Friday, 30 September 2011

An Auditor's Report Investors Can Trust

In the spring of 2001, I heard a poignant requiem pronounced for the ability of the large accounting firms to survive in their present form. A senior managing partner for one of the now-surviving Big Four firms - a man given to neither overstatement nor irony - said to me, with a father's considerable pride, that he had achieved his wish for his two grown children: that neither was electing to follow his footsteps into public accountancy. With hindsight, this statement is extraordinary less for its content than for its timing. This was months before the explosion of Enron and the implosion of Arthur Andersen, before the proclaimed crisis of corporate governance and the legislative overreaction it spawned. Yet even then, the lions of the accounting profession were having grave self-doubts about their own viability.

It was clear to me then, and even clearer now, that the reason for this partner's malaise lies in deep-seated pessimism about the real value of the statutory auditor's statement - a dinosaur of a document that offers neither the reassurance nor the early warning that investors and regulators profess to need.

What is remarkable in this environment is the complete absence of debate or even contemplation of "the day after." What happens if, or when, the audit report as it has been known since early in the last century is no longer available?

Nothing. And here is why:

Imagine a late-winter morning after the deadline for the filing of annual accounts for the preceding year - perhaps early March 2004. The Big Four have quit or been driven out of the business of issuing auditors' reports under the securities laws of the world.

Of the companies in the FT-SE 100, the Nikkei stock average and the S&P 500, however, a large number - say, 50 percent - offer to their regulators and stock exchanges a report in this form:

To: The Members of the Audit Committee of Large Global Company Inc. (the Company)

The accompanying statement of financial position, results of operations and changes in financial condition of the Company, as of and for the period ended Dec. 31, 2003 (the financial statements) have been prepared by the Company, with our assistance.

So far so good.

In the opinion of the Company and its senior management, the financial statements are free of material error and are fairly stated in accordance with preferred accounting principles. These principles, based upon International Accounting Standards, may or may not be deemed "generally accepted" in the Company's headquarters country or any of the countries in which it has significant operations.

We have performed those audit procedures respecting the financial statements that we reasonably believe necessary, and in accordance with the International Statements on Auditing. On the basis of those procedures, we are of the same opinion.

Up to this point there are tweaks in emphasis, mainly for the scholars. But now buckle up.

For purposes of our procedures and opinion, items and transactions less than $xyz million, individually and in the aggregate, have been deemed not material.

We are not the Company's statutory auditor, and we are not 'independent' under the rules of the Securities Exchange Commission or any other securities regulator claiming jurisdiction over the Company and its securities. We have designed and built and currently operate the Company's systems for the recording and reporting of its transactions, for which we have been paid $xyz million in the period covered by the financial statements, pursuant to an engagement approved by the audit committee of the Company's board of directors.

Signed: Surviving Accounting Firm

And to make plain that this really is a new day, the report carries the following footnotes:

This report and opinion are available to interested persons through the Company's Web site. In accordance with the terms of access there provided, persons obtaining access to this report and opinion have agreed that we have no liability with respect thereto except upon a final determination of our knowing and willfully fraudulent conduct. Also note that, in addition to this report and opinion, we also perform certain procedures from time to time with respect to the Company's financial statements and operations, and periodically report to the Company on the results of those procedures.

Persons interested may, subject to certain limitations of liability and other conditions, have access to these reports, through the Company's Web site.

This report essentially says: "We've done the best we could, given the time and money allotted us. We're also an interested party, doing work that adds value to our report, and which you should clearly know up front. We can help you to know more. But both our undertakings and our exposure to you are strictly limited."

What would happen? The world's stock exchanges would open as usual. Oh sure, politicians and regulators would have an apoplectic moment.

However, even in these hypothetical uncharted waters, real-life markets would bump gently and speed along. Because if markets move on information and founder on obscurity, this report has the virtue of providing the first and not the second.

Jim Peterson's e-mail address is jrpllc@aol.com.

International standards take on new importance

Two years ago, the International Accounting Standards Board was a mere benchwarmer in the standards-setting game. It was a group with a goal that in the eyes of many was little more than altruistic-to develop a single set of global accounting standards. Well times have changed.

A Q&A WITH IASB MEMBER MARY BARTH

Last fall, the Financial Accounting Standards Board in the United States announced a convergence effort with the IASB, and more recently that effort took on tangible meaning as FASB members unanimously agreed that stock options should be treated as an expense. The board's announcement followed the lead set by the IASB.

CalCPA member Mary Barth, an accounting professor and senior associate dean at the Stanford University School of Business, is a founding member of the IASB. Barth has been a member of the AICPA's Accounting Standards Executive Committee, as well as the Financial Accounting Standards Advisory Council and FASB's Financial Instruments Task Force.

This spring, Barth sat down with fellow CalCPA member Zaf Iqbal, an accounting professor at Cal Poly San Luis Obispo, to discuss the emerging importance of the IASB.

Q: Why, in 2001, did the International Accounting Standards Committee reorganize as the IASB? 

A: People were realizing how important global standards were going to be and they wanted an international accounting standards board that was structured so that people could believe in the process and have confidence in the outcome.

Our No. 1 goal is to converge to the same set of standards, which means that there won't be any differences between international standards and U.S. standards or Canadian standards. Everybody wants to make this happen.

Q: How has FASB's attitude toward the IASB shifted?

A: A lot of things have happened. There was a belief that U.S. GAAP was superior. But a new board is in place and the FASB is committed to a partnership.

One thing that people have a misconception about is that there is a competition going on. They think that the FASB and the IASB are competing with each other to be the premier standard setter. That's not what's going on. We are partner standard-setters with the FASB.

The accounting scandals of last fall and the year before pointed out that although the United States has what I believe are the most comprehensive and best set of standards, they aren't perfect. And maybe all of the U.S. rules and guidance are not all a good thing.

The scandals resulted in some people saying, "We aren't perfect and maybe someone else might have a good idea now and again."

The market demand is out there. Global investors and so many people want this [international standards] to happen.

Q: Do you think a day might come when we won't need national standard-setting parties like the FASB? 

A: This whole thing is going to evolve. We're seeing some of that now. The European Union, Australia and New Zealand will be going to international standards in 2005, but there still is a UK accounting standards board and an Australian accounting standards board, a French and a German.

In some sense, we need organizations in these countries to be the eyes and ears on the ground to help make sure we understand the transactions and what's going on in those countries. We're always going to need some local standard-setting body to help us. We can't just sit in London and know what's going on throughout the world.

I don't see them going away, but the role will change. I don't see the United States giving up its standard-setting body.

Q: Can you explain the convergence of standards? 

A: We have to ask-whenever we do a joint project-who is going to lead? Is it the FASB or us? We've decided that if the IASB recently has looked at an issue and made a decision, then the FASB needs to look at its standard and see whether the more current thinking of the IASB is what they want to follow, and vice versa.

There are differences and we want to get rid of them. Sometimes it's just a matter of issues that haven't been looked at for a long time, but things have changed and changes need to be made. What's going on is that these two boards are trying really, really hard to agree.

Q: Do you think there will be a day when all countries will agree on one set of standards? 

A: I have confidence that there will be a day when the differences among the standards will be so small that we won't notice. I don't think that it's a matter of all the countries adopting the same standards-a bunch of countries will. I don't know if the U.S. ever will, but the day will come when the differences are small. That's the day we're striving for.

Q: How can international standards balance any differences- cultural or regulatory-between countries? 

A: The frameworks that standard-setting bodies have around the world are very similar. They aren't identical, but that's one of the things we're going to converge.

If you think about it, the definition of assets, liabilities, revenues and expenses are very broad and very general-and there are some subtleties. But for the most part, they aren't controversial.

Is it an asset or isn't it? Is it a liability? Are you obligated to someone to pay? These are fundamental things.

If the standards are principles-based, which is what we try to do, then we are putting on the books assets and liabilities and we give enough guidance about what those are so that you can apply it to a particular situation.

The focus of the IASB is the investor. Why does an investor in Sri Lanka have different needs than an investor in Hong Kong when they look at a company? The answer is they don't.

Q: Should U.S. educators be changing their approach to teaching GAAP? 

A: I would encourage them to teach the principles. Then you can talk about how those principles are implemented in the U.S. and internationally. They are implemented slightly differently. But once students see what the principles are, they can see there are implementation details, but the principles are constant.

Q: Do international accounting standards follow a principles or rules-based philosophy? 

A: Some think principles-based standards mean loose. That's not what it means. In every standard there are five, six, seven principles. Then you go through a series of paragraphs that explains what is meant by that. Those paragraphs are very specific-the entity shall do this and shall do that. At the end, if you follow those intermediate paragraphs and follow the standard and have gotten an answer that does not meet that principle, then you have to do something else.

Whereas with a rules-based standard, the assumption is that if you follow all the rules, you will get to the right place. There is no second-guessing.

With rules-based, you follow the rules and you're done. You don't then ask yourself if you meet the principles. What we've done is a combination of clearly setting out the principle with a series of "thou shalts" after it and a requirement to double check at the end that you've met the principle.

A standard setter can't anticipate every single transaction or form of transaction that can take place. We have rules in the international standard, it's just a question of how far down in the level of detail do you go? The farther down you go and the more specific you get with rules, the more you run a risk of ending up in the wrong place by following all the rules because we can't know all the possible transactions, so we can't set out rules for all of them.

Q: Do you think that we are moving toward fair value rather than strict adherence to historical cost? 

A: I think so. I'm a fair value advocate. Fair value is the most relevant information to investors. I'm not sure they care about what you paid for it; they want to know what it's worth.

Also, it will solve many of the difficult accounting problems we have today because we deal with using a "mixed attribute model." We use historical cost sometimes and fair value other times.

The problems it brings are that fair values are hard to calculate and there's uncertainty. But one of the reasons you're seeing more of it now is that markets are more and more sophisticated and people are getting used to these things and it's becoming easier to come up with reliable estimates of value.

Q: What has been your most surprising moment as an IASB member? 

A: When companies outside the United States want to have an international set of financial statements, they have two choices: international standards or U.S. GAAP. There are companies out there, outside the U.S., using U.S. GAAP as an international set of standards.

But it's been surprising to me since the new IASB has been formed how much the world has changed and how fast we are making this transition. Things are different.

People are reading in the press what the IASB is up to. And when you see the FASB issue documents and make decisions that you can see are motivated by their relationship with us, then all of a sudden people realize there is another player here and they need to pay attention. 

Accountant! It is time to reform thyself

As the noise on level playing field, rotation, advertising and fair competition is rising, the real issue is being brushed under the oriental rug — the regulations of the Institute of Chartered Accountants of India (ICAI) have remained unaltered, although the world around us has completely changed. The Rip Van Winkle that has now woken up after years of slumber is ICAI’s Code of Ethics (CoE). Here is a sampler: a CA firm cannot advertise or solicit business.

In the days of felt pens, tall desks and bound ledgers, it was not considered ethical or courteous to attract clients of other firms. Business development had not entered the lexicon of the accountants. But even today, if a CA firm does compete for an information technology assignment with an EDS or an IBM or a Satyam, it cannot market itself or “solicit” business. Though the ICAI’s CoE has evolved from the days when members played only bridge to boxing, it appears that they must go to the boxing ring with their hands tied behind their backs.

The mandarins of Indraprastha Marg, responsible for this lack of playing field, refuse to change with the times. They forget that the mighty dinosaur vanished because it failed to adapt. As the Prime Minister has recently said, “Life is forcing us to find new answers to old questions”. We cannot survive by providing ancient answers to brand new questions. In a proposal, the Council has passed — with a slender majority of one and with several members abstaining — that the CoE will be amended to introduce rotation of auditors. Apparently, the CoE will be amended to make it a professional misconduct, if an auditor does not rotate out of a client, say, every two years. Imagine the All India Medical Association inserting a regulation that a doctor must rotate out of a patient every two years. Can the Bar Association do the same? Does the customer have the right to choose? Does Parliament have the right to legislate?

The Naresh Chandra Committee appointed by the finance minister went into this issue, looked at the experience of other countries and came to the conclusion that rotation, wherever adopted, has not furthered the cause of investors. In fact, it has actually been an unmitigated disaster. If the ICAI believes that rotation is a good idea, it should approach the government with a proposal to change the law. Parliament will debate the proposed legislation and investors' opinions will be heard.

Equally troubling is the current process of disciplinary action against members. The ICAI has a self-disciplining mechanism and its quasi-judicial process is conducted by a disciplinary committee which consists of members who are elected. The concept of electing the judiciary is worrying as it will be very difficult for an elected politician to take stern action against members of his own constituency, particularly against those who belong to his own party. On the other hand, if I am such a person and a case comes before me asking for the conviction of a member of a rival party, I would have to be a saint to be objective.

The current ICAI president has said that he has written to the Department of Company Affairs to curb the consultancy and audit activities of the Big Four global audit firms (PricewaterhouseCoopers, Ernst & Young, KPMG and Deloitte) in India, “although he does not have any hard evidence”. By this, he has declared his bias in public and has therefore forfeited his right to preside over any disciplinary proceedings concerning them. Even if he claims to be completely fair and objective, the world will say otherwise. Once you have publicly declared your bias against one team you cannot be the umpire. Imagine what the Indian cricket team and Saurav Ganguly would say if they were asked to play a match between India and Pakistan with only Pakistani umpires swearing to be fair judges!!

There is a new answer. In the US, following the enactment of the landmark Sarbanes-Oxley Act of 2002, a five-member Public Company Accounting Oversight Board (PCAOB) has been set up. The members of PCAOB have been appointed by the Securities and Exchange Commission (SEC) in consultation with the Federal Reserve chairman and the secretary of the Treasury. The Act requires that all members be full-time and that only two of the five be certified public accountants. In addition, the Act requires that all be “Prominent individuals of integrity and reputation who have a demonstrated commitment to the interests of investors and the public, and an understanding of the responsibilities for and nature of the financial disclosure required of issuers under the securities laws and the obligations of accountants with respect to the preparation and issuance of audit reports with respect to such disclosures.”

Investor protection is at the heart of integrity of the capital markets and as the world changes around us, there will be legitimate questions whether the SEBI, investors, finance ministry and RBI should watch one scam after another while the auditors carry on with self-regulation via its elected representatives. India is also known for its independent and vigorous judiciary. Perhaps members of the judiciary could play a crucial role in such a quasi-judicial board. That would be a new answer to an old question. 

8 Steps for Smart Security Auditing


Security problems are on the rise—but that's not news. What is newsworthy, however, is the exponential nature of this increase. The Computer Emergency Response Team (CERT) says there has been an annual twofold increase in the number of vulnerabilities and security incidents reported. These numbers signify quite clearly the necessity of security management for all IT decision makers.

Knowing where your company stands currently on security practices is the first step in proactive security management, and a full security audit is the best way to achieve this goal. A security audit is a systematic way to test for vulnerabilities or weaknesses in your IT systems, policies, and procedures. When completed, an audit will provide you with a comprehensive picture of your security status. This will help you to assess your current level of compliance or risk, and compare these levels with where you need or want your security to be.

What you will likely find as the result of your audit is that the most common audit failure points aren't grounded in poor technology. Most failures can be attributed to poor compliance with practices and procedures. A recent audit of federal government agencies found that the major failing points were poor password control, end-user security practices and policies, and access controls. This article will introduce you to the primary steps involved in conducting a security audit, so you can assess the areas your organization needs to do a better job of securing.
Step 1: Conduct a Risk Analysis

A risk analysis helps you prioritize your company's IT assets and decide the level of "toughness" required to protect them adequately. A risk analysis isn't considered part of the audit because it generally occurs before the actual audit. However, conducting a risk analysis is essential because it defines the reasons for your audit and the overall scope of your auditing activities. It will help you determine which assets your security measures are trying to protect (such as data and systems), the value of the assets you're trying to protect, all potential threats to these assets, and the impact of threats, in terms of losses, should they be realized.

Understanding the relative "value" of systems and data will help you decide the level of scrutiny to apply to each audit subject. For example, two sets of data files might have the same levels of security applied, but one might pass the audit and the other might not, because one is more sensitive and requires tighter security than is currently afforded. A risk analysis will help you set the line between security success and failure.
Step 2: Get Prepared 
Audits are systematic in nature, so you must plan carefully to ensure seamless execution and comprehensive coverage. In the preparation stage you must prioritize audit targets; decide on the objectives, depth, and scope of your audit; identify and verify the resources (time, people, tools, information) you'll need; plan your audit procedure; and communicate your plans to others in your organization.
Based on your risk analysis, you should have a good idea of your audit priorities concerning systems and data. However, you'll need to approach each asset from several angles. These include the logical (technical) security of the asset, the physical security of the asset, and the security maintenance procedures for that asset. Given the size of a full-scale audit, you might choose to focus on one or two areas at a time. However, most systems are interrelated. Be sure to include assessment of the interconnections between these systems in your plans.
When planning your audit, start by identifying the systems you'll need to restrict access to during your tests. Then, pick appropriate times for performing your audit, such as after regular business hours, to minimize disruptions to the business. You need to identify key personnel (data owners, department managers, security administrators, tech support workers, and typical business users) for information-gathering interviews. If necessary, use an organizational chart to help you target the appropriate people.
Once you know who you want to interview, prepare a series of questions to ask staff, end users, and other individuals who are exposed to your systems. Focus your questioning on how personnel interact with the system, what they can gain access to, and how they perform security procedures (if at all).
Next, take a look at the security technology you use currently. Collect and review the manuals for all security packages. They might contain helpful auditing checklists or even an audit program that you can use. You should also assess and acquire established automated audit and utility programs. Conducting an audit manually can be a painstaking process, and might lead to errors.
As you pick and prepare your auditing platform, the operating system you choose will affect the auditing tools you can use, and vice versa. Choose wisely. You might also want to opt for a notebook computer for your auditing command center given its portability. Also, ensure your auditing platform runs no listening network services and is hardened much like any other secure host, such as a firewall.
Verify your audit and testing environments before each use to ensure that they have not been tampered with. Burn a copy of your secure platform to a CD or other read-only medium and store it in a secure location, so that you always have a known-good version at hand to compare against.
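One way to make that "has it been tampered with?" check concrete, as an added example that is not code from the original article: the script below builds a SHA-256 manifest of every file under an audit toolkit directory and later compares the directory against that manifest, reporting tools that were modified, removed, or added. The toolkit directory, its file names and the tampering are all constructed in a temporary directory so the script runs offline; none of them refer to a real toolset.

```python
"""Verify that an audit toolkit still matches a known-good manifest.

Added example, not code from the original article. Builds a manifest of
SHA-256 digests for every file under a toolkit directory, then re-checks the
directory against the manifest and lists files that were modified, removed
or added since the manifest was written. The sample toolkit is constructed
in a temporary directory; the file names are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX-style) to its digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the directory against a trusted manifest.

    Returns the relative paths that were modified, are missing, or were not
    in the manifest at all. Three empty lists mean the toolkit is intact.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Construct a toy toolkit, snapshot it, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "portscan.sh").write_text("#!/bin/sh\necho scanning\n")
        (root / "bin" / "checksum.py").write_text("print('ok')\n")
        (root / "README").write_text("audit toolkit v1\n")

        # The manifest is what you keep with the read-only copy, off the platform.
        manifest = build_manifest(root)
        assert verify_manifest(root, manifest) == {"modified": [], "missing": [], "unexpected": []}

        # Simulate tampering: an altered scanner, a deleted file, and a planted binary.
        (root / "bin" / "portscan.sh").write_text("#!/bin/sh\necho tampered\n")
        (root / "README").unlink()
        (root / "bin" / "extra.so").write_bytes(b"\x7fELF")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Keep the manifest with the read-only copy of the platform, not on the platform's writable disk, or whoever alters a tool can simply regenerate it; signing the manifest is better still. The check covers the toolset only and says nothing about the operating system or kernel that booted, which is what booting from the read-only medium is for.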
Your next step: Develop a prioritized plan. This plan should itemize all tests, evaluations, and inquiries you intend to make. It should also list timelines and all resources required to perform your evaluations. Attach step-by-step procedures for all tests you intend to perform. When setting timelines, leave adequate room for contingencies—you might run across unexpected elements or problems, or might have an insight into a new way to approach a specific test.
Finally, communicate your plans to perform an audit to whoever needs to know. This includes executives, department heads, your staff, and others who you wish to interview. Explain why an audit is necessary, and specify the times and dates of any required system downtimes. Remember that the quality of your findings is important because it will form a comparative benchmark for future audits. If you don't have the appropriate training for conducting a security audit, or haven't experienced one firsthand, it might be wise to get some training through self-education or a course.
Another alternative is to outsource to a professional auditing firm. This approach can ensure an unbiased approach. In-house staff members might have their pride (or perhaps something more sinister) to protect, or might be unable to approach the system being audited with an objective eye.
Step 3: Review Policy Documents and Reports 
The audit should answer a fundamental question: Are your systems and procedures in compliance with your policy? Without a clear and comprehensive policy, you can't be entirely sure of which security problems you're looking for. A policy provides an important baseline your IT systems and practices will be measured against.
If you don't have a security policy in place prior to conducting an audit, you should make some effort to build one that addresses the overall security goals of your IT installation and the scope of security protection your department offers currently. It should also identify who has ownership of the various IT resources, including systems and data, as well as who is responsible for the integrity of those resources. Establish the requirements for accessing resources (passwords, permissions), and include descriptions of all security system access rules. You'll also need to categorize systems and data according to sensitivity.
Include descriptions of all security procedures, including security maintenance, password handling, violation handling, backup and recovery, and emergency and troubleshooting. Note user rights and accountabilities, remote access procedures, and account protection requirements. Make sure to establish who's responsible for supporting and enforcing the security direction (for example, the rights and accountabilities of the security administrator). Finally, set consequences for non-compliance with the policy.
Having a security policy isn't enough. An unclear, out-of-date, unenforceable, or meager policy is a security problem in itself and you should treat it as a threat. The security policy is also a threat if it hasn't been disseminated and explained to end users properly. Consider your policy an extension of your risk management practices.
Step 4: Gather "People" Information 
People, not technologies, are the number one barrier to effective enterprise security. In a recent survey, conducted jointly by the Federal Bureau of Investigation and Computer Security Institute, 81 percent of respondents said the most likely source of a security attack was from within a company.
Conducting both formal and informal interviews with those who have access to your systems is an often overlooked, but a critical, step in your security audit. Interviews will help you discover how well personnel understand and adhere to security policies and procedures, as well as uncover what access people actually have to systems beyond what is documented or "sanctioned."
Start by talking to your IT staff. Find out how they actually go about handling security procedures. Next, quiz them about their understanding of documented security procedure, controls, and responsibilities. Compare what they actually do with what is documented, and itemize the gaps.
Next, interview end users. Start with data owners and department heads, but also talk to general end users. Find out what they can and can't do (such as accessing certain resources). Gauge their understanding of security practices and of any loopholes they know about. Ask them to show you their copies of security policies and procedures, or have them point out where they can be found (for example, online, in a centralized binder). This will help you determine if they've ever even seen the security policies and procedures in the first place.
Finally, talk to any other workers who have access to your physical building, such as maintenance and janitorial staff. They have access to more than you might think, including passwords (written on sticky notes), desktop computers, and servers. They also have a good idea of the general "comings and goings" of staff, what sensitive material ends up in the garbage instead of the shredder, and the overall physical security of the building.
Conduct your interviews with caution: Many interviewees might be concerned about getting themselves, or someone else, into trouble, and might not wish to fully disclose what they know. You might want to assure them that your conversation is confidential and that their names won't be mentioned in your report. Also, reinforce the idea that your questions are addressing the security of IT systems and data, not their job performance.
Step 5: Conduct Testing 
Running a full battery of tests on your network might be too time consuming to be practical. Prioritize the components that you'd like to test, and choose the most important areas. These could include major routers and servers, platforms, applications, data files, and interconnects. Be very cautious in pursuing active testing of live applications using real data; you could inadvertently cause damage. Such tests could include mock denial of service attacks or exploits. If you decide to run active tests, take a full backup of the system to be tested, confirm that you can restore from it, and run your tests after hours. If you're not completely familiar with the testing tools and can't implement full controls, consider not doing these types of tests at all.
Step 6: Evaluate Your Data 
The testing phase will generate a lot of data and observations. Be sure you leave yourself enough time to organize and assess your results adequately. Analyze all data collected by the automated tools you used, and look for trends and irregularities. Then, separate and analyze your findings by system. You'll also want to itemize all application backdoors and loopholes, as well as all areas where security practice does not comply with policy or procedure. A good dividing line to impose is by staff type and/or level (for example, separate IT staff procedures from general end user procedures). Label each of your security components (systems, procedures, and so on) by its level of security compliance and by the urgency of bringing it into compliance, for example on a red, amber, green scale.
Next, create a prioritized list of fixes to be made. Systems or procedures labeled red for both compliance and urgency should be at the top of the list, followed in order by other high-ranking problems. Finally, assess the time and resources it will take to make each required change. You can then put the information gleaned here into a final report, which will serve as the basis for your ultimate action list and work plan.
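The policy-as-baseline idea from Step 3 and the compliance and urgency labelling from Step 6, carried through as one added worked example that is not code from the original article. The policy rules, the sensitivity tiers and asset values (which in practice come from the Step 1 risk analysis), the three system names and every observed setting are constructed for illustration. It also shows the point made in Step 1: the same password length passes on the low-sensitivity kiosk and fails on the high-sensitivity HR database.

```python
"""Check observed settings against the security policy and rank the gaps.

Added example, not code from the original article. The policy rules, the
sensitivity tiers, the asset values and the observed settings of three
audited systems are all constructed here so the script runs offline. In a
real audit the observations come from the tools and interviews described
in the article.
"""
from dataclasses import dataclass

# Traffic-light scale used for both urgency and compliance; lower rank sorts first.
RANK = {"red": 0, "amber": 1, "green": 2}
# On a low-sensitivity system a gap is one step less urgent than the rule says.
DOWNGRADE = {"red": "amber", "amber": "green", "green": "green"}


@dataclass
class Rule:
    setting: str
    description: str
    required: dict          # sensitivity tier -> acceptable bound for that tier
    higher_is_better: bool  # True: observed >= bound passes; False: observed <= bound passes
    urgency: str            # urgency of a gap on a high- or medium-sensitivity system
    audience: str           # staff type whose practice the rule mostly concerns

    def passes(self, tier: str, observed: int) -> bool:
        bound = self.required[tier]
        return observed >= bound if self.higher_is_better else observed <= bound


@dataclass
class System:
    name: str
    tier: str       # "high", "medium" or "low", from the risk analysis
    value: int      # relative asset value, also from the risk analysis
    observed: dict  # setting -> value measured during testing


@dataclass(frozen=True)
class Finding:
    system: str
    setting: str
    description: str
    observed: object  # None when the setting was never measured
    required: int
    urgency: str
    audience: str


# Constructed policy: bounds get stricter as sensitivity rises.
POLICY = [
    Rule("password_min_length", "minimum password length",
         {"high": 14, "medium": 12, "low": 8}, True, "red", "end_user"),
    Rule("password_max_age_days", "maximum password age in days",
         {"high": 60, "medium": 90, "low": 180}, False, "amber", "end_user"),
    Rule("shared_admin_accounts", "number of shared administrator accounts",
         {"high": 0, "medium": 0, "low": 0}, False, "red", "it_staff"),
    Rule("backup_restore_tested_days", "days since a restore was last tested",
         {"high": 30, "medium": 90, "low": 180}, False, "amber", "it_staff"),
    Rule("remote_access_mfa", "remote access requires MFA (1 = yes)",
         {"high": 1, "medium": 1, "low": 0}, True, "red", "it_staff"),
]

# Constructed sample observations for three audited systems.
SYSTEMS = [
    System("hr-db", "high", 9, {"password_min_length": 8, "password_max_age_days": 90,
                                "shared_admin_accounts": 1, "backup_restore_tested_days": 45,
                                "remote_access_mfa": 0}),
    System("file-server", "medium", 5, {"password_min_length": 12, "password_max_age_days": 120,
                                        "shared_admin_accounts": 0, "backup_restore_tested_days": 20,
                                        "remote_access_mfa": 1}),
    System("kiosk", "low", 1, {"password_min_length": 8, "password_max_age_days": 365,
                               "shared_admin_accounts": 0, "backup_restore_tested_days": 200,
                               "remote_access_mfa": 0}),
]


def evaluate(policy, systems):
    """Return (findings, compliance): every gap, plus each system's worst-gap colour."""
    findings = []
    for system in systems:
        for rule in policy:
            value = system.observed.get(rule.setting)
            # A setting that was never measured is reported as a gap, not assumed to pass.
            if value is not None and rule.passes(system.tier, value):
                continue
            urgency = DOWNGRADE[rule.urgency] if system.tier == "low" else rule.urgency
            findings.append(Finding(system.name, rule.setting, rule.description, value,
                                    rule.required[system.tier], urgency, rule.audience))
    compliance = {}
    for system in systems:
        colours = [f.urgency for f in findings if f.system == system.name]
        compliance[system.name] = min(colours, key=RANK.get) if colours else "green"
    return findings, compliance


def prioritize(findings, compliance, systems):
    """Red-urgency gaps on red-compliance systems first, then by asset value."""
    value = {s.name: s.value for s in systems}
    return sorted(findings, key=lambda f: (RANK[f.urgency], RANK[compliance[f.system]],
                                           -value[f.system], f.system, f.setting))


def by_audience(findings):
    """Split a fix list by the staff type whose practice each item concerns."""
    groups = {}
    for finding in findings:
        groups.setdefault(finding.audience, []).append(finding)
    return groups


def run_audit(policy=POLICY, systems=SYSTEMS):
    """Evaluate the constructed systems and return (compliance, prioritized fixes)."""
    findings, compliance = evaluate(policy, systems)
    return compliance, prioritize(findings, compliance, systems)


if __name__ == "__main__":
    compliance, fixes = run_audit()
    for name, colour in compliance.items():
        print(f"{name}: compliance {colour}")
    for f in fixes:
        print(f"[{f.urgency}] {f.system}: {f.description}: observed {f.observed}, required {f.required}")
```

The sort key is the article's rule made explicit: urgency first, then the compliance label of the system the gap sits on, then asset value, so a red gap on a red system with the most valuable data heads the list. Settings that the tests never measured surface as gaps rather than silently passing, which is also what the report's "what wasn't tested and why" section needs.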
Step 7: Report Your Findings 
The reporting phase will take the most time in your audit. Not only do you have to assemble your findings and build a clear report, but you also need to meet with the appropriate people to review and explain your findings, decide on a course of action, and develop a work plan.
The purpose of your report is to drive business decisions to invest in securing your IT assets. Aim to create a report that is clear, jargon-free, and speaks to business objectives. In your report, be sure to include an executive summary stating the purpose of the audit and high priority action recommendations. Also provide an explanation of the scope of the audit, and details on any changes from the last audit (if prior audits have been conducted). The report should also have a statement of overall compliance of current security with policies, including an overall grade of total system security, and an explanation of what wasn't tested and why.
Finally, include a detailed, prioritized list of recommended actions, with full justifications and costs to make each fix. Once you've completed your report, book time to discuss your findings with key executives and decision makers. The outcome of this meeting should be decisions on final prioritized action items.
Step 8: Take Post-Audit Action
Once your audit is complete, your report is in, and the recommendations on fixes to be made have been approved by senior management, you're ready to take the final steps. First, follow up with your IT staff to discuss your course of action, resources required, and appropriate due dates for all fixes and changes. This will form the basis for your work plan.
Then make copies of all your test data for future reference. Store these copies securely—they qualify as sensitive information about your company's vulnerabilities and should be kept away from prying eyes. Preferably, store encrypted copies off-site, as you would with any other important company data.
You'll also want to consider redrafting your security policy and procedures in light of your findings. Make sure any changes to the security policy and procedures are well communicated to end users and your staff. For better results in your next audit, ensure your new policies and procedures can be monitored and enforced.
Finally, assess your audit tools and procedures. Write a debriefing report that includes answers to these questions:
  • Did you engage in too many manual processes that could have been sped up by using automated tools?
  • What automated tools did you use and why?
  • How effective and easy to use were the tools you selected?
  • Which tools would you use again, which would you replace, and why?
  • Did you have any problems in getting affected parties to comply with your audit requirements, such as participating in interviews or disclosing information?
  • Did you allocate sufficient time and resources to performing your audit?
  • What were the major challenges of conducting your audit?
  • What were the major surprises that surfaced in conducting your audit?
  • What do you plan to audit next time that you didn't audit this time?
  • What changes would you make to future audit procedures?
At this point, the only thing that remains is making the actual fixes. Plan to repeat your audit on at least an annual basis.
Performing a full security audit of your systems, practices, and policies is an essential first step in managing your organization's overall security infrastructure. Without an audit, you are simply guessing at your organization's security weaknesses and the appropriate fixes.