detail level. In some cases. It is easier to share information on single components and their vulnerability frequencies than on entire complex attacks that may expose too much information on the organization policies and on impacts. In fact. in turn. an additional feature of Haruspex is that probability ranges can be tested with simulations to assess how much a change in a local probability affects the overall risk.g. adding more details afterward. while probably more expensive.enabled by the selected countermeasures. between computer security incident response teams [CSIRTs] or in industry associations). The simulation produces a huge amount of data on the system. antivirus vendors). Further applications of Haruspex are the simulation of modern worms that patch components once they have been conquered. For example. and could then be personalized by the analyst for a specific organization (e. the exploded subsystem can replace the original component without changing the rest of the system model. the attacks and the threats. a Windows 7 desktop with its typical applications is a component that is almost the same in distinct organizations and can be defined with its typical attack channels and the probability of the related vulnerabilities (see figure 4). By returning important parameters that describe the behavior of threat agents.. Provided that the same relations with other components are maintained. If a more in-depth analysis of this component is required to select the most effective countermeasures. current strategies select countermeasures in terms of the attacks a threat may implement. 2012 Figure 4—Vulnerabilities of a Standard Component Removable Media Trojan Unpatched Local Browser Exploit Unpatched Local Privilege Escalation PC Admin Phishing? Unpatched Local LAN Exploit This. each with its vulnerabilities and probabilities that can be made available to analysts in an interface for system modeling. a lot of statistical data are already collected by many companies (e. In fact. or the modeling of threat strategies to select attacks. With respect to system modeling.g.. These probabilities can be based on the frequency of bulletins and on the data shared among organizations. Conclusion This article has presented the basic characteristics of Haruspex. for correlations between attacks. For example.. by and large. attacks and their probabilities must be assigned to the entire component. Vulnerabilities. for example. 50 ISACA JOURNAL VOLUME 3. still to be explored.g. a high-level analysis can be quickly performed. Haruspex can also support the definition and evaluation of algorithms to select proper countermeasures. the attacks they can successfully implement and so on. according to local configuration policies and patch management). D. 2011. each threat agent is represented through a distinct data structure rather than by a distinct agent. p. Seyit.” 26th annual SIGCHI Conference on Human Factors in Computing Systems. Due to the existence of several threat agents. Sushil Jajodia. no. “Measuring Security Risk of Networks Using Attack Graphs. Douglas W. 2009 3 Risk Management Insight LLC. Claudio Telmon. refer to: European Network and Information Security Agency (ENISA). The Failure of Risk Management: Why It’s Broken and How to Fix It. 12 Several methods and tools have been defined to discover and model the threat agents that may be interested in attacking a system. refer to: Egelman. USA. Z.” NATO Advanced Research Workshop on Information. For further details on the genesis of the method. “Constrained Automata: A Formal Tool for ICT Risk Assessment. Bulent Yener. “Modeling and Detection of Complex Attacks. Daniele Sgandurra. J. Wiley. 15. “A Simulation-driven Approach for Assessing Risks of Complex Systems. Hong:. which resulted in the building of the first atomic weapons. Handbook of Monte Carlo Methods. Lingyu Wang. For further references. so that the most useful and promising research paths can be explored. “You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. June 2005 8 Noel.Figure 5—Screenshot of the Haruspex Simulator Prototype Authors’ Note The authors are interested in interacting with the ISACA community to apply Haruspex to real-world complex systems. May 2011 10 Kim. New Mexico. Fabio Martinelli. USA.unipi. 13 Each agent to be simulated is modeled in terms of goals and resources it can access. Claudio Telmon. July 2010 9 Baiardi. For a detailed analysis of these tools and these methods. For a more complete reference. the resulting simulation can be described by an agent-based one—even if.. Mueller. in the current implementation.” Security and Privacy in Communications Networks. This attack is generally targeted against a small group of select users who are more likely to be attracted and behave as expected by the agent implementing the attack.” 13th European Workshop on Dependable Computing. S. Claudio Telmon. in turn.it. 125. L. 2007 5 Baiardi. which. Introduction to Factor Analysis: Why It Is and How to Do It. “Hierarchical. refer to: Metropolis. USA during the Manhattan Project. Inventory of Risk Management/ Risk Assessment Methods. Another interesting open-source project that we would like to undertake is the development of libraries to describe standard system components. Laura Ricci. P. Nicolas. 1978 11 The Monte Carlo method takes its name from the well-known casino.” Los Alamos Science. Faith Cranor.enisa. Jae-n. see: Kroese. 7 Baiardi. Endnotes 1 The name “Haruspex” was originally the name of ancient forecasters from Tuscany who predicted the future by interpreting the entrails of sacrificed animals—mainly the livers of sheep and poultry.” International Journal of Next-Generation Computing. Daniele Sgandurra. 2012 51 . 2 Hubbard. T. September 2009 6 A spear-phishing attack is a phishing attempt in which a user is invited to access some dangerous site that injects malware into the user’s machine. Sage Publication... determine the attack the agent can implement. Charles W.” Reliability Engineering & System Safety. Model-based Risk Management of Critical Infrastructures. ACM. Fabrizio. Fabrizio. www.europa. Taimre. Botev. Fabrizio. ISACA JOURNAL VOLUME 3. Security and Assurance.. Steven. It was first invented by Enrico Fermi and later adopted at Los Alamos.I. The authors can be contacted at haruspex@di. “An Introduction to Factor Analysis of Information Risk (FAIR). “The Beginning of the Monte Carlo Method. USA. John Wiley & Sons.eu/act/rm/cr/ risk-management-inventory/rm-ra-methods. Anoop Singhal.” November 2006 4 Camtepe.. Crossword Puzzle By Myles Mellor www.themecrosswords.com 47 Life duration 48 New, in a way 50 Experimental area 51 Create Across 1 He said “We get the culture we deserve,” Jacques ____ 4 List of items to be taken up 8 Report evaluating the controls used in a third-party service organization’s systems, abbr. 9 High profile 10 Exaggerated the benefits of a software system 11 Trademarks, abbr. 13 Praised loudly 14 Internet systems using remote servers for storage and data processing 15 Field 17 Query 18 Turn to the next page, abbr. 19 Cap 22 One of the most effectual tools an IT auditor has for any audit 25 Salesperson 26 Unit of information, abbr. 27 Double, for short 28 One of the six disciplines: set goals that lead 30 Identifying markers 33 Price ___ 36 One of the six disciplines: work the plan 38 US currency, for short 40 Hacker’s target 41 Had an objective 43 “All software contains fatal weaknesses, and you cannot develop a formal system that is secure.” —Dorothy _____ 45 He developed the “work-around code” along with Safari, allowing cookie installations: Anant _____ 46 Chemical suffix 52 ISACA JOURNAL VOLUME 3, 2012 Down 1 Standard for measurement of a system or process 2 Take a fresh look at 3 Can’t be hacked into 4 Takes measures 5 Working toward doing what is right 6 Strategic use of resources 7 Allied 8 Fix conclusively 12 Strict disciplinarian 15 PC program 16 Ages 20 Investment (abbr.) 21 Type of address on the net 22 Doctor, for short 23 Positioning 24 Navigational system 29 Core of an operating system 31 Security advocates have to sell security to get a higher allocation from it 32 One part of the six disciplines approach; step back 34 “Don’t be evil” company 35 Aka plug-in 37 Identify 39 Directed 42 “Big ___” 44 Organization that sets Internet standards 49 Windows 7 is one (Answers on page 54) CPE Quiz Prepared by Kamal Khan, CISA, CISSP, CITP, MBCS Take the quiz online: QUIZ #142 Based on Volume 1, 2012 Value—1 Hour of CISA/CISM/CGEIT/CRISC Continuing Professional Education (CPE) Credit TRUE or FALSE Oyemade Article Akhtar, Buchholts, Ryan and Setty Article 1. In many instances, IT auditors merely confirm whether backups are being performed either to disk or to tape, without considering the integrity or viability of the backup media. 