05-04 Contents: Compliance (SOX,CobiT,...), Data Quality, SEO, Spreadsheet audit course
ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0504.htm [Previous] [Index] [Next]
|Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success|
IN THIS ISSUE
|1) Risk & Security
Compliance: SOA, SOX, COSO, CobiT, ITGI, FDA, ODCE, FEE, SLAs, FLAs, TLAs...
|2) Data quality
IQ conference presentations available
|3) Search Engine Optimisation
The not so obvious stuff
Course in Auditing Spreadsheets May 17-18
|5) Off Topic
|24 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information
It's a week late this month - end of term wrap-up and the preparation of exams for the students on my module of Quantitative Methods in the Irish Management Institute took priority!
Last week I gave a one-day presentation at the Irish Management Institute on Compliance and Validation. Here in Ireland, legislation on director's compliance statements is planned by the Office of the Director of Corporate Enforcement (ODCE). Most of my presentation focused on CobiT as a framework for addressing compliance from the IT perspective. Here are some of the highlights from my one-day course, with references to sources for further reading. I am available to present this material to your organisation, or to write an article for your magazine.
Scandals have changed regulatory attitudes from a gentleman's club regime to mandatory regulation with Basel II, International Financial Reporting Standards (IFRS), Anti-Money Laundering, Sarbanes Oxley, the Approved Persons Regime, the Consumer Credit Act, the Distance Marketing Directive, the EU Electronic Commerce directives, and others for specific industries. In the UK, the Financial Services Authority's Handbook is a sourcebook for all FSA rules and guidance, at http://fsahandbook.info/FSA/
http://www.electricnews.net/news.html?code=9566889 A report commissioned by the UK offices of Enterprise Ireland surveyed 35 decision-makers in UK financial institutions. The report found that high street banks in the UK are spending between 20 percent and 50 percent of their 2004 regulatory compliance budget on IT, a figure that is likely to increase by 10 percent in 2005. The survey also found that investment banks and insurance companies are spending between 10 percent and 40 percent of their compliance budget on IT. The discrepancy between the financial institutions reflects the fact that banks have a more centralised compliance model, by comparison with investment banks where compliance issues are dealt with on a regional or departmental level. IT was the second most important factor in the compliance budget. Training and education received between 50 percent and 70 percent of the budget in banks and between 40 percent and 80 percent of the budget in investment banks and insurance companies. Reputational risk was cited as the most important driver of compliance – loss of reputation was widely described as being disastrous to share value and consumer confidence for financial institutions. Operational risk due to an inability to meet new regulations was also identified as a major concern. In terms of specific threats to the integrity of the organisation, money laundering was the most commonly cited issue, which has led to increased investment in combating this problem.
The ODCE is an Irish government agency with about 35 staff whose remit is focused on the Companies Acts 1963-2003. Their website is http://www.odce.ie The guidance document is "Revised Guidance on the Directors' Compliance Statements to be prepared under the Companies Acts", 16 December 2004. http://www.odce.ie/_fileupload/publications/Revised_Guidance_on_Directors_Compliance_Statements_Final.doc They point out that "Auditors must opine if the Statements are 'fair and reasonable'" and "Reliance on self-assessment is not considered sufficient for the purposes of directors satisfying themselves as to the effectiveness of a company's internal financial and other procedures under the Companies (Auditing and Accounting) Act 2003."
They Indicate internal financial/other procedures, adapted from 'Internal
Control – Guidance for Directors on the Combined Code' (also known as the
'Turnbull Report') published by the Institute of Chartered Accountants in
England and Wales. The full text of the Report can be downloaded at
FEE has published a discussion
paper on http://www.fee.be/secretariat/Whatsnew%20FEE%20News.htm "Risk
Management and Internal Control in the EU", March 2005. They comment "The
Sarbanes-Oxley Act should be viewed in the context of the US legislative
framework and the limited rights of shareholders in the United States. Company
law in Europe generally gives shareholders powers to act which are not
generally available to US shareholders under US state corporation law. FEE is
currently not convinced about the usefulness of introducing across the EU
published effectiveness conclusions on internal control over financial
reporting as required by Section 404 of the Sarbanes-Oxley Act."
