PraxIS April 2005

05-04 Contents: Compliance (SOX,CobiT,...), Data Quality, SEO, Spreadsheet audit course

ISSN 1649-2374 This issue online at   [Previous] [Index] [Next]

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  


1) Risk & Security
     Compliance: SOA, SOX, COSO, CobiT, ITGI, FDA, ODCE, FEE, SLAs, FLAs, TLAs...
2) Data quality
     IQ conference presentations available
3) Search Engine Optimisation
     The not so obvious stuff
4) Spreadsheets
     Course in Auditing Spreadsheets May 17-18
5) Off Topic
     April Firsts
24 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

It's a week late this month - end of term wrap-up and the preparation of exams for the students on my module of Quantitative Methods in the Irish Management Institute took priority!

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

Last week I gave a one-day presentation at the Irish Management Institute on Compliance and Validation. Here in Ireland, legislation on director's compliance statements is planned by the Office of the Director of Corporate Enforcement (ODCE). Most of my presentation focused on CobiT as a framework for addressing compliance from the IT perspective. Here are some of the highlights from my one-day course, with references to sources for further reading. I am available to present this material to your organisation, or to write an article for your magazine.

  1. The Compliance landscape

    Scandals have changed regulatory attitudes from a gentleman's club regime to mandatory regulation with Basel II, International Financial Reporting Standards (IFRS), Anti-Money Laundering, Sarbanes Oxley, the Approved Persons Regime, the Consumer Credit Act, the Distance Marketing Directive, the EU Electronic Commerce directives, and others for specific industries. In the UK, the Financial Services Authority's Handbook is a sourcebook for all FSA rules and guidance, at A report commissioned by the UK offices of Enterprise Ireland surveyed 35 decision-makers in UK financial institutions. The report found that high street banks in the UK are spending between 20 percent and 50 percent of their 2004 regulatory compliance budget on IT, a figure that is likely to increase by 10 percent in 2005. The survey also found that investment banks and insurance companies are spending between 10 percent and 40 percent of their compliance budget on IT. The discrepancy between the financial institutions reflects the fact that banks have a more centralised compliance model, by comparison with investment banks where compliance issues are dealt with on a regional or departmental level. IT was the second most important factor in the compliance budget. Training and education received between 50 percent and 70 percent of the budget in banks and between 40 percent and 80 percent of the budget in investment banks and insurance companies.  Reputational risk was cited as the most important driver of compliance – loss of reputation was widely described as being disastrous to share value and consumer confidence for financial institutions. Operational risk due to an inability to meet new regulations was also identified as a major concern. In terms of specific threats to the integrity of the organisation, money laundering was the most commonly cited issue, which has led to increased investment in combating this problem.


  2. Office of the Director of Corporate Enforcement (ODCE,

    The ODCE is an Irish government agency with about 35 staff whose remit is focused on the Companies Acts 1963-2003. Their website is  The guidance document is "Revised Guidance on the Directors' Compliance Statements to be prepared under the Companies Acts", 16 December 2004. They point out that "Auditors must opine if the Statements are 'fair and reasonable'" and "Reliance on self-assessment is not considered sufficient for the purposes of directors satisfying themselves as to the effectiveness of a company's internal financial and other procedures under the Companies (Auditing and Accounting) Act 2003."

    They Indicate internal financial/other procedures, adapted from 'Internal Control – Guidance for Directors on the Combined Code' (also known as the 'Turnbull Report') published by the Institute of Chartered Accountants in England and Wales. The full text of the Report can be downloaded at

  3. The Federation of European Accountants (FEE,

    FEE has published a discussion paper on  "Risk Management and Internal Control in the EU", March 2005. They comment "The Sarbanes-Oxley Act should be viewed in the context of the US legislative framework and the limited rights of shareholders in the United States. Company law in Europe generally gives shareholders powers to act which are not generally available to US shareholders under US state corporation law. FEE is currently not convinced about the usefulness of introducing across the EU published effectiveness conclusions on internal control over financial reporting as required by Section 404 of the Sarbanes-Oxley Act."

  4. The US Food & Drug Administration (FDA,

    The FDA has a minimum standard for accuracy and integrity of electronic records, to facilitate submissions for new drug applications. Industry wants to reduce the approval time because they estimate that delay costs about a million dollars for each day of sales lost for a successful drug. Other industries could well learn from the experience of the pharma companies in coping with these stringent requirements. After all, the Feds can shut them down by denying them a licence to operate. The 21st Code of Federal Regulations (CFR) Part 11 deals with electronic records and electronic signatures. It is described in: FDA Compliance Policy Guide 7153.17 says “Deviations are significant if numerous, make it difficult for the agency to audit or interpret data, or if the deviations undermine the integrity of the data. For example, FDA would consider the absence of an audit trail to be highly significant when there are data discrepancies and when individuals deny responsibility for record entries”


  5. The Sarbanes-Oxley Act (SOA)

    The Act was created to restore investor confidence in US public markets, damaged by business scandals and lapses in corporate governance.  The full text is at