2. A checklist for database backup and recovery includes ensuring that there is sufficient budget to cover the cost of backup tapes. 3. Oracle and MS SQL Server databases can be backed up to tape or disk. It is not a good idea to back up to disk first because they are difficult for DBAs to monitor and control. 4. A backup and recovery SLA is an important mechanism in assisting in the recovery process. 5. IT auditors can assist data administration teams in strengthening their controls and data recovery processes by validating DBA operations. 11. IT has the potential for business transformation and also represents a significant investment, typically from 1-8 percent of gross revenue. 12. The three-lines-of-defense model consists of three key elements: risk identification, risk assessment and risk monitoring. 13. The four types of risk response are risk avoidance, risk sharing/transfer, risk acceptance and risk reduction/mitigation. Dutta and Sista Article 14. The Basel II framework uses three pillars: (1) detailed methods for calculating minimum regulatory capital, (2) supervisory review standards and (3) market disclosure. 15. The Basel Committee classifies operational loss data in seven categories including damage to physical assets and business disruption and system failures. Tammineedi Article 6. Disaster recovery planning (DRP) involves planning and procedural aspects, encompassing emergency reponse and crisis communications. 7. BS 25999 Business continuity management establishes the process, principles and terminology of BCM and highlights the benefits and outcomes of an effective BCM program. Davis, Ferrell, Scranton and Millar Article 16. Fraud impacted 97 percent of organizations in 2010, according to the Kroll Global Fraud Report. 17. Prioritizing results according to specific red flags has cut review times by more than 57 percent. 8. The main BCM assets are the six organizational resources: power, premises, technology, information, supplies and cabling. 9. Most business continuity and disaster recovery plans address failover to a hot site or alternate site. Very few address the need to move operations back to a restored primary location. 10. Many business continuity plans are built on assumptions that may not include all relevant assumptions and limiting factors. For example, one assumption is that employees will go long distances to support operations, whereas local or regional disasters can make employees reluctant to go far from home. ISACA JOURNAL VOLUME 3, 2012 53 ISACA Journal CPE Quiz Based on Volume 1, 2012—Critical Resource Management Quiz #142 Answer Form (Please print or type) Name______________________________________________ __________________________________________________ Address_____________________________________________ __________________________________________________ __________________________________________________ CISA, CISM, CGEIT or CRISC#_____________________________ Quiz #142 True or False Akhtar, Buchholts, Ryan and Setty Article 1.___________ 2.___________ 3.___________ Oyemade Article 11.__________ 12.__________ 13.__________ 4.___________ Dutta and Sista Article 5.___________ 14.__________ Tammineedi Article 6.___________ 15.__________ 7.___________ Davis, Ferrell, Scranton and Millar Article 8.___________ 16.__________ 9.___________ 17.__________ 10.__________ Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information by email to
[email protected] or by fax to +1.847.253.1443. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 3701 Algonquin Rd., #1010, Rolling Meadows, IL 60008 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You need only to include an envelope with your address. You will be responsible for submitting your credit hours at year-end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CISM, CGEIT or CRISC CPE credit. 54 ISACA JOURNAL VOLUME 3, 2012 Answers—Crossword by Myles Mellor See page 52 for the puzzle. B E N C H M A R K A D D I N A R Z U N A E N S O C T O T A B L E H R T M S A A I L E D N A A R E S K K P T O M A P P I N B D B L N K L A B E L E X E C U T E I D A L R E N N I N G R A G E N D E L A B T G E T H I C N A L G P L S N D E Y P L L O Y I M R E A N T P I M E D G A E O T S H A A S I E D E U D I T P A G O O R G L P E 010 Code of Professional Ethics . The titles of issued standards documents are: IT Audit and Assurance Standards S1 Audit Charter Effective 1 January 2005 S2 Independence Effective 1 January 2005 S3 Professional Ethics and Standards Effective 1 January 2005 S4 Professional Competence Effective 1 January 2005 S5 Planning Effective 1 January 2005 S6 Performance of Audit Work Effective 1 January 2005 S7 Reporting Effective 1 January 2005 S8 Follow-up Activities Effective 1 January 2005 S9 Irregularities and Illegal Acts Effective 1 September 2005 S10 IT Governance Effective 1 September 2005 S11 Use of Risk Assessment in Audit Planning Effective 1 November 2005 S12 Audit Materiality Effective 1 July 2006 S13 Using the Work of Other Experts Effective 1 July 2006 S14 Audit Evidence Effective 1 July 2006 S15 IT Controls Effective 1 February 2008 S16 E-commerce Effective 1 February 2008 IT Audit and Assurance Guidelines G1 Using the Work of Other Experts Effective 1 March 2008 G2 Audit Evidence Requirement Effective 1 May 2008 G3 Use of Computer-assisted Audit Techniques (CAATs) Effective 1 March 2008 G4 Outsourcing of IS Activities to Other Organisations Effective 1 May 2008 G5 Audit Charter Effective 1 February 2008 G6 Materiality Concepts for Auditing Information Systems Effective 1 May 2008 G7 Due Professional Care Effective 1 March 2008 G8 Audit Documentation Effective 1 March 2008 G9 Audit Considerations for Irregularities Effective 1 September 2008 G10 Audit Sampling Effective 1 August 2008 G11 Effect of Pervasive IS Controls Effective 1 August 2008 G12 Organisational Relationship and Independence Effective 1 August 2008 G13 Use of Risk Assessment in Audit Planning Effective 1 August 2008 G14 Application Systems Review Effective 1 October 2008 G15 Audit Planning Revised Effective 1 Ma1 2010 G16 Effect of Third Parties on an Organisation’s IT Controls Effective 1 March 2009 G17 Effect of Non-audit Role on the IS Auditor’s Independence Effective 1 May 2010 G18 IT Governance Effective 1 May 2010 G19 Withdrawn 1 September 2008 G20 Reporting Effective Effective 16 September 2010 G21 Enterprise Resource Planning (ERP) Systems Review Effective 16 September 2010 G22 Business-to-consumer (B2C) E-commerce Reviews Effective 1 October 2008 G23 System Development Life Cycle (SDLC) Reviews Effective 1 August 2003 G24 Internet Banking Effective 1 August 2003 G25 Review of Virtual Private Networks Effective 1 July 2004 G26 Business Process Re-engineering (BPR) Project Reviews Effective 1 July 2004 G27 Mobile Computing Effective 1 September 2004 G28 Computer Forensics Effective 1 September 2004 G29 Post-implementation Review Effective 1 January 2005 G30 Competence Effective 1 June 2005 G31 Privacy Effective 1 June 2005 G32 Business Continuity Plan (BCP) Review From IT Perspective Effective 1 September 2005 G33 General Considerations for the Use of the Internet Effective 1 March 2006 G34 Responsibility.020 Organisational Relationship 530 Professional Ethics and Standards . use professional judgement in their application and be prepared to justify any departure. The framework for the IT Audit and Assurance Standards provides multiple levels of guidance: n Standards define mandatory requirements for IT audit and assurance. The objective of the IT Audit and Assurance Guidelines is to provide further information on how to comply with the IT Audit and Assurance Standards. Authority and Accountability 520 Independence . The IT audit and assurance professional should consider them in determining how to achieve implementation of the standards. helps enterprises increase the value attained from IT.010 Control Planning 560 Performance of Work . n Guidelines provide guidance in applying IT Audit and Assurance Standards. One of the goals of ISACA® is to advance globally applicable standards to meet its vision.010 Periodic Reporting 580 Follow-up Activities .010 Skills and Knowledge .010 Responsibility.isaca. The development and dissemination of the IT Audit and Assurance Standards are a cornerstone of the ISACA professional contribution to the audit and assurance community. CobiT enables clear policy development and good practice for IT control throughout enterprises.010 Professional Independence . 