Book Review: “The New Data Imperative: Managing Real-Time Risk in Capital Markets” by Dr. Raj Nathan, Irfan Khan, & Sinan Baskan

December 27, 2009, Joel Font, CISA, CBCP
Nude Sunbathing
Image by STML via Flickr

It seems that since the arrival of the Great Recession everyone has rushed out a book explaining why it happened and how to prevent it in the future. The feeding frenzy includes folks from all sorts of backgrounds who barely know what Sarbanes-Oxley, a financial statement or a CobiT control is. For many of these “experts,” the reasons for the recession are clearly not financial or regulatory or linked to globalization, but deeply ingrained in our dysfunctional and narcissistic society and in nasty “capitalism,” which to many is as deadly a tormentor of society as the Black Plague was 700 years ago. The damage caused by the recession is viewed as evidence that there is a need to educate the masses in new righteous ways to make money and to legislate new rules over corporate conduct. The new Robin Hoods, of course, are poised to make lots of money by selling new training programs, conducting seminars in Las Vegas and devising new green and “humane” ways to dismantle capitalism.

Although written by Sybase executives, The New Data Imperative by Dr. Raj Nathan, Irfan Khan and Sinan Baskan is not one of those new opportunistic books I am so disappointed to see in the book stores today. This book is a breath of fresh air in that it does not overshoot its scope and intent. Although it discusses the recession and uses it as a backdrop, the book in its 115 pages manages to convey the what, how, when and why of the information infrastructure behind today’s globalized financial markets, and why changes to these are needed. It does this in language that is understandable to non-technical business people (auditors, compliance, legal and financial management), who for the most part are the ones who need to understand these things, so they can participate in future implementations and improvements to existing systems.

In the next three to five years Risk Management will see an increase in the complexity of analysis, the need for faster data acquisition, faster reporting and the integration of more diverse data sources from in-house and from “the cloud,” not to mention a likely increase in Regulatory Compliance mandates. For these reasons, the way we approach the infrastructure that supports the Risk Management function(s) needs to be re-conceptualized. “The New Data Imperative” provides a quick snapshot of how to achieve this. The book looks at the state of current Risk Management “silos,” their data feeds, analysis cycles, reporting structures and overall data infrastructure, explains why these current systems fell short during the recent financial crisis and provides a well-conceptualized picture of how to transition, often without major and costly changes, into the data environments needed for the new Risk Management processes now being proposed by regulators, the Big Four and some of the leading international financial standards organizations.

In addition to its clarity, in my opinion the book serves another important purpose: that of attempting to educate “legacy” type IT managers who in many organizations today have “stale” skill sets and are often ignorant of industry best practices and trends. As many an experienced IT auditor can confirm, these managers are ill prepared for the future and cannot visualize the infrastructure changes needed to implement and maintain the Enterprise Risk Management systems of the post-Great Recession era. Because these folks cannot visualize the future, they tend to be serious obstacles to improving performance and strategically positioning IT investments for competitive advantage. Although high in authority because of seniority or organizational politics, these folks have managed to carve out positions where they appear to provide value not by what they do, but by how they stop others from doing. They are in a way the “Gate Keepers” against innovation and process improvements. If by some miracle some of these individuals were to read “The New Data Imperative,” I think great technological achievements would take place in their organizations.

If you are an IT Auditor or a Risk Manager for a financial institution, I highly recommend that you familiarize yourself with this book. I believe the book will bring you up to date on the latest real-time risk management concepts and will open your eyes to some of the technological challenges we will be facing in the next three to five years as Enterprise Risk Management evolves to a more mature level.

Because the book is small and unassuming, I also recommend it as a gift for those “legacy” type IT managers I mentioned earlier. It may be the most eye-opening technology book they’ve read in the last 10 years!

If you’re wondering about the “Nude Sunbathing” sign above... let me explain why it’s here. This picture was taken last July one block away from the Jacob Javits Convention Center in NYC, on the day the National Enterprise Risk Management Club of Buenos Aires, Argentina, was holding its national awards for the most creative use of Twitter in a crisis situation. When members saw this sign they tweeted all the participants, and half the Jacob Javits Center emptied as the men rushed to the Hudson River to watch the annoyed sunbathers. Now the question being debated by serious Harvard sociologists is: Did Twitter empty out the Jacob Javits Center, or was it the naked sunbathers and their uncontrollable effects on the hot Latins from Argentina?


Response from Senator Bob Menendez to the “Dumb Auditor” Article

December 16, 2009, Joel Font, CISA, CBCP

Senator Bob Menendez

Dear Mr. Font:

Thank you for contacting me to express your opinion on banking reform.  Your opinion is very important to me, and I appreciate the opportunity to respond to you on this crucial issue.

I appreciate you taking the time to provide your ideas on how we can make changes to the banking industry to improve its efficiency and transparency.  Every day New Jerseyans are working very hard to provide for their families, but current market conditions have made it difficult for families to save or access credit.  The financial collapse last year demonstrated the need for increased transparency to protect investors and consumers from fraud and irresponsibility.  Americans simply cannot afford the risks associated with widespread economic instability such as losses of jobs, savings, and benefits.  I am committed to ensuring that our financial markets are fully regulated and operate in the best interest of the American people.

As a member of the Senate Banking Committee, I have long stood for financial reforms that promote smart, healthy, and sustainable development. I rely on the important communications I receive from my constituents to guide my work in the United States Senate. On this, as with any issue, there are many different viewpoints, but please rest assured that I will continue to work diligently to respond to the many valuable insights I receive from New Jerseyans like you.

Finding solutions to the issues you raise is what drives me to keep standing up for New Jersey families.  Again, thank you for sharing your thoughts with me.  Please do not hesitate to contact me if I may be of more assistance. 