    1. SOA Section 302 makes certifying officers responsible for establishing and maintaining internal control over financial reporting (ICOFR), disclosing changes that materially affect ICOFR, material weakness, and not making misleading disclosures
    2. SOA Section 404 requires the management of public companies specified by the Act to assess the effectiveness of the organization's ICOFR and annually report the result of that assessment; and auditors attest to management's assessment. Organizations must also provide their independent auditors with documentation, evidence of functioning controls and the documented results of testing procedures.
    3. Standards for the auditor's attestation are the responsibility of the Public Company Accounting Oversight Board (PCAOB). The PCAOB state that the auditor should perform limited procedures quarterly to become aware of any material modifications.
    4. The US Securities and Exchange Commission (SEC) mandated the use of a recognized internal control framework: Committee of the Sponsoring Organizations (COSO) of the Treadway Commission.
    5. COSO is addressed to the Executive Board and covers organisation-wide controls for integrity, ethical values, and competence. Risk assessment leads to control activities around approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. For more details, see
    6. Cap Gemini Ernst & Young auditors will ask CIOs these tough questions:  48 Questions You Need to Be Able to Answer.
  6. COSO, CobiT, ITIL, and ISO17799

    For a layered view see Dave Barnett's presentation on the ISACA web site:

  7. Control Objectives for Information and related Technology (CobiT,

    CobiT covers all controls relevant to IT organization.  It was created by Information Systems auditors and the IT Governance Institute or the CIO. CobiT can be obtained from the Information Systems Audit and Control Assciation (ISACA) at CobiT®, Control Objectives for Information & related Technology, is a comprehensive framework for managing risk and control of IT. CobiT provides 4 domains of IT control: Plan, Acquire, Deliver, Monitor, 34 IT processes and 318 detailed control objectives including operational and compliance objectives.

  8. The IT Governance Institute (ITGI, provides guidance for IT professionals on how to address Sarbanes-Oxley from an IT perspective  “Sarbanes-Oxley; The importance of information technology in the design, implementation and sustainability of internal control” (July 2004). It has three key appendices: Appendix A—IT Control Objectives for Sarbanes-Oxley; Appendix B—Company-level Questionnaire; Appendix C—IT Control Objectives. I used this outline to work through the twelve CobiT control objectives and discussed with the group examples of controls and tests of the existence and adequacy of the controls.

  9. End User Computing (

    Many financial reports are prepared using spreadsheets.

    1. An example control is: End-user computing (EUC) policies and procedures for security, availability and processing integrity exist and are followed.
    2. An example test is: Obtain a copy of EUC policies and procedures and confirm that they address security, availability and processing integrity controls. Interview a sample of users – are they are aware of policy and in compliance with it?
    3. Another control is: EUC/user-developed programs, including spreadsheets, are documented; regularly reviewed for integrity, including the ability to sort, summarize and report accurately; backed up regularly and securely; protected from unauthorized access; checked for inputs, processing, outputs; independently verified for completeness and accuracy.
    4. A test would be to: inquire as to management's knowledge of EUC. Sample & review approaches followed to review EUC for processing integrity, access protection. Review user-developed systems and test their ability to sort, summarize and report in accordance with management intentions. Inquire who reviews and approves outputs from user-developed systems prior to their submission. Re-perform or review the logic used in EUC and conclude on its ability to process completely and accurately.
  10. This is happening now.

    Auditors are really doing this and companies are disclosing lack of controls on spreadsheet use. See for these reports:

    1. CECO's in-house accounting staff discovered a $1,969,000 accounting error in the spreadsheet calculations used by the Company's construction division. Phillip DeZwirek, Chairman and CEO of CECO stated that, “[We] immediately reported it to our independent auditors. As our business expands it is important to know that our Sarbanes-Oxley compliance preparation is working.“
    2. Tweeter Entertainment Group Inc. announced that its auditor, Deloitte & Touche LLP, said its spreadsheet controls were 'not sufficient' in the fourth quarter. A spokeswoman declined to say how much in 'recorded adjustments' the company made. Tweeter said the errors did not affect prior periods.
    3. Carrizo Oil & Gas, Inc. discovered an error in a spreadsheet which tracks the average number of warrants and options outstanding. This error impacted Carrizo's financial results. The actual diluted net income per share was $0.19 rather than $0.21.


Book: How to Comply with Sarbanes-Oxley Section 404
Assessing the Effectiveness of Internal Control, by Michael Ramos, Wiley, Mar'04. 5 star review: "the best, most comprehensive guide to Section 404 compliance out there"

Book: COBIT® 3rd Edition.©: Control Objectives for Information and related Technology
Composed of Maturity Models, Critical Success Factors, Key Goal Indicators, and Key Performance Indictors, these Management Guidelines will help answer the questions of immediate concern to all those who have a stake in the effective union between business processes and information systems. In addition, COBIT 3rd Edition consists of an Executive Summary, Framework, high-level and detailed Control Objectives, Audit Guidelines and an Implementation Tool Set. A key-word searchable CD-ROM containing all of COBIT’s text and graphics is also included.