2012 55 . in disciplinary action.010 Follow-up Effective 1 September 1999 Code of Professional Ethics Effective 1 January 2011 ISACA JOURNAL VOLUME 3.010 Supervision .org/standards. The procedure documents provide information on how to meet the standards when performing IT auditing work. It emphasises regulatory compliance.020 Evidence .isaca.org/cobit. www. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and.030 Effectiveness 570 Reporting . They inform: – IT audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics – Management and other interested parties of the profession’s expectations concerning the work of practitioners – Holders of the Certified Information Systems Auditor™ (CISA®) designation of requirements. The objective of the IT Audit and Assurance Tools and Techniques is to provide further information on how to comply with the IT Audit and Assurance Standards. enables alignment and simplifies implementation of the CobiT framework’s concepts.020 Due Professional Care 540 Competence . Links to current guidance are posted on the standards page. but do not set requirements. therefore. its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and well-respected framework. CobiT is available for download on the ISACA web site. n Tools and Techniques provide examples of procedures an IT audit and assurance professional might follow in an audit engagement. www.Standards Guidelines Tools and Techniques ISACA Member and Certification Holder Compliance The specialised nature of IT audit and assurance and the skills necessary to perform such audits require standards that apply specifically to IT audit and assurance. CobiT® is an IT governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements. ultimately. technical issues and business risks.020 Continuing Professional Education 550 Planning . CobiT is intended for use by business and IT management as well as IT audit and assurance professionals. Authority and Accountability Effective 1 March 2006 G35 Follow-up Activities Effective 1 March 2006 G36 Biometric Controls Effective 1 February 2007 G37 Configuration and Release Management Effective 1 November 2007 G38 Access Controls Effective 1 February 2008 G39 IT Organisation Effective 1 May 2008 G40 Review of Security Management Practices Effective 1 October 2008 G41 Return on Security Investment (ROSI) Effective 1 May 2010 G42 Continuous Assurance Effective 1 May 2010 IT Audit and Assurance Tools and Techniques P1 IS Risk Assessment Measurement Effective 1 July 2002 P2 Digital Signatures and Key Management Effective 1 July 2002 P3 Intrusion Detection Systems (IDS) Review Effective 1 August 2003 P4 Malicious Logic Effective 1 August 2003 P5 Control Risk Self-assessment Effective 1 August 2003 P6 Firewalls Effective 1 August 2003 P7 Irregularities and Illegal Acts Effective 1 December 2003 P8 Security Assessment—Penetration Testing and Vulnerability Analysis Effective 1 September 2004 P9 Evaluation of Management Controls Over Encryption Methodologies Effective 1 January 2005 P10 Business Application Change Control Effective 1 October 2005 P11 Electronic Funds Transfer (EFT) Effective 1 May 2007 Standards for Information System Control Professionals 510 Statement of Scope . Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. CISM. CISM. CRISC.00. CITP Robert Findlay B. CISA. CISM Past International President. CPA. for a flat fee of US $2. CISA. BS 7799 LA Sailesh Gadia. CISSP ISACA Board of Directors (2011–2012) International President Kenneth L.D. CISSP Daniel Paula. CISM. employers or the editors of this Journal. CISA. CA. Ganapathi Subramaniam. CISA. SSCP. CRISC Media Relations Larry Marks. Subscription Rates: US: one year (6 issues) $75. Send payment to the CCC stating the ISSN (1944-1967). or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. CGEIT. CGEIT Vice President Niraj Kapasi. CISA. MCSE Robert Moeller. CISM. Ph. CISA. Ph. CMA. CISSP. MBCS Christos Dimitriadis. CISA Smita Totade.com/ISACA Back Cover 16 3 18 1 Leaders and Supporters Editor Deborah Vohasek ISACA® Journal. CPA Vice President Christos Dimitriadis. ISACA Journal does not attest to the originality of authors’ content. CISM. online.50 per article plus 25¢ per page.com/ISJ www. CSQA. Ph. CISA Vice President Tony Hayes. Chaudary. CPP. CISSP. reprint or republication. CISA. CISA. Remittance must be made in US funds. CISA.D. CISA. CGEIT.. CRISC news@isaca. Bizarro. CRISC.. ACIS Reynaldo J. CISA. CGEIT Muthoni Mutonyi. CISA. Vander Wal. entitles one to receive an annual subscription to the ISACA Journal. CISA. Ross. RegisDegrees.00 All international orders: one year (6 issues) $90. CISM. CISA.com). CGEIT. CRISC. CISA. and first and last page number of each article. to photocopy articles owned by ISACA. CISM. CSQE Aureo Monteiro Tavares Da Silva. CISA. CISA Gretchen Myers. CRISC Brian Barnier. Ph. CGEIT. Where necessary. CFSA. Mass.org Cassandra Chasnis. Ph. CRISC Juan Macias. CISA. CISM Vice President Greg Grocholski. CISA Ashwin K. CISA. 2007–2009 Lynn Lawton. CISM Parvathi Ramesh. CISSP Ken Doughty. CISA. ISSN 1944-1967 Editorial Reviewers Matt Altman. CISA. and from opinions endorsed by authors.org Norman Marks David Earl Mills. CRISC Senior Editorial Manager Linda Betz. FCA. CITP. CISA.D. CISA. All rights reserved. CGEIT. CRP Johannes Tekle. CRISC. CISSP. CISA. CISA publication@isaca. Copying for other than personal use or internal reference. CRISC. Membership in the association. CIA Steve Primost.edu/ISACA www. CISA. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees. CISA.lewis. 2009–2011 Emil G. CISSP Director Marc Vael. CRISC media@isaca. CGEIT. CRISC.candf. CGEIT Past International President.org www. CISA Jennifer Hajigeorgiou Jerome Capirossi. CISSP Jeffrey Hare. CISSP The YGS Group Khawaja Javed Faisal. date. CISA.. CRISC. CISA Vice President Jeff Spivey. Ph.iia2012ic. For other copying. CA David Ramirez. 27 Congress St. CISA. volume. CISSP.. CIA Ilija Vadjon. CISM. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. permission must be obtained in writing from the association. CISA. CISM Ron Roy. CISM Steven J.D. CISSP Chief Executive Officer Susan M. CGEIT. CCNA. CBCP Tommie Singleton. CISA.. a voluntary organization serving IT governance professionals.D. Ross Dworman. CBCP. CGEIT. GSLC CMA. CGEIT.p1 www. 01970. CRISC Contributing Editors Joao Coelho. CGEIT.D. CRISC Anuj Goel. CISA. Caldwell . CGEIT Kamal Khan.org Romulo Lomparte. CRISC. CRISC. CISM. CISA Ellis Wong.. CGEIT. CGEIT. CISA. CISA. MIEEE John Pouey. CISM. CISSP Manish Gupta. CISA. PSP Vice President Jo Stewart-Rattray. CPA.Advertisers/Web Sites Clients & Friends ExamMatrix IIA Lewis University Regis University www. FBCS CITP. de la Fuente. Salem. CGEIT Sally Chan. CISA. CISA Pascal A. © 2012 ISACA. CCSA.www. CFE. CISM. permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.ExamMatrix.. D’Angelo. CIA Advertising Francisco Igual. FIIA Director Allan Boardman. formerly Information Systems Control Journal. CIA. is published by ISACA. CISA. CPA.copyright. CISA. PMP Pak Lok Poon. a nonprofit organization created for the public in 1969. See www.00 nonmember $135. 3rd Edition* Code ISOA3 | member $60.00 2012 CISA/CISM/CGEIT/CRISC Study Aids* * Published by ISACA and ITGI ISACA member complimentary download www.isaca.00 IT Auditing: Using Controls to Protect Information Assets. 184 pages—10-IT | member $81.isaca.00 Code ITCOC | member $35.00 2012.00 nonmember $50. 