Michael Piazza Appointed Director of Program Development & Training

Michael Piazza, CICA, has recently joined TheIIC as the Director of Program Development & Training, tasked with creating and presenting educational products and professional development programs for offering by TheIIC. Michael will begin developing several one- and two-day courses on the COSO/Internal Controls Framework and on Fraud, Waste and Abuse. These courses will be available to organizations at their workplace as well as in IIC-sponsored group settings. In addition, the Board has approved the development of self-study training courses that will be delivered via CD-ROM/DVD. More information concerning both the live instructional and self-study methods will be announced shortly. All courses will be approved for CPE credit by sponsoring organizations such as the NASBA.

COSO Appoints Grant Thornton to Conduct Research Focusing on Monitoring of Internal Controls

In early January 2007 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) announced that Grant Thornton LLP had been commissioned to develop guidance designed to help organizations monitor the quality of their internal control systems. The end product will serve as a tool for effectively monitoring internal controls, as well as for complying with the Sarbanes-Oxley Act of 2002. The project team, including Grant Thornton LLP partners, will be led by Grant Thornton Managing Partner of National Corporate Governance Trent Gazzaway. A project white paper will be released in early spring 2007. The monitoring tool, scheduled for completion in early 2008, will include leading practices at large and small organizations and in-depth guidance for implementing the monitoring component of COSO's Internal Control — Integrated Framework (IC Framework). Updates on COSO's monitoring project will be posted to www.coso.org as they become available.

New Proposals for Auditor Independence Issued by IFAC's International Ethics Standards Board for Accountants

On December 29, 2006 the International Ethics Standards Board for Accountants (IESBA), an independent standard-setting board within the International Federation of Accountants (IFAC), issued an exposure draft updating and strengthening the independence requirements contained in the IFAC Code of Ethics for Professional Accountants. The last substantive revisions to the Code were made in November 2001. The changing environment of the past few years has led the IESBA to consider what revisions to auditor independence requirements might be needed. Over the two-year development period of the exposure draft, the IESBA consulted with interested stakeholders, including regulators, standard setters, leaders of accountancy organizations, and members of the profession. "Auditor independence is a critical cornerstone of financial reporting," states Richard George, IESBA Chair. "We believe that the proposed changes to the Code contain important provisions that we consider are appropriate to protect the public interest." Significant proposed modifications to the Code include:

• Expanding the applicability of partner rotation requirements;
• Updating requirements related to the provision of non-assurance services, including setting out additional guidance on the provision of tax services to audit clients; and
• Extending the independence requirements to the audits of a wider range of entities of significant public interest.

Comments on the exposure draft are requested by April 30, 2007.

How Does Management Support Deploying IT Governance?

Robert E. Davis, CICA, has authored an article that asks the question "How Does Management Support Deploying IT Governance?" In the article he notes that, depending on your abstraction level, IT governance can be viewed as a framework, a methodology, or a technique. As a framework, IT governance enables a "system of controls" that assists in assuring organizational goals and objectives are achieved effectively and efficiently. As a methodology, IT governance furnishes a description of the role that entity direction and controls play in achieving information systems objectives. Lastly, as a technique, IT governance provides processes and steps that can generate superior financial and/or reputational returns for stakeholders. Whatever your perspective may be, the importance of effective and efficient IT governance cannot be overlooked in the current global high-technology environment. Considering what is at stake for most organizations, justifying IT governance deployment on the basis of a single viewpoint usually narrows its suitability and expected benefits. In the final analysis, combining the individual abstraction levels discussed above may be the most appropriate support for implementing IT governance.

UCLA Hit with Computer Database Breach: 800,000 Vulnerable

On December 11, 2006, UCLA announced that the personal records of as many as 800,000 individuals may have been vulnerable in a computer breach at the university. The names and certain personal information of UCLA's faculty, staff and current students are included in a restricted administrative database which was illegally and fraudulently accessed by a sophisticated computer hacker. Also among the data was information on some former students, student applicants and parents of students or applicants who applied for financial aid. In addition, about 3,200 people on the database are current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing. In mailed notifications, the university urged all those affected to take steps to protect their personal privacy by contacting one of the national credit bureaus to place a fraud alert on their consumer credit file and to obtain a copy of their personal credit report.

