August 1995
Changes in the legal and regulatory framework

The European Union is committed to the freedom of movement of goods, services, people and capital. To prevent the emergence of nontariff trade barriers and to ensure common protection of EU citizens, it is necessary to have common rules governing the way commerce operates. This leads to many of the European Commission directives such as the directive on the protection of personal information. That is well understood.

Something that is not so well understood, and which in my view has the greatest potential effect on internal auditors, is the interdependency of trading parties on each other’s security. There are a number of drivers for this requirement, including the growth in electronic trading and the growth in the incidence of extended enterprises. At its launch, Marks and Spencer announced that they would require their trading partners to comply with the DTI Information Security Code of Practice. There are groups working on the accreditation of business systems.

Business systems accreditation is something that internal auditors are already doing. If business systems accreditation is to become a contractual issue, internal auditors must ensure that their reviews and audits are acceptable to trading partners. If systems accreditation does have to be carried out by third parties, internal auditors will face a serious threat to their survival. I cannot see how businesses will be prepared to pay twice for systems reviews.

Conclusion

In this presentation I have looked at some of the changes taking place that have an impact on internal audit. I do not pretend to have the answers. I want to make two points:
My first point is that some existing audit principles will not always be applicable in the world that we will soon inhabit. Auditors must consider what new audit principles, tools and methods are needed to deal with this world.
©1995 Elsevier Science Ltd
Computer Audit Update
My second point is that although they may have an adverse impact on security and control, attempts to resist the changes are doomed to failure. The pressure for change is too great. Failure to adjust to the changes may mean that like the dinosaurs, internal auditors will ultimately become extinct.
Ken Lindup is a senior consultant with SRI International’s Information Systems Management Practice.
NEWS

Businesses at risk from distributed computer systems, claims report

A new report commissioned by computer storage specialists EMC Computer Systems has highlighted fears of IT managers that they are putting critical data at risk as they move from mainframe computers to client/server systems. The study was undertaken by New York based market research company FIND/SVP and included structured interviews with 600 IT managers and directors from some of the largest IT users in each country. Respondents were polled in the USA (50%) and Europe (50%).

In the rush to adopt client/server systems due to business pressures such as the need to cut costs, support flatter organizational structures and build new computer applications more quickly, professionals remain concerned about their ability properly to manage corporate data in distributed settings. High percentages of IT users are concerned about maintaining the accuracy and integrity of the data their companies store on distributed systems; many did not feel that they have adequate tools to manage migration to client/server systems, and many have concerns about security.
For more details contact: EMC Computer Systems UK Ltd, EMC House, Regent Park, Kingston Road, Leatherhead, Surrey, KT22 7PY; tel: +44 (0)1372 360 000; fax: +44 (0)1372 361 050.
BSA to get tough on India’s software pirates

In the hope of curbing losses due to software piracy in India, estimated at $127 million last year, the Business Software Alliance (BSA) is soon to begin raids on vendors of counterfeit software goods, reports The Journal of Commerce. Software is one of the US’s largest exports, and Asia is one of the biggest customers, with sales rising rapidly in Asia as computer use proliferates. The BSA has pursued software pirates around Asia and is now concentrating on India, where it is alleged that the market consists of as much as 82% of pirated software goods.

The BSA has been collaborating with India’s National Association of Software and Service Companies (Nasscom) in the fight against piracy. At a recent seminar organized by the two organizations, education was stressed as the first step in the battle. Amendments to Indian copyright law that came into effect in May will help in the fight, and punishment has been made more stringent, with prison sentences being possible for chief executives of companies found using illegal software.

The BSA and Nasscom are to train law enforcement officers to gather evidence of illegal copying, and the two organizations have retained the services of investigators and legal counsel. An antipiracy hotline has been set up in Delhi at Nasscom’s HQ, with rewards of up to 50 000 rupees ($1600) being offered to anyone reporting the illegal use of software by companies.
Survey finds that one third of UK companies have no policy to back up business data

A market survey covering over 1000 PC users in five European countries has found that over a third of UK companies have no policy to back up their corporate data. The survey additionally found that more than three quarters of UK businesses consider backup to be the personal responsibility of the employee. The research, covering the UK, France, Germany, the Netherlands and Spain, was commissioned by the Quarter-Inch Cartridge Drive Industry Development Committee (QWIDC) and raises the market awareness of the need to back up. The findings reveal that the floppy disk is the most commonly used medium of backup but that more people in the UK discount this option than anywhere else.

The chairman of the QIWDC European Subcommittee, Dave Ferraresi, commented that users were certainly aware of the risks of losing data but that the extent of the problem is often underestimated. He added that equipment breakdown was just one of the causes of data loss and that there were many other causes including natural disasters, power surges, theft and sabotage. The most common error, human error, is estimated to account for 80% of all data loss. “Users need prompting to take backup more seriously and ensure rather than assume that someone in their company is taking responsibility to do this effectively”, he said.

The committee additionally aims to highlight the wider benefits of data storage beyond backup, such as managing or archiving data and freeing up hard disk capacity, which it claims were little understood by the UK respondents to the survey.