230 pages—WCB5EP E-book – PDF Format (purchase online only) | member FREE nonmember $135.00 nonmember $80.00 nonmember $80. 230 pages—CB5EP | member $35. 78 pages—WCB5IG E-book – PDF format (purchase online only) | member FREE nonmember $150. 3rd Edition* Code ISPS3 | member $65.00 nonmember $75. Featured… www. Audit and Control Features Oracle PeopleSoft. 2nd Edition Code 15-MIT2 | member $70.00 Security.00 IT Governance: Policies & Procedures.00 nonmember $50.org/newbooks Internet and Related Security COBIT COBIT 5* 2012.00 IT Governance to Drive High Performance: Lessons from Accenture Code 8-ITHP New Books… www.00 member $40. 368 pages—27-MSC | IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data Code 22MSM Lean IT: Enabling and Sustaining Your Lean Transformation 2010. 2012 Edition Code 5-AS12 | member $245.00 COBIT 5: Enabling Processes* 2012. Audit and Control Features Oracle E-Business Suite.00 nonmember $255.00 nonmember $60. Performing and Presenting IT Audits Code 1-IIA | member $70.org/bookstore for the complete ISACA Bookstore listings.00 | member $15.00 nonmember $80.isaca.org/featuredbooks A New Auditor’s Guide to Planning. 2nd Edition Code 2-SAPP | member $70.00 Cybersecurity: The Essential Body of Knowledge 2012.00 | member $50.00 2012.00 nonmember $91.00 COBIT 5 Implementation* 2012.00 nonmember $80. 94 pages—CB5 | member $35. 370 pages—52-CRC | member $52.00 nonmember $60.B o o k st o r e Resources for your Professional Development Over 350 titles are available for sale through the ISACA® Bookstore.00 Securing the Clicks: Network Security in the Age of Social Media 2011. This insert highlights the new ISACA research and peer-reviewed books.isaca. 78 pages—CB5IG | member $35.00 IT Governance and Business Management Supplement IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud* Security.00 SAP Security and Risk Management.00 nonmember $62.00 nonmember $150.00 nonmember $25.org/downloads All prices are listed in US Dollars and are subject to change S-1 . 00 * Published by ISACA and ITGI S-2 ISACA member complimentary download www. 2012.1 by integrating other major frameworks. 230 pages. Also.00 nonmember $150.00 member FREE nonmember $135. 78 pages.00 COBIT 5 Implementation* ISACA This guide and COBIT 5 recognize that information and related IT are pervasive in enterprises and that it is neither possible nor good practice to separate business and IT-related activities. covering the full end-to-end business and IT functional areas of responsibility. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques. and provides globally accepted principles.00 member FREE nonmember $150. 78 pages. standards and the opinion of experts.org/newbooks NEW COBIT 5* ISACA COBIT 5 is the overarching business and management framework for governance and management of enterprise IT. This volume documents the five principles of COBIT 5 and defines the 7 supporting enablers that form the framework. improvement and assurance of governance of enterprise IT based on (strategic) objectives of the enterprise and the related risk COBIT 5 Process Model The COBIT 5 process model includes a number (37) of governance and management processes. the guidance defines practices and activities at a relatively high level and does not describe how the process procedure is to be defined. analytical tools and models to help increase the trust in. Val IT and Risk IT processes. NEW Enabling Processes COBIT 5: Enabling Processes includes: COBIT 5 Goals Cascade Enterprises exist to create value for their stakeholders.00 COBIT 5: Enabling Processes* ISACA This publication complements COBIT 5 and contains a detailed reference guide to the processes defined in the COBIT 5 process reference model. efficient application of technology • Maintain IT-related risk at an acceptable level • Optimize the cost of IT services and technology • Support compliance with relevant laws. 230 pages. information systems. CB5EP 2012. including: • ISACA’s Val IT and Risk IT • Information Technology Infrastructure Library (ITIL®) • Related standards from the International Organization for Standardization (ISO) COBIT 5 helps enterprises of all sizes: • Maintain high-quality information to support business decisions • Achieve strategic goals and realize business benefits through the effective and innovative use of IT • Achieve operational excellence through reliable.isaca. and it has to be adapted to suit the enterprise. It is important to understand that the model and its contents are generic and not prescriptive.org/downloads All prices are listed in US Dollars and are subject to change . 94 pages. and value from. CB5 | Supplement member $35.00 nonmember $50. It covers the following subjects: • Positioning GEIT within an enterprise • Implementing continual improvement that includes change enablement and program management • Taking the first steps toward improving GEIT • Using COBIT 5 and its components • Implementation challenges and success factors • Using COBIT 5 and its components • Enabling GEIT-related organizational and behavioural change 2012. standards and resources.isaca. any enterprise will have value creation as a governance objective.00 nonmember $135.1.n e w books www. contractual agreements and policies 2012. The goals cascade is important. because it allows the definition of priorities for implementation. practices. COBIT 5 builds and expands on COBIT 4. Process Reference Model Developed based on best practices. WCB5IG E-book—PDF format (purchase online only) | member $35. Value creation means realizing benefits at an optimal resource cost while optimizing risk. this set of processes is the successor to the COBIT 4. regulations. Consequently. The governance and management of enterprise IT should therefore be implemented as an integral part of enterprise governance. Implementation NEW This publication provides a good-practice approach for implementing GEIT based on a continual improvement life cycle that should be tailored to suit the enterprise’s specific needs. and includes all processes required for end-to-end treatment of all GEIT. CB5IG | 2012. WCB5EP E-book—PDF Format (purchase online only) | | member $35. A Business Framework for the Governance and Management of Enterprise IT COBIT 5 is the only business framework for the governance and management of enterprise IT. competitors. 370 pages. and maintain quality and stability. and the public • Block cyberstalking. Bell and Michael A.00 * Published by ISACA and ITGI ISACA member complimentary download www. Yet when an enterprise begins a Lean transformation.org/downloads All prices are listed in US Dollars and are subject to change S-3 . This book is organized to help readers understand how the various roles and functions within a cybersecurity practice can be combined and leveraged to produce a secure organization. improve service levels. instead.00 nonmember $91. administration. clients. and metrics supported by practical examples and case studies • Addresses the intersection of Lean. Readers will find ways how to analyze risk. online reputation management.00 Nonmember $62. 2012. and information systems • Illustrates how to apply the principles of Lean to IT operations for improved quality and performance 2010. all while steadily reducing operating costs. malware. trademarks. and enforce social media usage policies. This book provides guidance to: • Assess the enterprise’s global social media presence and identify vulnerabilities • Establish solid security policies at every level of the enterprise • Allocate resources for planning. and identity theft exploits • Guard intellectual property rights. manage change. and logos • Preserve the enterprise’s brand image using online reputation management tools NEW Supplement IT is supposed to enable business performance and innovation. and incident response are also covered in this comprehensive volume. Regulatory compliance. the content is interwoven in a real world adventure story that runs throughout. phishing. methods. too often the IT department either left out or viewed as an obstacle. this book shares practical tips. 52-CRC | Member $52.00 Securing the Clicks: Network Security in the Age of Social Media Gary Bahadur. 