I invite you to visit my website http://menendez.senate.gov to learn of other important issues in New Jersey.

Auditing Career: Do “Dumb” Auditors have more Professional Longevity than “Smart” ones?

Thanksgiving Day
Image via Wikipedia

Two days ago I attended a nice Thanksgiving party given by a CIO friend, who, like in previous years, had invited several CFOs, corporate attorneys and high-level management people from high-profile Fortune 500 companies in the New York region to his house. After a few drinks and delicious turkey, conversations about the state of the economy, technology and the headaches of regulatory compliance ensued. There were two auditors in the group and it felt as if we were the only ones who did not feel regulatory compliance is a headache. My Merlot and turkey friends, perceiving that they had numerical superiority over us, went on to a typical “we hate the auditors” discussion, where we had the “pleasure” of hearing every criticism launched against auditors since the time of Heraclitus. Thank goodness I too had access to the Merlot. One of the discussions that has stayed in my mind is one about how “well appreciated” dumb auditors are. And this I’ve decided to share with you.

Most auditors learn early in their careers that auditing is not a popularity contest. As a result they adjust to the fact that they are paid to investigate, search, test, snoop around, and in many cases confirm the existence of wrongdoing and mistakes by members of the organization at all levels. The auditor is usually the person who has ulterior motives for asking questions, and the one who usually does not bring good news. The auditor, by his/her simple presence, disrupts the “normal order” of things, makes the staff feel uncomfortable and requires that all evidence be double-checked for accuracy and legitimacy. Often, when those being audited most want the auditors to “go away,” some action or words deep in the crevices of the organization send a message to the auditors to dig deeper or further expand their questions. In common language, auditors are a pain in the neck.

The intensity of hatred or dislike towards the auditor, however, varies depending on his/her ability to understand what he/she is testing or investigating. The smart, experienced auditor tends to ask deep, relevant and timely questions, often not found in a strict audit script or checklist, which can open the doors to problems and issues hidden just below the surface. The smart auditor is happy when he/she finds problems, because he/she sees himself/herself as a solution or insurance policy against risk exposures to the company. However, this feeling is not shared by those who “own” the problems and, depending on company politics, the reactions can range from lukewarm admission, to challenges bordering on threats from some levels of management, to a long-term stealth campaign against the auditor leading to his/her dismissal for supposedly “unrelated reasons.” Like a whistleblower, the good auditor walks a dangerous road. During difficult times, the good auditor has few or no allies.

The dumb auditor, on the other hand, usually sticks to a rigid script or checklist, and is not likely to expand his questions beyond the “scope” of the audit, preassigned or created with the approval of management. The audit process of the dumb auditor tends to be quick, rarely discovering problems and always neatly on time. His reports usually sound like this: “We tested A, B, and C and found no exceptions. Management’s controls are working according to established policies and guidelines and” (here is the mandatory recommendation for improvement, so it looks like some work was done) “we believe the Segregation of Duties process in AP can be tightened by implementing the following... Otherwise all is well.” This cookie-cutter report, used by both Internal and External auditors, is the type that makes its way to most audit committees today. This is also the type of report, according to my friends at the Thanksgiving party, that management wants and pays handsomely for. I found myself looking at the other auditor and realized that we were both nodding in agreement. My friends at the party, all experienced in dealing with auditors, pointed out that “Smart” auditors, or auditors with independent minds, cannot last long in a typical organization, because the very act of following their ethical, inquisitive and legalistic mentalities gets them into serious conflicts with management and they end up fired after short tenures. Also, good auditors have few champions in the organization who see value or gain in “protecting” someone who is serious in his/her responsibility to investigate or test anyone (including them) in the future if they have to. This is simple human nature. A “Dumb” auditor, on the other hand, creates few waves, does not offend or criticize too much, uses neutral and complimentary language in reports, and keeps to his/her “scripts” as planned by management. By playing dumb, this type of auditor is indirectly “winning friends and influencing people.” His/her back is covered because he/she is needed by those who need coverage. The dumb auditor has allies.

In light of current scandals, like the Bernie Madoff case and the mortgage meltdown, it has become common for many to ask: “And where were the auditors while all this was happening?” My answer has to be that most of the auditors involved were diligently doing their jobs as good “dumb” auditors do, so they can stay employed. That is, they were auditing every nook and cranny that was within scope and within the “Risk Appetites” of their organizations, as set by “management.” But what about the codes of conduct, the audit charters, the PCAOB, the SEC, GAAS, ISACA and the IIA? Don’t these organizations have some level of control over how auditors should conduct themselves and how they should investigate and follow up on questionable activities? Are all of these structures useless? My answer is no. These are not useless organizations, and without them, the problems cited by my friends at the Thanksgiving party would be much worse. The codes of ethics, guidance documents, audit frameworks and standards created by these organizations are the only line of defense we auditors and audit committees have against the many Barbarians who dwell in the halls of corporate America today. But are these standards and frameworks sufficient? My feeling is that they are not, and here is why. Money corrupts, as every auditor knows. When you follow the money you find the power. Organizationally, there is an imbalance between the auditor and those he/she audits. On the one hand you have a well-meaning, ethical person who wants to do the right thing, making an average mid-level management salary, tasked with uncovering wrongdoing among those at levels that can crush him/her with ease, and whose interests are the maintenance of the status quo, a low profile and making sure the company’s stock value is not disrupted by doubtful auditor reports. In most companies, those at the Director, V.P. and “C” levels (usually persons with net worths in the millions of dollars and stockholders in the company) can easily muster the resources of the organization whenever they raise a red flag regarding a “troublemaker.” The controlling factor here is not bribery, but the threat of dismissal. So, in my opinion, things boil down to a primal level for the auditor: ethics, integrity, morality, legality and professionalism on one side, versus no job on the other: unemployment, inability to pay the mortgage, damaged credit rating, children without college tuition, etc. How many good auditors can consistently afford to be martyrs, and when it happens, who shows up at their door to help them pay the mortgage? The fact that the majority of auditors are good, ethical, law-abiding and take their oaths of conduct and ethics seriously is a reflection of the social, religious and cultural values they share with the greater society, and less so of other types of controls promoted by various groups. As these cultural, religious and social values erode, as a result of poor education, dysfunctional families, media aggrandizement of thieves, the belief that the “bad guys” win and little understanding of civics, I suspect we will see more problems relating to poor auditor ethics and values. In general, auditors are still good because they perceive that society provides more positive reinforcements for good behaviors than for bad ones.

