Truth is, only Eagles and licensed pilots fly alone. We simple farm animals need ITGI's Knowledge Network, all the resources from ISACA (especially COBIT® On-line), IIA Resources for Information Technology, and updates from PricewaterhouseCoopers CFOdirect Network®. I rank attempts at Sarbanes-Oxley and SAS 70 compliance without reading the COSO and AICPA guidelines alongside running with scissors in untied shoelaces. These are our primary sources of guidance, because they represent the people whose core mission is to provide us with what we need to know. Google™ may be the source of infinite answers, but these sources are true Oracles. Google may win a Nobel Prize someday, but as for me, it is by definition “too much information.”
Reading PCAOB standards, audit guidelines and practice frameworks, attending ISACA and IIA CPE events, and subscribing to PwC’s world-class newsfeed is hardly a shabby approach to an audit career. Organizations endorsed by the National Association of State Boards of Accountancy assure timely access to uniform levels of training, materials and guidelines for our practice.
This writing only suggests that a diet consisting of “drinking from the fire hose” and every type of food they have in the company vending machine will likely lead to poor thinking skills, obesity, and a complete lack of resistance to minor changes in flu strain or weather. Vary the daily circle of reference to reliable, solid sources and defend against self-induced white paper frenzy. Protect whatever brain matter may be left by careful selection of valid documents worthy of “Must Read” rank.
Let ISACA handle it
Have I skipped right over the “shared responsibility” clause? Surfing for audit material has scary potential to drag us down dark alleys and rat holes. Isn’t it safer to let ISACA and IIA handle the reading list? Why not plug back in to three or four portals and stop the journey right here?
Because
The people who maintain, manage and contribute to these critical resources, however, are not in the habit of playing it safe. They demonstrate lifelong patterns of participation in the scope, applicability and intent behind international standards, treaties and laws. Frameworks such as the widely implemented COBIT® are refined and optimized based on the solicited feedback of “rival” organizations. Consider the intent of “COBIT® Mapping: Mapping ISO/IEC 17799:2000 with COBIT”, which painstakingly demonstrates a “global overview of […] important international standards and guidance for IT control and IT security in relationship to COBIT®: COSO, ITIL®, ISO/IEC 17799:2000, ISO/IEC 13335, ISO/IEC 15408, TickIT and NIST 800-14.” ISACA clearly supports that we consider these standards in our manner of implementing IT governance.
The contributors to the Mapping Projects at ISACA and the GTAG at IIA are the same men and women who elevated a practice previously isolated to the IT department into a major business and legal concern now known as Enterprise Governance. I thought about the articles and papers that I typically read. I examined a few references on papers people had been sending me to read. Some had no references at all. I compared one of the papers to a random Carnegie Mellon University CERT publication, an IIA-endorsed resource, or a product released under the guidance of ITGI. The differences between articles and white papers, and then any item by the three organizations, were impressive. Look at the references listed on page two of “IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting.”
COBIT® 3rd Edition©, IT Governance Institute, Rolling Meadows, Illinois, USA, July 2000
Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org
Common Criteria and Methodology for Information Technology Security Evaluation, CSE (Canada), SCSSI (France), BSII (Germany), NLNCSA (Netherlands), CESG (United Kingdom), NIST (USA) and NSA (USA), 1999
Exposure Draft Enterprise Risk Management Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA, July 2003
“Final Rule: Management’s Reports on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” Release Nos. 33-8238; 34-47986; IC-26068; File Nos. S7-40-02; S7-06-03, US Securities and Exchange Commission, USA, June 2003, <http://www.sec.gov/rules/final/33-8238.htm>
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), AICPA, New York, USA, 1992
ISO IEC 17799, Code of Practice for Information Security Management, International Organization for Standardization (ISO), Switzerland, 2000 […]
Here’s my visual takeaway and mental note regarding organizations, documents and writers deserving our professional attention and a “critical” rating of ten out of ten:
COBIT® (ISACA, ITGI) AND COSO (AICPA, IIA)
Common Criteria and Methodology for Information Technology Security Evaluation, CSE (Canada), SCSSI (France), BSII (Germany), NLNCSA (Netherlands), CESG (United Kingdom), NIST (USA) and NSA (USA)
Enterprise Risk Management Framework, (COSO)
Any Final Rule - US Securities and Exchange Commission
Any - ISO IEC 17799, Code of Practice for Information Security
ITIL® and OGC
CCTA
Public Company Accounting Oversight Board Auditing Standards
Information Security Forum
Endorsed contributions: Deloitte & Touche, PricewaterhouseCoopers
Enough about them, let’s talk about us
Consider again a “critical,” ten out of ten weight: “IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting”, Copyright© 2003 by the IT Governance Institute[140]. Contributors to peer review and content include PricewaterhouseCoopers, Crowe Chizek, RBC Financial Group, Deloitte & Touche, Financial Executives Institute-Research Foundation (FERF)[141], Ernst & Young, Protiviti, META Group and Q Alliance, demonstrating among business and regulators their highest rank and strongest talent. They come from Banking, Audit, and Enterprise IT Consulting, in industries ranging from Manufacturing to Insurance and Air Travel (i.e., Electrolux, Great-West Life Assurance Company, Waviest Technologies, New Zealand Air). Participation in this one project represents regulatory mandates as experienced in the USA, Canada, Singapore and Tokyo, Argentina, Australia, United Kingdom, Luxembourg, and Belgium.