184 pages.00 Lean IT: Enabling and Sustaining Your Lean Transformation Steven C. This approach grabs readers’ attention and assists them in visualizing the application of the content to real-world issues that they will face in their professional life. Derived from the US Department of Homeland Security’s Essential Body of Knowledge (EBK) for IT Security.00 Nonmember $50. Orzen NEW is Features include: • Provides a comprehensive and definitive resource on Lean IT • Offers tools. In this unique book. and competencies involved with information security. Jason Inasi and Alex de Carvalho Securing the Clicks: Network Security in the Age of Social Media explains the latest threats along with detailed fixes. examples. best practices. 2011. a fictional company experiences numerous pitfalls of cyber security and the reader is immersed in the everyday practice of securing the company through various characters’ efforts.Cybersecurity: The Essential Body of Knowledge Dan Shoemaker and Wm. and corrective action • Monitor usage by employees. Arthur Conklin NEW Cybersecurity: The Essential Body of Knowledge provides a comprehensive. and case studies to help the reader establish a culture of continuous improvement to deliver IT operational excellence and business value to the organization. Six Sigma. In the story. roles. concepts are not presented as stagnant theory. copyrights. 368 pages. trustworthy framework of practices for assuring information security. 10-IT | member $81.isaca. implement robust security protocols. What is to be done? Winner of a 2011 Shingo Research and Professional Publication Prize. and “from the headlines” case studies. this book is an indispensable resource dedicated to understanding the framework. 27-MSC | Member $40. 00 nonmember $80.isaca. Audit and Control Features Oracle E-Business Suite. (Outside US & Canada) 01 of 2 www.1177 © IS se AC rv A.00 8-ITHP member $15.00 Supplement nonmember $80.isaca.isaca. A .com Technical Support: +1.org/downloads CRISC Review Manual 2012* CRISC Review Questions.00 nonmember $25. Answers & Explanations & Explanations Manual 2012* Manual 2012 Supplement* CISM Practice Question Database v12* 2012 CGEIT Exam Reference MaterialS IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data u To prepare for the June or December 2012 CGEIT exam. answers & explanations manual 2012 Supplement ® nonmember $60. Audit and Control Features Oracle PeopleSoft. cop ights reser ved.799. A ll red ll r e ll r giste nc. Answers & Explanations Manual 2012 Supplement* CISA Practice Question Database v12* 2012 CISM® Exam Reference Materials u To prepare for the June or December 2012 CISM exam.org/cismbooks ITCOC member $35.00 CGEIT Review Manual 2012* CGEIT Review Questions.272.00 nonmember $75.00 Certified information SeCurity manager CiSm® review Questions.isaca. 3rd Edition* ISPS3 member $65. 2012 Edition IT Governance to Drive High Performance: Lessons from Accenture member $245.00 S-4 * Published by ISACA and ITGI ISACA member complimentary download www. I 12 Re yright p ro 2012 M ystem (v. Answers Questions.100-question database Technical Support:
[email protected] nonmember $255. order u www. Answers & Explanations Manual 2012 Supplement* 2012 CRISC EXAM REFERENCE MATERIALS SAP Security and Risk Management. order u www.org/cisabooks CISA ® Practice Question Database v11 Featuring a 1.20 d uc atrix Learning S ited tion i n whole or in part is prohib 2 S of CISA Review Manual 2012* A New Auditor’s Guide to Planning.00 5-AS12 Certified information SeCurity manager ® CISM Review CISM Review Questions.00 member $70.org rk re tw ISAC ma are de ghts A tra i Sh . CISA is a re s.isaca.00 u To prepare for the June or December 2012 CRISC exam.Featured Publications www. order u www.00 CISM Review Manual 2012* IT Governance: Policies & Procedures. ed .303. Answers & Explanations Manual 2012 Supplement* All prices are listed in US Dollars and are subject to change . 3rd Edition* ISOA3 member $60.org/featuredbooks EXAM REFERENCE MATERIALS 2012 CISA® Exam Reference Materials u To prepare for the June or December 2012 CISA exam. 2nd Edition 2-SAPP member $70.isaca.0). Performing and Presenting IT Audits IT Auditing: Using Controls to Protect Information Assets.00 nonmember $80. answers & explanations manual 2012 CiSm® review Questions.00 IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud* CISA Review Questions.00 nonmember $60. 2nd Edition 1-IIA 15-MIT2 member $70.00 Security.00 nonmember $80.7277 (US & Canada) +1.org/cgeitbooks 22MSM member $50.org/criscbooks Security. order u www.877. 00 100.00 40.00 2012 CRISC EXAM REFERENCE MATERIALS u To prepare for the June or December 2012 CRISC exam.00 60.00 70.00 2.Code Title Nonmember Member Code Title Nonmember Member CobiT® u To prepare for the June or December 2012 CISA exam.00 CobiT and Application Controls: A Management Guide WCAC* E-book—PDF format (purchase online only) 55. security or assurance tool.00 100.00 CobiT Assessor Guide: Using COBIT 4.00 25. 2nd Edition Additional Set (5 each) Reference Cards HRC2 Home Users 3.00 5.00 5. Answers & Explanations Manual 2012 Supplement (100 Questions) CGEIT Review Questions.1 WCMNIST* Mapping of NIST SP800-53 Rev 1 With CobiT® 4.00 40.00 MRC2 Managers 3.1 Excerpt 5.00 ITG9* Implementing and Continually Improving IT Governance 115.00 CB4A* IT Assurance Guide: Using CobiT 165.00 40.00 15.00 185.1. Answers & Explanations Manual 2012 Supplement* QAE-12ES English Edition (100 Questions) QAE-12CS Chinese Simplified Edition (100 Questions) QAE-12FS French Edition (100 Questions) QAE-12IS Italian Edition (100 Questions) QAE-12JS Japanese Edition (100 Questions) QAE-12SS Spanish Edition (100 Questions) CISA Review Questions.00 25.00 130.00 25. order u CGM-12* CGQ-12ES* CGQ-11* CACG* CGEIT Review Manual 2012 CGEIT Review Questions.0 WCMFF* Mapping FFIEC with CobiT 4.00 CobiT 5 Implementation WCB5IG* E-Book—Pdf format (purchase online only) 150.00 60.00 85.00 100.00 2.00 SDG* SharePoint Deployment and Governance Using CobiT 4.00 ERC2 Executives 3.00 105.00 PRC2 Professional Users 3.00 60.00 20.00 CBSB2* CobiT Security Baseline.0 WCMTOG* Mapping of TOGAF 8.00 40.00 85.00 ALL PRICES ARE LISTED IN US DOLLARS AND ARE SUBJECT TO CHANGE S-5 .00 185.00 115. CobiT Mappings WCMCMM* Mapping of CMMI for Development V1.0 VITB2* The Business Case Guide—Using Val IT 2.00 60. Answers & Explanations Manual 2011 (60 Questions) Candidate’s Guide to the CGEIT Exam and Certification (No charge to paid CGEIT exam registrants) 115.00 135.00 25.00 60. Print Format 190.00 135.00 25.00 40.2 With CobiT 4.00 120.org/cobitonline) 50.00 135.00 $105.00 40. Answers & Explanations Manual 2012 Supplement* CQA-12ES English Edition (100 Questions) CQA-12JS Japanese Edition (100 Questions) CQA-12SS Spanish Edition (100 Questions) CISM Practice Question Database v12 (800 Questions)* MDB-12 CD-ROM – English Edition MDB-12W Download – English Edition (no shipping charges apply to download) CGC* Candidate’s Guide to the CISM Exam and Certification (No charge to paid CISM exam registrants) 115.00 40.00 60.00 25.00 SRC2 Senior Executives 3.00 40.org/cobit for descriptions and pricing) See NON-ENGLISH RESOURCES for additional CobiT material.00 100.00 75. 