This lesson covers auditor methods that are geared towards success. This lesson covers different kinds of audits and how the auditor communicates with the auditee. This lesson also discusses corporate fraud with statistics drawn from the US Securities and Exchange Commission (USEC). This lesson also discusses new regulations in the banking and healthcare industries (e.g., HIPAA in healthcare) and how they are relevant to security professionals.

Transcript

Alright, so let's start with chapter 1. We're going to be speaking about the auditor methods that are geared for success. So this chapter we've got several objectives listed here. We'll start off with thinking about what the foundations of auditing are. We'll look at the professional requirements for the auditor themselves. What kind of skills does the auditor need? The difference between discretionary and mandatory: that applies in several different contexts. In this case we're talking about regulations, but it could be things like policies and procedures as well. We'll talk about that a little bit more. We'll look at different types of audits. Then we'll think about how the auditor communicates with the auditee. I kind of touched on that a little bit in the last section as far as the inter-relationship between the auditor and the persons that they're working with. The auditor also has some leadership aspects, even to the point of considering the auditor to be an executive position, so what kinds of priorities and planning are involved when you're in a leadership position? We'll look at those. Then, lastly, we'll cover the structure of different types of corporations or organizations, whether it's a consulting firm, a privately held organization, a publicly held or government organization; they all have their different aspects and considerations for how you deal with them and how they work internally. So why do we need an information system audit? Some of those questions are self-evident.
We know that we've got different situations that are in place. For instance, going back from a period between 2002 and 2005, we've got a lot of different people that were caught doing something they shouldn't have been doing. 92 presidents of corporations were convicted of fraud. 86 CEOs, 40 CFOs, 98 vice-presidents. Even 17 attorneys were convicted of fraud. What does all this mean? It means that maybe in this day and age there is perhaps a trend where more and more people that are in positions of power, that are letting a lot of money run through their hands, so to speak, are more tempted than ever before to try to take advantage of their position in order to enrich themselves, or to enrich their friends. That's just human nature, I suppose, but it's something to think about as a trend. Because of this activity, we've got more regulation that's come into being to try and put an end to this as much as possible. Some of the regulations are more punitive. They punish the offender more than they would have been punished before, with either financial penalties or prison time. Obviously, for certain individuals, it doesn't matter what the penalty is; they're going to do what they want to do anyway. If there's enough money to be made, they'll take that risk. So we'll look at some of the relevant regulations that are in place or continuing to be invented. Every year we know that there are new laws that get created. Not all of them pertain to this particular topic, but some of them do.

So we start off with the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. So this is a United Nations effort to get leadership from world governments to have sort of a custom, tailored approach to dealing with different types of fraud.
Each country has different laws, of course, so the way that they do things in England versus the way they might do it in Russia versus the way they do it in the US might have their own differences, just because of cultural and legal considerations. So we have the Sarbanes-Oxley Act, otherwise known as SOX. So this is for publicly traded companies trying to force them to be more transparent in their financial dealings. Everyone's probably aware of the Security Exchange Commission having the ability to publish details about stock trades. For instance, you can go to any number of financial websites for any given company like Yahoo Finance or Google Finance, for instance, and you can simply type in the name of the company and see the list of the officers. You can also see what stock trades they're making. This is useful for an investor, of course, to know if someone on the inside is selling or buying stock but it also provides some transparency for the organization itself to know that if an officer decides to buy a tremendous amount of stock, or sell a tremendous amount of stock, or options, then that might have some meaning for the shareholders or other people within the organization. So that's why that kind of information is made public. Canada has something similar. They have the OSX, their Ontario Securities Exchange. So if you're a public company in Canada you have to adhere to the rules that the OSX puts forth. Australia has their version, the ASX 10; their securities exchange and corporate governance council. Japan has their version of Sarbanes-Oxley otherwise known as J-SOX. And then we have a European standard, the International Financial Reporting Standards, or IFRS. So this covers the European Union, Australia, Canada, Japan, Russia and the US. So a lot of different regulations to think about depending on what part of the world you're operating in. 
And for those organizations that are multi-national, that adds a little bit of complication to navigating the regulation safely.

So, some regulations related to banking here. Obviously trade between large countries is very important. So trying to provide transparency and assurance that the transactions are legitimate and are not being covered up in any way is definitely one of the goals. And if we know that different countries are trading with each other fairly, then that should only stand to improve their relations from a business perspective. So we can start off with the base core for bank capital measurement standards. Then we have the payment card industry, the PCI data standard. These are both international standards. The Gramm–Leach–Bliley Financial Services Modernization Act: this is just for the US, of course. Then we have other things that are for the US: the Federal Financial Institutions Examination Council. That's a little bit hard to say, but the FFIEC. Then we have FACTA, the Fair and Accurate Credit Transactions Act. This one in particular deals with US citizens that have holdings in different countries, and some of the reporting requirements for doing so. Having some level of familiarity with these is a good idea for the exam, although the test does not go to tremendous levels of detail for any one of these acts or these regulations. You're just expected to know the high-level explanation of what the act does and where it applies. So do spend a little bit of time on this list, the COSO regulations and banking regulations.

Other things to think about: if you're involved in healthcare you have to adhere to the HIPAA standard, in the US anyway. FISMA should be very familiar to those of you who work for the federal government, since that's an annual reporting requirement. HIPAA, going back to that for a moment, not only deals with healthcare organizations but how they handle PII, or PHI, protected health information.
But we want to make sure that personally identifiable information, protected health information, is handled correctly and doesn't invite any opportunities for fraud or identity theft. FISMA has more to do with making sure that your federal organization is adhering to some type of framework for the security monitoring and configuration of your systems, as well as being able to monitor the effectiveness of your security controls continuously throughout the lifetime of those systems and then providing some reporting on at least a minimum of an annual basis to show that your systems are secure.

Then we've got SCADA systems: Security Control and Data Acquisition. These are used by your utility companies, if you're running a nuclear power plant or a hydroelectric plant. There are certain standards which apply to the way that those systems are managed and how they are monitored and how the reporting has to take place. Of course there are many other laws that apply in various parts of the world that are beyond the scope of what we're talking about here today.