Information Technology Audits Are Priority for Small Business Owners

Small businesses, whether public companies gearing up for Sarbanes-Oxley (SOX) compliance or privately held companies responding to customers' demands for secure storage of personal data, are hiring internal Information Technology (IT) auditors in record numbers, according to networkworld.com. Internal and external auditors and security-focused IT personnel are also working together to meet their goals.


Alex Bakman, CEO of Ecora Software Corp. in Portsmouth, N.H., suggests five steps that information technology personnel should follow when preparing for a SOX audit, according to SearchWinIT.com:

  1. Select a set of controls and test them repeatedly.

  2. Develop a sound password policy. This covers password duration and password aging (expiration) rules.

  3. Review permissions.

  4. Validate access control lists.

  5. Plug database holes.
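
Step 1 asks for a set of controls that can be tested repeatedly, and steps 2 through 4 name the controls: password aging, permissions and access control lists. The script below is an added example, not code from the article, from Ecora Software or from the sites it cites. It turns those steps into one re-runnable test over a constructed /etc/login.defs-style password policy and a constructed file-permission inventory, so the same evidence is produced the same way before every audit. The thresholds (an eight-character minimum, a 90-day maximum age, a one-day minimum age) and all sample data are assumptions chosen for illustration.

```python
"""Repeatable control test for the password-policy and permissions steps.

Added example; not code from the article, from Ecora Software or from
SearchWinIT.com. Parses a constructed /etc/login.defs-style file and a
constructed permissions inventory and reports which controls pass or fail.
All thresholds and sample data below are assumptions for illustration.
"""
import re
import stat
from dataclasses import dataclass

# Assumed thresholds (not from the article): the eight-character minimum an
# auditor might ask about, plus a 90-day maximum and 1-day minimum password age.
MIN_LENGTH = 8
MAX_DAYS = 90
MIN_DAYS = 1

# Constructed sample of a weak login.defs-style configuration.
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999   # never expires
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""


def parse_login_defs(text):
    """Return {SETTING: int} for PASS_* lines, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(PASS_\w+)\s+(\d+)$", line)
        if match:
            settings[match.group(1)] = int(match.group(2))
    return settings


def check_password_policy(settings):
    """Test the aging/length control. Returns [(control, passed, detail), ...]."""
    def result(name, key, ok):
        value = settings.get(key)
        # A missing setting fails: the control cannot be evidenced.
        passed = value is not None and ok(value)
        return (name, passed, f"{key}={value}")

    return [
        result(f"max age <= {MAX_DAYS} days", "PASS_MAX_DAYS", lambda v: v <= MAX_DAYS),
        result(f"min age >= {MIN_DAYS} day", "PASS_MIN_DAYS", lambda v: v >= MIN_DAYS),
        result(f"min length >= {MIN_LENGTH}", "PASS_MIN_LEN", lambda v: v >= MIN_LENGTH),
    ]


@dataclass
class FileEntry:
    """One row of a permissions inventory: path, full st_mode bits, owner."""
    path: str
    mode: int
    owner: str


# Constructed inventory; a real run would build it from os.lstat() over a tree.
SAMPLE_FILES = [
    FileEntry("/etc/passwd", 0o100644, "root"),
    FileEntry("/etc/shadow", 0o100640, "root"),
    FileEntry("/var/app/ledger.db", 0o100666, "app"),      # world-writable
    FileEntry("/usr/local/bin/backup", 0o104755, "app"),   # setuid, not root-owned
    FileEntry("/home/alice/notes.txt", 0o100600, "alice"),
]


def review_permissions(entries):
    """Flag world-writable files and setuid executables not owned by root."""
    findings = []
    for entry in entries:
        if entry.mode & stat.S_IWOTH:
            findings.append((entry.path, "world-writable"))
        if entry.mode & stat.S_ISUID and entry.owner != "root":
            findings.append((entry.path, "setuid binary owned by non-root user"))
    return findings


def run_controls(login_defs_text=SAMPLE_LOGIN_DEFS, files=SAMPLE_FILES):
    """Run both control tests; 'passed' means every control produced clean evidence."""
    policy = check_password_policy(parse_login_defs(login_defs_text))
    findings = review_permissions(files)
    return {
        "password_policy": policy,
        "permission_findings": findings,
        "passed": all(ok for _, ok, _ in policy) and not findings,
    }


if __name__ == "__main__":
    report = run_controls()
    for name, ok, detail in report["password_policy"]:
        print(f"[{'PASS' if ok else 'FAIL'}] {name} ({detail})")
    for path, issue in report["permission_findings"]:
        print(f"[FAIL] {path}: {issue}")
    print("overall:", "PASS" if report["passed"] else "FAIL")
```

Run as a script it prints one pass/fail line per control; with the constructed sample every control fails, which is the point of running the test before the auditor does. Two caveats for a real host: the inventory should come from os.lstat() over the directories in scope, and on PAM-based systems minimum length is usually enforced by pam_pwquality rather than PASS_MIN_LEN, so that check needs to read the PAM configuration as well.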

Some IT security professionals have complained that audit compliance complicates their jobs, SearchSecurity.com reports, and security teams and audit teams often have an adversarial relationship. Trent Henry, senior analyst at Burton Group in Midvale, Utah, told attendees at the firm's Catalyst Conference earlier this month that security professionals need to spend time with internal and external auditors and get to know their needs.

An auditor may ask whether passwords are eight characters long, for example, Henry said, a question that sounds simplistic if the company already uses strong authentication. But IT security teams may also be using audit compliance as an excuse to justify pet projects like encryption, he said, SearchSecurity.com reports.

Auditors will be looking at fundamentals like segregation of duties, change control, access and records retention, Henry said, but they will also want to know if a security policy is kept up-to-date.

At the same time, auditors need to meet IT professionals halfway on the subject of security. "It's not just about their methodology," Henry said, according to SearchSecurity.com.

Small companies called upon to meet the Payment Card Industry (PCI) Data Security Standard may also need help from IT auditors. To obtain a compliance certificate, companies processing fewer than 6,000,000 transactions a year may perform a self-assessment annually and "can employ the services of an internal auditor or information security team," Jason Chan, security manager with Symantec Advisory Services, told ITAudit.com. The merchant submits the completed self-assessment to its acquirer, the financial institution that enables it to accept payment cards, which then certifies the company as PCI compliant.