In addition to the money and power challenges I noted above, there are issues dealing with the “Culture of Auditing,” which most of us are familiar with. In my opinion, many of these favor the “Dumb” auditor. Some of these also help explain why many Madoff-type schemes go “Undetected.” Here are the top fourteen that come to mind. I am sure there are others:

  1. Auditors are taught to find ways to give bad news in a positive manner. Avoid bad news as much as possible.
  2. Auditors should avoid using the words “Failure,” “Problems,” or naming specific individuals who fail or pose problems. Instead they should call these things “Exceptions,” or “Positive Findings Needing Improvement.”
  3. Even when management has repeatedly ignored auditor recommendations and warnings, auditors are expected to be “flexible” and at best point out the issues as “still needing some levels of improvement.”
  4. Auditors are bound by extreme discretion and confidentiality. They are to be like flies on the walls: rarely seen and not too vocal on any subject or occasion.
  5. Management has the last say in terms of what is possible by way of solutions to issues raised by audit. The “Business” is the key determinant in whether a risk gets addressed as recommended by audit.
  6. Auditors work on behalf of management, and are not to be seen as impediments or obstacles to management’s decision-making. Aggressive auditors can inhibit management’s entrepreneurial spirit.
  7. The auditor is there to protect the business from outside risks.
  8. Management sets the “Risk Appetite” for the company. Auditors work within those parameters, even when the parameters are not well defined (on purpose).
  9. Auditors are supposed to uphold the utmost ethical standards, but often their superiors lie, cheat and have no scruples. Sometimes the Code of Ethics, zero-tolerance statements, and even the Audit Charter are disregarded at higher levels, while zealously enforced at the lower levels.
  10. Auditors are supposed to remain positive and unmoved, even when those audited assassinate their character, create rumors and gossip about their professionalism, plant fake or doctored evidence against them, and call for their dismissal.
  11. Auditors are supposed to maintain meticulous notes and documentation, while many of their superiors rarely answer email requests for clarifications, or document an opinion.
  12. Auditors are supposed to advocate for and practice “meritocracy,” being in a constant race to obtain and maintain professional certifications, while it is not unusual to see many of their superiors having reached positions of authority because they have either slept, drunk, bought or strong-armed their way up the ladder.
  13. When the Chief Audit Officer is weak, unstable and/or indecisive, audit work is reactive and there is unusual turnover in Internal Audit. Expertise, maturity and professionalism have little time to take root. “Dumb” auditors flourish in these environments.
  14. In a recession and during cost cutting, some Audit departments let go of their “expensive” talent, keeping lower-paid, less experienced staff on hand until better times (and budgets) return. “Dumb” auditors flourish in these environments also.

As I prepared to finish this article, I discussed it with my friend, the other auditor at the Thanksgiving party, and he felt many of the issues tackled here are highly controversial and uncomfortable. He said I make many generalizations, like what constitutes “Dumb” or “Smart.” He said that what I call here the “Dumb” auditor may really be the “Smart” one. Every person faced with the sorts of challenges I mention has a huge reservoir of personal, professional and family reasons for taking one or another path, and those are known only to that person. Passing judgment as I appear to do in this article may be too insensitive and simplistic. The issues are just too complicated to put them in simple moral boxes.

I admit that my friend makes good points here, and I can only say that in this article my intent is to shed light on what is clearly a serious challenge with ramifications that go far above those of individuals.   This is a serious systematic problem  in the business world and many good minds in government and in professional organizations worldwide are working hard to find the right solutions.   In an ideal world, the typical auditor should not have to spend sleepless nights wondering whether he/she should play “Dumb” or “Smart.”

I personally do not have a clear answer on how to solve these dilemmas for others. I only know what my ethical, moral and social values are, and I have first-hand experience of the high costs and frustrations of being a “Smart” auditor.

If you are a new auditor, I hope I’ve alerted you to issues that may come your way sooner or later.   If you are an experienced auditor, I hope that by reading this you realize that you are not the only one who has seen these things.

To all readers: I would appreciate it very much if you left your comments on this subject, so we can make this a more diverse exchange. Do you believe that “Dumb” auditors indeed have a longer professional longevity than “Smart” ones?


New from DRII – Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA)

November 18, 2009, Joel Font, CISA, CBCP
Atlantic City, New Jersey
Image via Wikipedia

A new audit track for Business Continuity Professionals and IT Auditors. If you are an experienced Auditor or Business Continuity Planner, this is your opportunity to get certified as a Business Continuity Auditor by the leading BCP organization in the USA. DRI International will be offering training in Atlantic City, New Jersey, this coming April. For more information on this course, see the notice from DRII below:

Two opportunities at the training you want!

The National Fire Protection Association (NFPA) and the Disaster Recovery Institute International (DRI) have joined forces to create an education and certification program that will qualify participants to audit disaster/emergency management and business continuity programs against existing standards and regulations. Certifications available are: Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA).