2nd Edition 110.00 130.00 60.00 90.00 60.00 40.isaca.00 76.0 VITAG* Value Management Guidance for Assurance Professionals—Using Val IT 2.00 40.00 85.00 100.00 70.00 2012 CISM® Exam Reference Materials u To prepare for the June or December 2012 CISM exam.1 WCPAM* E-book—PDF format (purchase online only) 40.00 60.2 with COBIT 4.00 Objectives for Successful IT Governance.00 25.00 70.00 2.00 30.00 40.0 WCMISO* Mapping of ISO/IEC 17799: 2005 With CobiT 4.00 CobiT Self-assessment Guide: Using COBIT 4.00 95. Val IT TM Enterprise Value: Governance of IT Investments VITM* Getting Started With Value Management VITF2* The Val IT Framework 2.00 35.00 35.00 160.00 86.1 WCAG* E-book—PDF format (purchase online only) 80.00 30.00 100.00 105. order u CRR-12* CRQ-12ES* CRQ-11* CACR* CRISC Review Manual 2012 CRISC Review Questions.00 CB5* COBIT 5 50.00 CobiT User Guide for Service Managers WCUG* E-book—PDF format (purchase online only) 35.00 FREE CSAG* Print format 40.00 5.00 50.00 CobiT 5: Enabling Processes WCB5EP* E-Book—Pdf format (purchase online only) 135.00 130.00 45.1 25.0 WCMIT3* Mapping of ITIL V3 With CobiT® 4.0 WCMSEI* Mapping of SEI’s CMM for Software to CobiT 4.00 (purchase online at www.00 60. order u CISM Review Manual 2012* CM-12 English Edition CM-12J Japanese Edition CM-12S Spanish Edition CISM Review Questions.00 185.00 105.00 130.00 15.00 185.00 60.00 105.00 40.00 FREE CUG* Print format 50. (see www.1 COLB* Annual Full Subscription + Benchmarking 400.00 2.00 90.00 225. Answers & Explanations Manual 2012 Supplement (100 Questions) CRISC Review Questions.00 55.org/cobitbooks for components included in each Focus Set Meycor CobiT Suite Comprehensive software for implementing CobiT 4.00 85.00 40.00 60.00 115.00 135.1 WCSAG* E-book—PDF format (purchase online only) 30.org/cobitonline for additional information.00 55.00 55.00 30.00 FREE CB5IG* Print format 150.00 185.00 225.1: A Practical Approach 70. order u CB4.00 CBX* CobiT 4.00 5.00 CPS2* CobiT Control Practices: Guidance to Achieve Control 110.00 40.00 60.1 WCM20000* Mapping of ISO/IEC 20000 with COBIT 4.00 FREE CAC* Print format 75.00 40.00 Free Free Free Free Free Free Free Free Free Free Supplement 2012 CISA® Exam Reference Materials Sets of related CobiT products focusing on your professional needs are available—purchase a focus set and save! See www.00 CAG* Print format 100.00 225.00 Visit www.00 25.00 135. 2nd Edition CBQ2* CobiT Quickstart.1 WCMCMM2* Mapping of CMMI for Development V1.00 25.00 60.isaca.00 200.00 CobiT Process Assessment Model (PAM): Using COBIT 4.00 FREE CB5EP* Print format 135.00 2.00 160.00 55.00 40.00 5.1 WCMPMB* Mapping of PMBOK to CobiT 4.00 25. Optimizing Performance and Measuring Results 5-RO A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance 40.00 15.00 90.00 40.00 40.0 VITS2* Complete Set 39-CRC The Business Value of IT: Managing Risks.00 35.00 25.00 35.00 120.00 105.1 With CobiT 4.1 as an IT governance.00 60.isaca.00 225.00 105.00 20.1* CobiT 4.00 85. Answers & Explanations Manual 2012* CQA-12 English Edition (700 Questions) CQA-12J Japanese Edition (700 Questions) CQA-12S Spanish Edition (700 Questions) CISM Review Questions.00 25.00 15.00 90.00 40.00 60. Answers & Explanations Manual 2011* QAE-11 English Edition (900 Questions) QAE-11C Chinese Simplified Edition (900 Questions) QAE-11G German Edition (900 Questions) QAE-11I Italian Edition (900 Questions) QAE-11J Japanese Edition (900 Questions) QAE-11S Spanish Edition (900 Questions) CISA Review Questions.00 40. Answers & Explanations Manual 2011 Supplement* QAE-11ES English Edition (100 Questions) QAE-11CS Chinese Simplified Edition (100 Questions) QAE-11FS French Edition (100 Questions) QAE-11IS Italian Edition (100 Questions) QAE-11JS Japanese Edition (100 Questions) QAE-11SS Spanish Edition (100 Questions) CISA Practice Question Database v12 (1.00 130.00 40.00 FREE CPAM* Print format 50.00 130.00 60.00 105.00 ISACA members SAVE 75% CISA Review Manual 2012* CRM-12 English Edition CRM-12C Chinese Simplified Edition CRM-12F French Edition CRM-12I Italian Edition CRM-12J Japanese Edition CRM-12S Spanish Edition CISA Review Questions. Answers & Explanations Manual 2011 (100 Questions) Candidate’s Guide to the CRISC Exam and Certification (No charge to paid CRISC exam registrants) Shaded — New Books * Published by ISACA and ITGI 115.00 CobiT Online 4.00 BRC2 Board of Directors/Trustees 3.00 40.00 2.00 60.00 2012 CGEIT Exam Reference MaterialS u To prepare for the June or December 2012 CGEIT exam.isaca.00 40.100 Questions)* CDB-12 CD-ROM—English Edition CDB-12W Download—English Edition (no shipping charges apply to download) CDB-12S CD-ROM—Spanish Edition CDB-12SW Download—Spanish Edition (no shipping charges apply to download) CAN* Candidate’s Guide to the CISA Exam and Certification (No charge to paid CISA exam registrants) $135.00 60. 00 80.00 55.00 95. and Compliance 86.00 95. 3rd Edition 7-ART Implementing the ISO/IEC 27001 Information Security Management System Standard 105.00 WITAF* ITAF: A Professional Practices Framework for IT Assurance e-book—PDF (purchase online only) 45.00 7.00 60. German.00 15-MIT2 IT Auditing Using Controls to Protect Information Assets.00 60.00 76-WSL Build Your Own Security Lab: A Field Guide for Network Testing 60.00 105.00 60. 2nd Edition 49-CRC Honeypots: A New Paradigm to Information Security 29ST-3 The Little Black Book of Computer Security. available at the following web site Chinese Simplified Edition .00 110.00 74.00 48.1 Edition. and Trust: A Logical Approach 100.00 60. Audit and Control Features Oracle® Database. Audit and Control Issues WW* E-book—PDF Format (purchase online only) 40.00 95. Control and SecuritY—Essentials 130. 9th Edition 70-WAS Accounting Information Systems: Controls and Processes 183. 6th Edition 23-MHE Hacking Exposed Web Applications.00 32. 3rd Edition 80.00 60. Management.00 100.00 35. Extreme.00 6-PL Auditing IT Infrastructures 105. 2nd Edition 21-MMS Mobile Application Security 86-WNS Network Security Bible.00 33. 6 Edition 70.00 2-ABA Information Security and Privacy: A Practical Guide for Global Executives.00 81.00 65.00 FREE 35.org/getcobit Russian Edition—www. 2nd Edition 71-WCF Essentials of Corporate Fraud 58.00 Managing Risk in Wireless Environment: Security.org. Operational Resilience and ROI 140.00 48-CRC Access Control.00 60. Second Edition 70.org/nonenglishbooks para descripción y precios) 1-TCA Principios de Auditoría y Control de Sistemas de Información 40.00 ® ISOA3* Security. Audit and Control Features 70. and Other Random Nuances Therein 56-WPC Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft ALL PRICES ARE LISTED IN US DOLLARS AND ARE SUBJECT TO CHANGE .isaca. 3rd Edition 1-MHF Hacking Exposed Computer Forensics Secrets and Solutions.00 60.00 150.isaca.00 60.00 82. Rants and Raves.Code Title Nonmember Member Risk IT and risk related topics 78-WRM 70-WFR 11-CRC8 84-WRM 2-HBS 1-HHOP 5-PL 55-WRCS RITF* RITPG* The Failure of Risk Management: Why It’s Broken and How to Fix It Fraud Risk Assessment: Building a Fraud Audit Program How to Complete a Risk Assessment in 5 Days or Less Information Technology Risk Management in Enterprise Environments IT Risk: Turning Business Threats Into Competitive Advantage The Operational Risk Handbook for Financial Companies Risk Management & Risk Assessment Risks.00 18-MAO 4-DC 1-SAPP 10-ART Code 70.00 Suite.00 435.00 80.00 PW* Print Format 50.isaca. and Security 95. 2nd Edition 10-MOC2 Network Security: The Complete Reference.00 Audit.isaca.00 25.isaca.00 119. Prosecution and Defense of a Computer-Related Crime.isaca. Uncertainty.00 80. Audit and Control Features WLIN* E-book—PDF Format (purchase online only) 30.00 213.00 60.00 15.00 20.00 90.00 55.00 29-ST4 A Practical Guide to IBM i and i5/OS Security and Compliance 89.00 82-WACL Fraud Analysis Techniques Using ACL 221.00 90.00 90.00 76.00 50.00 90.00 64.00 IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud WITCOC* E-book – PDF Format (purchase online only) 50.00 60.00 45.00 65. Control and Security—Specific Environments Applied Oracle Security: Developing Secure Database and Middleware Environments Audit Guidelines for DB2 CobiT and the Sarbanes-Oxley Act Identity Management: Concepts. and Security: Concepts and Applications The Risk IT Framework The Risk IT Practitioner Guide 45.00 7-SYN9 PCI Compliance.00 ODB9* Security.aiea.00 72.00 79-WCAF Computer Aided Fraud Prevention and Detection: A Step by Step Guide 74. 2nd Edition 80.isaca.fr Hebrew Edition .00 84.00 70.00 30.00 70.00 80.00 95.00 85.00 th 50-WPM6 Effective Project Management: Traditional.00 60.00 6-PAW Applied Security Visualization 65.00 1-ABES Enterprise Security for the Executive: Setting the Tone from the Top 45.00 60.00 130.kr CobiT 4.00 ® rd 75.00 ITCOB* Print Format 50. Risk Management.00 63.00 211.isaca.org/getcobit French Edition—www.) 55.00 70.00 4-CRC3 Information Technology Control and Audit.00 70-WFR Fraud Risk Assessent: Building a Fraud Audit Program 84.00 IT Control Objectives for Basel II WITCOB* E-book—PDF Format (purchase online only) 35. Audit and Control Features Oracle® PeopleSoft®. 2nd Edition 59-WNS Network Security Fundamentals 1-GL NMAP Network Scanning: The Official NMAP Project Guide to Network Discovery and Security Scanning 1-WCNR No Root for You: A Series of Tutorials.00 85.00 PLIN* Print Format 50.00 48.00 129.00 1-IT9 Accounting Information Systems. 