The FDA has a minimum standard for accuracy and integrity of electronic records, to facilitate submissions for new drug applications. Industry wants to reduce the approval time because they estimate that delay costs about a million dollars for each day of sales lost for a successful drug. Other industries could well learn from the experience of the pharma companies in coping with these stringent requirements. After all, the Feds can shut them down by denying them a licence to operate. The 21st Code of Federal Regulations (CFR) Part 11 deals with electronic records and electronic signatures. It is described in: http://www.fda.gov/ora/compliance_ref/part11/ FDA Compliance Policy Guide 7153.17 says “Deviations are significant if numerous, make it difficult for the agency to audit or interpret data, or if the deviations undermine the integrity of the data. For example, FDA would consider the absence of an audit trail to be highly significant when there are data discrepancies and when individuals deny responsibility for record entries”
The Act was created to restore investor confidence in US public markets, damaged by business scandals and lapses in corporate governance. The full text is at http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
For a layered view see Dave Barnett's presentation on the ISACA web site: http://www.isaca.org/complianceframeworkv3.
CobiT covers all controls relevant to IT organization. It was created
by Information Systems auditors and the IT Governance Institute or the CIO.
CobiT can be obtained from the Information Systems Audit and Control
Assciation (ISACA) at http://www.isaca.org.
CobiT®, Control Objectives for Information & related Technology, is a
comprehensive framework for managing risk and control of IT. CobiT provides 4
domains of IT control: Plan, Acquire, Deliver, Monitor, 34 IT processes and
318 detailed control objectives including operational and compliance
http://www.ITGI.org provides guidance for IT professionals on how to
address Sarbanes-Oxley from an IT perspective “Sarbanes-Oxley; The
importance of information technology in the design, implementation and
sustainability of internal control” (July 2004). It has three key appendices:
Appendix A—IT Control Objectives for Sarbanes-Oxley; Appendix B—Company-level
Questionnaire; Appendix C—IT Control Objectives. I used this outline to work
through the twelve CobiT control objectives and discussed with the group
examples of controls and tests of the existence and adequacy of the controls.
Many financial reports are prepared using spreadsheets.
Auditors are really doing this and companies are disclosing lack of controls on spreadsheet use. See http://www.eusprig.org/stories.htm for these reports:
Assessing the Effectiveness of Internal Control, by Michael Ramos, Wiley, Mar'04. 5 star review: "the best, most comprehensive guide to Section 404 compliance out there"
Composed of Maturity Models, Critical Success Factors, Key Goal Indicators, and Key Performance Indictors, these Management Guidelines will help answer the questions of immediate concern to all those who have a stake in the effective union between business processes and information systems. In addition, COBIT 3rd Edition consists of an Executive Summary, Framework, high-level and detailed Control Objectives, Audit Guidelines and an Implementation Tool Set. A key-word searchable CD-ROM containing all of COBIT’s text and graphics is also included.
Last month I mentioned the setting up of an Irish chapter of the International Association for Information and Data Quality (IAIDQ). The conference presentations from their first meeting can be downloaded from http://www.computing.dcu.ie/research/dataquality/iqireland/Reviews/Feb2005/ReviewFeb2005.htm
The conference details for the IAIDQ/DAMA conference can be found at http://www.irmuk/dm2005
The IAIDQ website is www.iaidq.org
http://sysmod.com/az.php?a=0471253839&b=Information_Quality Larry English walks readers through a 6 process methodology for implementing TiQM (Total Information Quality Management), building on proven techniques and practices from manufacturing management.
As you know, the standard advice on how to achieve high-ranking and popular web pages is to include the key words of interest, and their synonyms, antonyms, and misspellings, and have plenty of high-quality content on the topic.
I recently noticed an unusual result that showed that that is not the whole story. Number one in Google for a popular search term was a site that did not use that term at all! I posted this as a challenge puzzle to members of the Enterprise Ireland eBusiness list http://www.enterprise-ireland.com/ebusiness/news-mailing-list.asp
On the Eircom home page, search for 'Amazon'. That is the same as searching
in Google with "pages from Ireland" selected which means that Google will only
return pages from servers in the Irish IP address space. Explain how this got to
http://sdec.reach.ie/papers/psb-overview/ sdec - PSB Overview. An overview of the Public Services Broker Architecture. This document is a briefing document for those interested in the ...
Brian McAuliffe of aviadirect.co.uk was the first back with the chain of reasoning.
As the word Amazon does not appear anywhere on the page, the reference must be from an external link. Search google for "Link:sdec.reach.ie/papers/psb-overview/" to see a list of pages that link to this and you get a highly page ranked Blog: http://42.blogs.warnock.me.uk/2004/06/ which contains the following text and link. "I think that the Internet Operating system he talks about is going to look more like what Sean McGrath is doing with Reach in Ireland than what Amazon are doing. " Now reach.ie has links to the SDEC page and http://seanmcgrath.blogspot.com/ also has a link to the page, but as this is also a blog, the link probably now rests in the archives. A search for Amazon, based on pages on Irish servers only, revealed a piece of text with two links on it. This text sits on a website with a very high PR, so google treats it with some respect. Following the two links take you to two similarly ranked sites with many links on each with a common link to Amazon.