What was the motivation that brought this group together? Were they working as a team to be Olympic swimming gold medalists in the 1000 meter Reference List? If so, I didn’t catch that on ESPN. The product is in the public domain and no particular individual is given exclusive rights except for guardianship of the copyright. If IIA and ISACA aren’t going to fight, and PricewaterhouseCoopers is working alongside Deloitte & Touche, Ernst & Young, Protiviti and KPMG, then… then….
Say it ain’t so
Frameworks don’t compete; only people can do that. Consider the evidence so far: audit bodies, corporations, and every member of the Big5 have been caught in the act of teamwork. ISACA, IIA and AICPA represent a combined membership of one half million audit and technology professionals. As found on their respective web sites, "ISACA is a leading information technology organization representing more than 47,000 individual members in more than 140 countries. […] ISACA has assumed a role as the harmonizing source for IT control practices and standards the world over."[142] AICPA reported the 2005 member total as 327,135 members, who passed the CPA exam and are certified to practice[143]. "IIA Membership reaches 110,000” is the noted headline of the IIA’s Home page[144]. These are not the full team required for national compliance.
Did you happen to notice where I left a half million auditors?
Total Accountants and Auditors in the United States are estimated to be around 1,007,760[145]. Each organization provides framework and guidance as required by the Unified Accountancy Act, as mandated by PCAOB, according to the U.S. laws for GAAP (Generally Acceptable Accounting Practice) and according to the state guidelines of the NASB[146]. Our charters serve the spirit of the law, but each team applies different methods and frameworks toward fairly unified goals. Whether we walk, swim, bike or fly, we are over a million professionals who all know one thing about this country’s need for compliance: we need to get there and stay there.
Certainly all auditors involve themselves in maintaining Continuing Professional Education requirements, and an enormous number work among PwC, E&Y, D&T and KPMG (the Big4) (surely Protiviti is overdue for making this a Big5). Why are so many professionals creating faction organizations? Why not join OASIS, IETF, IIA, and ISACA, contributing to the greater good? Why do so many IT consultants feel qualified to act as auditors, and why do auditors believe they have mastered the extent of learning needed to perform forensics?
Found them!
I knew they weren’t lost. The circle of reference strikes again. Audit is much more than IT. Site details at AICPA and NASB mention:
- AACSB International—www.aacsb.edu
- Management accounting and the CMA designation is found at the IMA, Institute of Management Accountants www.imanet.org
- Accredited in Accountancy, Accredited Business Accountant, Accredited Tax Advisor, or Accredited Tax Preparer designations are supported by the Accreditation Council for Accountancy and Taxation www.acatcredentials.org
- Government accounting is supported by the CGFM designation, earned with the help of Association of Government Accountants www.agacgfm.org.
A problem not owned equals a problem not solved
We need to own a little bit of the solution or we lose interest in the problem. This is misidentified as “NMO” or “not my idea.” Even as babies we adopted a personal mission to take everything apart. Our obsession evolved to putting pieces together, followed by reverse engineering. (That’s why my parents have gone insane.) Some of us matured to actual inventing, and even hacking for professional gain. (Wolves invent, sharks hack, pigs use the hack created by a shark.) We copy fashion, software, music and even personality. The nature of copying is so pervasive that it is at least a significant reason for most areas of security and all of Title 17.
In fact, we assume we’re supposed to copy, and in some cases this is a career strategy. When asked to perform even a slightly creative task, we begin with a search for the right template. In fact, very few people really want to hear our ideas. Ask any boss and he’ll say, is there a template? Great, let’s move on.
Where do the templates end and our unique configurations begin? Living with blinders is a sure path to failure. Propose anything dramatically different from the norm, and chances are you become a member of a class I’ve completely left off the list: the jackass.
