Use the Updated IS Audit and Assurance Standards; Comment on Guidelines Before 31 December
The IT Assurance Framework (ITAF) is a comprehensive, good-practice-setting reference model that incorporates the ISACA IS audit and assurance standards. ITAF applies to individuals who act in the capacity of IS audit and assurance professionals and are engaged in providing assurance over components of IS applications and infrastructure. The standards, guidelines, and tools and techniques have also been designed so that they are useful to a wider audience, including users of IS audit and assurance reports.
ISACA has updated the standards and reorganized them into three categories: general, performance and reporting. The guidelines contained in ITAF, 2nd Edition are being updated into the same three categories to support the updated standards. Exposure drafts of the guidelines were posted on 1 October 2013, and public comments are being accepted through 31 December 2013.
The revised standards became effective 1 November 2013 (the related previous version of each is indicated in parentheses). The standards are mandatory in all cases. Any deviation from the standards must be addressed before completion of the IS audit or assurance engagement.
The revised standards are:
1001 Audit Charter (S1)
1002 Organisational Independence (S2)
1003 Professional Independence (S2)
1004 Reasonable Expectation (New)
1005 Due Professional Care (S3)
1006 Proficiency (S4)
1007 Assertions (New)
1008 Criteria (New)
1201 Engagement Planning (S5)
1202 Risk Assessment in Planning (S11)
1203 Performance and Supervision (S6)
1204 Materiality (S12)
1205 Evidence (S14)
1206 Using the Work of Other Experts (S13)
1207 Irregularity and Illegal Acts (S9)
1401 Reporting (S7)
1402 Follow-up Activities (S8)
Translations of the English versions are available in Chinese (Simplified and Traditional), French, German, Hebrew, Italian, Japanese, Korean, Portuguese and Spanish. A Polish translation is underway and will be available on the web site soon.
Complying With Anticorruption Laws, Standards and Guidelines
By Lisa Young, CISA, CISM
Nearly every country has laws, regulations or guidelines against corruption. Forms of corruption vary from country to country, but include such things as bribery, nepotism, extortion, embezzlement and other activities that involve trading in influence. Compliance with anticorruption regulations is important to protect the reputation of any organization. If your organization operates in a multinational environment, it is important that the scope of any audit includes consideration for anticorruption practices. Internal auditors provide high-value services to audit committees, boards and senior management by examining and recommending improvements to an organization’s anticorruption compliance program.
Take some time to understand which country-specific laws, regulations or guidelines apply to your organization. The United Nations Convention Against Corruption (UNCAC) is a multilateral convention ratified by 168 members of the United Nations; it is the first global, legally binding anticorruption instrument. The Organisation for Economic Co-operation and Development (OECD) Anti-Bribery Convention currently has 40 participating countries and targets bribery of foreign public officials in international business transactions. The US has the Foreign Corrupt Practices Act (FCPA), the UK has the Bribery Act 2010 and Canada has the Corruption of Foreign Public Officials Act (CFPOA). These are all good starting points for learning more about the anticorruption risk landscape.
Asking and answering the following questions can help improve your anticorruption program:
- To what extent does your organization have anticorruption practices already in place? Are there policies, guidelines or other programs in your organization to formally address the risk of corruption? Is there designated accountability and ownership for corruption risk in the organization?
- Are senior and field managers provided cultural and linguistic training in global or country-specific business practices? If not, is there an independent, objective person who understands the multinational context available to assist managers in this endeavor? It should be someone who understands local customs regarding gifts, acceptance of favors or other types of influence.
- Do risk assessments include criteria that consider country-specific risk factors (e.g., a country in which you are looking to expand business ventures is more prone to corruption than another), industry segment risk, third-party relationships and financial transactions?
- Have training and communication been provided to staff who travel to foreign countries to perform audits and assessments? If you maintain a centralized set of auditors in one country and fly them into another country to perform internal audits, have you briefed them on what to watch out for with regard to corruption? Have you communicated whistle-blower procedures sufficiently to those who need to know?
As companies continue to expand globally, the role of the internal auditor in building and maintaining an effective anticorruption program will expand. Adding an evaluation of anticorruption practices to ongoing risk assessments will assist in mitigation and help protect the organization from embarrassment and reputation damage.
Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Staying on Track in a Changing World
Bronislovas Balvocius, CISA, CRISC, OCP, PMP, Deputy Director of Internal Audit at AB Ukio Bankas and Vice President of the ISACA Lithuania Chapter, Shares His Experience as a CRISC
Bronislovas Balvocius recognizes the IT world is changing and needs people who embrace change. "I’m ready to be a lifelong learner and worker. Certifications help me keep up with market trends.” The desire to stay on track motivated Balvocius to deepen his knowledge. “I can see that ERM and IT risk management are merging and this trend is going to continue. I believe that the Certified in Risk and Information Systems Control (CRISC) certification helps me keep pace with these changes.”
His certifications have also connected him with like-minded professionals worldwide. “I have met a lot of people through ISACA who are passionate and love their job. I like to stick with people who love their work. Who doesn’t?”
Balvocius says his certification has helped him master professional challenges. “I spend most of my time switching between IT and internal auditor roles. I think internal auditors face big challenges in understanding IT risk and recommending implementation of rational controls. My CRISC certification and ISACA’s professional community have helped and continue to help me face these challenges.”
His CRISC certification has also helped him gain insights and Balvocius believes that “CIOs, software project managers and business process analysts are roles that would also benefit from the CRISC. Preparing for the CRISC certification gives those professionals a structured knowledge and better understanding of IT risk management tools.”
