Audit Universe: Audit Tools - How Vast is your Universe?

Controls go far beyond the requirements of the Sarbanes-Oxley Act, and they are no longer just an "auditor's problem." The days of fighting for budget to "Optimize IT" are long gone, and everyone has one single mission: "Compliance."

What is compliance?  If that question strikes fear in your heart, consider "The Perils of Must Read™" part medicine and part anecdote.

Compliance is a universe of constraints enforcing business and technology practice aligned to minimally acceptable product, service and financial benchmarks, consumer and citizen safety, and continuous availability of critical resources, as mandated by the US and other world governments.  Considerations for HIPAA, the USA PATRIOT Act, Gramm-Leach-Bliley, FISMA/eGovernment, OMB Circulars (various, such as A-119 and A-130), Executive Directives and DCIDs can't be limited to government, federal and financial programs.  Businesses work in tandem, weaving regulatory issues together via ecommerce, outsourcing and third party services, such that any one law has implications across multiple industries and business classifications.

Laws like the Clinger-Cohen Act, the Paperwork Reduction Act, Basel I and II, European Union privacy laws and the Safe Harbor Principles, the California Security Breach Notice Law and emerging bills with similar guidelines, SEC Rule 17a-4, NARA regulations for federal records management, SEC CFR 17 Rule no. 16900 affecting Clearing Corporations, the National Strategy to Secure Cyberspace and many associated Public Laws and Government guidelines (especially those affecting security programs and the implementation of appropriate standards such as the various FIPS) are all a part of our audit universe.

The PB&SP toolbox is a list of applications and industry tools, with special attention to the better companies and materials, as found most successfully implemented among our clients.

FAB FIVE - BIG FOUR - BIG EIGHT - HEAVY HITTERS - THE GURUS, as said by Garth "We're not worthy"...

"Big 4" is a term that implies only four leaders. In the past it was the Big 8, and as Arthur Andersen fell, the number of leaders also declined.

Current Hall of Fame:

  • Deloitte (http://www.deloitte.com)  "The Doors "
  • KPMG (http://www.kpmg.com)  "Sly and the Family Stone"
  • BearingPoint (http://www.bearingpoint.com) "The Ramones" ***
  • Ernst & Young (http://www.ey.com) "Nirvana"
  • Grant Thornton (http://www.gt.com) "The Pixies"
  • PricewaterhouseCoopers (http://www.pwc.com) "Aerosmith"
  • Crowe Chizek (http://www.crowechizek.com) "The Grateful Dead"
  • Protiviti (http://www.knowledgeleader.com) "The Velvet Underground"
  • Jefferson Wells ( http://www.jeffersonwells.com) "Earth Wind and Fire"

Amid the noise and fanfare, class acts never go out of style, and we love a class act.

PB&SP is a small, highly talented US based company.  Staffed entirely by degreed and certified professionals, we provide excellence and knowledge transfer, ensuring your employees know how to meet and exceed regulatory requirements through the use of standards.  The methods and frameworks we implement are influenced and set by the "class acts" cited above.  They support all of us with research and contribution.  PB&SP is certainly not their competition.  We listen to and learn from every move they make...(or was that Sting?).

Walk this way:

Putting this in perspective:  maybe you can't afford, or don't even have time for, Aerosmith to play at your wedding.  That doesn't mean your band can't play "Walk This Way".

On the flip side, it would be our greatest honor to play as opening act for any of the talents above and you can probably schedule us with just a phone call.  (Contact)

In fact, being a highly respected opening act is pretty much what we do.

Every single PB&SP client (public and private, most with in excess of $50 billion in annual revenue) marked the end of our project by earning the highest possible ratings from their registered third party audit firm.  Be it SAS 70, 'SOX', Basel II or simply a need for IT Management consulting, these tool pages show you a little more about "who", "what", "when", "why" and "how".

(But wait! Hold on...Could it be true?  Holy Sarbox, Batman.  Will BearingPoint be tossed from the hall of fame???  Tune in next week.  Same bat time, same bat channel.  We actually wish them good luck in hard times.)

That reminds me.   Have you narrowed and refined your RegWatch™?

See the sections on Security, Risk, Data Retention, and more for additional reviews of laws and regulations.  We also hope you will enjoy reading "The Perils of Mount Must Read™".  This is our gift to the hurting, overwhelmed and confused.

Please check out FCM™, our product and custom solution for all forms of compliance management.

Internal Control and Control Self-Assessment

COBIT® On Line from ISACA and ITGI and COBIT® Advisor 3rd Ed from Methodware™

COBIT® components include:
  • Executive Summary
  • Framework
  • Control Objectives
  • Control Practices
  • Audit Guidelines
  • Implementation Tool Set
  • Management Guidelines

Other works based on the COBIT® framework include:
  • COBIT® Quickstart™
  • COBIT® Online®
  • COBIT® in Academia™
  • COBIT® Security Baseline™

Grand slams go to the teams producing harmonization and synergy across standards and regulatory requirements: COBIT® 4.0, the recent release of "Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit: A Management Briefing", and the combined Booz Allen Hamilton, ISACA, ISSA and ASIS release "Convergence of Enterprise Security Organizations".