Many business leaders will tell you that failure in one context drove success in another. We have a proliferation of new organizations in IT Control and Information System Audit. They can be characterized as toddlers: cute, creative, still in possession of baby superpowers. Their interests are stirred by the exciting new problems in technology compliance standards. Outsmarting our favorite cartoon villain holds fascination, joy and wonder, providing opportunity to flex our intellect and sense of justice and to share in camaraderie. You have to admit, for a while there SOX was holding almost as much of the country's attention as the first round of Ben and Jen.
You want me to kill them now? (But they're so cute!)
Are you sure about this? I agree they will reproduce. Yes, they may marry into family. You’re right, they’ll publish more standards. Correct, we will have to read them too.
Valid points and I see the wisdom in killing them while they’re weak, but I can’t support youth organization genocide. It’s not even a religious hang-up. I’m concerned these baby organizations may be needed in the compliance chain.
Basic principles in human dynamics limit team size as a factor in success. Business and the army use a principle of five. Schools try to do it with rules for the number of students per class. We need small groups to manage and learn. Large mature groups tend to drown out creativity. People lack a sense of place and purpose. Newcomers to large established organizations see a list of problems that they aren’t qualified to solve, leaving nothing to do but try to rub elbows with people who are “trusted to think.”
We need baby organizations. In addition to pollinating the untapped dogs and sheep with inspiration, I’m pretty sure killing them isn’t legal. (Check the ACLU site comments on “right to gather for any purpose, no matter how stupid or a waste of time”, First Amendment[147].) New teams share uninformed optimism, a chemical we have not been able to bottle. They believe they impact the world. Sometimes, they do.
Consider the mission of ITPI, an organization focused on prescriptive, data-driven guidance for IT leaders:
- Research – study top performers and identify the causal link between behavior and results.
- Benchmarking – create tools that compare individual organizations to top performers.
- Prescriptive Guidance – share content written to help IT organizations become top performers.
With this simple data-driven approach, the IT Process Institute aims to enhance the efficiency and effectiveness of its member organizations, and drive performance. They are not Gartner, and they are not the OGC, but their leadership is composed of Eagles, and their goals remind us there are stars. “Dreams are like stars...you may never touch them, but if you follow them they will lead you to your destiny.”
Informed Optimism
How did a handful of starving painters create all the works that are collectively known as Impressionism? Why is it we tend to find that Nobel Prize winners are also best friends with Golden Globe-winning playwrights, parents of winners of the Tchaikovsky competition, or merely leaders of Fortune 500 corporations? Don’t Tom Hanks, Paul Newman, Jane Fonda, Goldie Hawn and the Durnings understand what they’ve done to the bell curve on talent? Will someone please tell these bumblebees that science has absolutely proven they can’t fly!
My last note on why we should let baby organizations live, and do everything in our power to help them along, is answered by simply reading the list of members who belong to ITPI. We need this gene pool.
- Kevin Behr – President and co-founder: CTO and Chief Operational Strategist for IP Services. Kevin co-founded the ITPI with Gene Kim. He is an active member of the Information Systems Audit and Control Association. Kevin is a frequently invited speaker called on to address a broad range of technology and management framework topics. Kevin is co-author of the Visible Ops Handbook.
- Scott Alldridge – Vice President and founding officer: founding officer and board member of the ITPI. He provides key strategic and operational oversight, and provides key resources from IP Services to see the vision and mission of the ITPI is carried onward.
- Ron Neumann – Vice President and founding officer: President of Neumann Management Group, Inc. Ron is a board member of the ITPI and participates in defining the vision and overall strategic direction of ITPI. He manages the organization’s finances, and develops strategic relationships and sponsorships.
- Gene Kim – Director of Research and co-founder: CTO and co-founder of Tripwire. Gene Kim co-chaired the Best in Class Security and Operations Roundtable (BIC-SORT) with the Software Engineering Institute. He is co-author of the Visible Ops Handbook and is a primary researcher for the IT Controls Benchmarking Survey with Dr. Grant Castner.
- Dr. Grant Castner – Director of Benchmarking: Professor in the Department of Decision Sciences, Lundquist College of Business, University of Oregon. His research interests include technology adoption and diffusion, accounting information systems, electronic commerce, and information-technology infrastructure best practices. Grant is the research lead for the IT Controls Benchmarking Survey. Grant has also developed the ITPI website, ecommerce systems, and content management system.
