Information Technology Audits Are Priority for Small Business Owners

Small businesses, whether public companies gearing up for Sarbanes-Oxley (SOX) compliance or privately held companies responding to customers’ demands for secure storage of personal data, are hiring internal Information Technology (IT) auditors in record numbers, according to networkworld.com. Internal and external auditors and security-focused IT personnel are also increasingly working together to meet their goals.

Alex Bakman, CEO of Ecora Software Corp. in Portsmouth, N.H., suggests five steps that information technology personnel should follow when preparing for a SOX audit, according to SearchWinIT.com:

  1. Select a set of controls – and test repeatedly.

  2. Develop a sound password policy. This covers password duration (how long a password may remain in use) and password aging (forcing a change once that limit is reached).

  3. Review permissions.

  4. Validate access control lists.

  5. Plug database holes.
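The first four steps, and the segregation-of-duties and access fundamentals auditors raise later in the article, come down to controls that can be written down once and re-run before every audit. The script below is an added example written for this article, not Ecora's or Burton Group's tooling: it encodes a small control set (password aging, minimum length, segregation of duties, and an ACL check for overly broad grants) as plain functions over constructed sample data. The account and ACL records, the policy thresholds (90-day aging, eight-character minimum), the group names, and the audit date are all assumptions chosen to illustrate the checks.

```python
"""Repeatable control tests for a SOX-style IT audit (added example).

The records and policy values below are constructed sample data, not an
export from any real system or a requirement of the SOX standard.
"""
from datetime import date, timedelta

# Constructed sample: one row per account from an imaginary directory export.
ACCOUNTS = [
    {"user": "alice",  "pw_changed": date(2024, 1, 5),  "pw_min_len": 12, "groups": {"finance-ap"}},
    {"user": "bob",    "pw_changed": date(2023, 8, 1),  "pw_min_len": 12, "groups": {"finance-ap", "finance-approve"}},
    {"user": "svc-db", "pw_changed": date(2022, 2, 1),  "pw_min_len": 6,  "groups": {"dba"}},
    {"user": "carol",  "pw_changed": date(2024, 2, 20), "pw_min_len": 12, "groups": {"auditor"}},
]

# Constructed sample ACL: (resource, principal, permission).
ACL = [
    ("gl-ledger-db",  "finance-ap",      "read"),
    ("gl-ledger-db",  "dba",             "admin"),
    ("gl-ledger-db",  "Everyone",        "write"),  # the kind of entry an auditor will flag
    ("payroll-share", "finance-approve", "read"),
    ("payroll-share", "auditor",         "read"),
]

# Assumed policy thresholds; adjust to the organisation's written policy.
POLICY = {
    "max_password_age_days": 90,
    "min_password_length": 8,
    "forbidden_principals": {"Everyone", "Authenticated Users"},
    # Group pairs one person must never hold together (segregation of duties):
    # here, entering payables and approving them.
    "conflicting_groups": [("finance-ap", "finance-approve")],
}

AS_OF = date(2024, 3, 1)  # fixed audit date so the run is reproducible


def stale_passwords(accounts, policy, as_of):
    """Accounts whose password is older than the aging limit."""
    limit = timedelta(days=policy["max_password_age_days"])
    return sorted(a["user"] for a in accounts if as_of - a["pw_changed"] > limit)


def weak_length_policy(accounts, policy):
    """Accounts whose enforced minimum length is below policy."""
    return sorted(a["user"] for a in accounts
                  if a["pw_min_len"] < policy["min_password_length"])


def sod_violations(accounts, policy):
    """(user, group1, group2) for every conflicting pair a user holds."""
    found = []
    for a in accounts:
        for g1, g2 in policy["conflicting_groups"]:
            if g1 in a["groups"] and g2 in a["groups"]:
                found.append((a["user"], g1, g2))
    return found


def acl_findings(acl, policy):
    """ACL entries granted to principals that should never appear."""
    return [(r, p, perm) for r, p, perm in acl if p in policy["forbidden_principals"]]


def run_controls(accounts=ACCOUNTS, acl=ACL, policy=POLICY, as_of=AS_OF):
    """Run every control; returns findings keyed by control id (empty list = pass)."""
    return {
        "PW-01 password aging":        stale_passwords(accounts, policy, as_of),
        "PW-02 minimum length":        weak_length_policy(accounts, policy),
        "AC-01 segregation of duties": sod_violations(accounts, policy),
        "AC-02 broad ACL grants":      acl_findings(acl, policy),
    }


def passed(findings):
    """True only when no control produced a finding."""
    return all(not items for items in findings.values())


if __name__ == "__main__":
    for control, items in run_controls().items():
        print(f"{control}: {'PASS' if not items else f'FAIL ({len(items)})'}")
        for item in items:
            print("    ", item)
```

Because each control is a pure function over an exported inventory, the same script can be run on each scheduled test and its output retained as evidence, which is what "select a set of controls and test repeatedly" asks for. In practice the sample lists would be replaced by an export from the directory and from the database or file server's ACLs.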

Some IT security professionals have complained that audit compliance complicates their jobs, SearchSecurity.com reports, and security teams and audit teams often have an adversarial relationship. Trent Henry, senior analyst at Burton Group of Midvale, Utah, told attendees at Burton Group's Catalyst Conference earlier this month that security professionals need to spend time with internal and external auditors and get to know their needs.

An auditor may ask whether passwords are at least eight characters long, for example, Henry said, which sounds simplistic if the company already uses strong authentication. At the same time, IT security teams may be using audit compliance as an excuse to justify pet projects like encryption, he said, SearchSecurity.com reports.

Auditors will be looking at fundamentals like segregation of duties, change control, access and records retention, Henry said, but they will also want to know if a security policy is kept up-to-date.

At the same time, auditors need to meet IT professionals halfway on the subject of security. “It’s not just about their methodology,” Henry said, according to SearchSecurity.com.

Small companies called upon to meet the Payment Card Industry (PCI) Data Security Standard may also need help from information technology auditors. To obtain a compliance certificate, companies processing fewer than 6,000,000 transactions a year may perform a self-assessment annually, and “can employ the services of an internal auditor or information security team,” Jason Chan, security manager with Symantec Advisory Services, told ITAudit.com. The merchant submits the completed self-assessment to its acquiring bank, the financial institution that enables it to accept payment cards, which then certifies the company as PCI compliant.
