Wednesday, February 27, 2013

Craft Beer

Posted by EYHokie


An article on CNN Money about craft beer got me wondering, what’s the risk for craft breweries?

Protection of storage
As the beer is being made, the vats of beer must be secured. Contaminants introduced into the product can and likely will have a big impact on taste and longevity.

Length of storage
How long can beer sit in storage? That I am not sure of. Regardless, inventory must be tracked and the storage date should always be known. LIFO? FIFO?

Transportation of goods
In the beginning, control of goods is very important. The company cannot lose product when its volume is low. Do you keep shipment in-house? Do you work with a distributor that will carry your inventory? I would imagine that as you grow you will have to work with a distributor.

Lack of back-office expertise
The brew master is likely a dreamer. As I’ve seen on Shark Tank several times, the investors are willing to invest in the product with the caveat that an MBA be hired to direct the company. I know, an MBA is not required, but you at least know they have the training.

Inadequate software (GL package)
Similar to the above, how much was invested in their GL package? A brewer may think that tracking the finances does little to get the product on the street. Their goal is to make a good product and get it into restaurants and grocery stores. Spending on back-office software may not appear important. Even if the spend is not, adequate software is.

In the 10 minutes I have, I’ve created the short list above. 


Tuesday, February 26, 2013

System Accounts

Posted by EYHokie


What do I find to be one of the biggest misses in companies today? 

The biggest issue is controlling system accounts. How can a company control an account that is not tied back to an individual user? Likely, for ease of management, passwords are the same across all system accounts with the same naming convention. For example, Windows has a built-in administrator account called “BUILTIN\Administrator.” Depending on the size of the company, it may be easiest for the IT department to use the same password on all servers for this account. They’ve changed it from the default, so they feel good about the control. Well, as Microsoft points out, once a hacker gets control of the password they now have control of every Windows server. My point, though, is not a discussion about hacking. Rather, my point is about controlling the activity run under these types of accounts.

The easiest way I can see to control the account is to control the password. Give one person, typically in a leadership role, ownership of the password. They are responsible for logging into the system and changing the password. Therefore, the manager knows exactly who has used the account. However, the concern remains that the manager knows who used the account but not what they did with it. In a mid-size company, this may not be feasible. The password may need to be distributed to associates from time to time. It is the responsibility of the manager to change the password periodically. How often is up for debate. If one associate is on-call for a week, the manager changes the password at the beginning of the next week. Again, this only controls the who, not the what. I am sure there are logging tools available on the market for tracking the activity. If the tool and the password control were put together, there would be a reasonable assessment of the who and the what.

How does audit fit into the picture? In a mid-sized company with limited resources, we are going to have to rely on the password controls. The company likely does not have the resources, financial or FTEs, to log and review all activity. Faith in associates becomes critical. The system can provide some comfort if the last password change date is available. Entity-level controls may provide additional comfort. Are the IT associates properly trained? Is there a password policy that requires system account passwords to be changed periodically? Are background checks performed for new hires? While these are entity-level controls, they do start to describe the culture of the company.
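As an added example (not from this post), a small Python audit script that does what the two paragraphs above describe: it joins a constructed custody register (who the manager issued the shared BUILTIN\Administrator password to, and when it was rotated) to a constructed activity log, giving a "who" for each "what", and it checks the rotation dates against an assumed weekly policy. The record formats, server names and associate names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed custody register (sample data, not from any real system): the
# date the manager rotated the shared BUILTIN\Administrator password and the
# on-call associate who was issued the new password.
CUSTODY = [
    ("2013-02-04", "alice"),
    ("2013-02-11", "bob"),
    ("2013-02-18", "carol"),
]
# Constructed activity records for the shared account, as a logging tool might
# record them: timestamp, server, action. No person is attached (the "what").
ACTIVITY = [
    ("2013-02-05 09:12", "SRV01", "service restarted"),
    ("2013-02-13 22:40", "SRV02", "firewall rule changed"),
    ("2013-02-20 03:15", "SRV01", "local user added"),
    ("2013-03-05 10:00", "SRV03", "firewall rule changed"),
]
ROTATION_PERIOD = timedelta(days=7)  # assumed policy: rotate weekly

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def custodian_at(when, custody=CUSTODY):
    """Return (holder, rotation date) in force at `when`, or (None, None)."""
    holder, since = None, None
    for date, person in sorted(custody):
        if _day(date) <= when:
            holder, since = person, _day(date)
    return holder, since

def attribute(activity=ACTIVITY, custody=CUSTODY, period=ROTATION_PERIOD):
    """Join the activity log (the 'what') to the custody register (the 'who').
    Use of a password older than the rotation period is flagged as overdue."""
    rows = []
    for ts, server, action in activity:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        who, since = custodian_at(when, custody)
        age = (when - since).days if since else None
        rows.append({"when": ts, "server": server, "action": action,
                     "who": who, "password_age_days": age,
                     "overdue": age is None or age > period.days})
    return rows

def rotation_gaps(custody=CUSTODY, period=ROTATION_PERIOD, as_of="2013-03-05"):
    """Audit check: rotation intervals longer than the policy period, as
    (from, to, days). The last interval runs up to the review date."""
    dates = sorted(_day(d) for d, _ in custody) + [_day(as_of)]
    return [(a.date().isoformat(), b.date().isoformat(), (b - a).days)
            for a, b in zip(dates, dates[1:]) if b - a > period]
```

Activity with no custodian on record (before the first issue date) is attributed to nobody and flagged, which is the case an auditor would want to see surfaced.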



Monday, February 25, 2013

Employee Access - Facebook

Posted by EYHokie

I did a quick search for "security breach" and up came an article about Apple getting hacked. In reading through the article, I came across a link to a Facebook post. It looks like there has been a string of high-profile companies that have gotten hacked recently.

The article talks about how Facebook employees went to a website with malware. That got me thinking! How do you control employees from an audit standpoint?

As an industry, there has been a push to move towards a risk-based approach. What does that mean? For me, I believe there are several ways to look at this. My initial reaction is to approach the issue from a financial standpoint. For some companies there may be areas of the business that are just as important (e.g. customer information, credit card information, health care information, proprietary data, etc.). To focus solely on the financials (the GL package and the systems feeding it) may not be enough. I hope you have already scoped out the areas of focus.

Let's stick with financials first, since Facebook has already had issues (on Wall Street) with that. Though I will say, they have a pretty sweet gig with paying no taxes. I believe a malware virus can hit Facebook and, without knowing their accounting structure, it should have little financial reporting impact.

Sure. As IT auditors we want to dive into all the IT controls that need to be in place in the application and the database. However, let's take into consideration the bigger picture. What's the potential risk? Ultimately it is the risk that the 10-K filing is inaccurate. Is that possible from a malware virus? I suppose anything is possible, but not likely. Why? The accounting department must have strong manual controls in place. We are not in a state where the accounting department can step completely away from manual controls. There should still be monthly account reconciliations at a minimum.

Do I think Facebook faced a big risk? Absolutely. Did they face a financial risk? Probably not. Should they work to control (either systematically or via policies/training) the websites their employees visit? Absolutely.

http://www.fastcompany.com/3005987/fast-feed/facebook-says-it-was-target-sophisticated-attack
http://www.wsav.com/story/21140135/facebook-stock-slides-after-analysts-downgrades
http://www.forbes.com/sites/robertwood/2013/02/19/tax-increases-why-facebooks-billion-dollar-income-isnt-taxed-at-all-by-irs/


Mid-term Exam

Posted by EYHokie

Tonight is the Spring 2013 class's mid-term exam. I am very excited for the students. I know this is a hard exam, but it should really show them what they have learned. My exam is very open-ended, so they have a lot of room to share their thoughts with me. I want to know they have learned something.

Good luck!