To paraphrase just a few of the points by Gary Hardy and Erik Guldentops, who introduced COBIT® 4.0 in Volume 6, 2005 of the Information Systems Control Journal (the professional publication of the Information Systems Audit and Control Association), COBIT® 4.0 adds to the already valuable framework:

  • Business requirements
  • Harmonization (ITIL®, ISO 17799®, PMBOK® and PRINCE2)
  • Value creation: balance between risk and value, drawing on recent new research on IT value management.
  • Enterprise architecture: COBIT® 4.0 provides RACI charts (who is Responsible, Accountable, Consulted and Informed) to address process roles and responsibilities for each IT process, and enterprise architecture principles are now explained within the framework, linking goals, resources, information and processes.
  • Process definitions and process flows: to improve understanding of the IT process model, COBIT® 4.0 now contains descriptions of each process together with process inputs and outputs, with cross-references to other processes.

"COBIT® Online is a web-based resource where you can browse and search the very latest best practices, download customized guidance, perform benchmarking and more. A variety of subscription levels are available, each allowing different amounts and types of access and functionality. ISACA membership provides for Basic access rights and discounts on purchasing Full access."

Resources and Publications on Internal Audit:


Excellence takes teams, time and money:   Pay your dues, buy your tools, because none of us is as smart as all of us...

Leading IIA Guidance Reports, Papers, and Publications:

Some of these links require an IIA member login and will not work if you are not a member of the IIA.

Good stuff:

...more links in the security and IT resources section

Special thanks to Bruce I. Winters for his article "Compliance: Choose the Right Tools for Internal Control Reporting" (New federal regulations require public companies to assess the effectiveness of their internal control structure and financial reporting procedures. Complex software is essential to such analysis. Here’s how to determine what kind is needed and how it should link to—or replace—a company’s existing systems.), and to Dan Swanson of the ISACA List Serve Community.  Special thanks also to the IIA and, again especially, to Dan Swanson, CIA, CMA, CISA, CISSP, CAP, who coauthored with others mentioned on every page of this site over his long and productive career as Director of Professional Practices at The Institute of Internal Auditors.  He frequently writes on IT audit, IT security, and various management practices.  He is a past Winnipeg chapter president for both The IIA and ISACA and chaired ISACA International's publication committee for two years.  Swanson has also been on the Board of Directors of The IIA.


ITGI is a not-for-profit research organization affiliated with the Information Systems Audit and Control Association® (ISACA®), a global not-for-profit professional membership organization focused on IT governance, assurance and security, with more than 47,000 members in more than 140 countries. ITGI undertakes research and publishes COBIT®, an open standard and framework of controls and best practice for IT governance. www.itgi.org

The following text is directly quoted from ITGI, starting at page 6 of "Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit", © ITGI 2005:

OGC is a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL® (IT service management). ITIL® is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management. www.ogc.gov.uk


Logos belong to affiliated organizations and indicate PB&SP support and sponsorship/membership.  Use of logos is based on written agreement with the third party.  They are not meant to imply ownership, creation or collaboration in any product.  We stand behind experience and consensus among our clients to suggest these highlighted products / organizations are the best audit and compliance resources in the world.  We are not paid to advertise and we do not sell software.  We stand behind their greatness because we witness their results.


Headlines

Failure to report fraud implicates you in the crime

COBIT® 4.0: Complimentary Webcast: Major Update to International Standard Helps Businesses Increase IT Value, Decrease Risk

Secure Cyberspace

Watts Humphrey on Software Quality

ISACA Journal on Standards Convergence

ISACA's standards, guidelines and procedures, issued in 2005 by the Standards Board of the Information Systems Audit and Control Association

IT Governance: Business in the Driver's Seat - MKS is selected by BNSF as a primary compliance tool

The need for independent detective controls within Change/Configuration Management

Proving Control of the Infrastructure: Tripwire

"Operational Excellence: Linking Your Business, Compliance, Operations and Security"

OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.

Samspade.org

Application Lifecycle Framework offers 'no problem' for local developers: Serena in New Zealand

COSO Guidance for Small Businesses: new publication, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting. This guidance, which serves as a supplement to COSO’s Internal Control — Integrated Framework, originally published in 1992, focuses on the unique needs of smaller public companies in regard to compliance with Sarbanes-Oxley (SOX) section 404.

How Does Straight Through Reporting Impact You? © 2002-2005 PricewaterhouseCoopers. Contact: Mike Willis, Global Lead Partner

BPEL (Business Process Execution Language) is the path to implementing compliance and SOA

COBIT® University

An Introduction to Visible Ops

ITSM Best Practices Online™


Specialized Industry Focus Products, Leveraging Finance and Health Industry Models