Through this program, participants will be able to apply the key components of disaster/emergency management and business continuity, the relevant standards, laws and regulations, the process of risk assessment, vulnerability analysis, loss prevention, risk mitigation, and develop, implement, test and maintain their plans and procedures.

The course will cover existing legal and regulatory requirements by industry and country, as well as emerging requirements, including BS25999, SS540, US PL 110-53 (PS-Prep), NFPA 1600, ASIS, DRI International’s professional practices, financial services, insurance, healthcare, utilities, public sector guidance and a host of others. It will also cover the processes by which disaster/emergency management and business continuity programs are initiated with an eye toward corporate governance, policy, and procedures. More in-depth emergency and disaster management will be provided by NFPA.

At the end of the course, a unique audit-track qualifying examination is conducted, and individuals who have passed will be eligible to apply for certification as a Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA). The certification level (CBCA or CBCLA) will be granted based upon the amount of demonstrated audit experience of the applicant. Those seeking the CBCLA designation will be required to provide references to verify that they have at least five years of active audit experience.

For course and education related questions please call the DRII Education Department on the toll-free numbers 866-542-3744 and 866-535-3744.

This course is designed for novice & experienced corporate planners, internal & external auditors…

Course Name: BCLE-AUD
Start Date : 04/26/2010
End Date : 04/30/2010
Course Cost: $2900.00
Instructor: Not Specified

Location:
Atlantic City Convention Center
1 Miss America Way
Atlantic City, NJ  08401

DRII The Institute For Continuity Management.

This was not a paid promotional announcement.


Enterprise Security: Cheating on Your IT Security Audits

Darknet
Image by Computer Science Geek via Flickr

I recently read a good article regarding IT Security Audits which I thought many readers would be interested in. Cheating on IT audits by IT staff is not unheard of to most of us in the auditing business. However, it is a taboo subject that rarely gets any media attention and few ever discuss in public. Whenever we Auditors perform an audit, all the information provided to us is accurate, never doctored, performed within the time frame or scope of the audit and properly authorized by management (if you believe this you may be on drugs). Cheating on audits, on purpose or out of ignorance, is common, and this is one of the reasons we have to verify the authenticity and relevancy of the samples and evidence provided to us before we can accept them.

The article points out that 20% of the 151 IT Security professionals recently polled at a major InfoSecurity conference admitted to cheating on IT Security Audits of firewalls. Although this sounds like a high figure and I have never investigated this in any formal way, I will venture to say that in the “field” the number is probably higher than 20%. Here is an excerpt from the eWeek Security Watch article, which you can read in its entirety by clicking the link at the bottom of the post:

“An audit isn’t worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.

The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies’ approach to firewall auditing and management.

What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating a false sense of their own security posture.

Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all...”

To continue reading this interesting story, please click the link below:

What do you think? Am I stretching it here by thinking that the real figure may be higher than 20%? Leave a comment (anonymously if you like).


Auditing Career: Traveling to Dangerous Places

Regional offices and regions of the WHO: ...
Image via Wikipedia

So, you’re now sitting pretty working for a big Fortune 500 company with the enviable task of auditing subsidiary divisions on three continents, and you’re only 27 years old. If your friends back in Mumbai could only see you now!

This is not an unusual situation in many internal audit departments in large organizations, where fresh young auditors are recruited with the understanding that they are to travel 50 to 75% of the time to places few of them knew existed on the map. The natural inquisitiveness of youth, the romantic appeal of traveling the world, the pay, the superman complex, the arrogance and the lack of common sense we all have at that age make us perfect to accept challenges others with more experience would probably turn down. And this sometimes occurs when young auditors and consultants accept, without much thought, assignments in dangerous places.

In America, knowledge about geography, international politics, and cultural, ethnic, religious and criminal activities in the rest of the world is weak. There are many well-educated Americans who believe that the power of the US Constitution somehow extends beyond our borders, or in some unknown fashion is respected by most foreign countries. There is also a belief that the US version of “the rule of law” is accepted everywhere else in the world, and that in a worst-case scenario, if one is in trouble overseas, a lawyer, just like in the USA, will save the day. This is a dangerous misconception.

On December 10, 2008, my cousin Felix Batista, one of the world’s most respected and experienced international security consultants, was kidnapped in Mexico while giving a conference on anti-kidnapping strategies. To this day, Felix’s whereabouts are unknown and many presume him dead. The plight of his wife and children and our family to bring closure to this ordeal can be understood by visiting the Felix Batista media blog, set up to track coverage of his disappearance. I shared an interest in Crisis Management with Felix, except I chose the technology route and he the international security one. I will share with you a few items you should keep in mind when considering a foreign assignment to places you are not familiar with, or if you are a new employee still unfamiliar with your organization. I hope you do not consider these too radical or old fashioned, especially if you’re relatively new in the field:

1. Understand that your company’s image overseas is likely to be different from what it is in the USA. You need to research this from various sources and understand that you may be putting yourself at high risk by simply identifying yourself as an employee visiting from the USA.

2. Understand that the behaviors, expectations, values and views of a person who earns a yearly income of less than 20 or 25% of what you make will be very different from yours. Be aware that your US-based ethics, morals and values come back on the plane with you, and they do not feed that person’s hungry children who are left behind.

3. Understand that in many countries the “law” and the criminals are the same guys. And that includes the lawyers. You need to research this and determine beforehand what to do in case you are the victim of a setup or involved in an accident. Ending up in a foreign jail is not nice!

4. Understand that in many countries and cultures physical violence is the first step taken in addressing a dispute or misunderstanding.   If you’re lucky, you’ll get a chance to talk later.

5. Understand that your actions, innocent in the USA, may jeopardize the lives of locals. Meeting someone in a restaurant, for example, may brand them as a spy for the company or, worse, an informer for the CIA.

