
  

Subject: News from The Institute for Internal Controls


 


 

Fall-Winter 2010

Vol. 5, Issue 3/4

TheIIC e-Newsletter


 


Featured Member



JOHN KYRIAZOGLOU, CICA



This issue's featured member is John Kyriazoglou, CICA. John is an international IT and Management consultant with over 35 years' on-the-job practical experience with both private and public sector organizations. John has worked in Canada, Europe and the Middle East for over 35 years, as a Senior IT manager, IT auditor, Group EDP Internal Audit Manager and senior management consultant, for a variety of clients and projects, in both the private and the public sectors.

John was educated in Canada, at the International Data Processing Institute earning a Certificate in Computer Programming and Data Processing, at the University of Toronto where he earned a B.A. with Honours and in the U.S. at Pacific Western University where he earned a Masters in Science. He is a Certified Internal Controls Auditor (CICA) and has published four books and over 20 articles in professional publications, has served on numerous scientific committees, is a member of ISACA, the Institute for Internal Controls and other professional and cultural associations. He instructs courses in IT Auditing, Security and Electronic Crime Prevention.

John has recently authored a book on IT Controls, published by IT Governance, and has co-authored a book with the IIC Chairman and Dr. C. Kyriazoglou titled Corporate Strategic and Operational Controls, which will be released in early 2011. Both books will be used as sources and study guides for the upcoming CICA/CCS examinations.


__________________________________________

ABOUT THEIIC

The Institute for Internal Controls is a global organization dedicated to promoting an effective internal controls environment in all organizations by providing high quality research and education in all areas of internal controls. As an indicator of expertise in internal controls, The Institute for Internal Controls grants the designation of Certified Internal Controls Auditor (CICA) and Certified Controls Specialist (CCS).

__________________________________________

CONTACT INFORMATION

Institute for Internal Controls
109 Mullen Drive, Suite B
Sicklerville, NJ 08081
856.982.2410

TheIIC e-Newsletter is published on a quarterly basis by The Institute for Internal Controls.

Copyright 2010.
All rights reserved.











Message from the Chairman

TheIIC continues to be the most attractive internal controls certification organization in the international marketplace. At the recent ACFE Annual Conference we were one of the busiest exhibitors, receiving more than 300 applications from the 1700 plus attendees. Our presence is growing in Europe, Mexico, the Middle East and the Caribbean. In 2011 we will begin a major effort to establish local chapters in the major cities of the U.S., following the very successful chapter structure established in the international arena. The CICA and CCS are becoming more recognized as our membership and research efforts grow. Most recently, the ACFE notified us that they have approved the CICA and CCS designations to be listed next to a member's name. In 2011 we will start offering the CICA/CCS examination as well as training and study guides for preparation for the exam. We are looking at 2011 to be a very productive year for the growth and expansion of TheIIC. In addition to the above we are beginning planning for publication of an Internal Controls Magazine and a peer reviewed Journal of Internal Controls for research based articles. Details of these efforts will be described in future issues of this newsletter.

Dr. Frank
__________________________________________ __________________________________________

ACFE Annual Conference Exhibit By TheIIC a Success

In July TheIIC again exhibited at the ACFE Annual Conference in the Washington DC area. Attended by more than 1700 members and friends of the ACFE, TheIIC booth was one of the busiest exhibitors at the conference. TheIIC Chairman and several Board Members greeted attendees, introducing them to TheIIC and the CICA and CCS certifications. As a result, more than 300 applications were received. The ACFE Conference continues to be a major event for TheIIC.



Instructors and Course Developers Sought

In 2011, TheIIC will begin offering a portfolio of live and video based training courses. The courses will be a source of reference for those seeking internal controls training as well as preparation for those seeking certification via the examination process. The courses will also be an excellent refresher for the experienced internal controls auditor and specialist as well as a resource for Continuing Professional Education. All members of TheIIC will receive a discounted rate.

TheIIC is seeking educators and professionals with teaching experience to help develop courses and/or serve as instructors. Interested parties should contact the Office of the Chairman for consideration at chairman@theiic.org.



IT Controls Text Authored by CICA

John Kyriazoglou, CICA and our featured member for this issue, has just released a very good text on IT Strategic and Operational Controls. The book is an excellent source of learning and reference for the internal controls auditor and specialist as well as those interested in the field and will be used as a source for IIC internal controls training and for question development for the CICA/CCS examination. John has generously agreed to allow members of TheIIC to receive a 10% discount on their purchase of the book. The link to purchase the book is available below.

