
Internal Controls Integrity

Security notes on Integrity

 

·         The confidence business managers need in the integrity of their information systems and data, and the challenges the industry faces in ensuring that integrity.

·         Status and direction of research and development in integrity and internal control.

·         Bridging the gap between business needs on one hand, and research and development on the other

New vulnerabilities are discovered frequently in most commercial operating systems and applications. Current intrusion detection systems fail to detect, or misidentify, a large proportion of attacks, particularly new and slow attacks[1].

Remote server file integrity checking

Consequently, critical files must be checked frequently for integrity with one-way hash functions, ideally after booting from trusted storage, using tools such as Tripwire, Verisys on Windows[2], the GPL-licensed AIDE, OSSEC[3] (which also checks logs, e.g. Windows login, logout and audit events, and routing and remote-access logs) or the tamper-resistant Samhain[4]. On production systems, however, checking from trusted boot media means downtime, so the check has to be made remotely while the server is running. One solution is for the verification host to ask the server to compute checksums of its critical files. An attacker who has modified the checksum program on the server can defeat this, so the challenge should include a dynamically generated file (or salt) and the response should be the checksum of the critical file concatenated with the verifier's file (or salt). An attacker can still defeat this by keeping a pristine copy of each modified file and hashing the copy instead, so the verifier should also check the integrity of directories and system tables, where such extra copies would have to be hidden.

A solution based on the Diffie-Hellman protocol, using an RSA modulus:

m, the contents of the remote file to be verified, read as one integer

N, an RSA modulus with two (or more) prime factors of around 1024 bits each. Publicly known.

L = Phi(N), known only to the verifier; if N = pq, then L = (p-1)(q-1)

a, an element between 2 and N-2, coprime to N, randomly chosen and public

The verifier stores the precomputed value M = a^m mod N. By Euler's theorem a^L = 1 mod N (for a coprime to N), so the long exponent m can be replaced by the short value (m mod L), and the verifier, knowing p and q, can also speed up the exponentiation with the Chinese remainder theorem. The server, which does not know L, has no such shortcut: it must use the full file contents m to answer.

The verifier chooses a random value r (from the same domain as a) and sends the following to the server,

A = a^r mod N

The server computes B = A^m mod N and returns B

The verifier computes C = M^r mod N

and accepts if B = C, since

B = A^m mod N = a^(rm) mod N = (a^m)^r mod N = M^r mod N = C
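The exchange above as an added worked example in Python; it is not code from the page's source. The two Mersenne primes, the sample file and its tampered copy are constructed so the demo runs instantly (a real deployment would generate primes of about 1024 bits each). The verifier keeps only M and the short residue m mod L, the server side has nothing but the file it currently holds, and a fresh r is drawn for every round.

```python
import math
import secrets

# Constructed parameters so the demo runs instantly: two Mersenne primes.
# A real deployment uses randomly generated primes of about 1024 bits each.
P = 2**61 - 1
Q = 2**31 - 1


def random_unit(N):
    """Random integer in [2, N-2] coprime to N: the domain of a and r."""
    while True:
        x = secrets.randbelow(N - 3) + 2
        if math.gcd(x, N) == 1:
            return x


class Verifier:
    """Knows N, a, the secret L = phi(N), and the precomputed M = a^m mod N."""

    def __init__(self, file_bytes, p=P, q=Q):
        self.N = p * q                    # public modulus
        self.L = (p - 1) * (q - 1)        # phi(N); never leaves the verifier
        self.a = random_unit(self.N)      # public base, coprime to N
        m = int.from_bytes(file_bytes, "big")
        # Euler: a^m = a^(m mod L) (mod N) because gcd(a, N) = 1, so the
        # verifier keeps only the short residue of the file, not the file.
        self.m_short = m % self.L
        self.M = pow(self.a, self.m_short, self.N)
        self._r = None

    def challenge(self):
        """Fresh r each round; the server sees A = a^r mod N, never r."""
        self._r = random_unit(self.N)
        return pow(self.a, self._r, self.N)

    def verify(self, B):
        """Accept iff B == C = M^r mod N, i.e. iff the server used the original m."""
        if self._r is None:
            raise RuntimeError("no outstanding challenge")
        C = pow(self.M, self._r, self.N)
        self._r = None                    # one-shot: an old (A, B) pair cannot be replayed
        return B == C


def server_answer(A, file_bytes, N):
    """Prover side. Without L the server cannot shorten the exponent and must
    raise A to the full integer value of whatever file it currently holds."""
    m = int.from_bytes(file_bytes, "big")
    return pow(A, m, N)


def run_round(verifier, file_on_server):
    A = verifier.challenge()
    B = server_answer(A, file_on_server, verifier.N)
    return verifier.verify(B)


# Constructed sample "critical file" and a tampered copy of it
ORIGINAL = b"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
TAMPERED = ORIGINAL.replace(b"/sbin/nologin", b"/bin/bash")

if __name__ == "__main__":
    v = Verifier(ORIGINAL)
    print("intact file accepted:  ", run_round(v, ORIGINAL))
    print("modified file accepted:", run_round(v, TAMPERED))
    print("verifier keeps", v.m_short.bit_length(), "bits for a",
          int.from_bytes(ORIGINAL, "big").bit_length(), "bit file")
```

The check inherits the limitation noted above: a server that still holds a pristine copy of the file can answer correctly, so the verifier must also cover the places where such a copy could hide. What the scheme adds is that without L the server cannot store anything shorter than the original file and still answer.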

SAP account and roles validation

Prolog may be used. With facts for user-role assignments and role names (Prolog atoms must start with a lower-case letter, so Karen becomes karen; the second role is a sample fact added so the query has something to match),

user(karen, 1).

user(karen, 2).

role(create_purchase, 1).

role(release_purchase, 2).

user_role(Name, RoleId, RoleName) :- user(Name, RoleId), role(RoleName, RoleId).

% Name holds both roles: a separation-of-duties conflict

user_role_rule(Name, RoleName1, RoleName2) :- user_role(Name, _, RoleName1), user_role(Name, _, RoleName2), RoleName1 \== RoleName2.

Query:

?- user_role_rule(X, create_purchase, release_purchase).

answers X = karen, and in general every user holding both roles.

Hysteresis signature

Chaining signatures such that each signed document depends on hash values computed from all previously signed documents. This relies on the confidentiality and integrity of users' private keys in the key store. In the Hitachi Dependable Autonomous Realtime Manager (DARMA), the user OS (Windows, W below) is separated from the key management system (Linux, L below).

(AuthenticateW → GenerateSignatureW → LogoutW) ↔ DARMA ↔ (AuthenticateL → GenerateSignatureL → LogoutL) ↔ Access Controller ↔ Session manager
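The chaining described above, as an added example that is neither Hitachi's code nor the page's: each record's signature covers the hash of the document concatenated with the previous record's signature, so through that link it covers every earlier record. HMAC-SHA256 stands in for the user's private-key signature (an assumption, so the example runs on the standard library alone); the chaining logic is what the example shows. Altering one document breaks verification at that record, and re-signing it with the key breaks it at the next record, because later records anchor earlier signatures. The invoices are constructed sample data.

```python
import hashlib
import hmac

# Stand-in signing primitive (assumption): HMAC-SHA256 replaces the user's
# private-key signature so the example runs with the standard library alone.
# The chaining structure is what this example demonstrates, not the primitive.
def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def signature_ok(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)


GENESIS = "0" * 64   # "previous signature" of the first record


def record_digest(doc, prev_sig):
    """What gets signed: H(H(doc) || previous signature). Through prev_sig this
    transitively covers every earlier record in the chain."""
    return hashlib.sha256(hashlib.sha256(doc).digest() + prev_sig.encode()).digest()


def append_record(log, key, doc):
    prev = log[-1]["sig"] if log else GENESIS
    log.append({"doc": doc, "prev": prev, "sig": sign(key, record_digest(doc, prev))})
    return log


def build_log(key, docs):
    log = []
    for doc in docs:
        append_record(log, key, doc)
    return log


def verify_chain(log, key):
    """Return (True, None) or (False, index of the first record that fails)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or not signature_ok(key, record_digest(rec["doc"], prev), rec["sig"]):
            return False, i
        prev = rec["sig"]
    return True, None


def tampered_log(log, i, new_doc, resign_with=None):
    """Copy of log with record i's document replaced; optionally re-signed with
    a (stolen) key, as an attacker holding the private key would do."""
    out = [dict(r) for r in log]
    out[i]["doc"] = new_doc
    if resign_with is not None:
        out[i]["sig"] = sign(resign_with, record_digest(new_doc, out[i]["prev"]))
    return out


# Constructed sample documents
DOCS = [b"invoice 1001: 500 EUR", b"invoice 1002: 250 EUR", b"invoice 1003: 900 EUR"]

if __name__ == "__main__":
    key = b"demo-signing-key"
    log = build_log(key, DOCS)
    print(verify_chain(log, key))
    print(verify_chain(tampered_log(log, 1, b"invoice 1002: 25 EUR"), key))
    # Even with the key, re-signing record 1 breaks the link held by record 2
    print(verify_chain(tampered_log(log, 1, b"invoice 1002: 25 EUR", resign_with=key), key))
```

The second and third checks are the point of the scheme: a forger needs not only the key but also every later record in the chain, which is what separating the key store from the user OS and keeping the chain is meant to deny.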

Role-Based Access Control

Core RBAC. Users (persons) are assigned to roles (job functions), roles are associated with permissions (approvals to perform operations on objects), and users acquire permissions by becoming members of roles.

Hierarchical RBAC adds inheritance: role r1 inherits role r2 only if all permissions of r2 are also permissions of r1 and all users of r1 are also users of r2.

Static separation of duties, necessary to prevent conflicts of interest: a user may not be assigned two mutually exclusive roles, checked at assignment time and across inherited roles.

Dynamic separation of duties: the same constraint applied to the roles activated within one session, so a user may hold both roles but not exercise them together.
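The RBAC definitions above and the SAP separation-of-duties check from the previous section, as one added Python example that is not from the page's sources: hierarchical roles, permission derivation through inheritance, and a static separation-of-duties constraint enforced at assignment time, including roles reached through inheritance. The purchasing roles, users and permissions are constructed sample data.

```python
from collections import defaultdict


class RBAC:
    """Core + hierarchical RBAC with static separation-of-duty (SSD) constraints."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> roles assigned directly
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.inherits = defaultdict(set)     # senior role -> junior roles it inherits
        self.ssd = []                        # [(frozenset(roles), n)]: hold fewer than n of them

    def grant(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def add_inheritance(self, senior, junior):
        """senior >= junior: every permission of junior is also a permission of senior."""
        self.inherits[senior].add(junior)

    def add_ssd(self, roles, n=2):
        """No user may be assigned n or more of these roles (n=2: mutually exclusive)."""
        self.ssd.append((frozenset(roles), n))

    def authorized_roles(self, role):
        """The role plus everything it inherits, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits[r])
        return seen

    def effective_roles(self, user):
        roles = set()
        for r in self.user_roles[user]:
            roles |= self.authorized_roles(r)
        return roles

    def permissions(self, user):
        perms = set()
        for r in self.effective_roles(user):
            perms |= self.role_perms[r]
        return perms

    def check_access(self, user, operation, obj):
        return (operation, obj) in self.permissions(user)

    def ssd_conflicts(self, roles):
        """SSD constraints that a user holding exactly these roles would violate."""
        return [(rs, n) for rs, n in self.ssd if len(roles & rs) >= n]

    def can_assign(self, user, role):
        """SSD is checked at assignment time over inherited roles, not just direct ones."""
        prospective = self.effective_roles(user) | self.authorized_roles(role)
        return not self.ssd_conflicts(prospective)

    def assign(self, user, role):
        if not self.can_assign(user, role):
            raise PermissionError(f"assigning {role} to {user} violates static SoD")
        self.user_roles[user].add(role)

    def sod_report(self):
        """Audit view: users whose current assignments breach an SSD constraint."""
        report = {}
        for u in list(self.user_roles):
            conflicts = self.ssd_conflicts(self.effective_roles(u))
            if conflicts:
                report[u] = conflicts
        return report


def build_purchasing():
    """Constructed purchasing scenario using the roles from the SAP example above."""
    r = RBAC()
    r.grant("create_purchase", "create", "purchase_order")
    r.grant("release_purchase", "release", "purchase_order")
    r.grant("purchasing_manager", "report", "purchase_order")
    r.add_inheritance("purchasing_manager", "release_purchase")   # manager inherits releaser
    r.add_ssd({"create_purchase", "release_purchase"})            # the conflicting pair
    r.assign("karen", "create_purchase")
    r.assign("bob", "purchasing_manager")
    return r


if __name__ == "__main__":
    rbac = build_purchasing()
    print(sorted(rbac.permissions("bob")))                 # report + inherited release
    print(rbac.can_assign("karen", "release_purchase"))    # False: direct conflict
    print(rbac.can_assign("karen", "purchasing_manager"))  # False: conflict via inheritance
    print(rbac.sod_report())                               # {} while the constraint is enforced
```

The second refusal is the case a flat user-role query misses: purchasing_manager never appears in the conflict set, but it inherits release_purchase, so giving it to karen would hand her both sides of the purchase.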

ISO/IEC 17799 Code of Practice for Information Security Management

Gives the IS manager exposure to the foundations of IT-department security. Ten domains,

1.       Security policy

2.       Organising information security

3.       Asset classification

4.       Personnel security

5.       Physical and environment security

6.       Communications and operations management

7.       Access control

8.       Systems development and maintenance

9.       Business continuity management

10.   Compliance

ISO 17799 objective, control access to information on the basis of business and security requirements

ISO 17799 control, business requirements for access control should be defined and documented.

Link to CobiT 5, Identification, Authentication, Access

Link: Controls and objectives for both state that specific procedures need to be in place and that these procedures must be documented.

Only in ISO 17799 (Section 10.4, Network access control),

ISO objective: Protection of networked services. Access to internal and external network should be controlled

ISO control: Network routing control. Routing control should be implemented to ensure that connections and information flows do not breach access control policies.

Only in CobiT,

Firewall architecture and connections

CobiT objective: adequate firewall, to prevent denial of service and unauthorised access

CobiT control: firewall

Large Scale Attack Recorder

1.       Recorder. Tracks all events on each workstation and logs them to a central integrity server: process events and network events. A kernel module intercepts system calls, every new listening socket and every session-id change. All incoming connections are checked to determine whether they are trusted.

2.       Database

3.       Analysis tool. Parses all events in the integrity database and reconstructs all propagation paths within and between workstations.

EMERALD is an advanced intrusion detection system for large-scale networks, comprising a classical IDS on each node plus intelligent merging and correlation. LASCAR is lighter and only collects evidence.

For database security, tagging data has been proposed, to indicate whether it is correct, damaged or unsafe to use. Such tags propagate when datasets are combined, so only the damaged data needs to be reconstructed rather than the whole database.
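Tag propagation through a join and an aggregate, as an added example that is not from the page's source. The three-valued tag and its ordering are an assumption (the page names the states but not how they combine), as is the propagation rule used here: a value derived from damaged data becomes unsafe, while damaged is reserved for rows the intrusion altered directly, so the repair plan restores only those and recomputes only what depends on them. The order and customer rows are constructed.

```python
from enum import IntEnum


class Tag(IntEnum):
    """Three-valued tag; the ordering is an assumption, the page names only the states."""
    CORRECT = 0   # verified good
    UNSAFE = 1    # depends on damaged data; must be recomputed, not restored
    DAMAGED = 2   # directly altered by the intrusion; must be restored from backup or log


def combine(*tags):
    """Propagation rule (assumption): a value derived from damaged data is unsafe;
    DAMAGED itself is reserved for rows the intrusion touched directly."""
    worst = max(tags)
    return Tag.UNSAFE if worst == Tag.DAMAGED else worst


def tag(rows, key, damaged_keys=()):
    """Attach a tag to every row; keys in damaged_keys were altered by the intrusion."""
    return [dict(r, _tag=Tag.DAMAGED if r[key] in damaged_keys else Tag.CORRECT) for r in rows]


def join(left, right, on):
    """Equi-join; each output row carries the combined tag of its two inputs."""
    out = []
    for a in left:
        for b in right:
            if a[on] == b[on]:
                merged = {k: v for k, v in b.items() if k != "_tag"}
                merged.update({k: v for k, v in a.items() if k != "_tag"})
                merged["_tag"] = combine(a["_tag"], b["_tag"])
                out.append(merged)
    return out


def group_sum(rows, by, field):
    """Aggregate; the total inherits the combined tag of everything summed into it."""
    totals = {}
    for r in rows:
        total, t = totals.get(r[by], (0, Tag.CORRECT))
        totals[r[by]] = (total + r[field], combine(t, r["_tag"]))
    return totals


def repair_plan(rows, key):
    """Only DAMAGED rows are restored and only UNSAFE rows recomputed; the rest stay."""
    plan = {"restore": [], "recompute": [], "keep": []}
    for r in rows:
        bucket = {Tag.DAMAGED: "restore", Tag.UNSAFE: "recompute"}.get(r["_tag"], "keep")
        plan[bucket].append(r[key])
    return plan


# Constructed sample data: order 2 was altered by the intruder
ORDERS = [{"order": 1, "cust": "acme", "amount": 120},
          {"order": 2, "cust": "acme", "amount": 80},
          {"order": 3, "cust": "zenith", "amount": 300}]
CUSTOMERS = [{"cust": "acme", "region": "EU"}, {"cust": "zenith", "region": "US"}]

if __name__ == "__main__":
    orders = tag(ORDERS, "order", damaged_keys={2})
    joined = join(orders, tag(CUSTOMERS, "cust"), "cust")
    print(group_sum(joined, "cust", "amount"))   # acme total unsafe, zenith still correct
    print(repair_plan(orders, "order"))          # restore [2], keep [1, 3]
    print(repair_plan(joined, "order"))          # recompute [2], keep [1, 3]
```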

Propagation of intrusions across multiple workstations

 

Challenges in Data Integrity and Quality

Integrity and quality are about maintaining correctness, accuracy and quality of data.

Challenges

·         Integrating security and integrity. From a security perspective, integrity is about unauthorised modification of data. Detecting and preventing malicious corruption of data is a challenge. Can data mining be used for detection and prevention? Can recovery be done in a timely manner?

·         Quality of Service. Policies on security and integrity must be flexible. Trade-offs between security, integrity, fault tolerance and real-time computing.

·         Secure high integrity transactions. Integrity and data quality constraints must be ensured.

·         Semantic data quality

·         Algebra for data quality

·         Trust management and data quality

 

Executive’s Guide to COSO Internal Controls[5]

COSO is only a framework outlining professional practices for preferred business systems and processes. The sponsoring organisations are neither Governmental nor regulatory agencies.

An effective internal control system is one of the best defences against business failure, and it is an important driver of business performance. Internal controls manage risk, and preserve organisation value.

Figure 1. Enterprise Internal Controls

 

Control Environment

1.       Commitment to integrity and ethical values

2.       Independent board of directors’ oversight

3.       Structures, reporting lines authorities, and responsibilities

4.       Attract, develop, and retain competent people

5.       People held accountable for internal control

Risk Assessment

6.       Clear objectives specified

7.       Risks identified to achievement of objectives

8.       Potential for fraud considered

9.       Significant changes identified and assessed

Control Activities

10.   Control activities selected and developed

11.   General IT controls selected and developed

12.   Controls developed through policies and procedures

Information and Communication

13.   Quality information obtained, generated, and used

14.   Internal control information internally communicated

15.   Internal information externally communicated

Monitoring Activities

16.   Ongoing and/or separate evaluations conducted

17.   Internal control deficiencies evaluated and communicated

Initial Risk Assessment

Qualitative Assessment

Rank the seriousness of threats and sensitivity of assets into grades or classes, e.g. low, medium, or high.

Quantitative Assessment

1.       Single Loss Expectancy (SLE) = Asset Value x Exposure Factor

2.       Threat assessment. Estimate the Annual Rate of Occurrence (ARO)

3.       Determine Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)

Threat level or vulnerability                Exposure Factor

5 = Stolen or compromised data               0.9

4 = Hardware failure                         0.25

3 = Virus or malware                         0.5

2 = DoS attack                               0.25

1 = Short-term outage                        0.05

 

Vulnerability Assessment

A bastion host is a stronghold or area that is fortified against an expected attack. Hardening involves,[6]

1.       applying security patches

2.       configuring logical access control

3.       configuring operating-system specific settings

A vulnerability assessment is the first step in hardening a bastion host; it is necessary to begin with a security baseline. Vulnerability scanning is the process of checking for known security weaknesses. The closer a scanner comes to actually executing an attack, the more accurate its estimate of the vulnerability.

Tools

1.       Nmap is typically the first tool an attacker may use.

2.       Nessus is a free, though no longer open-source, vulnerability scanner.

3.       Microsoft Baseline Security Analyser

The following open ports are recommended by Microsoft to allow a Windows 2000 server running Exchange 2000 connectivity,

1.       TCP53 (DNS)

2.       UDP53 (DNS)

3.       TCP80 (Web)

4.       TCP88 (Kerberos to all domain controllers)

5.       UDP88 (Kerberos)

6.       UDP123 (NTP)

7.       TCP135 (EndPointMapper)

8.       TCP389 (Lightweight Directory Access Protocol, LDAP)

9.       UDP389 (LDAP)

10.   TCP445 (Server message block)

11.   TCP3268 (LDAP to global catalog servers)

12.   An additional port that must be configured in the registry on all domain controllers that the Exchange server uses

Removing optional components

1.       NetBEUI, IPX, IPv6 if the environment is not a dual-stack network

2.       Active Desktop

3.       Sound cards

Audit Policy

1.       Audit account logon events. No auditing. These events occur when one of this computer's local accounts is used to log on to another computer; a bastion host will never trigger this.

2.       Audit account management. Set to Success, Failure.

3.       Audit directory service access. Set to No Auditing, since this audits access to Active Directory (AD) objects.

4.       Audit logon events, Set to Success, Failure. The most important event, who and when someone is trying to log on.

5.       Audit object access. Set at Success, Failure.

6.       Audit policy changes. Set at Success, Failure.

7.       Audit privilege use. Will audit each instance of a user exercising a user right. No auditing on production systems, or it may generate too much data.

8.       Audit process tracking. No auditing, unless diagnosing.

9.       Audit system events. Set at Success, Failure.

User Rights Assignment

1.       Access this computer from the network. Set Authenticated Users.

2.       Act as part of the operating system. No account needs this privilege; a service that needs it should run as LocalSystem, which already has it. Granting it allows a process to impersonate any user.

3.       Bypass traverse checking. Allows passing through directories the user has no rights on, without listing their contents. Set to administrators only.

4.       Change the system time. Administrators only

 

IT Governance controls[7]

Enable and facilitate the running of information services. Relate to,

1.       IT procurement

2.       IT personnel management

3.       Systems development and maintenance

4.       Enterprise architecture

5.       IT applications operations

6.       IT standards

7.       IT security

8.       IT disaster recovery planning

9.       Computer insurance

10.   Physical protection policies and procedures

11.   Access policies and procedures (data, software, files, forms, reports, facilities, firewalls, encryption, electronic mail etc.)

12.   Health and safety policies and procedures

13.   Security and safety controls for personal computers

14.   Audit tools and methods.

IT management responsibility controls

The CIO (ITOR Control 1) will,

1.       Provide technology, vision, strategy, leadership in developing and implementing IT investments

2.       Lead the organisation in planning and implementing enterprise information systems

3.       Facilitate communication between staff, management, vendors and other technology resources

4.       Oversee back office computer operations

5.       Design, implement and evaluate systems that support end-users

IT administrative controls

Related to setting up and organising IT functions.

IT Policy (ITAD Control 1)

Establishes usage guidelines (ITAD Control 1), may be carried out by a committee and ratified by the board (large and medium companies), or senior executives and the IT manager (small company).

IT budget (ITAD Control 2)

An IT budget (ITAD Control 2) reflecting all IT management decisions, IT activities, IT actions, system development projects, application maintenance, IT solutions procurement and deployment, computer system support, outsourcing and off-sourcing activities. A typical IT budget will contain,

1.       Server hardware

2.       Software (OS, database, networking, application systems, security etc.)

3.       Personnel payroll

4.       Data-centre administration

5.       Personal computers

6.       Office equipment

7.       Smart devices

8.       Security administration

9.       Education and training

10.   Computer insurance etc.

IT procurement process control (ITAD Control 3)

To avoid IT fraud, increase effectiveness, efficiency, transparency, accountability, and utilisation of corporate and societal resources, IT procurement controls (ITAD Control 3) are necessary.

These correspond with controls for procurement by the company but with specific emphasis on IT.

Procurement usually involves,

Action 1: Establishing an IT procurement process

Action 2: Budgeting for procurement

Action 3: Executing the IT procurement procedure

Action 4: Considering infrastructure issues

Action 5: IT vendor management

Action 6: Undertaking effective project scoping

Action 7: Reviewing and improving the whole process.

Separation of purchasing duties and the establishment of compensating controls to protect against potential purchase fraud are described below.

IT asset controls (ITAD Control 4)

IT asset controls (ITAD Control 4) include

1.       Hardware and software inventory

2.       Information asset register, describing the types of information existing and maintained in all files

3.       IT consumables inventory

4.       Maintenance registers for systems and application software and hardware

5.       Visitor’s logs for offices and computer rooms

6.       Hardware locks, hardware tagging with property labels, serial numbers etc.

7.       IT safe storage (ITAD Control 6)

 

IT management reporting controls (ITAD Control 5)

1.       Progress on IT projects

2.       Changes, problems, and backlog of requests

3.       Help desk related issues

4.       Development issues of new applications

5.       Project actual costs (against budgets)

6.       IT security incidents and resolutions

7.       Post-implementation review issues

IT governance standards, policies and procedures (ITGO Control 1)

These should follow well-accepted international standards and are contained in an IT policies, procedures and practices manual.

1.       Analysis, development, design, implementation and evaluation of computer information systems

2.       Enterprise architecture and IT strategy

3.       IT security

4.       Back-up and disaster recovery for critical computer applications

5.       Documentation

6.       Data centre operations

7.       Computer availability management

IT strategic controls

1.       IT vision, mission, values (ITST Control 1)

2.       IT strategic process (ITST Control 2)

3.       IT strategy methodology (ITST Control 3)

4.       IT strategic plan (ITST Control 4)

5.       IT strategic projects budget (ITST Control 5)

6.       Enterprise architecture controls (ITST Control 6)

An IT strategic plan is necessary, formal or informal.

Data and information security practices and controls

‘Effective security is not only a technology problem, it is a business issue. It must address people’s awareness and actions, training and especially corporate culture, influenced by management’s security consciousness and the tone at the top.’

Standard practices and techniques are:

1.       Security policy, password controls and computer security incident controls

2.       Social engineering controls (7.5 Information Governance Controls)

3.       Vital records package (Ch. 14)

IT security policy (ITSE Control 1)

General objectives regarding control, protection and security over critical information assets, such as information systems, information technology and application software, OS, database management system software, buildings, computer rooms, cabling, network and computer facilities, other related installations, technical infrastructure, data, back-up media and archived files, and information resources in general.[8] Also security incident monitoring and resolution[9].

Password controls (ITSE Control 2)

Computer security incident handling capability (ITSE Control 3)

For all incidents (potential and actual)

1.       Preparation

2.       Detection

3.       Containment

4.       Eradication

5.       Recovery

6.       Follow-up

7.       Reporting

8.       Feedback and review

IT systems development controls

Typical system development controls:

1.       IT systems development methodology (ITSD Control 1)

a.       System feasibility

b.       System definition

c.       System analysis

d.       System design

e.       System construction

f.        System implementation

g.       Post-implementation review

2.       System development products (ITSD Control 2)

3.       IT project management (ITSD Control 3)

4.       System development security plan (ITSD Control 4)

5.       IT system test plan (ITSD Control 5)

a.       Testing strategy

b.       Detailed testing design plan for each unit (program, sub-system)

c.       Components to be tested (function, load stress, volume, hardware configuration and portability, database loading and data conversion, security, performance, availability, out of sequence transactions, recovery, hardware maintainability, interfaces, documentation, human factors)

d.       Expected results of tests

e.       Formalised test procedures, including test scenarios, forms, test data

f.        Post implementation review

IT operational controls

1.       Data centre controls (ITOP Control 1)

2.       IT back-up and disaster recovery plan (ITOP Control 2)

3.       Hardware controls (ITOP Control 3)

4.       Personal computer controls (ITOP Control 4)

5.       Audit trails (ITOP Control 5)

6.       IT technical controls (ITOP Control 6). OS, application software, DB and data communication software remains in good operational status.

IT backup and disaster recovery plan (ITOP Control 2)

1.       Back up procedure

2.       Recovery invocation process

3.       Recovery procedures

4.       Organisation and personnel

Application systems controls (ITAP Control 1)

1.       Input controls

2.       Processing controls

3.       Output controls

4.       Database controls (file updated report, critical transactions report, application specific access authorisation, database health checks)

5.       Change controls

6.       Testing controls

7.       Spreadsheet controls (ITAP Control 2)

a.       Inventory control

b.       Standards

c.       Testing

d.       Documentation

e.       Backup

Information governance controls

Framework for handling information in a confidential and secure manner, to appropriate ethical and quality standards.

1.       Information governance office (may be CIO)

2.       Compliance officer

3.       Information sensitivity and data privacy policies

4.       Personnel administration procedures

5.       Data privacy officer

6.       Social media governance management plan

7.       Laptop and smart device control

8.       Confidentiality policy

9.       Social engineering controls

10.   Internet and email policy

Social engineering controls (IGOV Control 1)

1.       Risk assessment

2.       Data classification

3.       Data off-site storage

4.       Data release

5.       Disclosing information over the phone

6.       Documenting suspicious calls

7.       Sending passwords to remote users

8.       Personal identification

9.       E-mail handling

10.   Fax relaying

11.   Domain registration

12.   Personnel roaming

13.   External contractor handling

14.   Items left for pick-up

15.   Garbage handling

16.   Audit review

IT governance performance controls

IT governance performance measures

IT governance compliance indicators

 

Business Management Controls to Mitigate Fraud and other risks

At a corporate level, organisations should operate on the basis of the triple-bottom-line principle, to be more responsible socially and economically.[10] This guides operations to consider their values, be transparent, remain environmentally aware in relation to their products and services, adopt a long-term view and improve corporate governance. However, deviant behaviour occurs. Most corporate fraud involves falsification of financial information, self-dealing by corporate insiders and obstruction of justice. Practically, management must establish better performance and compliance controls, and ensure more efficient monitoring of organisational activities.

Relevant risks by business functional area,

1.       Area 1: Business management of the organisation

a.       Damage to company name and reputation

b.       Loss of control of company’s activities

c.       Loss of property and other corporate assets

d.       Loss of market share

e.       Loss of research and other critical patents

f.        Fraud and abuse of resources

2.       Area 2: Financial management

a.       Damage to company financial integrity

b.       Loss of funds

c.       Loss of property and other corporate assets

d.       Incorrect postings in the books

e.       Incorrect calculation and reports

f.        Fraud, theft, revenues not collected, inappropriate refunds given

g.       Abuse of resources and mismanaged financial operations

3.       Area 3: Purchasing operations

a.       Damage to the company name due to improper dealing

b.       Purchases awarded to an employee’s relative without proper justification

c.       Loss of funds, property and other corporate assets

d.       Conflict of interest for company staff

e.       Kickbacks received by vendors, overpayment for goods or services, payment for goods or services not received, duplicate payments to vendors

f.        Fraud, theft, or inappropriate purchases awarded

g.       Abuse of resources, addition of fictitious vendors, supplier cartels

4.       Area 4: Information Technology (IT) operations

a.       Lack of business plan, IT strategy, IT budget, IT security policy, security of computer systems, security of physical environment

b.       Deviations from the company’s established procedures

c.       Inadequate separation of duties

d.       Failure to anticipate market trends

e.       Computer systems and software not properly supported

f.        Improper or inadequate or non-existent maintenance contracts

g.       No adequate management monitoring and reporting

h.       Inadequate documentation for information systems

i.         Incomplete IT standards, procedures and policies

j.         Unauthorised software packages

k.       Business interruption

l.         Incorrect recording/maintaining/processing of information/data

m.     Not evaluating needs properly and failing to control development costs

n.       Incorrect hardware selection and sizing

o.       Delays in implementation

p.       Inadequate back-up of software and data, and lack of contingency and fall-back procedures

q.       Unauthorised disclosure of confidential information

r.        Loss of extremely valuable information (stored in application systems)

s.        Lack of audit trail

Additionally, segregation of duties may be applied in purchasing, operations, IT systems development and operations, and cash handling.

Corporate management controls

1.       Corporate management responsibility controls

2.       Corporate audit responsibility controls

3.       External audit service controls

4.       Corporate risk management controls

5.       Corporate organisational structure controls

6.       Business unit/function management controls

7.       Strategy controls

8.       Policies and procedures controls

9.       Ethics and compliance controls

10.   Performance management controls

Financial controls

1.       Financial management responsibility

2.       Financial standards, systems, policies and procedures controls

a.       Establish financial standards

b.       Develop, implement, financial systems, policies and procedures

3.       Computerised financial systems controls

4.       Responsibilities and segregation of duties controls

5.       Locked safe controls

6.       Post transaction and update books controls

a.       Post transactions to books on a daily basis

b.       Resolve all errors as quickly as possible

c.       Balance inputs to processed items

d.       Balance accounts on a pre-determined basis (daily, monthly etc.)

e.       Produce interim financial reports and audit specific transactions, as needed

f.        Produce and distribute, as authorised, the final company financial report

7.       Manage petty cash controls

8.       Manage cheque controls

9.       Manage accounts receivable controls

10.   Manage accounts payable controls

11.   Manage payroll controls

12.   Manage performance controls

Recommendations for closing the Information Security risk gap[11]

1.       Fallacy of Technical Security Controls. Information security risks now have organisation-wide scope, as information use is integral to business strategy and operations. Risk centres not only on the data but on its intended use, requiring smarter rules about treatment, classification and flow.

2.       Shifting boundary, with employees on the periphery. Locus of control has shifted. 93% admit to violating information policies. Bad hygiene is root cause of 48% of security incidents according to Verizon Data Breach Report. Responsiveness must be checked, not just awareness.

3.       Senior management are susceptible to insecure behaviour. They circumvent policies when using personal devices.

4.       Business-led (shadow) IT creates security blind spots.

5.       Third-parties are the weakest link. Analysis of 450 data breaches in 2013 by Ponemon Institute showed two-thirds were related to third-party IT providers.

6.       Shortened lifespan of control. Effective lifespan of IT operating controls, technical safeguards and employee policies is short. Effect diminishes quickly as a result of changing threat landscape, rapid adoption of new technologies. There is a need to identify static controls, and test if they are applicable in dynamic risk environments. Does the organisation suffer from, “set and forget”?

7.       Risk prevention versus detection. More than two-thirds of executives believe they cannot keep up with sophistication of cyber threats. Some firms are re-evaluating the balance between preventive and detective controls.

8.       Governance conundrum. 70% of auditors report ineffective oversight as a root cause of significant control weakness, from governance fragmentation. IT is focused on risk containment within technology systems, legal and compliance on regulatory and reputational risks, HR on employee behaviour. Line management assumes no responsibility. Audit must scrutinise whether governance clarifies risk ownership, improves operational decision making and drives consistency across the enterprise.

9.       Board’s knowledge gap. Board members’ anxiety is aggravated by their lack of detailed technical and controls knowledge. Auditors, legal counsel and information security experts devote time to educating audit committee members on the foundations of information security, adequate breach crisis management and real threat landscape. Such training must prepare directors to ask the right probing questions and fulfil their fiduciary duties following incidents.

10.   Balance between utility and security of information.

Business Management Controls (BMC) framework

First level of business operation (organise phase)

1.       Board, management and committee roles, structure and responsibilities

2.       Business functions and resources

3.       Standards, policies and procedures

4.       Internal controls framework and manual

Second level of business operation (envision phase)

1.       Corporate culture, vision, mission, values

2.       Strategy, goals, objectives and targets

3.       Performance framework and management

Third level (govern phase)

1.       Strategy

2.       GRC (governance, risk and compliance) controls

3.       Operational controls (purchasing, finance, IT, data, security, fraud, etc.)

4.       Personnel administration, including segregation of duties, compensating controls, etc.

5.       Management and compliance reporting

Fourth level (audit phase)

1.       Monitoring controls

2.       Internal audits

3.       Self-assessments

4.       External audits

5.       Regulatory audits

Fifth level (augment phase)

1.       Compare organisation to external entities

2.       Conduct studies by external experts

3.       Certify personnel

4.       Certify organisational components (structure, service quality, policies, procedures)

5.       Instil corporate social responsibility, including community involvement, etc.

6.       Consider, and implement, soft controls.

Red flags from auditor’s experience

1.       Policies and procedures. Inadequate design, development, implementation, annual review and improvement of corporate policies and procedures

2.       Board and management roles. Ineffective oversight by Board, insufficient discharge of duties and responsibilities by all senior levels of management

3.       Auditing. Audit (internal and external) findings not acted upon within the agreed time-frame, or forgotten altogether

4.       Fines and legal breaches. Fines imposed by regulators and government authorities on compliance, tax, customs, accounting, performance results, data privacy, environmental, worker safety, health issues etc. Or penal and civic code litigations, breaches etc.

5.       Training of staff. Inadequate or ineffective supervision of staff activities by management, including guidance, coaching and training, discussing issues and problems etc.

6.       Personnel supervision. Inadequate or ineffective execution of personnel administration controls, including segregation of duties, hiring and dismissal of personnel, due diligence of staff, vacation taking, etc.

7.       Personnel adequacy. Inadequate skills, dexterities, knowledge and experience including professional certifications, for all board members, managers and critical staff (accountants, auditors, IT resources etc.)

8.       Corporate performance. Very high or very low achievement of strategic and operational objectives, as evidenced by financial and non-financial performance reports and results

9.       Morale. Very high or very low morale of board, management and employees

10.   Turn-over. Very high or very low turn-over of board, management and employees

11.   Accuracy of data. Inaccurate data, unsupported or unauthorised transactions, discrepancies and large number of errors in business records, transactions, balances, files, bank accounts etc.

12.   Conflicts of interest. Too close a relationship with customers, competitors, regulators and other parties.

Control Environment

1.       Organisational values and norms, legal, ethical etc.

2.       Management philosophy and business operating style

3.       Reward and remuneration system

4.       Human resource development and organisational system

5.       Organisational structure

6.       Customer support function

7.       Production and services functions

8.       Management systems, policies, procedures and methods.

Golden rule of Pythagoras

‘Consult and deliberate before you act, so that you may not commit foolish actions,’ and ‘Never do anything which you do not understand.’ – Pythagoras (570-c. 495 BC)

‘Succeed in what you want to do with persuasion and not with violence.’ – Filolaos (from Croton) the Pythagorean (480-400 BC)

 



[1] [Green et al. 1999] from, Sushil Jajodia and Leon Strous (Eds.). Integrity and Internal Control in Information Systems VI. The International Federation for Information Processing (IFIP) TC11/WG11.5 Sixth Working Conference on Integrity and Internal Control in Information Systems (IICIS), 13—14 November 2003, Lausanne, Switzerland. Kluwer Academic Publishers, 2004.

[2] http://serverfault.com/questions/148100/recommend-alternative-to-tripwire

[3] http://en.wikipedia.org/wiki/OSSEC

[4] http://en.wikipedia.org/wiki/Samhain_(software)

[5] Robert R Moeller. Executive’s Guide to COSO Internal Controls. Understanding and Implementing the New Framework. John Wiley & Sons, 2013.

[6] Hal Flynn. Designing and building enterprise DMZs. Syngress Publishing, 2006.

[7] John Kyriazoglou. Business Management Controls: A Guide. IT Governance Publishing, 2012

[8] ISO 27001 and Information Security resources. www.itgovernance.co.uk/iso27001.aspx

[9] ISO 17799 checklist, SANS Institute. www.sans.org

[10] John Elkington. The Chrysalis Economy: How Citizen CEOs and Corporations can Fuse Values and Value Creation. Capstone Publishing/John Wiley, 2001.

[11] Friso Van Der Oord and Ruth Shaikh. “10 information security lessons we learned from audit executives in 2014: from how top leaders are vulnerable to security missteps to the fragmentation of risk oversight, this is a lineup of weaknesses in the governance of information security and recommendations for closing the risk gaps.” Directors & Boards. Fall 2015: 22+. Academic OneFile. Web. 7 Jan 2016