6. Understand the capabilities and limitations of your company’s security department. Do not assume that the V.P. or Director of Security sitting at corporate knows much about the foreign risks you may face. A good number do not. Ask around to see if anyone has ever met a V.P. or Director of Security who has admitted to not knowing about important risks to low-level employees.

7. Understand that in the USA you may be a miserable Junior Auditor, but in many places your earnings put you at the top of the food chain, and you may be feared the same as if you were a member of the Board of Directors.

8. Understand that it’s OK to dress like a cool dude, a Southampton beach bum, a ghetto boy or a spoiled Princess in your spare time in the USA. Doing so in many places around the world is an invitation to be robbed, sexually molested and even beaten.

With these things in mind, you should also ask the Audit Director or your Manager the questions below. If you are uncomfortable with anything, say so, because in the end you will be the one responsible for your life, not someone in an air-conditioned office 3,000 miles away:

  • Are there any World Health Organization (WHO) travel restrictions or vaccine requirements in effect for the country in question?  If so, is the company getting you vaccinated?
  • Is the country or region on any CIA or State Department warning list for US citizens?
  • If your company has been doing business in the country in question for some time, does it have bilingual and/or bicultural staff in place to assist you?  If not, why not?
  • Has your project lead managed previous projects in the country in question, and if not, why was he/she selected to lead this project?  Is he/she qualified, someone’s favorite pet or simply the only one available?
  • Is there an official report or area analysis assessing the region’s geography, politics, and cultural, ethnic, religious and criminal activities, so company personnel can obtain a quick education and know what to expect when they arrive?
  • Have you been, or will you be, briefed on how to handle instances of political unrest, terrorism and natural disasters at the places you are expected to work?
  • Is there a properly documented and authorized company policy for foreign travel and work?
  • What is the official company policy in the event an employee is kidnapped and held for ransom, in light of Foreign Corrupt Practices Act (FCPA) restrictions?
  • Is there a Crisis Management Plan in place that can be executed in the event there is a problem with an employee working overseas?   And if there is one, who is on the crisis management team, and when was the plan last tested or exercised?
  • If you are killed while working overseas, what is the process in place to handle the legal, transportation, funeral, family and financial issues that will have to be dealt with?   Who will pay for your funeral?
  • If you are held hostage for a significant period of time, what is the company’s policy regarding your compensation?  Will they make payments to a family member, and for how long?
  • If your company holds an insurance policy on you (Special Risks) which pays them as beneficiaries in case you die or are injured while working, does it cover your work overseas?   If so, find out the history of this practice and details of any deaths and payouts.   Does the practice indicate anything of concern?
  • Do you have a Will in place that deals with the possibility of dying overseas?  Do you have a Living Will that deals with the possibility of being in a critical condition at a foreign hospital?
  • Do you have a medical and dental “dossier” on record with the company (respecting all HIPAA regulations), or with a close family member, which can be easily referenced by foreign and domestic medical personnel in the event you are hospitalized or your body needs to be identified?
  • If you need medical attention while at the foreign location, has the company provided you with information on obtaining it from local doctors, hospitals or clinics?
  • Have you been given information about the US Embassy and Consulates in the country where you will be working, and whom and how to contact in case of an emergency?
  • Will the company let you opt out of a particular trip if you are uncomfortable with the safety conditions at the destination and the type of security provided by the company?   If not, what is the rationale, and what guarantees are provided to ease your concerns?

If you work for a company that has these things in place and is experienced in sending people to work overseas, you’re in good shape.   But regardless of your company’s maturity level on this issue, it is your responsibility to make sure you do not put yourself in undue danger.  Assume nothing, and do not be shy about asking questions.

Many places around the world do not require excessive planning or precautions for “the worst case scenario,” but you need to be aware of the good places as well as the bad ones.   Experienced international workers do not assume that all foreign engagements will be without challenges, surprises or risks.   And they do not wait until they are in danger to wonder how their companies will react, or if they can react at all.

Going through this type of exercise may seem unpleasant and uncalled for, especially if you hold the belief that most people are good, that all Americans are loved around the world, that there is no threat of terrorism, that the violence attributed to drug cartels is overrated, and that the disparity between rich and poor is a myth.   If you hold these beliefs, I wish you the best and hope you are able to hold them for as long as possible, without reaching any life-threatening situations.

For the young auditors and young consultants out there, excited about the travel and the life of an “expense account junkie,” I say go for it.   Work hard and play hard, but do it with your eyes open and as safely as possible.   And always give yourself the option of not going if you sense the risks are too high or those tasked with protecting you are clueless, incompetent or irresponsible.

What do you think?   Leave us some “Comments” regarding your views on this matter and perhaps some personal experiences as well.

Enhanced by Zemanta

A Painful Lack of Security Jobs


I just read this excellent article from CSO Security and Risk magazine online, regarding the state of the job market for top-level IT Security professionals, and I decided to share it with you because my sense is that we have been experiencing a similar situation in the IT Audit field.

The economic downturn has forced many companies to cut corners and get rid of many folks at senior management levels (including many CISOs and IT Audit Directors), creating serious hardships for a layer of individuals who are, by all standards, the most qualified, best certified and most experienced in the industry.    These individuals are not finding work, not because they are poorly qualified, but because companies no longer want to, or cannot, pay them for having reached these high levels of expertise and professionalism.   The typical company in today’s environment is looking to hire a lower-level (lower-paid) “Analyst” with mid-level technical skills over a well-seasoned IT Security professional.    From my discussions with peers in IT Audit, the same is happening with folks holding multiple certifications, CISA-CFE-CISSP or CISA-CBCP-ARP, which would have been insane or close to impossible just two years ago.   This sort of thing is happening all over the country, as the article points out, and will have long-term negative impacts on both companies and the individuals experiencing these hardships.   Below is an excerpt from the CSO Security and Risk magazine article, which you can read in its entirety by clicking the link at the bottom of the post:

“An IT security pro’s personal tale of a long and bloody job hunt and what it says about the industry’s current state of affairs.

