Countering Auditor Deception
Mon, 2009-06-01 18:16

“All warfare is based on deception.” – Sun Tzu

According to ISACA, an auditor’s role is to “provide independent assessments and opinions on company operations and controls.”  In some organizations, the auditor is embraced as a positive role in IT governance.  Unfortunately, there are those who view auditors in a negative light.  This attitude is often manifested in poor auditee-auditor relationships that must be managed carefully.  Unfortunately, there are instances where an auditee will try to deceive the auditor.

A cross-industry survey of 150 IT managers and technical staff showed that 20% of that population either admitted to cheating on an IT audit or knew someone who did.  Ruvi Kitov, CEO of Tufin Technologies, noted that the rate of auditor deception is likely higher than the survey suggests.  Andy Bokor, COO of Trustwave, added that some IT professionals respond to compliance pressures by describing their environments in a positive, yet false, light.

The RMA Journal suggests some tactics that auditors should employ to recognize attempts at deception.

Due Diligence

The auditor must confirm that what he/she is told conforms with the system or business reality.  Information provided by an auditee should not be taken as gospel.  The auditor must ensure that all audit artifacts are accurate and true.

Review existing controls

A strong control environment makes deception more difficult.  By the same token, a lack of controls increases the chance that deception will succeed.  The auditor must ensure that controls such as proper oversight, segregation of duties, and access controls are in place.  If they are not, the auditor must be cognizant of the related risks.

Corroborate all documents provided by the auditee

Skilled professionals intent on deception are capable of fabricating convincing documents.  An auditor must understand the process behind the creation of a document in order to validate it.

Auditors must apply professional skepticism in their relationship with auditees.  This mindset echoes Sun Tzu’s contention that one should not assume one will not be deceived by a potential opponent.  Therefore, one must understand how to confirm everything one is told.

Reader Feedback
Thu, 2009-06-04 17:44
Audit Information Disclosure Protection

Steve - I am following the advice in the last paragraph of your article and am applying my "professional skepticism". I would like to share another viewpoint if I may.

I will accept the fact that 20% of the 150 IT Managers and Staff reported cheating on IT Audits or "knew someone who did", but that only proves my humble opinion.

When I read the survey results, my interpretation is that somehow the survey actually managed to locate 30 honest people out of the 150 participants. Any parent or guardian of a teenager knows that you should never accept the first or second version of a story as 100% truth.

The survey somehow managed to locate 150 individuals that share the cave with Osama bin Laden!

My brutally honest opinion is the respondents misunderstood the questions and that the actual results are reversed. 80% cheat and 20% are honest.

It is naive to think "just 20%" cheat. I am sure they didn't survey Bernie Madoff, or any of the Global Investment firms involved in the current financial crisis.

In 2002 when the deception within Worldcom was uncovered, Citigroup was one of 18 investment banks that underwrote Worldcom bonds. Citigroup investors alone, lost $54 Billion.

The Investment Banks, auditing and accounting firm Arthur Andersen, 16 former officers and directors, and CEO Bernie Ebbers were hit with huge Securities class-action lawsuits, in addition to criminal charges in all 50 states, not to mention the SEC, FTC and DOJ Federal criminal charges.

Enron was America's seventh largest company. Employing more than 20,000 people worldwide, it was one of the world's largest energy suppliers. At its peak, the company reported revenues of $100b, and at the end of 2000 the share price stood at over $80, valuing the company at $60b or more than 70 times its earnings.

Enron was named "America's Most Innovative Company" six times by Fortune magazine! The only real innovation was in its accounting and auditing practices. Enron, together with its accountants Arthur Andersen, had been systematically and audaciously making up the audit numbers for years.

The WorldCom, Enron and Arthur Andersen collusive securities frauds led to enactment of the Sarbanes-Oxley Act of 2002. A piece of legislation with good intentions which also contains some obvious loopholes. The largest loophole is simply that the law only applies to companies listed with the Securities and Exchange Commission to sell stocks or bonds to finance debt. So, what's the problem? Take a look at the number of formerly public companies which are now privately financed. Why? They do not want to disclose everything to the SEC and External Auditors.

My final point. A "SAS 70 Audit" is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.

The reality of SAS 70 is that the company and auditors collectively agree on the areas of the company and IT policies, procedures and processes that will be audited.

Confidence based on a SAS 70 alone is a myth. The auditor issues a cover letter that simply states that they either agree or disagree that the company performs exactly as stated.

A carefully constructed SAS 70 examination avoids the really rotten areas and highlights the best qualities. Remember, the auditor attests to truth in findings and does not provide any opinion if the company is really setting a good example.

So a company can simply state: We have very poor security controls. We get hacked every week. All personal and confidential data is not protected in any way.

The auditor statement and letter of attestation would say: "we attest and affirm that all the statements made are true". The company passes!

The current global economic crisis is the direct and clear result of these Audit Deception practices and trust me we wouldn't be here now if ONLY 20% cheated. I only wish!