2) Information Quality

Last month I mentioned the setting up of an Irish chapter of the International Association for Information and Data Quality (IAIDQ).  The conference presentations from their first meeting can be downloaded from

The conference details for the IAIDQ/DAMA conference can be found at http://www.irmuk/dm2005 

The IAIDQ website is

Book: Improving Data Warehouse and Business Information Quality Larry English walks readers through a 6 process methodology for implementing TiQM (Total Information Quality Management), building on proven techniques and practices from manufacturing management.


3) Search Engine Optimisation

As you know, the standard advice on how to achieve high-ranking and popular web pages is to include the key words of interest, and their synonyms, antonyms, and misspellings, and have plenty of high-quality content on the topic.

I recently noticed an unusual result that showed that that is not the whole story. Number one in Google for a popular search term was a site that did not use that term at all! I posted this as a challenge puzzle to members of the Enterprise Ireland eBusiness list 

On the Eircom home page, search for 'Amazon'. That is the same as searching in Google with "pages from Ireland" selected which means that Google will only return pages from servers in the Irish IP address space. Explain how this got to #1 position: sdec - PSB Overview.  An overview of the Public Services Broker Architecture. This document is a briefing document for those interested in the ...

Brian McAuliffe of was the first back with the chain of reasoning.

As the word Amazon does not appear anywhere on the page, the reference must be from an external link.  Search google for "" to see a list of pages that link to this and you get a highly page ranked Blog: which contains the following text and link.  "I think that the Internet Operating system he talks about is going to look more like what Sean McGrath is doing with Reach in Ireland than what Amazon are doing. "  Now has links to the SDEC page and  also has a link to the page, but as this is also a blog, the link probably now rests in the archives.  A search for Amazon, based on pages on Irish servers only, revealed a piece of text with two links on it. This text sits on a website with a very high PR, so google treats it with some respect. Following the two links take you to two similarly ranked sites with many links on each with a common link to Amazon.

Liam Morrison of Search Matters ( was next:

He found with a page title "Amazon Simple Queue Service". A few lines down is an Entry Heading labelled "Amazon Simple Queue Service" Quite close under this paragraph heading are links to the SDEC page and to   where  the words "Amazon Simple Queue Service" are within a link and so become anchor text and the word "this" links directly to SDEC and he goes on to mention Amazon again within that paragraph.  Liam comments " We now know why that page ranks for the term 'Amazon' even when the word is not mentioned on the page, but only Google knows why it ranks number one as opposed to other pages. It's interesting though that the links are from blogs." "...for more competitive phrases, it's likely that who is linking to you and how they are linking to you is more important."

Liam also pointed to this US patent

which has the following interesting points that optimizers might wish to consider:


Book: Search Engine Optimization for Dummies(r) by P Kent 384 pages (May 17, 2004)


4) Spreadsheets

Course in Auditing Spreadsheets May 17-18  ISACA course at Salford University, 17-18 MAY 2005.


Spreadsheet models are widely used to inform vital business decisions and processes, and are known to be about the most error-prone and high-risk applications in any business. Despite the risks, they are often not tested, or are tested around, leaving businesses exposed to error (and potentially in breach of regulatory and legal requirements) Testing can be an enormous sink of time and effort, much of it tediously repetitive for the auditor or reviewer, and as a result errors can easily be overlooked. If it is contracted out to any of the excellent specialist service companies in the field, it can be expensive and open-ended.


ISACA Northern England presents a two-day course in auditing spreadsheet models led by two leading experts in the field - Ray Butler and Patrick O'Beirne. Over two days, you will learn by a combination of lectures and practical hands on work:

You will gain this experience by working through the risk assessment and audit of a live spreadsheet model of your choice from your business. You should leave the seminar with the confidence to use the tools / methods shown to risk-assess and test further spreadsheets in your organisation. If you do not wish to bring one of your own spreadsheets, a large practice spreadsheet will be available You will be supplied with full documentation,  a guide to risk assessment, and working (but time limited) copies of two leading spreadsheet auditing tools, SpACE and ExChecker for evaluation.



ScanXLS reports for all your .XLS files their file properties, attributes, the presence of unusual features or settings that may represent a risk or are prone to human error, Excel's error checking summaries, a list of other files that a workbook depends on through links, and a scoring on how 'problematic' it might be. SCANXLS can also compare two workbooks to check whether their formulas and/or values are identical. 



Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Off Topic - April 1st Tara Calishain's roundup of April Fool stories including the spoof MSN "search". For the nerds: XML Specification for CSV,,2005130872,00.jpg For the rest: Google goes postal


Copyright 2005 Systems Modelling Limited, . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!
To read previous issues of this newsletter please visit our web site at

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website a onmousedown="return go(this)" href="">