We can blame it all on this dastardly economy, but even in good periods, qualified individuals find it difficult to land a job as an executive.

Just recently, I applied for a job as a director of information security. The position reported directly to the company’s hiring manager (CIO). It was widely advertised at the company so many of my friends and colleagues knew who the hiring manager was. I had already contacted the CIO directly — and had subsequently been introduced to him and recommended by other CIOs who knew him well, so the hiring manager immediately e-mailed me to say to contact the HR director for an initial phone interview and to call him later that same day.

Both interviews went extremely well, with conversations lasting well over an hour. We covered their challenges that I could address and gravitated to small talk on our past experiences. We clicked and had long, enjoyable conversations. The CIO said he would bring me in for a face-to-face meeting the following week once he had a chance to interview other candidates.

Deep down I was overly cautious, having been burned in the past, as I explained to another candidate who had applied. I said, “It would appear to you I’m a natural shoo-in or on the CIO’s short list by knowing so many people and from the work I do. But it is getting to the point that it no longer matters who and what you know, not even if you’re a close friend of the hiring manager.”

Being well-known in the industry and the local IT community, I knew who these other candidates were, and we shared much information. It is a small world.

In the weeks that passed, I sent the CIO two follow-up e-mails; I also e-mailed the HR director in California. All three were met with silence. I also left the CIO two voice mail messages — one on his office line, the other on his personal cell phone — and neither was returned. After three weeks, I received a phone call from the HR director telling me the CIO was unsure about the position. He was contemplating diminishing the role to a lesser grade and I was, of course, overqualified, and so were the other candidates…”

To continue reading this interesting story, please click the link below:

What do you think?  Are you a high-level person experiencing something similar in today’s economy?  Please share by leaving a “Comment.”


Auditing Career: How to Focus on High Value Skills


Recently, I received an email from a young auditor, asking that I advise him on how to focus his resources in a way that will yield the most valuable skills for the future, especially in a future where IT Audit and Financial Audit are meshing.  Below is the email, with his name changed to protect his privacy:

“Hello Joel,

I have a question for you. I have a business background, having done Chartered Accountancy and then also did CISA. I also worked in the Enterprise Risk Services in Deloitte. The field of IT Audit requires an understanding of the business processes as well as the technical knowledge of ERP, OS and other applications. Since one cannot be an expert in both (business & technical), how can one achieve a balance between the two and know which skills will be most valuable in the future?

Regards,

Mr. H. Dalad Wasi”

This is, in my opinion, one of the most important questions auditors should be asking themselves today. Gone are the days when auditors could rely on a static set of skills and practices to succeed in their careers. And gone are the days when most auditors, internal and external, had the good fortune of having job security to the point where they could, over a period of many years, fine-tune company-specific “routines” that allowed them to remain in their company’s insular (and sometimes provincial) cultures, where bad habits and bad practices went unnoticed and unchecked for decades. As a result of Globalization and market realities, survival for most auditors now depends on their ability to re-educate themselves quickly and to gain a strong foundation in the internationally accepted frameworks promoted by organizations like the IIA, ISACA, ISO, IRCA and the AICPA. After gaining the basic certifications issued by these organizations, my focus would be as follows:

1) Prepare to change the focus of your career several times over the next 5 or 10 years, in order to adjust to rapid changes in the economy and as technology forces change in society in general. What I’m saying here is that 10 years ago there was no Sarbanes-Oxley, IT Auditors were still focused on AS/400s and EDI networks, and the Internet was still not well defined as a viable e-commerce platform. Most auditors 10 years ago still worked in a manual environment, and those using spreadsheets were considered highly advanced. Imagine an auditor today not “accepting” work on Sarbanes-Oxley, or not having upgraded his technical skills beyond the AS/400. They would be out of work. In a nutshell, to stay employable the auditor must be able to dynamically accept and understand the tools, processes, political realities, economics, new practices and limitations adopted by the general society, the auditing field and specifically the business world, as they progress through time. Some folks call this “having an open mind to change.”

2) Accept that the meaning of “Auditor” is in flux and in the process of being redefined. It is my opinion that today the best auditors are those who unofficially wear about 4 hats at the same time. The first hat is the traditional hat worn by the typical CIA or CISA, which is focused on control frameworks and controls testing. Then the risk management hat, which is for auditors a “light version” of the work done by the PRM or ARM folks: dealing with formal risk assessments, reporting and analyzing impacts at the operational and IT levels. Then there is the compliance hat, which auditors cannot avoid since they are the ones testing the controls that either pass or fail compliance. So they often have to perform some sort of unofficial duties helping the compliance officers or, when there is no compliance officer, leading the compliance / remediation efforts in some fashion. The fourth hat worn by most auditors is the Governance hat. In the past, this hat was a small one, but now it’s gaining in size. Both corporate and IT governance have experienced fast changes since Sarbanes-Oxley was passed, stockholders became more demanding (in the last 10 years) and internationally accepted frameworks have been accepted as legal and operational practices. The need for governance advisers by boards and the “C” levels has allowed many auditors to fulfill this role, given their traditional work with rules and regulations, policies and procedures. Next to corporate lawyers, auditors are the best positioned to work in the governance area. In my opinion, auditors who master these four areas are currently in high demand and will be so for a long time.