Liam Morrison of Search Matters (http://morrison.typepad.com) was next:
He found http://ch.kitaguni.tv/u/5250/XML/0000148432.html with a page title "Amazon Simple Queue Service". A few lines down is an Entry Heading labelled "Amazon Simple Queue Service" Quite close under this paragraph heading are links to the SDEC page and to http://seanmcgrath.blogspot.com/2004_05_30_seanmcgrath_archive.html#108600923863974409 where the words "Amazon Simple Queue Service" are within a link and so become anchor text and the word "this" links directly to SDEC and he goes on to mention Amazon again within that paragraph. Liam comments " We now know why that page ranks for the term 'Amazon' even when the word is not mentioned on the page, but only Google knows why it ranks number one as opposed to other pages. It's interesting though that the links are from blogs." "...for more competitive phrases, it's likely that who is linking to you and how they are linking to you is more important."
Liam also pointed to this US patent
which has the following interesting points that optimizers might wish to consider:
- ...if a particular document appears as a hit for a discordant set of queries, this may (though not necessarily) be considered a signal that the document is spam
- A typical, "legitimate" document attracts back links slowly. A large spike in the quantity of back links may signal attempts to spam a search engine (to obtain a higher ranking and, thus, better placement in search results) by exchanging links, purchasing links, or gaining links from documents without editorial discretion on making links.
- Individuals who attempt to deceive (spam) search engines often use throwaway or "doorway" domains and attempt to obtain as much traffic as possible before being caught.
- Information regarding a name server associated with a domain may be used to predict the legitimacy of the domain. A "good" name server may have a mix of different domains from different registrars and have a history of hosting those domains, while a "bad" name server might host mainly pornography or doorway domains, domains with commercial words (a common indicator of spam), or primarily bulk domains from a single registrar, or might be brand new.
- A sudden growth in the number of apparently independent peers, incoming and/or outgoing, with a large number of links to individual documents may indicate a potentially synthetic web graph, which is an indicator of an attempt to spam.
http://sysmod.com/az.php?a=0764567586&b=Search_Engine_Optimization 384 pages (May 17, 2004)
http://www.isaca.org.uk/northern/formal_training.htm ISACA course at Salford University, 17-18 MAY 2005.
Spreadsheet models are widely used to inform vital business decisions and processes, and are known to be about the most error-prone and high-risk applications in any business. Despite the risks, they are often not tested, or are tested around, leaving businesses exposed to error (and potentially in breach of regulatory and legal requirements) Testing can be an enormous sink of time and effort, much of it tediously repetitive for the auditor or reviewer, and as a result errors can easily be overlooked. If it is contracted out to any of the excellent specialist service companies in the field, it can be expensive and open-ended.
ISACA Northern England presents a two-day course in auditing spreadsheet models led by two leading experts in the field - Ray Butler and Patrick O'Beirne. Over two days, you will learn by a combination of lectures and practical hands on work:
You will gain this experience by working through the risk assessment and audit of a live spreadsheet model of your choice from your business. You should leave the seminar with the confidence to use the tools / methods shown to risk-assess and test further spreadsheets in your organisation. If you do not wish to bring one of your own spreadsheets, a large practice spreadsheet will be available You will be supplied with full documentation, a guide to risk assessment, and working (but time limited) copies of two leading spreadsheet auditing tools, SpACE and ExChecker for evaluation.
ScanXLS reports for all your .XLS files their file properties, attributes, the presence of unusual features or settings that may represent a risk or are prone to human error, Excel's error checking summaries, a list of other files that a workbook depends on through links, and a scoring on how 'problematic' it might be. SCANXLS can also compare two workbooks to check whether their formulas and/or values are identical.
Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM
Thank you! Patrick O'Beirne, Editor
http://www.amadan.net/spec/csvml.html For the nerds: XML Specification for CSV
http://images.thesun.co.uk/picture/0,,2005130872,00.jpg For the rest: Google goes postal
Copyright 2005 Systems Modelling Limited,
Reproduction allowed provided the newsletter is copied in its entirety and with
this copyright notice.
We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to EuroIS-subscribe (at) yahoogroups (dot) com - it's free!
For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.
Patrick O'Beirne, Editor
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website a onmousedown="return go(this)" href="http://finance.groups.yahoo.com/group/EuroIS/"> http://finance.groups.yahoo.com/group/EuroIS/