- George Spafford Jr. – Director of Prescriptive Guidance: Managing Director of Spafford Global Consulting. He is a recognized expert in IT process and Audit. He is a prolific author contributing articles to a wide range of IT publications. He co-authored the Visible Ops Handbook.
- Julia Allen: Senior member of the technical staff at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. Julia is engaged in developing and transitioning enterprise security frameworks and executive outreach programs in enterprise security and governance.
- Kurt Milne – Managing Director IT Process Institute: He has over 15 years experience in various marketing management, alliance management, and engineering positions at leading technology companies. His main areas of expertise include IT service management and IT controls, inventory and supply chain management, and computer integrated manufacturing. He is responsible for overall ITPI operations including sponsorship and membership.
I don’t want a baby brother. Tell the stork to bring ideas.
Consider just a sample of the organizations shaping at least some of the thoughts we believe are our own. Don’t get discouraged; even the mighty oak was once a nut like …
| Source Title | Short Name | Web |
|---|---|---|
| American Chemistry Council | ACC | |
| American Civil Liberties Union (ACLU) Privacy Information | ACLU Privacy Information | |
| American Institute of Certified Public Accountants | AICPA | |
| American National Standards Institute | ANSI | |
| Basel Committee on Banking Supervision (BCBS) | BCBS | |
| Business Software Alliance | BSA | |
| Center for Internet Security (CIS), Benchmarks and Scoring Tools | CIS Benchmarks and Tools | |
| Center for Public Company Audit Firms | CPCAF | |
| CERT Coordination Center | CERT/CC | CERT Coordination Center: Security Practices and Evaluations |
| Common Criteria Project | Common Criteria Project | |
| Chief Information Officers Council | CIO Council | |
| Code of Federal Regulations Full listing at GPO | CFR Full Listing at GPO | |
| Committee of Sponsoring Organizations of the Treadway Commission | COSO | |
| Corporate Information Security Working Group | CISWG | Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams |
| Director of Central Intelligence Directives | DCID | |
| Federal Emergency Management Agency Mitigation Division | FEMA Mitigation Division | |
| Financial Crimes Enforcement Network | FinCEN | |
| Global Information Assurance Certification | GIAC | |
| Government Accountability Office | GAO | |
| Information Systems Audit and Control Association | ISACA | |
| Information Systems Security Association | ISSA | |
| Information Technology Governance Institute | ITGI | |
| Institute of Internal Auditors | IIA | The Institute of Internal Auditors (The IIA) - Progress Through Sharing |
| International Information Systems Security Certification Consortium, Inc | ISC2 | (ISC)² - International Information Systems Security Certification Consortium, Inc |
| International Organization for Standardization | ISO | ISO - International Organization for Standardization - Homepage |
| National Archives and Records Administration | NARA | |
| National Association of State Boards of Accountancy | NASBA | |
| National Institute of Standards and Technology | NIST | |
| Organization for the Advancement of Structured Information Standards | OASIS | Organization for the Advancement of Structured Information Standards |
| Open Information Systems Security Group | OISSG | |
| Organization for Economic Co-operation and Development | OECD | |
| Public Company Accounting Oversight Board | PCAOB | |
| SANS Information and Computer Security Resources | SANS Resources | SANS Institute - Information and Computer Security Resources |
| Securities and Exchange Commission | SEC | |
| SysAdmin Audit Network Security Institute (SANS) | SANS Institute | SysAdmin Audit Network Security Institute - About the SANS Institute |
| Thomas - Library of Congress On Line | Thomas | |
| United States Security Awareness Organization | USSAO | |
Competition is the spice of life
Consider why so many mission statements use words like “best”, “premier”, and “highest authority.” 'Amaarrikans' are measured in increments of gold (medals). We compete, because that is the only way to win.
That was a little harsh. Let me take it back. Searching the internet for “Edwards Deming, Cooperation and Competition” brings back a list including the U.S. Department of Defense. In spite of its reputation, the DoD has long promoted cooperation over competition and “Quality” over “Zero Defect,” citing Edwards Deming’s 14 points for management practice[148]. Here’s an example found buried in a memo on how to work with vendors:
“W. Edward Deming recommended stable, ongoing relationships between vendors and customers as a key to long-term success. Industry has applied this principle with great success. On the other hand, the Government has traditionally taken the shorter view, e.g., one base year and four option years. This mind-set can lead to rapid vendor turnover and encourages industry to maximize profit. Long-term contracts provide the vendor with the steady income stream needed to make long-term investments in the tools, people, and facilities that the Government needs.”[149]
The Wolf maintains a ruthless image which serves to protect the pack. The leaders collaborate and optimize as a lifelong form of play. They don’t care what it says in the history books. Their children grow up on instinct. Building the better mousetrap may make them wealthy or powerful, but good ideas just add to the world paradigm.