Link to purchase textbook



Cloud Computing: What Accountants Need to Know

In the 21st Century "cloud computing" is the new IT buzz word that is gaining a great deal of momentum. Worldwide, cloud services revenue is forecast to reach $68.3 billion in 2010, a 16.6% increase from 2009 revenue of $58.6 billion, according to analyst firm Gartner Inc. So what does this mean to the accounting/auditing/internal controls profession? What are the benefits and risks? What controls need to be in place to address the risks? Who are the vendors in the proverbial sky, and how do you know you can trust them with your data or your clients' data?

An article in the October 2010 edition of the Journal of Accountancy answers some of those questions and explains the history and future of the cloud as well as areas of concern in evaluating risks and implementing internal controls to address the risk.

Link to JOA article



SOX 404 Reduces Financial Misstatements

A new academic study has found evidence that Sarbanes-Oxley 404 audits of companies' internal controls significantly reduce the likelihood of issuing materially misstated financial statements. The report, by Dr. Albert L. Nagy, an accounting professor at John Carroll University in Cleveland, and published in the recent issue of the American Accounting Association's journal Accounting Horizons, provides evidence that SOX 404 is meeting its objective of improving the quality of financial reports.

Section 404 of the Sarbanes-Oxley Act requires firms and auditors to annually assess the systems of internal control that govern company operations and financial reports. Nagy's study found that 20 percent of the financial reports from non-complying companies had to be reissued because of material misstatements, compared to only 14.5 percent of the reports from compliers. In other words, non-complying companies proved almost 40 percent more likely than compliers to restate.

Link to Article



COSO Report on Fraudulent Financial Reporting Released

Extract from Report Executive Summary (edited)

A COSO sponsored study, titled Fraudulent Financial Reporting: 1998-2007, provided a comprehensive analysis of fraudulent financial reporting occurrences investigated by the U.S. SEC during the period. The study updated their understanding of fraud since COSO's 1999 issuance of Fraudulent Financial Reporting: 1987-1997. Some of the more critical findings of the present study include:

  1. There were 347 alleged cases of public company fraudulent financial reporting from 1998 to 2007, versus 294 cases from 1987 to 1997. Consistent with the high-profile frauds at Enron, WorldCom, etc., the dollar magnitude of fraudulent financial reporting soared in the last decade, with total cumulative misstatement or misappropriation of nearly $120 billion across 300 fraud cases with available information (mean of nearly $400 million per case). This compares to a mean of $25 million per sample fraud in COSO's 1999 study. While the largest frauds of the early 2000s skewed the 1998-2007 total and mean cumulative misstatement or misappropriation upward, the median fraud of $12.05 million in the present study also was nearly three times larger than the median fraud of $4.1 million in the 1999 COSO study.
  2. The companies allegedly engaging in financial statement fraud had median assets and revenues just under $100 million. These companies were much larger than fraud companies in the 1999 COSO study, which had median assets and revenues under $16 million.
  3. The SEC named the CEO and/or CFO for some level of involvement in 89 percent of the fraud cases, up from 83 percent of cases in 1987-1997. Within two years of the completion of the SEC's investigation, about 20 percent of CEOs/CFOs had been indicted and over 60 percent of those indicted were convicted.
  4. The most common fraud technique involved improper revenue recognition, followed by the overstatement of existing assets or capitalization of expenses. Revenue frauds accounted for over 60 percent of the cases, versus 50 percent in 1987-1997.
  5. Relatively few differences in board of director characteristics existed between firms engaging in fraud and similar firms not engaging in fraud. Also, in some instances, noted differences were in directions opposite of what might be expected. These results suggest the importance of research on governance processes and the interaction of various governance mechanisms.
  6. Twenty-six percent of the fraud firms changed auditors between the last clean financial statements and the last fraudulent financial statements, whereas only 12 percent of no-fraud firms switched auditors during that same time. Sixty percent of the fraud firms that changed auditors did so during the fraud period, while the remaining 40 percent changed in the fiscal period just before the fraud began.
  7. Initial news in the press of an alleged fraud resulted in an average 16.7 percent abnormal stock price decline in the two days surrounding the news announcement. In addition, news of an SEC or Department of Justice investigation resulted in an average 7.3 percent abnormal stock price decline.
  8. Long-term negative consequences of fraud were apparent. Companies engaged in fraud often experienced bankruptcy, delisting from a stock exchange, or material asset sales following discovery of fraud - at rates much higher than those experienced by no-fraud firms.