2nd Edition 5-PSM Security Metrics: Replacing Fear.00 35.0 Edition.1.or. 3rd Edition 55.00 40.00 50.00 PSOX* IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal 7.00 2-W404 How to Comply with Sarbanes-Oxley Section 404: 100. Agile.00 50.00 45.00 74. 3rd Edition ISPS3* Security.afai.00 31-CRC Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance.00 Assessing the Effectiveness of Internal Control.00 OS390* OS/390-z/OS Security.00 35.00 FREE 20.00 105.00 FREE 70.00 38.00 10-EL GFI Network Security and PCI Compliance Power Tools 73. 3rd Edition 95-WISA Interpretation and Application of International Standards on Auditing 115.org/getcobit 1-AOCF Computación Forense: Descubriendo los Rastros Informáticos 42.00 35.org/getcobit Portuguese Edition—www.00 96.00 43-CRC Building an Effective Information Security Policy Architecture 94. Audit and Control Features Oracle E-Business 75.00 90. 3 Edition 3-JBSS Security Strategies in Windows Platforms and Applications 100.00 6-ITSOC IT Strategic and Operational Controls 70. Lawyers and Technologists 106.00 79. Audit and Control Features SAP ERP. 3rd Edition 2-SCC Cybercrimes: A Multidisciplinary Analysis 34-CRC Cyber Forensics: A Field Manual for Collecting. Control and Security—Specific Environments (cont. and Protecting Digital Information 70. Security.www.00 STDPK* IT Standards and Summaries of Guidelines and Tools and Techniques for Audit and Assurance and Control Professionals 20.00 115.00 50.00 Linux: Security. Control.00 199.00 4-IGI Computer Security. 2nd Edition 10-IT Cybersecurity: The Essential Body of Knowledge 4-MGH3 Gray Hat Hacking: The Ethical Hakers Handbook.00 50.00 50.00 35.00 1-IIA A New Auditor’s Guide to Planning.00 CISA Examination Reference Material Study aids available in Chinese Simplified.00 1-MPPI Protecting Industrial Control Systems from Electronic Threats 100.00 73.00 189.00 90.00 100. 3rd Edition 17-MHE2 Hacking Exposed Wireless: Wireless Security Secrets & Solutions. Privacy and Politics: Current Issues. Controls.00 70. Italian.00 55.00 100.00 105.00 35.00 Meycor CobiT Suite Meycor CobiT es un software completo e integrado para la implementación de CobiT como una herramienta para el Buen Gobierno de la TI.00 60.00 50.00 106.00 90.00 60.00 60.www.00 23.00 140.00 93-WAAS Auditing and Assurance Services: Understanding the Integrated Audit 223.00 248.00 Supplement Audit.00 45. and Security 9-EL Computer and Information Security Handbook 11-EL Cyber Attacks: Protecting National Infrastructure 1-CAP3 Cybercrime: The Investigation.00 90-WACS IT Audit. available at the following web site Korean Edition—www.00 90. Japanese and Spanish for the June or December 2012 CISA exam—see page S5 CISM Examination Reference Material Study aids available in Japanese and Spanish for the June or December 2012 CISM exam—see page S5 CobiT 3rd Edition. Challenges and Solutions 110.isaca-russia.00 173.ch CobiT 4.00 80.ru Spanish Edition—www.00 70.00 50.00 95.00 35. available at the following web sites German Edition—www.00 NON-ENGLISH RESOURCES 2-TCA Administración de la Seguridad de Información 55. and Presenting IT Audits 80.00 22-MSM IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data 60.00 Internet and Related Security Topics 19-M24 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them 45-CRC Cloud Computing: Implementation.00 55. Technologies. (see www. Seguridad de la TI o Aseguramiento de la TI según CobiT 4.00 ITCOC* Print Format 60.00 51-CRC Data Protection: Governance.00 70.it Japanese Edition—www.00 2-SAPP SAP Security and Risk Management.00 50.00 2-BAY* Stepping Through the InfoSec Program 45.00 258.00 95. French. Examining.00 120.00 70.00 1-RIA Practical IT Auditing with current Supplement 445.00 91.00 15. 2nd Edition 2-MCG6 Hacking Exposed: Network Security Secrets & Solutions.00 60. Performing.isaca.org/getcobit Italian Edition .00 80.00 92-WIA The Essential Guide to Internal Auditing.00 60. Managing.www.il Hungarian Edition—www.00 ISAP3* Security. and Doubt 70.00 60.00 45.00 83-WIS Information Storage and Management: Storing. 2nd Edition 9-SYN The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments 83. and Preserving Evidence of Computer Crimes.00 84.00 Control Over Financial Reporting. and Systems Shaded — New Books S-6 * Published by ISACA and ITGI Title Nonmember Member Audit.00 96. 00 80.00 9-ITSIA Swanson on Internal Auditing: Raising the Bar 60. Customs Customers are responsible for any custom duties/taxes/VAT charges levied by the country of destination.00 99.00 85.0: A Pocket Guide 32.00 26.00 10-ITISQ Implementing Service Quality based on ISO/IEC 20000 35.00 80.00 25.00 1-IBM The IBM Data Governance Unified Process 35.00 77-WTS Technology Scorecards: Aligning IT Investments with With Business Performance 60.00 PSA* Print Format 50.00 11-VH IT Outsourcing: Part 1 Contracting the Partner 41.W.00 22.00 37-CRC Digital Privacy: Theory.00 System Forensics. Once shipped.00 23-WIT The Executive’s Guide to Information Technology.00 MIC* Monitoring Internal Control Systems and IT 70.00 BMIS* The Business Model for Information Security 60.00 nd 108.00 60.00 of Directors and Executive Management.00 65.00 Securing the Clicks: Network Security in the Age of Social Media 50.00 42-CRC The Green and Virtual Data Center 90.00 44-CRC Vulnerability Management 90.00 50.00 50. 2 Edition 9-VH MOF—Microsoft Operations Framework V4. and Response 100.00 45.00 50. Costs and Benefits to Business 50.00 40.00 52.00 FREE Supplement * Published by ISACA and ITGI Nonmember Member IT Governance and Business Management (cont.00 50.00 (E-Book—purchase online only) 8-ITHP IT Governance to Drive High Performance: Lessons from Accenture 25. and Using Winning KPIs.00 50.00 2-ITPI Visible OPS Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps 32.00 89-WEG Empowering Green Initiatives with IT: A Strategy and Implementation Guide 60.00 7.00 nd 60. and Practices 90.00 41-CRC Business Resumption Planning.00 7.00 80.org/shipping for further information. 2 Edition 20-MHE Hacking Exposed Malware and Rootkits: Malware & Rootkits Secrets & Solutions 60.00 1-ITG* Board Briefing on IT Governance.00 10-VH Foundations of IT Service Management Based on ITIL V3 3-VH Frameworks for IT Management 65.660.00 50.00 56.00 35.00 WGPM* IT Governance and Process Maturity 30. 2012 Edition 255.00 Fraud.00 495.00 67-WHF Human Factors in Project Management: Concepts.00 7-ITGR Green IT in Practice.00 25-MIPM IT Project Management: On Track from Start to Finish. 60.00 55. Environmental.00 12-ITPM IT Project Management: 30 Steps to Success 30.00 91-WKPI Key Performance Indicators (KPI): Developing. and International Guidance and Best Practices 173.org/bookstore Mail completed form with payment: ISACA/ITGI 1055 Paysphere Circle Chicago.00 3-PAGE 7 Steps to Better Written Policies and Procedures 30.) 1-HA 30-CRC 24-MSIEM 27-MSC 1-OSM 2-JBSF Scrappy Information Security: The Easy Way to Keep the Cyber Wolves at Bay 30.00 22.00 20.00 ALL PRICES ARE LISTED IN US DOLLARS AND ARE SUBJECT TO CHANGE four easy ways to place an order: WWW 25.00 38. Risk and Compliance Handbook: Technology.00 495.00 45.00 FREE 795.5650 onday-Friday.1443 Phone: +1.00 30.00 9-ART Enterprise Information Security and Privacy 109.00 Information Technology. 3rd Edition 60. ABA #0260-0959-3 ISACA Account #22-71578 S. USA) Personal service—please M have credit card number available.00 50.) 94-WIFRS An Executive Guide to IFRS: Content. 2 Edition WCCS* Creating a Culture of Security (e-book) 50.00 75-WSO The Sarbanes-Oxley Section 404 Implementation Toolkit: 105. Illinois.00 31.00 2-PS3 Information Security Roles & Responsibilities Made Easy.isaca.00 WGOALS* Identifying and Aligning Business Goals and IT Goals 35.00 87. Finance.00 80.847.00 90. Technologies.00 55.00 95.00 65.00 4-ITG* Unlocking Value: An Executive Primer on the Critical Role of IT Governance 7. Measurement and Compliance 110. 2nd Edition 13-VH The Service Catalog 66.00 55. and Techniques for Inspiring Teamwork and Motivation 62.00 50.00 100.00 28-CRC Information Security: Design.00 60.00 40.00 195.00 6-SYN Business Continuity and Disaster Recovery Planning for IT Professionals 70.F.253.00 245.00 80. Please call +1.00 90.00 202.00 50. No refunds or exchanges.00 5-AS12 IT Governance: Policies & Procedures.00 15.847. 