Mobilizing the PCI Resistance, Part II: First Let's Re-Examine The SOX-404 Problem...

Friday

Jun112010

Friday, June 11, 2010 at 5:13AM

Previously, I wrote about my blog post "Upset about the subjectivity and ambiguity in the PCI DSS compliance standards? My #BSides submission on the answer..." In that article, I suggested that in order to improve the state of the practice for PCI, we should look at the similar symptomology that happened in Year 1 and Year 2 for the IT portions of SOX-404.

Last week, during one of the working calls I had with my PCI Scoping SIG team, I dug out some of the early presentations I did as we were launching the GAIT project at the Institute of Internal Auditors.

The approximate timeline of the project began in July 2005 when we held our first summit, to February 2007 when the GAIT guidance was officially announced.

We held the first summit in July 2005, where we assembled internal auditors and security executives from publicly held companies (i.e., SEC registrants), external auditors from the Big Four and probably most importantly, Bill Powers from the Public Company Accounting Oversight Board (PCAOB, created by SOX-404 to audit the auditors).

Instead of showing you slides from that summit, I'm going to show you slides from the January 2006 summit, because we were much better talking about the problem by then.

The Problem

When I showed the slide above to the PCI Scoping SIG team, most everyone seemed startled at how similar the SOX-404 IT problem statements are to the current PCI problem statements.

Let's talk about each one of these in turn in the SOX-404 context:

No well-established guidance for scoping IT work results in inconsistency and the process being overly subjective

One of the problems was that auditors were often guilty of auditing anything, just because it looked important. Sure, all the applications that talk to SAP may look important, but is there anything in those apps that could result an undetected material error?

The problem is that in a risk-averse environment, management and internal auditors could rarely effectively challenge the external auditor. In other words, the external auditor could say, "Well, I can't give a clean, unqualified opinion on your 10-K unless we audit everything."

So, these were always lonely battles against the external auditor.

(It sort of feels like a Mafia protection racket. "Sure is a nice, clean 10-K financial statement you got there. Shame if something bad were to happen to it. (wink)")
Significant key controls reside inside IT and IT processes as well as in the business processes

Incidentally, the real control where reliance is placed may not even be an IT control, instead it's some manual reconciliation process! So in that case, auditing that IT systems would be totally inappropriate.
Sometimes result in overly broad scope and excessive testing costs

If you're auditing areas where there is little risk, you're wasting resources, time and money.

I remember vividly talking to a controller at a Fortune 20 company who was furious that his compliance costs for the IT and financial portions was the same. I think he said something like, "The Enron failure was not caused by a DBA. So, why am I paying so much for IT control compliance, when that's not where the risk is?"

So this is when scope is overly broad: we're testing stuff that doesn't matter.
Significant risks to financial assertions may be left unaddressed

This is the case when scope is too small: we never test something that's actually really important, that could cause an undetected material error in the financial statement!
Suboptimal use of scarce resources

This doesn't require any explanation.

I will describe in my next post why there was a problem. This is one of my favorites, because it shows the real gap that existed between COSO and COBIT. I'm hoping you'll find that as interesting as I do!

In the meantime, do you see the similarities between the problem statements of SOX-404 and PCI? Please comment.

(Also, if anyone interested in the slides, let me know -- I can post them on Slideshare or something...)

Gene Kim |

1 Comment |

53 References |

tagged

GAIT,

PCI,

SOX-404,

Security/compliance,

talks in

GAIT,

PCI,

financial reporting,

security/compliance

References (53)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Response: Columbus Day 2014

by Miki at Columbus Day on October 2, 2014

dde
Response: Install Bluestacks without Graphics card

by tweaks at Hill Climb racing for PC on December 4, 2014
Response: Whatsapp for Laptop download

by droid at Snapchat for PC download on December 4, 2014
Response: googlemaps.com

by techrism at MultiTopics on December 4, 2014
Response: Yeni Yıl 2015

by Yeni at Yeni Yıl 2015 on December 13, 2014
Response: Bonne Année 2015

by Feliz at Feliz año nuevo 2015 on December 13, 2014
Response: Ramadan calendar 2015