Evidence of Deming’s impact is honored in our Library of Congress. We rate his ideas among our country’s greatest assets. Stories of triumph through cooperation by opposing forces represent a third of prime time television, even if the only reason to cooperate is to enforce the medal, but we are making our way towards living Deming's dream.
My only comment on our obsession with winning is I’m a Deming fan[150].
[136] PricewaterhouseCoopers on behalf of COSO, COSO, Enterprise Risk Management — Integrated Framework, AICPA, Volume 2. Retrieved December 1, 2005 from https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm. & COSO (2005), Internal Control — Integrated Framework, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, AICPA, Exposure Draft. Retrieved December 1, 2005 from http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf. Note: These are both noted by the SEC as appropriate framework in the implementation of controls assessment.
[137] Note: Google is a fascinating company, but their name is not “Googol”, a number often confused with infinity. I am reminded by the PBS rerun of Cosmos, of Carl Sagan saying the googol is finite in number, with 1 followed by 100 zeros, or 10^100.
[138] ITGI & ISACA (2004). COBIT® Mapping, Overview of International IT Guidance. Retrieved December 1, 2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/CobiT_Mapping_Paper_6jan04.pdf.
[139] ITGI & ISACA (2004). IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting. Retrieved December 1, 2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf.
[141] FERF, Financial Executives Research Foundation. Retrieved December 1, 2005 http://www.fei.org/rf/.
[142] ISACA, op.cit., ISACA Membership Information. Retrieved November 1, 2005 http://www.isaca.org/Template.cfm?Section=Membership&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=15&ContentID=7510.
[143] AICPA Membership. AICPA 2004-2005 Annual Report. Retrieved November 1, 2005 from http://www.aicpa.org/about/annrpt/2004-2005/aicpa_04-05_ar.pdf, p. 22.
[144] IIA, op.cit.
[145] U.S. Department of Labor, Bureau of Labor Statistics. Occupational Employment and Wages, November 2004. Retrieved December 1, 2005 from http://www.bls.gov/oes/current/oes132011.htm.
[146] NASB, National Association of State Boards of Accountancy. Retrieved November 1, 2005 from http://www.nasba.org/nasbaweb.nsf/?Open.
[147] ACLU, (American Civil Liberties Union). Free Speech. Retrieved November 1, 2005 from http://www.aclu.org/freespeech/index.html.
[148] Edwards Deming (1986), "14 Points for Management", in Out of Crisis, 1986, Cambridge: The MIT Press. Retrieved December 1, 2005 from http://www.deming.org/resources/books.html. Note: Found at http://www.deming.org/instituteinfo/wedihistory.html, “The W. Edwards Deming Institute® was founded by Dr. Deming in 1993. The Institute is headquartered in Washington, D.C. It is a nonprofit corporation which provides educational services related to the teachings of Dr. Deming. These services include conferences and seminars. The Institute also makes Dr. Deming's personal and professional papers available to researchers at the U.S. Library of Congress. The Deming Collection at the Library of Congress includes an extensive audiotape and videotape archive of Dr. Deming. The aim of The W. Edwards Deming Institute® is to foster understanding of The Deming System of Profound Knowledge™ to advance commerce, prosperity and peace."
[149] U.S. Navy, "Increasing Contractor Commitment", in Benefits, DoN Acquisition One Source. Retrieved from December 1, 2005 http://www.ar.navy.mil/aosfiles/tools/turbo/topics/cj.cfm. Note: Argument promotes the works of Edwards Deming as reason for DoD changes in procurement and acquisition practice.
[150] Deming, op.cit., Chapter 2. Note: Edwards Deming, author of Out of the Crisis and The New Economics and father of Quality Management – Perhaps, best known for “14 points for Management”. The Edwards Deming Institute, "Condensation of the 14 Points for Management", in The Deming System of Profound Knowledge (Continued). Retrieved December 1, 2005.
(not my Dad) (real Dad)
I sincerely apologize to any member of the actual Deming family. What I said was, "My Dad is 'TQM'." This is true. He worked for International Telephone & Telegraph, ITT, during the 60s and up to the 80s, during the era of "No Surprises", "leadership through action" CEO Harold Geneen. My Dad's full name is... Alvin Martin Silver. I still like to call him TQM.
I also said I wish I had been raised by wolves. I meant no disrespect to dogs or my own family.
