Thursday, June 14, 2007

New Self Regulatory Body for IT Companies in India.

NASSCOM, India's trade body and chamber of commerce for the IT industry, announced plans to form an independent self-regulatory body to monitor information security among member IT companies in India. Called the Data Security Council of India (DSCI), it is being formed specifically to combat security lapses within companies offering outsourcing services. This body aims to offer security policies, bring increased governance to the hiring process and offer accreditation/certification services.

According to Shymal Ghosh, chairman of DSCI, 'it will be an independent organization, at arm's length from NASSCOM.'

To combat inadequate information security controls, it is important to ensure that there is a body of information security standards that companies are expected to follow. This enables process standardization, industry comparisons and accreditations/certifications. These standards would encompass:

  1. encryption standards,
  2. physical controls,
  3. logical controls (especially user access controls, interface controls, restriction over the use of Instant Messaging etc.),
  4. other infrastructure related standards.

Best practices dictate establishing an information security policy and a data classification policy. Once data has been classified as critical, sensitive or public, it automatically becomes much more organized, and it is easy to see which data should be given priority for security.

Although we have seen incidents of internal control violations (data theft, cheating, passing on confidential information) in recent years, the core of the outsourcing business in India stays strong. Today’s Wall Street Journal reports another U.S. investment bank outsourcing work to an Indian research firm.

Perhaps an initiative like DSCI will be the first successful step towards achieving formal governance in corporate India.

Monday, June 4, 2007

New PCAOB standard aimed to increase efficiency in Internal Control audits.

The board adopted AS 5 to supersede AS 2. This will apply to all companies required to conduct internal control audits as required by the SEC.

Key reasons for the change:

1. The Board’s inspection of the internal control audits conducted, as well as public roundtable discussions, revealed that the audits took greater effort than necessary.
2. The Board also felt that adoption of AS 5 would make it easier for smaller companies to comply with the Act’s internal control requirements.

Key Features of the new Standard:

1. Emphasizes fraud-risk and fraud related controls in the process of risk assessment.
2. The effectiveness of the company’s entity level controls may reduce the amount of testing in the underlying process controls.
3. The new standard permits the auditors to restrict their own testing by letting them use the control testing of others.
4. The Audit committee should pre-approve any internal controls related non-audit services provided by the company’s auditor. In fact, Rule 3525 requires a registered public accounting firm that seeks to provide such service to provide details such as scope of the internal control related non-audit service, the potential effects of the proposed service on the firm’s independence and also document the discussions that are held with the audit committee.

This may reduce some of the economic and operational burden currently being experienced by many companies. This is true because increased auditor reliance on the work of others and stronger entity level controls may translate into a reduction in the auditor’s testing time and effort.

Saturday, June 2, 2007

PCAOB Approves New Audit Standard for Internal Control over Financial Reporting.

On May 24th, the Public Company Accounting Oversight Board approved a new audit standard for Internal Control over Financial Reporting.

Details: As per the PCAOB, 'the auditing standard adopted by the Board today is principles-based. It is designed to increase the likelihood that material weaknesses in internal control will be found before they result in material misstatement of a company's financial statements, and, at the same time, eliminate procedures that are unnecessary.' The final standard also focuses on the procedures necessary to perform a high quality audit that is tailored to the company’s facts and circumstances. The Board worked closely with the Securities and Exchange Commission to coordinate Auditing Standard No. 5.

Applicability: 'The final standard may be used by auditors immediately following SEC approval, and it, along with Rule 3525, and the conforming amendments, would be required for all audits of internal control for fiscal years ending on or after November 15, 2007.'

Coming soon~ Auditopia's analysis on the new audit standard.