Information Technology Audits Are Priority for Small Business Owners

Small businesses, whether public companies gearing up for Sarbanes Oxley (SOX) compliance, or privately held companies responding to customers’ demands for secure storage of personal data, are hiring internal Information Technology (IT) auditors in record numbers, according to networkworld.com. Also, internal and external auditors and IT personnel focused on security are working together to meet their goals.

Alex Bakman, CEO of Ecora Software Corp. in Portsmouth N.H., suggests five steps that information technology personnel should follow when preparing for a SOX audit, according to SearchWinIT.com:

  1. Select a set of controls – and test repeatedly.

  2. Develop a sound password policy. This involves password duration and password aging policies.

  3. Review permissions.

  4. Validate access control lists.

  5. Plug database holes.
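Step 2 is the one an auditor will re-test rather than take on trust. The following script, added here as an illustration and not part of the article or of any product it mentions, re-performs the password-aging control over shadow(5)-style account records; the 90-day ceiling and the sample records are constructed assumptions, since the article names no specific thresholds.

```python
"""Password-aging control test over shadow(5)-style records.

Added example, not from the article. The policy ceiling and the sample data
are constructed; a real run would read the live account file instead.
"""
from datetime import date

EPOCH = date(1970, 1, 1)
MAX_PASSWORD_AGE_DAYS = 90  # assumed policy ceiling; the article gives no number

# Constructed shadow(5)-style lines: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
alice:$6$abc:19950:1:90:7:::
bob:$6$def:19000:0:99999:7:::
svc_backup:$6$ghi:19800:0:90:7:::
carol:!:19900:0:90:7:::
dave:$6$jkl::0:90:7:::
"""

def days_since_epoch(d: date) -> int:
    """shadow(5) stores the last-change date as days since 1970-01-01."""
    return (d - EPOCH).days

def audit_shadow(text: str, today_days: int, policy_max: int = MAX_PASSWORD_AGE_DAYS):
    """Return (account, finding) pairs for accounts that fail the aging control.

    Locked accounts (hash starting with '!' or '*') are skipped: they cannot
    log in with a password, so aging does not apply to them.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, lastchg, _min_days, max_days = line.split(":")[:5]
        if pw_hash.startswith(("!", "*")):
            continue
        if not lastchg:
            findings.append((name, "NO_CHANGE_DATE"))  # cannot prove the control ran
            continue
        # An empty or 99999 max field means the password never expires.
        effective_max = int(max_days) if max_days else 99999
        if effective_max > policy_max:
            findings.append((name, "MAX_AGE_TOO_LARGE"))
        if today_days - int(lastchg) > policy_max:
            findings.append((name, "PASSWORD_STALE"))
    return findings

def run_sample():
    """Audit the constructed sample as of day 20000 (early October 2024)."""
    return audit_shadow(SAMPLE_SHADOW, today_days=20000)
```

Each finding maps to evidence an auditor can file: the account, and which part of the aging control it fails.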

Some IT security professionals have complained that audit compliance complicates their jobs, SearchSecurity.com reports, and security teams and audit teams often have an adversarial relationship. Trent Henry, senior analyst at Burton Group, Midvale, Utah, told attendees at their Catalyst Conference earlier this month that security professionals need to spend time with internal and external auditors and get to know their needs.

An auditor may ask if passwords are eight characters long, for example, Henry said, which sounds simplistic if the company uses strong authentication. But IT security teams may be using audit compliance as an excuse to justify pet projects like encryption, he said, SearchSecurity.com reports.

Auditors will be looking at fundamentals like segregation of duties, change control, access and records retention, Henry said, but they will also want to know if a security policy is kept up-to-date.

At the same time, auditors need to meet IT professionals halfway on the subject of security. “It’s not just about their methodology,” Henry said, according to SearchSecurity.com.

Small companies called upon to meet the Payment Card Industry (PCI) Data Security Standard may also need help from information technology auditors. To obtain a compliance certificate, companies processing fewer than 6,000,000 transactions a year may perform a self-assessment annually, and “can employ the services of an internal auditor or information security team,” Jason Chan, security manager with Symantec Advisory Services told ITAudit.com. The merchant submits the completed self-assessment to the financial institution that enables companies to accept payment cards and certifies the company as PCI compliant.
