Monday, September 9, 2013

Finished.

Posted by EYHokie

I'm finished with the case with Sweet Mondays. It never really went anywhere. I had to meet with the husband to get a non-emotional view of the company. The lady was over the top. My concern though is the guy wasn't really involved. I hoped he was the backbone but my fear is that he wasn't.  Oh well. I tried to get together with him several times and it never worked out. I'm dropping it for now.

I hope to pick the idea back up.


Friday, July 19, 2013

ITSecurity Blog - 10 Reasons to be an IT Auditor

Posted by EYHokie

Robert just sent me this link:  http://itauditsecurity.wordpress.com/2012/10/02/top-10-it-auditor/#more-4238 


10. You have access to all systems, data, and people (with a business reason, of course). Employees rarely ignore you.

9. You can uncover fraud, mischief, ignorance, and just plain laziness. Either way, you “add value to the business” (yeah, I hate that term too, but it is what audit is about, and so appropriate).

8. You can work hand-in-hand with security to raise risk awareness.

7. You get a broad overview of all company operations and get to know people in all departments. That helps you know whether you want to stay with that company or whether to leave it before it implodes. If you choose to stay, all those contacts will be valuable in advancing into other areas of the company.

6. Sometimes your work enables IT to get the funding that it needs, which it hasn’t been able to get on its own.

5. You get to do some cool data analytics to discover misconfigurations, anomalies, trends, and more.

4. You can cross pollinate ideas from one area of the company to another (or one division to another).

3. You are able to constantly learn about technology without having to implement and support it. And when you identify problems, you get to provide guidance on how to fix them, but you don’t have to fix them.

2. You work with technology all day, but when you go home, your work doesn’t follow you. No phone calls at 2 a.m. for support.

1. It usually pays better than financial auditing!

I cannot tell you how many times I've used some of this when trying to pitch IT Audit to someone.


Wednesday, May 22, 2013

Where to go...

Posted by EYHokie

I've lost some excitement since my initial meeting with Look Better Than You Feel.  I think it is partly because I was sold the idea that there was no other product like this on the market.  A little research and I found out that there are many versions of the same/similar design.  One of them even had a removable pocket so that you could put it on any garment.  This seems a lot simpler given that you just have to buy the pouch and you get to keep your existing clothes.  I have no idea how well the product functions but it seems to be just as good an idea.  That being said, LBTYF is currently going after hospital relationships.  While Kim wants to take things big, it seems like her biggest market right now is the local hospitals here in Richmond.  That may be the niche that Kim needs to exploit.

From our initial conversation we learned that LBTYF is working with New Richmond Ventures. Avery has a relationship with Bob Moony, so he is trying to set up a meeting to understand their vision.  The last thing we want to do is write a case study that contradicts the advice that Bob and his team are providing.

I reached out to Kim today to find out if we could meet with her husband.  I am curious what his thoughts are.  Kim is very passionate and I want to know where her husband is coming from.  What does he want?  How does he play into the finances of the company?  I have high hopes, though I hope not too high, of getting the business side and the practical day-to-day version of the company.  I need more than the excited sales pitch that we were given in our first meeting.

Avery and I are at an initial pass.  Where to go?  We are not sure of the direction to head in.  Right now, there are 3 options on the table.  1. (most likely) Pitch the question of whether she should or should not move into and invest heavily in social media.  2. With so much on her plate, how does a dreamer focus their dreams and make them become a reality?  3. Go in a completely different direction and ask NRV if we can build a case around them.  How/why invest local?

I took a quick look through HBR and didn't really see anything suggesting a company not move into the social media space.  Does everyone need to?  Does LBTYF need to?  If relationships are currently being built with local hospitals, does social media get you anywhere?  Is the investment in time going to drive sales?


Friday, May 3, 2013

Initial Meeting

Posted by EYHokie


Avery and I met with Kim Newlen on April 26th at Baker’s Crust.  I was very excited as this is one of my favorite places in Richmond.

Avery and I met outside and walked in together.  It didn’t take long at all to see Kim.  As advertised, she wore a big pink flower on her shirt.  We had barely sat down and Kim gave us her pitch.  She showed us all of her clothes, the progression to the current style and some of her advertisements.  I felt like she was going a mile a minute and was trying to get us to invest, though I know she wasn’t.

One of the funniest moments was when she was showing off her shirts and turned around to a table behind her and told them she was a breast cancer survivor and she was sharing with us her clothing line.  Personally, I would have kept on going and not mentioned anything to the couple.

My first reaction is that she is trying to head in 10 different directions and doesn’t seem to have a plan.  I think her vision is to change hospital clothing into something fashionable and comfortable.  As a part of that she’s taking on too many different dreams and giving her product away to everyone.  We were both glad to hear that she has recently been introduced to a venture capitalist group here in Richmond.  She doesn’t seem to have much business sense so this should go a long way for her.  In my opinion, she just needs to hire a business manager to get things off the ground.  At the same time, it’s hard to say because I think she said she has been doing this for 9 years.  Here are some of the things that she has invested her time in:
- Sweet Mondays – an organization for women
- Expanding Sweet Mondays internationally
- Developing clothes for women with breast cancer
- Developing advertising material
- Developing relationships with area hospitals
- Writing a devotional book
- Exploring the idea of creating a men’s line of clothing
- Speaking engagements
- Developing a web presence
- General marketing
I can see why she hasn’t gotten anywhere in 9 years.  Well, she has made a difference in women’s lives but from a business/profitability standpoint it would seem as though she hasn’t gotten anywhere.  She needs to focus on one thing and attack it.  Once she’s built that platform, move on to another goal.


Tuesday, April 16, 2013

The Case Begins

Posted by EYHokie

I have to admit, some of the luster has worn off.  I still see the importance so I am pushing on.


Where was I going to find a willing company?  Do I just look up small businesses in the phone book and start calling?  No.  Having graduated from UR, I realized I have a great resource.  There are always companies that want to be a part of the Capstone projects.  However, we just don’t have enough students to work with every company.

I was initially given two companies to look into: Looks Better Than You Feel and RSVPHere.  I don’t want to go into the reasons I picked one or the other, but I decided to go with LBTYF as it was advertised to me.

I am going to be meeting Kim Newlen, owner, in a few weeks for lunch.  This will be my opportunity to understand her vision and hopefully start to get a framework around the learning objectives.

What do I know now?

Looks Better Than You Feel appears to be a great concept.  Women struggle in all sorts of ways as they go through cancer.  Kim is trying to provide an outlet for fashion specifically aimed at these women.  She is trying to improve the fashion of medical garments.  Who would have thought of such a niche market?  Kim Newlen.

Kim Newlen, what an amazing testament to the power of Christ in one’s life.  She and her mother both battled breast cancer.  She has been an active part of the Richmond community, bringing women together in support of each other.  Kim has been featured in several magazines and has had several public speaking engagements.  You cannot mention Kim without a reference to “Sweet Mondays,” the outreach to women in the community that she created.  You can read her story on the MD Mercy website.


Friday, April 5, 2013

Running with, not kicking, a can down the road!

Posted by EYHokie

I had intended to write part 2 but I've gone off in a different direction.  First, I'm trying to change around the look of the blog.  It's been 6+ years since I've done anything with HTML so it's taking a bit to get back into the game.

As you can see, and I have said, I'd like to work with small/mid-sized businesses at some point.  I'd rather it be sooner rather than later.  In an effort to get the ball rolling, I'm going to be writing a case study.  At the moment, I do not have a company or an idea yet.  One of my advisers suggested Look Better Than You Feel.  What a great concept for a business! Hopefully the owner is interested.

My initial thoughts are around segregation of duties in the accounting department.  For this company, I may need to move more into the risk management space.  We shall see.  I haven't even been introduced to the owner yet.

I'll keep things posted here and hopefully can continue to work on the format of the site.


Wednesday, March 20, 2013

Data (big?) part 1

Posted by EYHokie


I went to an event last night about “big data.”  Come to find out, that is the hot topic right now.  Now, I sat through an hour and 15 minutes and over 60 slides in a PowerPoint presentation about “big data.”  After that, do I know what “big data” is?  The guy took a bunch of definitions that other organizations/people have given and tore them apart.  What was his idea?  Putting the Information back in IT.  Wow.  Deep.

My best understanding at this point is taking all of the information that a company amasses and finding ways to use it.  It’s all too easy to live in a bubble and not take into consideration what other departments are doing and what data they are storing.  If we talked together as an organization, how much more could we achieve?  That will likely never happen, at least not to the fullest extent possible.

My concern with this whole idea is that we spend a bunch of time analyzing our data and forgetting our core.  When I write a research paper I spend a lot of time researching.  I often get lost in my research and forget where I was headed in the first place.  Might that happen with all the focus on “big data?”

What if I don’t have a lot of data to start off with?  Well, start with what you have.  As a small business owner, you most likely have a lot more data than you think you do.  Let’s say your business is lighting and your job is to bid on large projects.  Should you focus on every single project available?  Probably not.  That would be a waste of your time.  You will spend too much time focusing on bids you’ll likely never get.  Which projects, historically, have you won?  Start there.  What are the characteristics of those projects?  I’ll stop here with the business side.  I’m sure I could write for hours.

Now let’s start thinking of what an audit program may look like for this lighting business.

Governance:
1. Organization
   a. Is there a clear structure and are there position descriptions?
   b. What is the mission of this organization?
   c. Are they in a niche market?  Do they have a direction?
2. Talent Management – keep in mind this isn’t a large organization
   a. Are the right people hired for the right job?  Do you have qualified people making bids?
   b. For new hires, is there a mentorship program?
   c. Is there a methodology for sharing information?
   d. Is there a clear path for career progression?
As with any governance review, there are a lot more topics to cover.  Just keep in mind we are talking about small businesses so don’t go overboard.

Access: This is where it’s at.
1. Administration
   a. Who is responsible for managing the applications used for bidding?
   b. Is that person qualified?
   c. What other tasks does that person do?
2. Access to data
   a. Who has the ability to enter data?
   b. Who has the ability to change existing data?
   c. How can you change data? Is it possible?
   d. What type of application are you using to enter bid information?
3. View data (key part to consider):


Wednesday, March 13, 2013

Social Media for Small Businesses

Posted by EYHokie


Monday night we discussed auditing social media.  Our discussion (really my short lecture) covered anything from Twitter, Facebook and LinkedIn to Google Docs.  My suggested approach focused more on corporations and less on small businesses. For this post, let’s focus on the small business.

Understanding the Organization:
The first place to start should always be to understand the business and the business processes.
- What exactly does the company do?
- What is the culture like?
- What are the short and long-term goals?
- What is the company structure?
- What social media formats are being used?
- How do they align with the company goals/direction?

Understand the Business Unit
Now that you have an overall understanding of the organization, it’s important to understand the business units. Here we are taking one step closer to the business processes.
- What is the breakdown of the organization (structurally) by department?
- What are the department’s goals?
- How do they align with the company’s short and long-term goals?
- What does the business unit do?  How do they fit into the organization?

Understand the Business Processes
This can be a difficult piece to understand.  Above we explored the organization and then dove into a specific business unit.  We know what the groups do at a high level but what does the day to day look like?  This will take some skill.  We want to get enough detail that we can identify what can go wrong with the business processes.  At the same time, we don’t want to get stuck in the details.  The conversation should be open-ended.  Repeating your understanding or drawing pictures is a great way to feel comfortable that you can speak to the department at a later date.

Porter’s Five Forces[1]
Why analyze the industry?  To fully complete any audit, I think it is important to step away from the details and take a look at the overall industry.  We can then move into the company and then down to the business processes.   There are many sites online that can help with this step.

SWOT/TOWS Matrix
Now to understand the internal company, a SWOT analysis should be completed.  This will further give guidance on the risks the company faces.  This will also help determine how the use of social media aligns with the strengths and opportunities in the organization.  Some of the notable business risks may include:
- Disclosure of corporate assets/sensitive information
- Violation of law/regulation
- Loss of customer confidence
- Loss of reputation
- Dissemination of fake/fraudulent information

Let’s stop here.  We’ve spent a good bit of time understanding the industry, the company and the business processes.  This is a discussion on social media.  Why all the extra work?  From this point forward, we can either assume you knew all of this information or you were new to the company and needed to get a strong foundation.  By now, we’ve identified the major risks to the organization and should have determined how the use of social media fits into the organization.  If the company cannot get past this point, there is no real value in moving forward.  The company can have all the controls in the world but if it doesn’t align with the external and internal strengths, then why are they even using these tools?

Governance[2]
Surprisingly enough, Citizenship and Immigration Canada provides an interesting audit of IT governance.  Ok, surprisingly may be a push.  The following are some topics to consider:
- Policies and procedures
  - Legal counsel review of all policies
  - Personal use (social media) at work
  - Personal use (social media) outside of work.  Why care?  The image portrayed outside of the work environment can have an impact on the greater image of the company.
  - Who can use the tools for business purposes
- Strategy
  - Risk Management
    - Approval of social media projects
    - Inventory of all media outlets
  - Ongoing assessments
- People (Office Manager)
  - HR Function
    - HR review of all policies
    - Defined violation policies (up to and including termination)
  - Training and Awareness
    - Associate/contractor/customer awareness of responsibility related to social media
      - Update training/people on a regular basis.
  - Staffing
    - Evaluate staffing levels related to support
      - Internal support (IT)
      - Customer facing (marketing)
    - Background checks
    - Employment criteria
- Processes
  - Social media aligned with business/department processes
  - Brand protection
    - Protect from negative publicity
    - Response channel for negative events (Facebook account hacking, credit cards, internal data storage)
    - Consistency in branding
  - Monitoring of adverse posts/publicity
    - When identified, how is this addressed?
    - Is there a plan in place to handle such situations?
  - Access to social media data
    - Location of data (appropriateness)
    - Data encryption
    - Data classification (define the critical data)
  - Access management
    - Authorization and authentication
    - Contractor access

Technology
At this point, we should be feeling good about the company.  Now let’s take the next step into the actual technology.
- Social media technology infrastructure
  - Anti-virus software management
    - Current licenses
    - Up to date virus definitions
    - Continual monitoring for the latest virus patches
    - Update/deploy virus definitions
- Incident response
  - Handling outages when they arise
  - Timely response to customer/associate issues
- Content filtering
  - Are there limitations to content?
    - Content the associates can view at work
    - Restricted access to content (internal and customer)
  - Web browser settings
    - Cookie retention
    - Server certificates
    - HTTPS/SSL
    - Popups
    - JavaScript
- Monitor social media and effect on technology
  - Monitor key metrics
    - Align with business goals
    - Customer “hits”
    - Bandwidth
  - Processes for monitoring (incident response)
  - Involvement of key stakeholders
    - Owner/President
    - Head of IT
    - Legal Counsel (legal retainer)
    - Office Manager

As you can see there is a lot to take into consideration.  I would suggest, if there is going to be a big investment in social media, a full FTE be brought on staff to manage content.  Think of this as your marketing.  Do you have a full time marketer?  If so, social media is a clear interaction with your customer, good or bad.  Proper attention needs to be paid.

While modified, the core structure of the last half of this post was based on ISACA’s social media guidance: Strategy, People, Processes and Technology.


Tuesday, March 5, 2013

Segregation of Duties for Small Businesses

Posted by EYHokie


Small businesses, by the nature of their size, often do not have the ability/resources to fully segregate their back-office operations.  For some companies, the visionary is driving the direction of the company and controls are not at the forefront.  The objective is to grow, grow, grow.  With success, the company continues to focus on the strategy, marketing and operations.  What about the back-office? 

Upon a quick search, I found a great SOD matrix developed by the University System of Georgia.  Their definition of SOD is as follows:
“The concept of Segregation of Duties is to separate the major responsibilities of authorizing transactions, custody of assets, recording of transactions and reconciliation/verification of transactions for each business process.”[1]

A document I found from Technology Evaluation Centers Inc. has a great matrix to use[2].  Due to the size of a small business, the matrix is a bit excessive and impossible to fully implement.  Remember, we are talking about that visionary who isn’t worried about the accounting and supporting technology.  What are some of the key functions the firm should care about?  How do they handle them?  I’m going to do a bit of research and find out what some companies do.  Nothing big or formal.




[1] www.busfin.uga.edu/controller/Segregation_of_duties_matrix.xls
[2] http://blog.technologyevaluation.com/files/2008/09/sox-sod.xls


Wednesday, February 27, 2013

Craft Beer

Posted by EYHokie


An article on CNN Money about craft beer got me wondering, what’s the risk for craft breweries?

Protection of storage
As the beer is being made, the vats of beer must be secured. Contaminants introduced into the product can and likely will have a big impact on taste and longevity.

Length of storage
How long can beer sit in storage?  That I am not sure of.  Regardless, inventory must be tracked and the storage date should always be known. LIFO? FIFO?

Transportation of goods
In the beginning, control of goods is very important. The company cannot lose product when their volume is low.  Do you keep shipping in-house? Do you work with a distributor that will carry your inventory? I would imagine as you grow you will have to work with a distributor.

Lack of back-office expertise
The brew master is likely a dreamer. As I’ve seen on Shark Tank several times, the investors are willing to invest in the product with the caveat that an MBA be hired to direct the company. I know, an MBA is not required but you at least know they have the training.

Inadequate software (GL package)
Similar to above, how much was invested in their GL package? Tracking the finances does little to get the product on the street, as a brewer may think. Their goal is to make a good product and get it in restaurants and grocery stores. Spending on back-office software may not appear important.  If not the spend, at least adequate software.

In the 10 minutes I have, I’ve created the short list above. 


Tuesday, February 26, 2013

System Accounts

Posted by EYHokie


What do I find to be one of the biggest misses in companies today? 

The biggest issue is controlling system accounts.  How can a company control an account that is not tied back to an individual user?  Likely, for ease of management, passwords are the same across all system accounts with the same naming convention.  For example, Windows has a built-in administrator account called “BUILTIN\Administrator.”  Depending on the size of the company, it may be easiest for the IT department to use the same password on all servers for this account.  They’ve changed it from the default, so they feel good about the control.  Well, as Microsoft points out, once a hacker gets control of the password they now have control of every Windows server.  My point though is not a discussion about hacking.  Rather my point is around controlling the activity run under these types of accounts.

The easiest way I can see to control the account is to control the password.  Give one person, typically in a leadership role, ownership of the password.  They are responsible for logging into the system and changing the password.  Therefore, the manager knows exactly who has used the account.  However, the concern remains that the manager knows who used the account but not what they did with it.  In a mid-size company, this may not be feasible.  The password may need to be distributed to associates from time to time.  It is the responsibility of the manager to change the password periodically.  How often is up for debate.  If one associate is on-call for a week, the manager changes the password at the beginning of the next week.  Again, this only controls the who, not the what.  I am sure there are logging tools available on the market for tracking the activity.  If the tool and password control were put together there would be a reasonable assessment of the who and the what.

How does audit fit into the picture? In a mid-sized company with limited resources, we are going to have to rely on the password controls. The company likely does not have the resources, financial or FTEs, to log and review all activity.  Faith in associates becomes critical.  The system can provide some comfort if the last password change date is available.  Entity level control may provide additional comfort.  Are the IT associates properly trained? Is there a password policy that requires system account passwords to be changed periodically? Are there background checks performed for new hires? While at the entity level, they do start to describe the culture of the company.
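As an added example (my own, not part of the original post), here is the “last password change date” comfort described above turned into a small audit check: it assumes a constructed CSV export of local accounts (the fields are the ones an administrator could gather with PowerShell’s Get-LocalUser), a constructed on-call roster and an assumed 90-day policy, and flags any built-in Administrator account whose password is older than policy or was not rotated after the last completed on-call week.

```python
"""Rotation check for a shared built-in Administrator password.

Added example, not from the original post.  Assumes a constructed CSV export
of local accounts and a constructed on-call roster, and implements the rule
that the manager rotates the shared password once an on-call week ends; the
system's last-password-set date is the evidence.
"""
from __future__ import annotations

import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90      # assumed policy value
AS_OF = date(2013, 2, 26)       # assumed audit date

# Constructed sample export: one row per server/account.
ACCOUNT_EXPORT = """\
Server,Name,SID,Enabled,PasswordLastSet
FILE01,Administrator,S-1-5-21-1111-2222-3333-500,True,2013-02-25
SQL01,Administrator,S-1-5-21-4444-5555-6666-500,True,2012-10-01
WEB01,Administrator,S-1-5-21-7777-8888-9999-500,True,2013-02-04
APP01,svc_backup,S-1-5-21-1212-1313-1414-1005,True,2013-02-18
"""

# Constructed on-call roster: (associate, first day, last day).  The shared
# password is handed out for the week and must be changed once the week ends.
ONCALL_ROSTER = [
    ("alice", date(2013, 2, 4), date(2013, 2, 10)),
    ("bob", date(2013, 2, 11), date(2013, 2, 17)),
    ("carol", date(2013, 2, 18), date(2013, 2, 24)),
]


def is_builtin_admin(sid: str) -> bool:
    """The built-in Administrator account always has relative identifier 500."""
    return sid.rsplit("-", 1)[-1] == "500"


def load_accounts(text: str) -> list[dict]:
    """Parse the export into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "server": row["Server"],
            "name": row["Name"],
            "sid": row["SID"],
            "enabled": row["Enabled"] == "True",
            "password_last_set": date.fromisoformat(row["PasswordLastSet"]),
        })
    return rows


def last_completed_handoff(roster, as_of: date) -> date | None:
    """Last day of the most recent on-call week that has already ended."""
    ended = [end for _, _, end in roster if end < as_of]
    return max(ended) if ended else None


def audit_account(acct: dict, roster, as_of: date = AS_OF) -> list[str]:
    """Return the findings for one shared account (empty list means compliant)."""
    findings = []
    age = (as_of - acct["password_last_set"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password age {age}d exceeds policy maximum")
    handoff = last_completed_handoff(roster, as_of)
    # A change dated on or before the last on-call day still leaves the
    # on-call associate holding a valid password, so it does not count.
    if handoff is not None and acct["password_last_set"] <= handoff:
        findings.append(f"not rotated after on-call week ending {handoff}")
    return findings


def audit_export(text: str, roster=ONCALL_ROSTER, as_of: date = AS_OF) -> dict:
    """Map server -> findings for every enabled built-in Administrator account."""
    results = {}
    for acct in load_accounts(text):
        if not acct["enabled"] or not is_builtin_admin(acct["sid"]):
            continue  # per-user or disabled accounts are outside this check
        results[acct["server"]] = audit_account(acct, roster, as_of)
    return results
```

Pairing this output with the manager’s record of who held the password during each week gives the “who”; the “what” still needs activity logging, as the post notes.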



Monday, February 25, 2013

Employee Access - Facebook

Posted by EYHokie

I did a quick search for security breach and up came an article about Apple getting hacked.  In reading through the article, I came across a link to a Facebook post.  It looks like there has been a string of high profile companies that have gotten hacked recently.

The article talks about how Facebook employees went to a website with malware.  That got me thinking!  How do you control employees from an audit standpoint?

As an industry there has been a push to move towards a risk-based approach.  What does that mean?  For me, I believe there are several ways to look at this.  My initial reaction is to approach the issue from a financial standpoint.  For some companies there may be areas of the business that are just as important (i.e. customer information, credit card information, health care information, proprietary data, etc.).  To focus solely on the financials (GL package and those systems feeding it) may not be enough. I hope you have already scoped out the areas of focus.

Let’s stick with financials first since Facebook has already had issues (on Wall Street) with that.  Though I will say, they have a pretty sweet gig paying no taxes. I believe a malware virus can hit Facebook and, without knowing their accounting structure, should have little financial reporting impact.

Sure.  As IT auditors we want to dive into all the IT controls that need to be in place in the application and the database.  However, let’s take into consideration the bigger picture.  What’s the potential risk? Ultimately it is the risk that the 10-K filing is inaccurate.  Is that possible from a malware virus?  I suppose anything is possible, but not likely.  Why?  The accounting department must have strong manual controls in place.  We are not in a state where the accounting department can step completely away from manual controls.  There should still be monthly account reconciliations at a minimum.

Do I think Facebook faced a big risk? Absolutely.  Did they face a financial risk? Probably not. Should they work to control (either systematically or via policies/training) the websites their employees visit? Absolutely.




http://www.fastcompany.com/3005987/fast-feed/facebook-says-it-was-target-sophisticated-attack
http://www.wsav.com/story/21140135/facebook-stock-slides-after-analysts-downgrades
http://www.forbes.com/sites/robertwood/2013/02/19/tax-increases-why-facebooks-billion-dollar-income-isnt-taxed-at-all-by-irs/


Mid-term Exam

Posted by EYHokie

Tonight is the Spring 2013 class' mid-term exam.  I am very excited for the students.  I know this is a hard exam but it should really show them what they have learned.  My exam is very open ended so they have a lot of room to share with me what their thoughts are.  I want to know they have learned something.

Good luck!
