20% of IT Managers Admit to Cheating

June 7, 2009 by ADMIN

By Steven Fox, Founder of SecureLexicon

“All warfare is based on deception.” – Sun Tzu

According to the ISACA, an auditor’s role is to “provide independent assessments and opinions on company operations and controls.” In some organizations, the auditor is embraced as a positive role in IT governance.

Unfortunately, there are those who view auditors in a negative light.

This attitude is often manifested in poor auditee-auditor relationships that must be managed carefully. Unfortunately, there are instances where an auditee will try to deceive the auditor.

A cross-industry survey of 150 IT managers and technical staff showed that 20% of that population either admitted to cheating on an IT audit or knew someone that did.

Ruvi Kitov, CEO of Tufin Technologies, noted that the rate of auditor deception is likely higher than the survey suggests.

Andy Bokor, COO of Trustwave, added that some IT professionals respond to compliance pressures by describing their environments in a positive, yet false, light.

The RMA Journal suggests some tactics that auditors should employ to recognize attempts at deception.

Due Diligence

The auditor must confirm that what he/she is told conforms with the system or business reality. Information provided by an auditee should not be taken as gospel. The auditor must ensure that all audit artifacts are accurate and true.

Review existing controls

A strong control environment makes deception more difficult. By the same token, a lack of controls increases the chance that deception will succeed.

The auditor must ensure that controls such as proper oversight, segregation of duties, and access controls are in place. If they are not, the auditor must be cognizant of the related risks.

Corroborate all documents provided by the auditee

Skilled professionals intent on deception are capable of fabricating convincing documents. An auditor must understand the process behind the creation of a document in order to validate it.

Auditors must apply professional skepticism in their relationship with auditees.

This mindset echoes Sun Tzu's contention that one should not assume one will not be deceived by a potential opponent. Therefore, one must understand how to confirm all one is told.

Steven is an independent information security consultant. He holds a Master's in Business Information Technology from Walsh College, an NSA-recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon, a security advisory firm addressing the unique security concerns of nonprofit organizations.

He can be contacted at sfox@securelexicon.com
Follow him on Twitter: @SecureLexicon
Join Steven's LinkedIn Network

ISR Security Editor's Response: Audit Information Disclosure Protection

Steve - I am following the advice in the last paragraph of your article and am applying my "professional skepticism". I would like to share another viewpoint if I may.

I will accept the fact that 20% of the 150 IT Managers and Staff reported cheating on IT Audits or "knew someone who did", but that only proves my humble opinion.

When I read the survey results, my interpretation is that somehow the survey actually managed to locate 30 honest people out of the 150 participants. Any parent or guardian of a teenager knows that you should never accept the first or second version of a story as 100% truth.

The survey somehow managed to locate 150 individuals that share the cave with Osama bin Laden!

My brutally honest opinion is the respondents misunderstood the questions and that the actual results are reversed. 80% cheat and 20% are honest.

It is naive to think "just 20%" cheat. I am sure they didn't survey Bernie Madoff, or any of the global investment firms involved in the current financial crisis.

In 2002, when the deception within WorldCom was uncovered, Citigroup was one of 18 investment banks that underwrote WorldCom bonds. Citigroup investors alone lost $54 billion.

The investment banks, auditing and accounting firm Arthur Andersen, 16 former officers and directors, and CEO Bernie Ebbers were hit with huge securities class-action lawsuits, in addition to criminal charges in all 50 states, not to mention the SEC, FTC and DOJ federal criminal charges.

Enron was America's seventh largest company. Employing more than 20,000 people worldwide, it was one of the world's largest energy suppliers. At its peak, the company reported revenues of $100b, and at the end of 2000 the share price stood at over $80, valuing the company at $60b, or more than 70 times its earnings.

Enron was named "America's Most Innovative Company" six times by Fortune magazine! The only real innovation was in its accounting and auditing practices. Enron, together with its accountants Arthur Andersen, had been systematically and audaciously making up the audit numbers for years.

The WorldCom, Enron and Arthur Andersen collusive securities frauds led to enactment of the Sarbanes-Oxley Act of 2002, a piece of legislation with good intentions which also contains some obvious loopholes. The largest loophole is simply that the law only applies to companies listed with the Securities and Exchange Commission to sell stocks or bonds to finance debt. So, what's the problem? Take a look at the number of formerly public companies which are now privately financed. Why? They do not want to disclose everything to the SEC and external auditors.

My final point. A “SAS 70 Audit” is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.

The reality of SAS 70 is that the company and auditors collectively agree on the areas of the company and IT policies, procedures and processes that will be audited.

Confidence based on a SAS 70 alone is a myth. The auditor issues a cover letter that simply states that they either agree or disagree that the company performs exactly as stated.

A carefully constructed SAS 70 examination avoids the really rotten areas and highlights the best qualities. Remember, the auditor attests to truth in findings and does not provide any opinion if the company is really setting a good example.

So a company can simply state: We have very poor security controls. We get hacked every week. All personal and confidential data is not protected in any way.

The auditor statement and letter of attestation would say: "we attest and affirm that all the statements made are true". The company passes!

The current global economic crisis is the direct and clear result of these audit deception practices, and trust me, we wouldn't be here now if ONLY 20% cheated. I only wish!

Kevin M. Nixon, MSA, CISSP®, CISM®, CGEIT®, has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com




2 Comments on 20% of IT Managers Admit to Cheating

George Bollhorst on Mon, 15th Jun 2009 10:51 am

I still believe that true CISSPs have good ETHICS and do their work according to the rules and regulations. As a practical matter I DO know that sometimes outside sources like the SEC may ask one to OVERLOOK indiscretions. This is where we MUST remember that it is OUR name on that document we sign. OUR ETHICS and reputation go and will follow that wherever that document goes. IF we do NOT play by the rules we signed on for then WE should GET OUT. ONE possible solution, although it would add a few dollars to an audit, would be to hire a shadow auditor. I have been hired a few times to follow behind to test or prove the reliability of a given report. I would like to DISPUTE the 80/20 rule. I don't have enough data to express further information. DO YOU??? Let's see your report.

Andy Barratt on Tue, 14th Jul 2009 4:33 am

Whilst I agree with what you are saying in relation to SAS 70s to some extent, the front page isn't meant to be relied upon without reading through the controls that have been tested. It's the same with ISO27001 certification. If the scope is small enough then it's easier to become certified. This could then lead to parts of the business misrepresenting the certification. However, with a SAS 70 the full report, not just the opinion statement, should be reviewed by anyone wishing to place reliance on it. It also covers what testing the auditor has done, so that, as the relying party or relying auditor, you can test the control in a way you are happier with.