Balvocius sees the far-reaching benefits of his commitment to lifelong learning. “I understand now that giving back to the profession is as important as self-development. I look forward to teaching at a university, giving speeches or writing blogs about the IT profession. These efforts can help develop others, while at the same time developing myself.”
To learn more about ISACA certifications, visit the Certification page of the ISACA web site.
International VP Nominations Closing Soon
Nominations for the office of international vice president on the ISACA Board of Directors for the 2014-2015 term are open until 7 January 2014. (The deadline for nominations for president has passed.) Information about serving on the board, the attributes for office and the nomination form itself are available on the Board Nominations page of the ISACA web site.
Members may nominate themselves or others (or both). All candidates will be required to complete a candidate profile form that confirms their willingness to serve if selected and provides the Nominating Committee information about the candidate. Self-nominating candidates also need to submit a letter of recommendation from an ISACA member, outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and, possibly, interviews.
The 7 January 2014 date is when all materials—not just the nomination form—must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required). Questions? Contact firstname.lastname@example.org.
Member Get a Member: Last Chance to Earn Prizes
December is the last month to participate in the Member Get a Member program for 2013. Reach out and help your friends, colleagues and other professionals become ISACA members. The new member fee is waived for members recruited through this program. Recruit at least 10 new members to earn a full-size tablet device from the world’s leading manufacturer—a US $329 value.
Member Get a Member prize winner (August 2013) Brenda Gombosky encourages new members to take advantage of “the wealth of opportunities that ISACA provides members to interact with other professionals in addition to local chapter meetings.”
Member Get a Member recruiter Amit Ranjan agrees, “Options provided by ISACA really equip individuals with the right skills to cope with regulatory and control challenges. With appropriate skills, knowledge and experience gained through ISACA membership, as well as certification, anyone who would like to pursue this career will see more growth than other career domains.”
Remember to provide your ISACA ID number to your prospects to receive recruiting credit and ensure that their new member fee is waived. The Member Get a Member program ends 31 December 2013, so do not wait—start recruiting today! Visit the Member Get a Member page for helpful recruiting tips.
November Board of Directors Meeting Report
ISACA’s Board of Directors met on 1 November 2013 to discuss strategy, finance and activities undertaken to support the association’s three lines of business: knowledge, relations, and credentialing and career management. Highlights include:
- The establishment and formalization of a corporate social responsibility program, which is being conducted on a three-year pilot basis beginning in January 2014.
- First-in-focus strategic initiatives were identified from among the many Strategy 2022 (S22) initiatives in the areas of cybersecurity, privacy, COBIT growth, academia and career management. Volunteer task forces were appointed to develop specific plans for each area, resulting in the recommendation of more than 100 proposed projects. The Strategic Advisory Council addressed prioritization among the proposals, given the need to allocate human and financial resources appropriately.
- The Governance Advisory Council reported on progress made in revising ISACA’s bylaws, a necessary undertaking to align with California corporate code. Ultimately, bylaw revisions must be approved by the ISACA membership. A ballot is anticipated in 2014.
- Investigation continues into digital badging, which is expected to be rolled out on a pilot basis before the end of 2013.
The board’s next meeting will be held in late February/early March in Brisbane, Queensland, Australia.
Book Review: Securing Cloud Services
Reviewed by Ibe Kalu Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS
The importance of cloud computing as a game changer in Internet technologies cannot be overemphasized. Cloud services provide access to fully functional applications without user-owned infrastructure, along with on-demand software deployment and test environments and Internet-delivered processing and storage. As much as the cloud is one of the greatest areas of advancement and innovation in modern Internet technologies, it brings its own risk and threats, and it puts considerable pressure on risk practitioners to understand the many dimensions of the security issues related to it.
Securing Cloud Services analyzes the various cloud deployment models and architectures and presents a model for assessing existing security risk and threats to the cloud. Using case studies of cloud services already hosted by enterprises, author Lee Newcombe provides a practical overview of cloud security for existing and prospective assessors, risk consultants, end users and vendors of cloud services. The author bases his view of the cloud on the National Institute of Standards and Technology (NIST) definition of cloud computing and walks the reader through the essential fundamentals of the concept.
The book is divided into four sections. The first part reviews the general classifications of cloud types, service models and deployment models. A key concept is the introduction of the Jericho Forum® Cloud Cube model, which uses four dimensions to describe various cloud formations. This section weighs the benefits of the cloud against its threats from a security standpoint and highlights the threats posed by the different stakeholders of the cloud, e.g., providers, insiders, hackers and identity providers.
The second section of the book outlines the different architectural layers of the cloud, and here the author introduces a security reference model (SRM) to illustrate his approach to cloud security. The analysis of cloud security based on this new model forms the core of the book, and the author applies it skillfully to the current service and deployment models. The public, private, hybrid and community cloud models are treated extensively from a security standpoint, with the strengths and weaknesses of each analyzed. Security concepts such as cryptography, access management and identity management are mapped to the SRM and analyzed, with well-referenced practical examples drawn from real-life cloud-hosting services.
In the third and fourth parts of the book, the author projects cloud computing into the future and analyzes future scenarios applicable for the cloud, chiefly from a security and risk standpoint. Newcombe asserts that cloud computing will hasten implementation of service-oriented architecture (SOA) and continue to impact working practices.
The book is richly enhanced with tables, diagrams, concepts, and references to various web sites and pages for further examination. It is a book for any security professional, student or IT risk practitioner who wishes to see the cloud from its more practical side.
Securing Cloud Services is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Ibe Kalu Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).