by when at when is ramadan 2015 on December 13, 2014
Response: when is Chinese New Year 2015

by web at web hosting reviews 2015 on December 13, 2014
Response: Ramadan calendar 2015

by Bonne at Bonne Année 2015 on December 13, 2014
Response: ano novo 2015

by ano novs at ano novs on December 22, 2014
Response: essay paper writing

by Backstrom at Backstrom on January 20, 2015

This blog providing mobilizing the PCI resistance so many people enjoying this information. So much interesting your essay writing and content writing services. Many college students lot information providing your blog. Thanks a lot.
Response: cute valentines day quotes

by John at cute valentines day quotes on February 5, 2015
Response: Ascension Day 2016

by TomCruise at 2016 Ascension Day on May 2, 2016
Response: Happy Ramadan

by Ranjith at Ramadan Wishes on May 2, 2016
Response: Memorial Day 2016

by Ramman at Memorial Day Wishes 2016 on May 2, 2016
Response: Mass Effect 4 release date

by Charles at Mass Effect 4 on February 20, 2017

Mass Effect 4
Response: magazine design

by photocut.doodlekit at photocut.doodlekit on January 20, 2018
Response: Dissertation Writers UK

by Henry Carter at BDW on February 14, 2018

He is the biggest name of research industry I have learned many thinks in my professional career.
Response: heat trace Cabe in dubai

by edwar at pl on February 14, 2018

This blog giving preparing the PCI protection such a significant number of individuals getting a charge out of this data. So much intriguing your exposition composing and substance composing administrations. Numerous undergrads part data giving your blog. Much obliged.
Response: Universty Coursework Help

by matthewwade at Universty Coursework Help on March 21, 2018
Response: Coursework Writing Help

by chrislynn at Coursework Writing Help on March 27, 2018
Response: Help With Coursework Writing

by Albert at Coursework Camp on April 12, 2018

As associations assemble to follow the PCI Data Security Standard they're finding that it's an immense venture. Like extremely gigantic. Numerous associations are finding that conforming to PCI DSS will require more undertaking hours than the association has! Regardless of whether the main venture they needed to finish was conform to ...
Response: Visit Here

by my digital land at digital land on May 9, 2018
Response: Video Animation Company

by Samantha at Hello Animations on July 23, 2018

Turnover is down speed is up consumer loyalty is up. feeling of individual control. Another case utilization of gamification Google travel cost arrangement Google needs to cut travel costs and lessen carbon impression strategy in movement framework simple to diversion.
Response: custom dissertation help

by Lee at Caspar on June 10, 2019
Response: Online Assignment Writing Service UK

by James Owens at British Assignments Help on June 11, 2019
Response: UK Essay Writers

by Smith Sera at British Essay Writing on August 25, 2019
Response: Bulk SMS

by Becky Spencer at Expert Texting on October 21, 2019
Response: Online UK Dissertation Wrter

by matt simons at Dissertation Pros on March 11, 2020
Response: UK Top Writers

by Monika Jacob at Dissertation Writing Help on April 2, 2020
Response: management essays for You

by Debora at Management essay for You on April 10, 2020
Response: http://www.arminob.com/

by sammi at http://www.arminob.com/ on May 20, 2020
Response: Online Class Help

by Maria John at Take My Classes Online on October 7, 2020
Response: Do My Online Class

by Kaven John at bestmentorsonline on November 20, 2020
Response: Dissertation Proofreading and Editing

by Jasmin Mark at Crowd Content on June 1, 2021

Crowd Content offers you with the best of the dissertation writers who are professional in delivery quality dissertation that meets your expectations.
Response: Dissertation Help Near Me

by Markjasmine at Dissertation Help Near Me on January 26, 2022

Dissertation Help Near Me aims to provide its clients with assistance and help in researching and developing content (editing and proofreading) appropriate for their study as per the requirements they have. This service is not meant to provide WRITING services in any capacity.
Response: the academic papers

by romandavis at The Academic Papers on February 25, 2022

Great interesting blog and here are different artists are talking with one and others
Response: Take My Classes For Me

