Category: Regulations

“These controls and suggested tests are generic and should apply to all systems,” says Heriot Prentice, director of technology practices at the IIA in Altamonte Springs, Fla.

For one, all transactional systems such as ERP and financial systems–as well as support applications such as e-mail programs and design software–pose risks stemming from how they are configured, managed and used by employees. Another reason for regular audits and tests of software controls is that any configuration changes or modifications to business applications can introduce additional risk. For instance, tolerance levels can be manipulated to disable controls.

For this reason, the GTAG guidance recommends that auditors should be part of any software-implementation or upgrade team to ensure controls are in place and working. Prentice recommends that companies make their software-control audits a joint effort involving the chief internal auditor, the CFO and the CIO. “One of the biggest issues I’ve found when it comes to I.T. is that the chief audit officer or the CFO in many cases may not understand the technology, while at the same time, the CIO may not understand the auditors’ needs,” he says.

Software controls are used to monitor a variety of aspects of the application, including input, processing, output and data integrity, as well as data storage and retrieval. Some controls are embedded into transactional and support applications, such as an automated accounts-payable match of invoice with purchase order and notice of receipt of shipment. Other controls are configurable, such as an accounts-payable system’s limit on the amount of an invoice that can be processed without certain approvals.

Management trail—Processing-history controls, often called an audit trail, allow management to identify the transactions and events they record by tracking each transaction from the source to the output and by tracing backward.

http://www.baselinemag.com/article2/0,1397,2143482,00.asp?kc=BARSS02129TX1K0000533

A group of Web sites, including Google and CNET Networks, that rely on interactive advertising have lobbied for nearly a dozen changes (PDF) to the bill.

The Information Technology Association of America, the American Bankers Association and the Interactive Advertising Bureau have all favored the I-SPY Act over the SPY Act, stated an CNET News.com article.

http://www.securityfocus.com/brief/519?ref=rss

“If it passes, it will allow companies and auditors to worry more about the things that matter when it comes to financial fraud,” says Patrick Taylor, CEO of Oversight, which makes software for analyzing the accuracy and security of financial transactions. Companies will be able to focus their attention on the more common paths to fraud, such as changes to the general ledger and revenue recognition, and not worry about unlikely paths, like backup.”

The chief problem is that the law, which is designed to keep public companies from cooking their own books, is extremely vague in its requirements, particularly with regard to IT. “For example, the current guidelines require the auditor do a walk-through of every transaction path that might result in a change to financial data,” says Davis. “In a large company, you can imagine how many transaction paths there are.”

But the PCAOB’s proposed changes to the audit standards would allow companies to perform a risk assessment of their systems and practices, and then focus their efforts on the most likely paths of financial fraud, instead of trying to close every possible loophole. “Those are going to be changes that somebody makes to the general ledger, which are relatively easy to detect. “That’s the kind of thing that could make the difference between an audit lasting two weeks or lasting two months,” Davis says.

http://www.darkreading.com/document.asp?doc_id=124538&WT.svl=news1_1

Employee communications are also covered by human rights legislation if the organization has no explicit acceptable-use policy and fails to inform employees of the monitoring of personal e-mail.

Privacy experts at law firm Pinsent Masons, based in London, said that although businesses now have clear guidance for monitoring work communications under the Regulation of Investigatory Powers Act 2000, personal communications at work may be protected by the European Convention on Human Rights, and the Human Rights Act 1998.

“The lawful business practice regulations allow an employer to monitor and intercept business communications, so the court is implying that private use of a telecommunications system, assuming it is authorized via an acceptable-use policy, can be protected (by human rights legislation),” said Chris Pounder, a privacy specialist. “The ruling is important in that it reinforces the need for a statutory basis for any interference with respect to private use of a telecommunications system by an employee,” Pounder added. The college had no policy in place at the time informing employees that their communications might be monitored.

“According to the court’s case-law, telephone calls from business premises are prima facie covered by the notions of ‘private life’ and ‘correspondence’ for the purposes of Article 8,” said the court’s ruling.

http://news.com.com/E-mail+monitoring+may+violate+European+laws/2100-7348_3-6175495.html?tag=nefd.top

The internet is strictly monitored and censored in Saudi Arabia, with online pornographic material and politically themed websites blocked from public viewing.

While the cabinet passed the proposal, the king must give the final approval.

http://tech.monstersandcritics.com/news/article_1283704.php/Saudi_government_gets_tough_on_cybercrime_and_criminals

This move by the Swedish government follows several well-publicized incidents in 2006 when government and police websites were brought down by DoS attacks.

Up until now Sweden had no laws that specifically addressed DoS attacks, but a new draft amendment to hacking laws proposed by the government this week would punish such offences by a maximum of 2 years in jail.

Last summer’s incidents with the government and police sites have gone unpunished because the authorities could not prove who the perpetrators were, even though there was speculation that these attacks were related to raids on prominent pirate exchange site The Pirate Bay.

http://www.viruslist.com/en/news?id=208274043