Auditing after SOX: Some Tips from the Front Lines

Gordon Smith

Feature article, The Journal of Corporate Accounting & Finance, May/June 2005, pp. 57–60. © 2005 Canaudit, Inc. Printed with permission. Published online in Wiley InterScience (www.interscience.wiley.com), © 2005 Wiley Periodicals, Inc. DOI 10.1002/jcaf.20119

The Sarbanes-Oxley Act (SOX) was the big event of last year. Auditors were scrambling to meet the deadline. It was a monumental effort. But how can we turn SOX to our advantage? The author, an auditing consultant, gives us some tips from the front lines in the ongoing battle to comply with SOX. What key questions should we be asking ourselves? How can we change the SOX process—a necessary but expensive headache—into a valuable business resource? © 2005 Canaudit, Inc.


The Sarbanes-Oxley Act (SOX) was the big event of the last year. Audit departments and external audit firms were scrambling to complete the required work by the deadline. Business processes were being documented and analyzed. Control issues were documented. Timely remediation of the issues, followed by further testing, ensured that many organizations were able to comply with SOX without the dreaded disclosure of serious control weaknesses. A monumental effort was required to ensure SOX compliance. Auditors had to be diverted from other tasks, and the audit plan had to be curtailed so that the SOX objectives could be met. Many of us can see the light at the end of the tunnel. Now, we can begin to look beyond SOX from an internal audit standpoint.

Let us start with analyzing the impact of SOX. For this article, I want to address two topics. The first is what I like to call Auditing for Profit—a method of utilizing the information we have to enhance profits. The second topic is the impact of deferring some critical audits or limiting the testing performed during the SOX review process. This is particularly obvious in the areas of information security.

AUDITING FOR PROFIT

Over 15 years ago, I put together my first Auditing for Profit seminar. It was one of the most successful courses our company offered, as it provided a proven methodology for enhancing profits while improving control. This course ran its life cycle and was retired. After looking at the wealth of business process information now available to us because of the SOX effort, I have redesigned this seminar from the ground up. My new premise is to use the SOX documentation to identify unneeded or inefficient processes. It is obvious to me that we documented many inefficiencies and labor-intensive processes. Now is the time to analyze these processes, determine the cost of the inefficiencies, identify short-term improvements with low implementation costs, and create an audit report that presents these to management on a business process-by-business process basis.

My first target in Auditing for Profit is labor inefficiencies. I ask two questions to assist me in identifying the value added by a business process. The first is “Why are we doing what we are now doing?” The second is “What value does this add to the corporation?” If these can be identified and categorized using the existing SOX documentation, then we achieved additional benefits from the SOX process. This turns the SOX process from a necessary but expensive overhead item into a valuable business resource. Another technique I use is to gather the staff auditors into a group and then ask them to identify the ten most wasteful processes in the company. The auditors are given 24 hours to think about waste in the organization. They then come back together with their ideas. I like to offer prizes for the best ideas. Be prepared to award the prize to more than one person, as several people often have the same truly brilliant idea.

It does not take very long to set up this process. Bring the auditors together and then use an example, such as ineffective meetings. Ineffective meetings are something everyone can identify with, and this serves to introduce the process. As we all know, the cost of meetings is very high. Many people who attend meetings do not want to be there, but they are there so they will not be assigned tasks in absentia. Other people attend because they always have attended. Often, topics are bandied about, consuming a great deal of time, yet these items are not resolved by the end of the meeting. Another meeting is scheduled to rehash the same conversations in the hope that a consensus can be reached.

I suggest several techniques to reduce the cost of meetings. The first is to determine the importance of each agenda item. Then I calculate the salaries of the people who will be in the room and develop a cost per minute. This should be placed on an overhead display so that meeting participants can see the meeting costs on a minute-by-minute basis. This helps participants to focus on the topics and the value of the time spent discussing the issues.

Another example I like to use is the wasted time resulting from having people in meetings who do not need to be there. Some people only need to be there for certain topics. I like to have these people rotate in and out of the meeting as required. A meeting assistant can call the people when they are needed and arrange for a graceful exit when they are no longer required. It may be useful to have some people attend the meeting by teleconference. They can listen in from their desk as they do other work. If they hear something they would like to comment on, they do so. If someone has a question for them, they answer it. When their presence is no longer required, they leave the teleconference.

If participants attend via video conferencing, remember that there are communication costs as well as salary costs. Video conferencing is an excellent tool. It enables people to participate in meetings without incurring travel time and expenses. Do not forget that video conferencing can also be done from the desktop or from local or remote meeting rooms. This enables people to attend the conference on an as-required basis, coming in for a few moments and then leaving. Others can stay for longer periods and may even stay for the entire meeting. This example helps auditors realize that there are no sacred processes and that they should look at all company processes, not just transactional processes. Obviously, I have many more examples relating to the various business processes. I am sure you can think of many as well.

AUTOMATING AUDITING FOR PROFIT

Automating the Auditing for Profit process is one of my pet projects. I am concerned that we are missing many cost-reduction or revenue-enhancing opportunities because we do not use audit software as frequently or as deeply as we should. One of the constant annoyances of modern e-commerce is the time wasted when trying to buy a product, solving a problem with a reservation, or seeking assistance with a Web transaction that just will not work. Often, I end up in automated assistance hell. When I dial, I get seven or eight options, none of which quite apply. Once I get close to what I want, I get put on hold until the ice melts in the spring—or so it seems. Then I cannot get an answer, as I must go through level-one triage before I can get to someone who really knows the answer. Not only is this frustrating, but I often hang up. This could result in a lost sale or an unnecessary return of perfectly good merchandise. It could cost you the client’s future business.

Since this happens to me, I expect it happens to other customers. To determine if it is a problem, I suggest using audit software on the Call Management System. This software can be used to identify the number of clients who hang up without making a touchtone selection, those that hang up without getting through to a human, and the number of excessively long calls (which indicate that the client is not getting a timely solution). These are just the high-level tests that indicate a problem exists. There are many more tests that we can create to enhance revenues and provide better customer service. The same software that was written for call management could possibly be adapted to identify customers who are having difficulty with Internet transactions. My objective is to identify how many customers attempt to complete an order, then quit before it is completed. While these are information technology Auditing for Profit issues, I also believe we should utilize Auditing for Profit software for more traditional uses, such as collecting receivables sooner, reducing bad debts, and identifying and recapturing duplicated vendor payments.
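The three high-level tests just described can be run over an export of call-management records. The script below is an added example, not the author's or Canaudit's audit software; the record layout, the sample rows, and the ten-minute threshold for an "excessively long" call are constructed assumptions for this illustration.

```python
"""Run the three high-level call-management tests over exported call records.

Added example, not the author's or Canaudit's audit software. The record
layout, the sample rows and the ten-minute threshold for an "excessively
long" call are constructed assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Call:
    call_id: str
    start: datetime
    duration_s: int               # total connected time in seconds
    ivr_selection: Optional[str]  # touchtone option pressed, None if the caller never chose one
    reached_agent: bool           # True if the call was ever connected to a human


# Constructed sample export: call_id,start,duration_seconds,ivr_selection,reached_agent
SAMPLE_LOG = """\
C1001,2005-03-01T09:00:12,18,,no
C1002,2005-03-01T09:02:40,95,3,no
C1003,2005-03-01T09:05:01,210,2,yes
C1004,2005-03-01T09:07:33,1380,4,yes
C1005,2005-03-01T09:09:10,41,,no
C1006,2005-03-01T09:11:58,640,2,no
C1007,2005-03-01T09:15:22,120,1,yes
C1008,2005-03-01T09:18:05,900,1,yes
"""

LONG_CALL_SECONDS = 600  # assumed threshold: anything over ten minutes is "excessively long"


def parse_log(text: str) -> List[Call]:
    """Parse the constructed CSV export into Call records, skipping blank lines."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        call_id, start, duration, selection, agent = line.split(",")
        calls.append(Call(call_id, datetime.fromisoformat(start), int(duration),
                          selection or None, agent == "yes"))
    return calls


def audit_calls(calls: List[Call], long_call_s: int = LONG_CALL_SECONDS) -> Dict[str, List[str]]:
    """Bucket calls by the three symptoms. A call may appear in more than one bucket."""
    findings: Dict[str, List[str]] = {
        "no_selection": [],        # hung up without making a touchtone selection
        "abandoned_in_queue": [],  # made a selection but never got through to a human
        "excessive_length": [],    # long call: the client is not getting a timely solution
    }
    for c in calls:
        if c.ivr_selection is None:
            findings["no_selection"].append(c.call_id)
        elif not c.reached_agent:
            findings["abandoned_in_queue"].append(c.call_id)
        if c.duration_s > long_call_s:
            findings["excessive_length"].append(c.call_id)
    return findings


def symptom_rates(findings: Dict[str, List[str]], total_calls: int) -> Dict[str, float]:
    """Percentage of all calls showing each symptom, rounded to one decimal place."""
    return {k: round(100.0 * len(v) / total_calls, 1) for k, v in findings.items()}


if __name__ == "__main__":
    calls = parse_log(SAMPLE_LOG)
    findings = audit_calls(calls)
    for symptom, ids in findings.items():
        print(f"{symptom:20} {len(ids):3}  {', '.join(ids)}")
    print(symptom_rates(findings, len(calls)))
```

The rates are what management will ask for; the call identifiers are what the auditor needs to trace a finding back to a recording or a customer, so the script keeps both.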

I suggest that you take another look at your SOX workpapers and documentation to identify areas for profit enhancement or labor reduction. I like to identify items with a fast recovery cycle. If your company can spend less than $50,000 and produce a definite cash return of $200,000 within three months, then the item should be a high priority on your list. Setting return-on-investment (ROI) thresholds, such as items that produce a 200 percent return in less than three months, enables a speedy return on the audit effort. Obviously, these items should be researched and implemented first. This will provide an immediate result for your Auditing for Profit program. Then you can work on the items that require a larger capital investment, but have an even higher ROI potential.

INFORMATION SECURITY: AN EXAMPLE OF SOX AUDIT CASUALTIES

The next item I would like to discuss is the diversion of internal audit resources from planned audits to the SOX efforts. While I understand the need for this, I think the sooner we return to our audit plans the better. I am particularly concerned with information technology audits that have been deferred. Our technical audits of clients in the last six months have shown that security is not at the level required to protect essential financial and business information assets. Most of the items we identify are housekeeping issues that enable disgruntled staff and contractors, competitors or electronic espionage agents, and hackers to gain unauthorized access to your organization’s environment. In my opinion, 2005 should be the year we focus on information security.

In 2004, we did not see any improvement in information security, as most of our clients were focusing their audit resources on SOX. This year, I believe that auditors should focus on validating basic information security. I would start with a network audit, followed by UNIX/Linux, Windows server, and desktop and mainframe operating system and security audits, as well as database audits. Using our methodology, these audits can be completed in four to six weeks and will provide a high return on audit hours invested. In the next few paragraphs, I will provide a brief description of the major items we uncovered in the past year. These identified items can be used to assist in your own risk assessment.

Overall, network security remains poor. Very few organizations have implemented the intrusion prevention (IPS) and intrusion detection (IDS) software. Those that have often miss a few critical settings. When we go into a client’s environment, we normally just plug into a network jack, install our own hub, and go to work. Network jacks should not be active unless they are used by authorized employees and contractors. In addition, the unique computer identifiers, such as the Media Access Control (MAC) address, should be checked before the software activates the jack. If an unauthorized machine plugs into the network, an alert should be sent to the security staff so that they can take immediate action.
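The jack-activation control described above, reduced to its decision logic: a jack stays inactive unless the identifier of the device plugging in is on that jack's authorized list, and anything else raises an alert for the security staff. This is an added example, not the author's tooling or any vendor's product; the jack names, MAC addresses, allowlist, and event format are constructed for the illustration.

```python
"""Evaluate switch-port link-up events against a per-jack device allowlist.

Added example, not the author's tooling or a vendor's product. The jack
names, MAC addresses, allowlist and event format are constructed. It
implements the control the article describes: a jack is activated only for
an authorized device, and any other link-up produces an alert.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed allowlist, keyed by wall jack. An empty set means the jack is
# unassigned and must never come up (an empty office, a lobby).
AUTHORIZED: Dict[str, Set[str]] = {
    "jack-3F-101": {"00:1a:2b:3c:4d:01"},
    "jack-3F-102": {"00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:03"},  # docking station and laptop
    "jack-LOBBY-1": set(),
}


@dataclass
class Decision:
    jack: str
    mac: str
    activate: bool
    alert: Optional[str] = None  # message for the security staff, None when authorized


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:2B..., 00-1a-2b-... and 001a.2b3c.4d01 forms; return one canonical form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def admit(jack: str, mac: str, allowlist: Dict[str, Set[str]] = AUTHORIZED) -> Decision:
    """Decide whether to activate the jack; every refusal carries an alert."""
    mac = normalize_mac(mac)
    allowed = allowlist.get(jack)
    if allowed is None:
        return Decision(jack, mac, False, f"link-up on unknown jack {jack} from {mac}")
    if not allowed:
        return Decision(jack, mac, False, f"link-up on unassigned jack {jack} from {mac}")
    if mac not in allowed:
        return Decision(jack, mac, False, f"unauthorized device {mac} on {jack}")
    return Decision(jack, mac, True)


# Constructed link-up events, one per line: "<jack> <mac>"
SAMPLE_EVENTS = """\
jack-3F-101 00:1A:2B:3C:4D:01
jack-3F-102 001a.2b3c.4d03
jack-3F-102 00-1a-2b-3c-4d-99
jack-LOBBY-1 08:00:27:aa:bb:cc
jack-9Z-999 00:1a:2b:3c:4d:01
"""


def process_events(text: str, allowlist: Dict[str, Set[str]] = AUTHORIZED) -> List[Decision]:
    decisions = []
    for line in text.splitlines():
        if line.strip():
            jack, mac = line.split()
            decisions.append(admit(jack, mac, allowlist))
    return decisions


def alerts(decisions: List[Decision]) -> List[str]:
    """The messages that would be sent to the security staff."""
    return [d.alert for d in decisions if d.alert]


if __name__ == "__main__":
    for d in process_events(SAMPLE_EVENTS):
        state = "ACTIVATE" if d.activate else "BLOCK"
        print(f"{d.jack:13} {d.mac}  {state}  {d.alert or ''}")
```

A MAC address is a software-settable identifier, so an allowlist of this kind is a housekeeping control that stops accidental and casual connections and gives the security staff the alert the article asks for; where the budget allows, 802.1X port authentication, which authenticates the device or user with credentials rather than an address, is the stronger form of the same control.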

Access to services such as GoToMyPC and tools such as netcat and cryptcat enable someone on the inside of the network to create a session to an external machine. The external machine can then control the internal machine, which can be used to attack the rest of the network. We call these inside-out/outside-in attacks. Most of our clients are unaware of these types of attacks and have not taken measures to prevent them.

In the Windows environment, some of the older threats have not been remediated. Using anonymous null sessions, we nearly always identify accounts with poor passwords. In the past few audits we have performed, capturing the passwords for the entire domain has only taken an hour or two of effort. In some cases, clients have moved to Active Directory, which is more secure, yet they often leave the old domains up and running. As a result, we are able to compromise an account in the Active Directory to gain administrative rights. Another one of the older threats that we have failed to see remediated is the MS03-026 DCOM vulnerability. This vulnerability, with exploit code publicly available and in the wild, enables an unauthenticated user full access to the system, allowing an attacker to add an administrative account/backdoor to the system. A fix for this exploit was issued well over a year ago, yet in every environment, we have found a few machines that were not patched. In the Windows environment, one or two poorly secured systems can be the crack in the dike. Without Hans Brinker to put his thumb in the crack before the security dike collapses, the entire Windows environment may fall.

In the UNIX environment, there are several issues that can lead to a security domino effect. The first issue is missing patches. In the SUN environment, the two vulnerabilities we find most often are the Integer Overflow exploit and the SAdmin feature. Implementing patches and configuration changes effectively negates these risks. In almost every UNIX environment we have audited, we have found that unnecessary services are active. These unnecessary services vary in risks, from letting an attacker use trust relationships to gaining root access to a machine to enumerating accounts or performing a denial-of-service attack. Services such as Telnet and FTP can also be used to sniff unencrypted passwords as they traverse the network. Clearly, the UNIX environment is worthy of an audit.
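One way to check the "unnecessary services" point on a UNIX host is to audit its inetd configuration for services that are enabled but should not be. The script below is an added example, not the author's methodology or Canaudit's tooling; the inetd.conf text is constructed, and the service classification is an assumption for this illustration (Telnet and FTP carry passwords in the clear, the r-services rely on host trust relationships, finger enumerates accounts, echo and chargen are unneeded and abusable for denial of service).

```python
"""Flag unnecessary or clear-text network services in an inetd.conf.

Added example, not the author's methodology or Canaudit's tooling. The
configuration text is constructed and the classification table below is
an assumption for this illustration, not a complete catalogue.
"""
from typing import Dict, List, NamedTuple, Tuple

# inetd.conf fields: service socket proto wait/nowait user server args
SAMPLE_INETD_CONF = """\
# Constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root   /usr/sbin/in.rlogind  in.rlogind
exec    stream  tcp  nowait  root   /usr/sbin/in.rexecd   in.rexecd
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp  nowait  root   internal
chargen dgram   udp  wait    root   internal
ssh     stream  tcp  nowait  root   /usr/sbin/sshd        sshd -i
"""


class Finding(NamedTuple):
    service: str
    risk: str
    reason: str


# Assumed classification used by this example: service -> (risk, reason).
RISKY: Dict[str, Tuple[str, str]] = {
    "telnet": ("high", "clear-text logins; passwords can be sniffed in transit"),
    "ftp": ("high", "clear-text logins; passwords can be sniffed in transit"),
    "shell": ("high", "rsh honours host trust relationships (.rhosts, hosts.equiv)"),
    "login": ("high", "rlogin honours host trust relationships (.rhosts, hosts.equiv)"),
    "exec": ("high", "rexec accepts clear-text credentials"),
    "finger": ("medium", "enumerates user accounts"),
    "echo": ("low", "unneeded; usable for denial-of-service amplification"),
    "chargen": ("low", "unneeded; usable for denial-of-service amplification"),
}

RISK_ORDER = ("high", "medium", "low")


def parse_inetd(text: str) -> List[str]:
    """Return the names of services that are actually enabled (not commented out)."""
    enabled = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        enabled.append(line.split()[0])
    return enabled


def audit_inetd(text: str, risky: Dict[str, Tuple[str, str]] = RISKY) -> List[Finding]:
    """Findings for every enabled service in the classification, highest risk first."""
    findings = []
    for svc in parse_inetd(text):
        if svc in risky:
            risk, reason = risky[svc]
            findings.append(Finding(svc, risk, reason))
    return sorted(findings, key=lambda f: RISK_ORDER.index(f.risk))


if __name__ == "__main__":
    for f in audit_inetd(SAMPLE_INETD_CONF):
        print(f"{f.risk:6} {f.service:8} {f.reason}")
```

A service missing from the classification (ssh in the sample) is deliberately left alone rather than guessed at; the point of the check is to surface the well-known legacy services so the auditor can ask whether each one is still needed.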

Lastly, I am concerned about poorly secured Internet connections. Many of our clients permit staff to use e-mail from home. This is a great idea and a productivity enhancer, provided it is done securely. The most common flaw is to enable Web mail users to log on using their internal network account and password. As I mentioned above, these passwords are easily compromised in a poorly secured Windows environment. The control is to use two-factor authentication. This requires the use of security tokens (RSA/SecurID), digital certificates, or biometric devices. Without this additional layer of authentication, it is very easy for a disgruntled employee or contractor with internal network access to compromise the Web mail application, view e-mail, and even send e-mail from another person’s account.

As you can see, internal audit as a profession has a lot to accomplish in the next year. I have just scratched the surface of the workload ahead of us. Now that we have the SOX documentation, let us use it to make our organizations more profitable. Also, let us refocus on making our computer devices, business applications, and networks more secure. It would be very embarrassing if your organization signs off on SOX, only to have attackers trample your controls and steal your data. By focusing on security, we can ensure that controls are in place to prevent your organization from being front-page news in the Wall Street Journal.

Gordon Smith is the president and CEO of Canaudit, Inc., a consulting firm in Simi Valley, California. He can be contacted via e-mail at [email protected].