Link to COSO report



GAO Audit Reveals Weak Controls Put IRS System at Risk

A GAO financial audit of the Internal Revenue Service for Fiscal Years 2010 and 2009, released in November 2010, revealed that three-quarters of IT security vulnerabilities and controls identified in previous years' audits of the IRS financial systems have yet to be corrected. This GAO audit reveals that the weak controls put IRS systems at risk.

Among the weaknesses the GAO audit identifies:

  • Allowing individuals more access to sensitive information contained on the network than needed to perform their assigned duties.
  • Permitting users to enter commands that bypassed normal application security controls in its procurement system.
  • Providing unnecessary access to secured areas by visitors.
  • Failing to secure adequately the database associated with the online system IRS used to support and manage its computer access request, approval and review processes.
  • Using unencrypted protocols on a server supporting the Electronic Federal Tax Payment System and several internal routers, potentially exposing user identities and passwords transmitted in clear text across the network to inappropriate disclosure and unauthorized use.
  • Failing to update the database software on the Microsoft Windows servers that supports the IRS's general ledger system to protect against known vulnerabilities.
  • Failing to install critical patch updates on several databases supporting the system.

"An underlying reason for these deficiencies is that IRS has not yet fully implemented key components of its comprehensive information security program," Steven Sebastian, GAO director of financial management and assurance, says in a letter to Treasury Secretary Timothy Geithner. "Although IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective."

In a letter responding to the GAO audit, IRS Commissioner Douglas Shulman says material weaknesses in security controls have decreased over the past year, and steps are being taken to reduce them further. "The improvements we made have significantly reduced the overall risk, and we look forward to work with GAO to develop testing of the IT security controls and the compensating processes and procedures during the FY 2011 audit to demonstrate the overall risk has been reduced to below a material weakness."

GAO points out that the IRS has initiated various programs to address critical information security weaknesses, such as those tied to access controls, audit trails, contingency planning and training. According to the plan, the last of these weaknesses is scheduled to be resolved in fall 2013. The IRS also told the GAO it has developed metrics to measure success in complying with guides, policies and standards in such areas as configuration management, access authorizations, auditing and change management.

Link to COPY OF GAO REPORT



Top Data Security Controls Ranked by 1100 IT Professionals

Imperva sponsored Securosis in a data security survey designed to provide security practitioners with useful information on the perceived effectiveness of major security tools and techniques. The top rated controls (based on perceived effectiveness) include:

  • The top 5 rated controls for reducing the number of incidents are network data loss prevention, full drive encryption, web application firewalls, server/endpoint hardening, and endpoint data loss prevention.
  • The top 5 rated controls for reducing incident severity are network data loss prevention, full drive encryption, endpoint data loss prevention, email filtering, and USB/portable media encryption and device control. (Web application firewalls nearly tied to make the top 5).
  • The top 5 rated controls for reducing compliance costs are network data loss prevention, endpoint data loss prevention, storage data loss prevention, full drive encryption, and USB and portable media encryption and device control. (Very closely followed by network segregation and access management).

Link to Report



Call for Papers

A key resource for members is the sharing of information among the membership via articles. Subject matter including techniques for reviewing internal controls, discussion of available tools, case studies, etc. can assist both the new and experienced internal controls auditor/specialist.

If you would like to submit an article or monograph on any subject matter that may be of interest to the membership, we encourage you to do so. You can direct any materials for review to the Chairman at
chairman@theiic.org.



Message from the Editor: Welcome for First-timers

For first timers, I would like to welcome you to TheIIC e-Newsletter. In the design of the newsletter we completed extensive research on how to make the e-newsletter successful. As you can see, the layout is a little different than you see in other e-newsletters. While most e-newsletters only give you a few lines of the article, with a link to the full article, we have decided to present an abstract type summary of each, with a link to the full article, when available. We feel that this allows you to get the substance of the article without having to link to another site. However, we do provide a link for those who want any additional details available. This also provides you with the ability to print out the newsletter and read it at your leisure. We encourage any comments or suggestions for improving the e-newsletter. Comments as well as contributions for publication should be sent to me at e-newsletter@theiic.org.



NEWS: Archived e-Newsletters Now Available on TheIIC Website

If you missed a previous edition of TheIIC e-Newsletter, or would like to retrieve a copy, you can now view archived editions of TheIIC e-Newsletter on TheIIC website at http://www.theiic.org/publicationsnewsletter.html.

Link to Archived Editions of TheIIC e-Newsletter

email: e-newsletter@theiic.org

phone: (856) 982-2410

web: http://www.theiic.org

 
