Information Technology Audits Are Priority for Small Business Owners

Small businesses, whether public companies gearing up for Sarbanes-Oxley (SOX) compliance or privately held companies responding to customers’ demands for secure storage of personal data, are hiring internal Information Technology (IT) auditors in record numbers, according to networkworld.com. Internal and external auditors and security-focused IT personnel are also working together to meet their goals.


Alex Bakman, CEO of Ecora Software Corp. in Portsmouth, N.H., suggests five steps that information technology personnel should follow when preparing for a SOX audit, according to SearchWinIT.com:

  1. Select a set of controls – and test repeatedly.

  2. Develop a sound password policy. This involves password duration and password aging policies.

  3. Review permissions.

  4. Validate access control lists.

  5. Plug database holes.

Some IT security professionals have complained that audit compliance complicates their jobs, SearchSecurity.com reports, and security teams and audit teams often have an adversarial relationship. Trent Henry, senior analyst at Burton Group, Midvale, Utah, told attendees at the firm's Catalyst Conference earlier this month that security professionals need to spend time with internal and external auditors and get to know their needs.

An auditor may ask if passwords are eight characters long, for example, Henry said, which sounds simplistic if the company uses strong authentication. But IT security teams may be using audit compliance as an excuse to justify pet projects like encryption, he said, SearchSecurity.com reports.

Auditors will be looking at fundamentals like segregation of duties, change control, access and records retention, Henry said, but they will also want to know if a security policy is kept up-to-date.

At the same time, auditors need to meet IT professionals halfway on the subject of security. “It’s not just about their methodology,” Henry said, according to SearchSecurity.com.

Small companies called upon to meet the Payment Card Industry (PCI) Data Security Standard may also need help from information technology auditors. To obtain a compliance certificate, companies processing fewer than 6,000,000 transactions a year may perform a self-assessment annually, and “can employ the services of an internal auditor or information security team,” Jason Chan, security manager with Symantec Advisory Services, told ITAudit.com. The merchant submits the completed self-assessment to the financial institution that enables companies to accept payment cards and certifies the company as PCI compliant.