by Jennifer Garner at takeyourclassonline on June 15, 2022
Response: Best Sosum Dermal Fillers Near Me

by Jassonmark at fyaestheticboutique on July 28, 2022

The Sosum dermal filler range boasts very smooth products that are easy to work with, have great retention and absolutely minimal swelling. JBP Nanoneedles included as standard. 3 variations of Non-Lidocaine available – S,M and H. Each box of Sosum Non-Lidocaine contains 2x1ml syringe packets, each with 2 JBP Nanoneedles. (2ml ...
Response: furnace parts

by Brainamanda at JAHeatingPlumbing on September 21, 2022

There are a lot of determining factors that can change the price of a furnace install. Furnaces came in all different models with all different kinds of bells and whistles. But a “ballpark price” you can range anywhere from $4,500-$5,000 for a single stage $5,000-$6,000 for a two-stage and $6,000 for ...
Response: Fresh coffee

by waynedanielle at Rampage Coffee on October 4, 2022

In our C - 4 blend you will find premium South American and South Asian coffee beans specifically blended in a way that will punch you out of your morning slippers. Be careful with this blend as it is our highest caffeine blend and it has been known to start wild, ...
Response: diyprinting

by jasonsharon at Diy printing on November 3, 2022

We are a full-service printer serving North America since 2001. Our goal is to make it easy and simple for you to create stunning business stationery and promotional pieces that will effectively present your image and help you communicate proficiently. We have designed a customizable online template with many sample designs ...
Response: Flappy Bird

by Alisha Kihn at Flappy Bird on November 3, 2022

This is precisely why it's so successful, because it sucks you in with just the right amount of difficulty and makes you want to keep trying it one more time. Flappy Bird currently dominating the mobile gaming market is now available on PC.
Response: bbq spices

by henryoliver at RaveBBQRubs on November 23, 2022

We don’t call this a ‘Bomb’ without reason. The balanced melange of spices we blend into this little package of boom detonates as soon as it hits your tongue, sending a barrage of salty, sweet, and slightly smoky shrapnel raining down onto your palate. We recommend pairing this with open skies ...
Response: Kona Extra Fancy

by Steevjoes at J A Coffee on February 26, 2023

A delicious Kona Fancy from the Cancino Estate has distinctive and powerful notes of cocoa flavors accompanied by a medium, lemon like acidity and a creamy finish that will please many Kona enthusiasts. Try it in our small green bean sizes today.
Response: Seedlings Early Learning Arana Hills

by selc at Seedlings Early Learning Centre on March 8, 2023
Response: Cartagena Walled City Two Bedroom

by dpm at Shortlet apartment near florida lake on March 9, 2023
Response: Best CPU Coolers for Ryzen 5 3600

by Buy CPU Coolers at Tech Builds Hub on March 13, 2023

Top 8 Best CPU Cooler for Ryzen 5 3600; Scythe Mugen 5 Rev.C · Noctua NH-D15 · Noctua NH-L12S · Corsair Hydro Series H100i PRO RGB AIO Liquid Cooler.
Response: Furnace parts in meadow lake

by We do it Plumbing at We do it Plumbing on April 1, 2023

At We do it Plumbing and Heating, we can help you with all of your furnace installation needs. Whether you need a new furnace or want to replace an existing one, we’ll provide you with the best possible service at affordable prices. Our technicians are fully trained and ready to tackle ...
Response: Early Learning Centre Branyan

by jovasn at Branyan Early Learning Centre on April 19, 2023
Response: Seedlings Early Learning Rochedale

by selc at Seedlings Early Learning Centre on April 26, 2023
Response: Best fashion photoshoot in Delhi

by tte at TTEproductions on April 26, 2023
Response: I Need Someone To Do My Online Class

by frank at onlineclasseshub on June 9, 2023

Reader Comments (1)

thanks your posting very interesting for me please visit Berita Android | Informasi

Seputar Handphone Android

December 30, 2014 |

fajarimamm

Post a New Comment

Enter your information below to add a new comment.

My response is on my own website »

Author:

Author Email (optional):

Author URL (optional):

Post:

↓ | ↑

Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>