2 Edition 54-WCIO2 CIO Best Practices: Enabling Strategic Value with nd 75. See www. Implementation. Tools.00 100.00 20.00 110. IL 60674-1055 USA Fax completed order form with credit card number and expiration date to +1.00 55.00 (E-book—PDF purchase online only) 4-ID Implementing Information Technology Governance: Models. Version 12 805.00 20.847. 2nd Edition 66-WCP Building a World-Class Compliance: Best Practices and Strategies for Success 60.00 26-MDM Master Data Management and Data Governance.00 50-CRC Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement 90.00 40.I.847.00 3-IGI Information Technology Governance and Service Management: Frameworks and Adaptations 205.00 3-ITGD IT Governance: Guidelines for Directors 60. 2nd Edition ® 65.00 1-CMP Enterprise Security Architecture: A Business-Driven Approach 97.00 20.00 87-WWC World Class IT: Why Businesses Succeed When IT Triumphs 48.Code Title Nonmember Member Code Internet and Related Security Topics (cont.00 2-ITG* Information Security Governance: Guidance for Boards nd 7.00 Implementing.00 Securing Converged IP Networks 100. 2 Edition Shaded — New Books Title Order online at www.5501 or +1.00 100.660.00 7.00 5-ITOC IT Outsourcing Contracts: A Legal and Practical Guide 40. 2nd Edition 52-CRC Lean IT: Enabling and Sustaining Your Lean Transformation 62.00 12-VH IT Financial Management 65. Practices and Cases 110. publication quantity discounts Academic and bulk discounts are available on books published by the ISACA and IT Governance Institute. We will confirm availability and expected delivery date.00 Practice Aids for Managers and Auditors.00 Security Awareness: Best Practices to Secure Your Enterprise WSA* E-book—PDF Format (purchase online only) 35.00 Free 15.00 7.00 50.660.00 W3ITG* E-book—PDF Format (purchase online only) 45.00 Strategic and Operational Performance.00 Security Information and Event Management (SIEM) Implementation 75.00 163.00 nd 70. Investigation.T code BOFAUS3N return policy All purchases are final.00 55.00 80-WITM8 Information Technology for Management: Improving th 212.00 3-JR A Practical Guide to Reducing IT Costs 60. Version V3 505.00 WSH* Information Security Harmonisation: Classification of Global Guidance (E-book—PDF format purchase online only) 40.00 98. delivery time can vary between 2-7 business days.00 4-ITIG IT Governance: A Pocket Guide 25.00 IT Governance and Business Management Information Security Governance: Guidance for Information Security Managers 3-ITG* Information Security Governance: Guidance for Information Security Managers 50.00 46-CRC Implementing the Project Management Balanced Scorecard 90. Send electronic payments in US dollars to: B ank of America.00 52.00 1-IS The Privacy Management Toolkit 505. 3rd Edition 64-WGRC Governance.00 Security Monitoring 55.isaca. Delivery Orders normally ship within 2-3 business days upon receipt of payment.00 25.00 99.00 11-ITDG The Data Governance Imperative 50.00 1-BS12 Information Security Policies Made Easy. 8 Edition 81-WIC Internal Controls Policies and Procedures 95.00 2-ITO Outsourcing IT: A Governance Guide 60.00 4-PAGE Best Practices in Policies and Procedures 36.00 20. 8:00 am-5:00 pm Central Time (Chicago.00 50.00 FREE 32-CRC Crisis Management Planning and Execution 90.00 6-RO Principles and Practice of Business Continuity: Tools and Techniques 109.5578 for pricing information.00 85-WF101 Fraud 101: Techniques and Strategies for Understanding 65.00 80. S-7 . Payment Information—Prepayment Required Payment enclosed. Pricing.660. All orders must be prepaid. TOTAL Shipping & Handling Rates for Orders S-8 All orders outside the US are shipped Federal Express Priority. All purchases are final. shipping and handling.253. Oklahoma (OK)—4% Wisconsin (WI)—5% Florida (FL).00 Over US $150. and may also be used by ISACA to send you information about related ISACA goods and services.00 US $80.00 US $20. 3-12 Order Online at www.org/shipping International customers are solely responsible for paying all custom duties.00 US $8. Customer Information Shipping Information Name____________________________________________________________ FIRST ISACA Member: MIDDLE No LAST/FAMILY Supplement Address: Home If shipping to a PO Box.org and read our Privacy Policy. . For Orders Totaling Outside US Within US Up to US $30. drawn on US bank.org Your contact information will be used to fulfill your request. No shipping charges apply to CISA Practice Question Database v12—download.D. please include street address to ensure proper delivery.00 17% of Total 10% of Total No shipping charges apply to Meycor CobiT.isaca. Tennessee (TN)—7% Illinois (IL)—9% Bank wire transfer in US dollars.S. All purchases are final. No shipping charges apply to CISM Practice Question Database v12—download.00 US $7. Date_____________________________________________________________ Print Cardholder Name___________________________________________________ Signature of Cardholder___________________________________________________ Sales Tax: Add sales tax if shipping to: Louisiana (LA).00 US $15.00 US $50. and taxes levied by their country. OFFICE USE ONLY Customer Order Form Vol.org/bookstore U. Chicago. Federal I.00 US $10. New Jersey (NJ). Name____________________________________________________________ Yes Member Number ___________________________ Company Name_____________________________________________________ (If different from customer information) FIRST MIDDLE LAST/FAMILY Company Name_____________________________________________________ (IF PART OF SHIPPING ADDRESS) Company ________________________________________________________________ Address:__________________________________________________________ ________________________________________________________________ ________________________________________________________________ City _________________________________ State/Province__________________ ________________________________________________________________ Country_______________________________ Zip/Mail Code__________________ City _________________________________ State/Province__________________ Phone Number ( )________________________________________________ Country_______________________________ Zip/Mail Code__________________ Fax Number ( )_________________________________________________ Phone Number ( )________________________________________________ E-mail Address _____________________________________________________ E-mail Address _____________________________________________________ Code Title/Item Quantity Subtotal Thank you for ordering from ISACA.847. and other information in which we believe you may be interested. and tax are subject to change without notice.5650 Fax: +1. service charges.847. To learn more. please visit www. 1055 Paysphere Circle. Minnesota (MN).isaca. No. Visa American Express MasterCard Diners Club Credit Card #__________________________________________________________ Exp.00 US $10.00 US $5.1443 E-mail: bookstore@isaca. USA Phone: +1. Please return to: ISACA. IL 60674. South Carolina (SC). Check payable to “ISACA” in US dollars. Texas (TX). Washington (WA)—6% California (CA).01 to US $80.isaca. Shipping details www.00 US $30. Date of transfer ______________________________ Charge to Unit Price Total For all orders please include shipping and handling charge—see chart below.01 to US $150. 23-7067291 Please Note: Read payment terms anD shipping information below .00 US $26.01 to US $50. Pennsylvania (PA). org/careercentre-journal .isaca. Explore the ISACA Career Centre Today: www.Don’t get lost in your quest for a job. Simplify your search with ISACA’s newly enhanced online Career Centre. pl T: +48 22 898 72 66 (Poland) T: +44 207 022 4884 (UK) AdaptiveGRC IS A TRADE MARK OF CLIENT & FRIENDS SP.pl E: adaptive@candf. Superior business technology solutions. Client & Friends Sp z o.THE 1 COMPANY IN THE WORLD st TO OFFER CUSTOM BUILT GOVERNANCE.o. Z O. delivered faster . RISK AND COMPLIANCE (GRC) DATA WAREHOUSE AND BUSINESS INTELLIGENCE SOLUTIONS.O. Connect and unlock the valuable data across your existing GRC applications: — Audit results — Assessment results — Risk Management information — CAPA (Corrective/Preventive Actions) — Incidents — & other high value GRC information sources. Web: candf.