3) The IT challenge. My opinion is that IT Auditors need to get their CIA certifications and financial auditors need to get their CISAs. This will take time for most people, but it’s not undoable, especially for intelligent folks who are good at test taking. Most auditors, by natural selection, are good at taking tests! Why do I feel this way? Remember we are talking about things that will make you most valuable for the future, and with the US economy shrinking, outsourcing, foreign competition and shorter employment cycles for most professionals, those who have the most diversity of skills and qualifications are better off than those who do not. If you look at the CIA material, a good two sections parallel the CISA material. Study and get it done, period.

4) If you are a new CISA, I recommend that you focus your energies on two or three IT domains (IT Security, DR, SDLC) which you will make your “forte” for the next two to three years.  Included in there should be strong knowledge of an ERP system like Oracle.  Also, make sure you learn and become comfortable with CobiT 4.1.  If you are a new CIA, I recommend that you focus your energies on learning the IFRS and position yourself as an expert in that area.  Also, learn the COSO framework and get a good grip on risk assessments and the ACL analytics package.

The email from H. Dalad Wasi also asks how one can maintain a balance between IT and Financial auditing (since he is balancing the two). He is right in that few people can be masters of both. My answer is that one tends to gravitate toward that which gives you the most satisfaction and where you find the greatest recognition and compensation from a social, financial, political and family perspective. If you are a nerd dressed up as an auditor, this will influence how you make this decision. But if you’re an auditor forcing yourself to understand TCP/IP and router tables, this will also influence your decision. When I say that auditors should be both IT and financial auditors, I do not call for supermen or superwomen who are complete experts in each domain. Strong expertise in one domain and working knowledge in the other is sufficient to give you the competitive advantage needed.

This was intended to be a short reply, but it grew into something bigger. I also suspect I’ve missed some key issues, but for now this is my advice and I hope it was helpful to H. Dalad Wasi and others reading it.

If readers have ideas or suggestions for Mr. Wasi, please feel free to leave them here in the “Comments” so we can all contribute.


Nigeria: Corrupt Auditors and Auditing Practices


Sometimes it’s good to read about the auditing profession in other countries to get a sense of perspective about auditing in the USA.

This story published in the allAfrica.com News Service provides a good sense of the lack of ethics, oversight and reliability of auditors in Nigeria. I’ve always wondered (and sometimes admired) how some companies do business in places like these and consistently stay in compliance with the FCPA.  At other times I just wonder how it is that half of the officials in these places are corrupt, but the foreigners who do business with them are always ethical and lawful.   After you read the excerpt below, you can read the complete article by clicking on the link at the bottom of the post:

“Abuja – When the EFCC carried the anti-corruption war to the Federal Ministry of Agriculture and Water Resources recently, it yielded good results. The head of internal audit received marked bills totalling N2 million as a bribe from some contractors. He was caught in the act!

The story has not attracted undue attention, partly because it is common and “normal” in government ministries, departments and agencies. Auditors are envied even by other corrupt colleagues. They obstruct free flow of files so that contractors, suppliers and even workmates are forced to offer bribes to them. Often, they do not act alone: they have the backing of their bosses who also have itchy fingers. In the private sector, internal and external auditors collaborate to doctor the books of quoted and unquoted companies.”

To finish reading the story from the allAfrica.com News Service, click the link below:


*** Important Update ***

Soon after I posted the article above, I was contacted by a Nigerian person who directed me to a Nigerian blog that carried a story on the subject of fraud, auditors and the Nigerian Oil and Gas Industry.   Although I am not a follower of business, political or social events in Nigeria, I found it appropriate to add information about this story and link it for the benefit of those interested.    The story shows how real efforts are being made in Nigeria to combat corruption and how local auditors are not all corrupt.  Below is an excerpt of the story, posted on the Nigeria General Discussion blog website, which you can read in its entirety by following the link at the bottom of this update:

“How Corruption, Theft Ruin Nigerian Oil and Gas Industry.  Is PIB the Way Out? – From DENNIS MERNYI, Abuja.

The high-level corruption and theft in the extractive industry, particularly the oil and gas industry, has been exposed for the second time by the Hart Group and Sam Afemikhe group of auditors that carried out the audit report on the activities of the multinational firms in the oil and gas sector and the Nigerian government institutions responsible for revenue, tax collection and regulation of all financial transactions in the sector.

The auditors were commissioned by the National Stakeholders Working Group of NEITI under the chairmanship of Professor Assisi Asobie, and their report was unprecedented for its independence and comprehensiveness. In that report, both financial and physical audits were carried out. Nigerian National Petroleum Corporation, NNPC, Central Bank of Nigeria, CBN, several government institutions as well as oil companies were indicted for stealing chunks of money either during crude production or refined oil product export or supply.

In the report also, the auditors found some discrepancies among the Petroleum Profit Tax (PPT), royalties and gas flaring penalties the companies declared they have paid and what the CBN said it had received.

NNPC’s reported cash calls were reconciled with receipts by the joint venture operators, but when the audit moved away from the CBN to focus on PPT and royalties in more detail, it ran into several problems because the companies’ assessments of production differed from the Federal Inland Revenue Service others’ records.

NEITI was created in 2004 essentially to develop a framework for and ensure transparency and accountability in the reporting and disclosure by the extractive industry companies of revenue owing to or paid to the government. As a subset of the global Extractive Industries Transparency Initiative, EITI, the main task of NEITI is the reconciliation of payments made by the extractive industry companies with receipts recorded by public agencies.”

The article goes on to mention the challenges faced by the auditors who undertook the investigation, attempts to influence or derail their report by political forces, and the large amounts of money involved, and identifies some of the foreign companies investigated.

To read the entire article, please follow this link:


Does Wikileaks Support Corporate Whistleblowers?