UCLA first detected suspicious activity at the database on Nov. 21, at which time university officials immediately blocked access and activated its information technology security incident team. UCLA also notified the FBI, which is conducting an investigation. The database includes names, Social Security numbers, dates of birth, home addresses and contact information. UCLA's ongoing investigation at this time indicates only that the hacker sought and obtained some of the Social Security numbers, and there is no evidence that any data has been misused. Nevertheless, out of an abundance of caution, the university decided to inform all those whose names appear in the database. Jim Davis, UCLA's chief information officer and associate vice chancellor–Information Technology, described the attack as sophisticated, saying it used a software program designed to exploit a flaw in a single software application that is one of hundreds used throughout the campus.

The UCLA incident is the latest in a string of computer security breaches nationwide affecting financial institutions, universities and other large employers. According to the Los Angeles Times, in the first six months of this year alone there were at least 29 security failures at colleges nationwide, jeopardizing the records of 845,000 people. In 2005, a database at USC was hacked, exposing the records of 270,000 individuals.

Why Antivirus Technology Is Ineffective

As internal controls specialists, we need to be concerned with protecting our computer systems and their data. The following article from Enterprise Security Today gives us some things to think about on antivirus software.

(Extract)

Antivirus technology is a crock. It fails to prevent computers from getting infected with viruses, and this failure contributes to many other security woes that plague the world's computers. Because viruses spread, hackers find it easier to compromise computers, identity theft is better enabled, and computer fraud is easier to perpetrate. Virus-infected computers become a resource for hackers to exploit. Some hackers assemble and control networks of thousands of such computers and use them to distribute huge volumes of spam, mount sophisticated phishing attacks, and launch targeted "denial of service" attacks on companies.

The level of virus infection is high. It's not an epidemic; it's a pandemic. How bad is it? That depends on how you look at it. For the home computer user and small-business user, infection is chronic. In June 2006, Microsoft revealed the results of a 15-month test of its Malicious Software Removal Tool on home PCs and small-business PCs. The utility had been used to scan and clean 5.7 million PCs, and it found backdoor Trojans, or programs that let hackers gain entry, on about 62% of them. And during the 15-month period, 20% of PCs that were cleaned were reinfected. Big companies aren't immune, either. The 2005 Yankee Group Security Leaders & Laggards Survey indicated that while 99% of enterprises have deployed antivirus programs, 62% got infected by viruses. The situation for large enterprises is, it seems, not much better than for other PC users. They may be better able to recover from infection, but they still get infected. So why is it that antivirus technology does such an inept job?

Link below to view the complete article.

NEWS: Archived e-Newsletters Now Available on TheIIC Website

If you missed a previous edition of the TheIIC e-Newsletter, or would like to retrieve a copy, you can now view archived editions of the TheIIC e-Newsletter on the TheIIC website at http://www.theiic.org/publicationsnewsletter.html.

Final Call: Committee Members Sought for ICQ Development

Organization of the ICQ Development Committees is being finalized and will be announced shortly. There are still openings available for volunteers for membership on the four new committees that are being formed. The committees will be responsible for the development and refinement of Internal Control Questionnaires (ICQ) for specific areas of audit within each control area. No travel will be required, and all communication will be made through telephone and email.

The four committees are:
- Management Controls
- Financial Controls
- Operational Controls
- IT Controls

If you are interested in volunteering for any of the above committees, contact the Chairman at chairman@theiic.org.

Message from the Editor: Welcome for First-timers

For first-timers, I would like to welcome you to the TheIIC e-Newsletter. In the design of the newsletter we completed extensive research on how to make the e-newsletter successful. As you can see, the layout is a little different from what you see in other e-newsletters. While most e-newsletters only give you a few lines of the article, with a link to the full article, we have decided to present an abstract-type summary of each, with a link to the full article when available. We feel that this allows you to get the substance of the article without having to link to another site. However, we do provide a link for those who want any additional details available. This also provides you with the ability to print out the newsletter and read it at your leisure. We encourage any comments or suggestions for improving the e-newsletter. Comments as well as contributions for publication should be sent to me at e-newsletter@theiic.org.