Chapter 15 ■ Security Assessment and Testing
organizations, the chief audit executive reports directly to the president, chief executive officer, or similar role. The chief audit executive may also have reporting responsibility directly to the organization’s governing board.
External Audits
External audits are performed by an outside auditing firm. These audits have a high degree of external validity because the auditors performing the assessment theoretically have no conflict of interest with the organization itself. There are thousands of firms that perform external audits, but most people place the highest credibility with the so-called Big Four audit firms:
■ Ernst & Young
■ Deloitte & Touche
■ PricewaterhouseCoopers
■ KPMG
Audits performed by these firms are generally considered acceptable by most investors and governing body members.
Third-Party Audits
Third-party audits are conducted by, or on behalf of, another organization. For example, a regulatory body might have the authority to initiate an audit of a regulated firm under contract or law. In the case of a third-party audit, the organization initiating the audit generally selects the auditors and designs the scope of the audit.
Organizations that provide services to other organizations are frequently asked to participate in third-party audits. This can be quite a burden on the audited organization if it has a large number of clients. The American Institute of Certified Public Accountants (AICPA) released a standard designed to alleviate this burden. The Statement on Standards for Attestation Engagements document 16 (SSAE 16), titled Reporting on Controls at a Service Organization, provides a common standard to be used by auditors performing assessments of service organizations, with the intent of allowing the organization to conduct a single external assessment instead of multiple third-party assessments and then share the resulting report with customers and potential customers. SSAE 16 has since been superseded by SSAE 18, and these engagements are now commonly referred to as SOC 1 reports; they address controls relevant to customers’ financial reporting, whereas security, availability, processing integrity, confidentiality, and privacy controls are covered by the separate SOC 2 reporting framework.
SSAE 16 engagements produce two different types of reports.
■ Type I reports provide a description of the controls provided by the audited organization as well as the auditor’s opinion based upon that description. Type I audits cover a single point in time and do not involve actual testing of the controls by the auditor.
■ Type II reports cover a minimum six-month time period and also include an opinion from the auditor on the effectiveness of those controls based upon actual testing performed by the auditor.
Type II reports are considered much more reliable than Type I reports because they include independent testing of controls. Type I reports simply take the service organization at its word that the controls are implemented as described.
Information security professionals are often asked to participate in internal, external, and third-party audits. They commonly must provide information about security controls to auditors through interviews and written documentation. Auditors may also request the participation of security staff members in the execution of control evaluations. Auditors generally have carte blanche access to all information within an organization, and security staff should comply with those requests, consulting with management as needed.
When Audits Go Wrong
The Big Four didn’t come into being until 2002. Up until that point, the Big Five also included the highly respected firm Arthur Andersen. Andersen, however, collapsed suddenly after it was implicated in the collapse of Enron Corporation. Enron, an energy company, suddenly filed for bankruptcy in 2001 after allegations of systemic accounting fraud came to the attention of regulators and the media.
Arthur Andersen, then one of the world’s largest auditing firms, had performed Enron’s financial audits, effectively signing off on the company’s fraudulent practices as legitimate. The firm was convicted of obstruction of justice in 2002 and, although the conviction was later overturned by the Supreme Court, quickly collapsed due to the loss of credibility it suffered in the wake of the Enron scandal and other allegations of fraudulent behavior.