For those who did not read my previous post about Wikileaks.org, here is an explanation of what they do, copied from their website:

“Wikileaks is an uncensorable version of Wikipedia for untraceable mass document leaking and analysis. It combines the protection and anonymity of cutting-edge cryptographic technologies with the transparency and simplicity of a wiki interface.

Wikileaks looks like Wikipedia. Anybody can post comments to it. No technical knowledge is required. Whistleblowers can submit documents anonymously and untraceably. Users can publicly discuss documents and analyze their credibility and veracity. Users can discuss the latest material, read and write explanatory articles on leaks along with background material and context. The political relevance of documents and their veracity can be revealed by a cast of thousands.

Wikileaks incorporates advanced cryptographic technologies to ensure anonymity and untraceability. Those who provide leaked information may face severe risks, whether of political repercussions, legal sanctions or physical violence. Accordingly, sophisticated cryptographic and postal techniques are used to minimize the risks that anonymous sources face.”

Now that you know what they do, the excerpt below, copied from the Wikileaks “About” page at www.wikileaks.org, provides information on Wikileaks’ views regarding corporate whistleblowers.    I believe that the work these folks are doing will likely have a far-reaching impact on our professions, corporate ethics, fraud investigations and governance in general.   Read and reach your own conclusions:

“Does Wikileaks support corporate whistleblowers?

It is increasingly obvious that corporate fraud must be effectively addressed. In the US, employees account for most revelations of fraud, followed by industry regulators, media, auditors and, finally, the SEC. Whistleblowers account for around half of all exposures of fraud.

Corporate corruption comes in many forms. The number of employees and turnover of some corporations exceeds the population and GDP of some nation states. When comparing countries, after observations of population size and GDP, it is usual to compare the system of government, the major power groupings and the civic freedoms available to their populations. Such comparisons can also be illuminating in the case of corporations.

Considering the largest corporations as analogous to a nation state reveals the following properties:

1. The right to vote does not exist except for shareholders (analogous to landowners) and even there voting power is in proportion to ownership.
2. All power issues from a central committee.
3. There is no balancing division of power. There is no fourth estate. There are no juries and innocence is not presumed.
4. Failure to submit to any order may result in instant exile.
5. There is no freedom of speech.
6. There is no right of association. Even romance between men and women is often forbidden without approval.
7. The economy is centrally planned.
8. There is pervasive surveillance of movement and electronic communication.
9. The society is heavily regulated, to the degree many employees are told when, where and how many times a day they can go to the toilet.
10. There is little transparency and something like the Freedom of Information Act is unimaginable.
11. Internal opposition groups, such as unions, are blackbanned, surveilled and/or marginalized whenever and wherever possible.

While having a GDP and population comparable to Belgium, Denmark or New Zealand, many of these multi-national corporations have nothing like their quality of civic freedoms and protections. This is even more striking when the regional civic laws the company operates under are weak (such as in West Papua, many African states or even South Korea); there, the character of these corporate tyrannies is unobscured by their civilizing surroundings.

Through governmental corruption, political influence, or manipulation of the judicial system, abusive corporations are able to gain control over the defining element of government — the sole right to deploy coercive force.

Wikileaks endeavors to civilize corporations by exposing uncivil plans and behavior. Just like a country, a corrupt or unethical corporation is a menace to all inside and outside it.”

I’ve heard calls for reforms in the board room, but what these folks are talking about goes a little beyond that!


Wikileaks Plans to Make the Web a Leakier Place


This may be one of the most revolutionary events in the history of Corporate Governance since the SEC was established.    It will be interesting to follow how this service unfolds around the world and here at home.

Here is an excerpt of the article:

“IDG News Service – Wikileaks.org, the online clearinghouse for leaked documents, is working on a plan to make the Web leakier by enabling newspapers, human rights organizations, criminal investigators and others to embed an “upload a disclosure to me via Wikileaks” form onto their Web sites.

The upload system will give potential whistleblowers around the world the ability to leak sensitive documents to an organization or journalist they trust over a secure connection, while giving the receiver legal protection they might not otherwise enjoy.

“We will take the burden of protecting the source and the legal risks associated with publishing the document,” said Julian Assange, an advisory board member at Wikileaks, in an interview at the Hack In The Box security conference in Kuala Lumpur, Malaysia.”

To read the complete article, from CIO.com, please click the link below:


FTC: Bloggers must disclose material connections to endorsed products


I am not surprised that our political culture is beginning to address the challenges of an “un-regulated” blogosphere, especially when financial (and eventually taxable) matters are at hand.

Although I am a technologist with a web presence going back to 2001, I did not focus time and energy on blogging until recently.  My blogging practice is now to identify any and all endorsements or royalty agreements with vendors whose products I review or recommend.   If I have no financial interests, my posts simply omit any mention of an agreement.

As of this writing, the only commercial arrangement I keep related to this Blog is the Today’s Audit Journal Book Store, which is an affiliate program with Amazon.com.   Books and products I review on this Blog I may also recommend for purchase by interested readers through my book store.  However, readers are free to purchase said products anywhere else on the web.

In terms of syndicated news articles posted in this Blog: all article sources are properly cited for copyright protection, and if the article at its source (other Blog, publication, etc…) promotes a product or service, I am not compensated unless disclosed.   The use of syndicated news in this Blog is for the purpose of helping readers stay informed on subjects I consider of value to our profession, and as a means to maintain a consistent flow of posts, especially when I am unable to write/post due to professional/family demands.

The above mentioned practice and anything else presented in the “Legal” page of this blog shall constitute my official policy towards disclosures relating to endorsements or payments from third parties or vendors.

To read the entire article on the new FTC regulations, from the Tech Policy & Law News – Betanews website, please click the link below:
