Issue 24, Quarter 1 2004
Hong Kong Chapter
FOCUS
A Newsletter for Members About Chapter & International Events and Programmes
Your award-winning Newsletter from your award-winning Chapter!

Dear Members,

Kung Hei Fat Choy! Wishing everyone a fantastic 2004 of good health, brilliant career and personal life! Time flies. We have approached another year of a new era. With the New Year ensuing, we shall put away the old hurts and look forward to the new year of hope. Dedication and hard work will bring miracles. Let us all work for these miracles to bring IS Audit, Controls and Assurance to a new height, and in turn bring prosperity to the Hong Kong community and also rewards on the personal fronts.

Susanna Chiu
ISACA HK Chapter President

Inside:
President’s Update ....................... 1
President’s AGM message ........... 2
Conferences & Training Weeks .. 4
CISA & CISM exam information 4
Membership FAQs ....................... 5
Global membership statistics....... 5
CISA chapter members note ....... 5
Control objectives for Net Centric Technology .................................... 6
CISA earns largest bonus pay ..... 8
6 steps to improving IT governance .................................... 8
Article: Data mining and the auditor’s responsibility ................ 9
CobiT: Guidelines meld IT governance, Sarbanes-Oxley compliance .................................. 11
CobiT: Uruguay Central Bank adopts CobiT ............................... 11
Article: BCP testing considerations & best practices . 12
CISA review course .................... 15
Who’s who ................................... 18

IT agenda for 2004 and beyond

As it is the start of the New Year of the Monkey, trend forecasting is the norm. I came across a magazine recently which published a forecast of the “Future Vision: IT’s Top Ten” which most likely will dominate the IT agenda in Asia in 2004 and beyond. Let’s take a look at the list for general reference purposes:

1. IT Spending
2. Internal Controls
3. Outsourcing
4. Utility Computing
5. Enterprise suites
6. Collaborative computing
7. Security
8. Storage systems
9. Business intelligence
10. Risk management

It is encouraging to note that security, controls and assurance (which include audit and risk management) have been three standing trends for 2004. All these three are important elements towards IT Governance, which itself has to be an important trend for not only Asia but also the world. In fact, controls, security and assurance have significant implications in all other trends for each trend to be effectively deployed. Therefore, IT Governance is no longer just a background shadow agenda, but an agenda to take the front stage. It has taken some years to come through but we have finally seen the light. Having said that, much work has to be done to bring IT Governance to its truly deserved status. ISACA will continue its pioneer role in bringing this agenda to the world stage.

2004 for the Chapter

Last year ISACA (HK Chapter) made achievements in building alliances with government bodies and the IT professional community, and applied successfully for the IT Functional Constituency electoral status for our Chapter members. This year, whilst the Chapter will continue this liaison work to enhance the members’ network with other IT professional organisations, the Chapter will focus its liaison work with the members to build a closer community among the Chapter membership, and to develop a commune for members to exchange views and knowledge on the current and ensuing issues concerning IS audit, controls and security. Another focus will be HK Chapter’s role in establishing ISACA’s presence in China through promotion of the CISA/CISM examinations and educational seminars. All these developments place tremendous demands on the time and efforts of the Chapter’s leadership, including both the Board of Directors and Committee Members, to organize various effective functions and activities for members.
Issue 24, Quarter 1 2004 ISACA Hong Kong – FOCUS

However, this is not enough - more importantly we need participation from you as our members and to volunteer your time to assist in our event organization to put these goals into reality. We extend our open arms to you for your contribution in whatever capacity and magnitude. Let us all wish for a prosperous year of 2004, and a year of advancement in the development of IS audit, controls and security. Whilst staying in touch via emails and websites, our Board of Directors also look forward to the opportunity of meeting you in person during our monthly CPDs and various Chapter activities. Of course your advice and comments are always welcome!

Best regards,
Susanna Chiu
President

President’s AGM message

An extract from Ms Susanna Chiu’s AGM message, detailing some of the Hong Kong Chapter’s achievements over the prior year. December 4, 2003

Membership

Continuing the trend of the last few years, the Chapter’s membership continues to increase. As at the end of September 2003 the Chapter has 1,124 members, and has received the Growth Award in membership from ISACA International for 2002/03. Of the 150 chapters globally, this makes us the 2nd largest chapter globally in terms of membership after Korea, and we continue to grow, especially with the accelerated interest expressed from our prospective members from Mainland China.

Professional consulting

The chapter is taking an increasing role in providing comments on legislation and standards. In 2002/03 the chapter was involved in the following activities:

1. Hong Kong IT Sector visit to the Party Leader in Beijing, October 2003
2. Represented on the Working Group of the IT Professionals Registration System in HK.
3. We are an active member of the IT Ethics working group run by the Hong Kong Independent Commission Against Corruption (ICAC), designing and promoting ethics standards for IT professionals, and sit on the Editorial Board of ICAC with other professional organizations to develop a management package for use by managers on integrity issues in an e-working environment. The title of the package is "Leveraging Information Technology - A Practical Guide on Ethical Management", which was published at the end of 2002.
4. We sit on the Advisory Committee of Sin Chung Kai in advising IT policies and regulations to the Government, and attend regular meetings of the Committee.

Member and public communication

Emails are a popular medium for informing members of chapter events as well as being a source of revenue for the chapter for advertising education events and job vacancies. We continue to maintain a web site, which is a useful method for providing information to our members and the general public. It also provides some advertising income for us. We continue to establish alliances with professional organizations to co-organise workshops and support their activities.

CISA

This year was another successful year for our CISA Review Course. Due to an overwhelming demand, the course had to be split into two to accommodate over 90 participants. We received good feedback and it will continue to be held, providing the Chapter with an affordable CISA course but also as one of the chapter’s main sources of revenue. There are participants from Mainland China in the Course. We had over 500 people sitting the CISA exam. The number is lower than last year due to the SARS impact. Nevertheless, the rate is still high compared to other parts of the world.
Awards/Achievements in the year

HK Chapter was awarded the Best Chapter for large chapters (amongst all the large sized chapters internationally)
HK Chapter was awarded the Fastest Growth in Membership Award
Our website was honoured with the ‘Gold Award’
Our Chapter celebrated our 20th Anniversary in 2002, and
Our Chapter has successfully applied for the eligibility of our CISA members as voters in the 2004 IT Constituency Election.

Seminars/Education

Attendance at seminars continues to be satisfactory, with members of the Chapter and other associations such as HKSA and HKCS present. At each of our seminars one attendee at random is presented with a $100 book voucher. Conferences, programmes and monthly CPD seminars were organized as follows from Oct - Nov 2003:

SUBJECT | SPEAKERS/ORGANISATIONS | DATE
World Congress of Accountants | ISACA booth at the Exhibition | 18-21 Nov 2002
20th Birthday Cocktails and ISACA President Speech | Dr Robert Roussey, International President of ISACA | 20 Nov 2002
A voluntary recognition scheme for certification | | Nov 2002
Business Continuous Planning | Mr Henry Ee | Dec 2002
ebXML | Dr. David Cheung, HKU | 7 January 2003
IT Functional Constituency Election Briefing | Hon. Sin Chung Kai, LegCo | 16 January 2003
CISA/CISM Briefing | Barbara Tam/Michael Huen/Susanna Chiu |
SAP Audit Training Workshop | Mr Mike Ward, SAP Consultant | 21-22 Feb 2003
Career Forum – “Creating a Niche in Your Career” | Sponsored by Ambition. Speakers: Hon Sin Chung Kai, Michael Chan (DBS), John Barnes (KPMG), Paul Jackson (HK Police), Guy Days (Ambition), Susanna Chiu/Philip Ting (ISACA [HK Chapter]) | 25 March 2003
CISA Review Courses (10 weeks) | ISACA Directors and invited speakers | 1 March – 31 May 2003
Wireless LAN Security | Mr John Lauderdale, PWC | 6 May 2003
eGovernment system: A practitioner’s perspective | Mr Michael Yung, ESD Life | 3 June 2003
CISA, COBIT & Model Curriculum intro to Hong Kong Baptist University | Raymond Chan | 10 Jun 2003
Telecom Fraud | Mr Robert Southworth, PCCW | 24 Jun 2003
Cyber Ethics Day (Exhibition Booth) | HK Police | 15 Jul 2003
Participation as speaker in InfoSec Seminar | Mr Vincent Chan, ISACA | 17 Jul 2003
Networking Hour with HKCS | ISACA & HKCS | 18 Jul 2003
Electronics Eavesdropping | Mr Robert Southworth, PCCW | 22 Jul 2003
A formalized approach to ISMS | Mr Dale Johnstone, PCCW | 20 Aug 2003
Update on Sarbanes-Oxley, XBRL | Mr William Gee, ISACA | 23 Sep 2003
Draft Code of Practice on Monitoring and Personal Data Privacy at Work | Mr Tony Lam, PCO | 21 Oct 2003
Software Quality and Project Management | Mr Raymond Tang, HKJC | 25 Nov 2003
Visit of HK IT Sector to Beijing | All IT Associations including ISACA (HK Chapter) | 28-30 Sep 2003
IS-Summit | ISACA co-organised with HKCS, HKPC, HKCERT, PISA & BSI | 17-18 Nov 2003

Administration

We have procured the services of Mega Business International Limited as our administrative support company and Grant Thornton as our auditors and secretarial support firm.

Summary

Overall the chapter is financially stable, has the support of a large membership, and is driven by a professional and now strengthened Board. With the Board’s leadership, the chapter will continue to promote and advance the profession in HK amongst professionals and the general public.
Conferences and Training Weeks

An update on global ISACA conferences and training weeks 2004

GLOBAL EVENTS
EuroCACS, Zurich, Switzerland, 21-24 March 2004. Web site: www.isaca.org/eurocacs2004
North America CACS, Chicago, Illinois, USA, 8-13 May 2004. Web site: www.isaca.org/nacacs2004
International Conference, Cambridge, Massachusetts, USA, 27–30 June 2004. Web site: www.isaca.org/international2004
Network Security Conference, Las Vegas, Nevada, USA, 8-10 September 2004. Web site: www.isaca.org/nsc2004
Oceania CACS, Melbourne, Victoria, Australia, 6-8 October 2004
Latin America CACS, Mérida, Yucatán, Mexico, 24-27 October 2004. Web site: www.isaca.org/lacacs2004
Network Security Conference (Europe), Budapest, Hungary, November 2004
Asia CACS, location and date TBD

EDUCATIONAL EVENTS
HK: "Integrated Security Conference & Expo" on 17 & 18 Feb on Level 6, HKCEC
1-5 March 2004, Charlotte, North Carolina, USA
IS Audit & Control Training Weeks (Web site: www.isaca.org/trainwk):
24-28 May 2004, Seattle, Washington, USA
28 June - 2 July 2004, Cambridge, Massachusetts, USA
20-24 September 2004, Amsterdam, Netherlands
27 September - 1 October 2004, Chicago, Illinois, USA
1-5 November 2004, Toronto, Ontario, Canada
6-10 December 2004, Atlanta, Georgia, USA

Check www.isaca.org/conferences for the most recent list of ISACA conferences and educational events.

CISA and CISM Exam Information

** CISA and CISM certification exam early registration deadline fast approaching **

Register on or before 4 February and SAVE:
Save US$80.00 by registering online (www.isaca.org/examreg)
Save US$50.00 when you fax or mail your registration

Key dates:
Early registration deadline: 4 February 2004
Final registration deadline: 31 March 2004
Exams given worldwide on: 12 June 2004

Registration for the exam is extremely heavy near these dates. We strongly encourage you to register well in advance to avoid any delay.
Membership FAQs

How do I renew my membership online?
Log on to the web site using your personal access credentials, which were included with the 2004 invoice mailing. Upon login, you will be directed to MY ISACA, which includes a link to MY RENEWALS in the left margin.

How do I notify ISACA of my new address, phone, etc.?
Update your profile online by navigating to Members & Leaders, My ISACA, My Profile, Constituent Profile. You may also send changes via email to membership@isaca.org or by fax at +1.847.253.1443. Please also notify the Chapter Membership of the changes by emailing membership@isaca.org.hk, so that the changes are also updated in the chapter membership database immediately.

Are there any online discussion groups I can participate in?
There are currently five listservs sponsored by ISACA, ITGI and ISACA chapters. There is a general topic listserv run by the Central Indiana chapter, a COBIT listserv, an Information Security Manager Discussion Forum, and the IT Governance Discussion Forum. For information on subscribing to all listservs, refer to www.isaca.org.

Global membership statistics

MEMBERS FROM MORE THAN 100 COUNTRIES
45% US and Canada
25% Europe and Africa
23% Asia and Middle East
4% Australia and New Zealand
3% Central/South America

ISACA MEMBERS BY TITLE
45% IS audit management and staff
15% CEO/CFO/CIO/Audit partner and director/security director
12% IS consultant
8% Information security management and staff
6% IS manager
14% Other

** CISA Chapter Members take note! **

As noted in the President’s AGM Message, your Hong Kong Chapter has successfully applied for the eligibility of our members as voters in the IT Constituency Election for 2004. At the request of the Electoral Office we will be contacting qualified CISA HK Chapter member candidates to obtain their Hong Kong ID numbers and to confirm their names.
To assist the process, please ensure your contact details, including email address, are correct. Details of how you can update your profile are listed above under “Membership FAQs”.

Control Objectives for Net Centric Technology

Introduction

Since the introduction of window-based net centric technology in 1985, there has been a paradigm shift. The significant difference in the net centric technology environment, compared with traditional computer processing, is that the traditional systems consider the location of hardware first, as well as the related software and data stored on the hardware. Net centric technology, however, considers the network as the primary concern. If hardware and facilities which have capabilities of handling objects (software and data) are linked to this network, the actual location of the hardware is not considered a limitation. Rather, the contents of information or objects are of significant importance.

Today, many organisations are either planning initiatives, or have already migrated to a net centric technology environment for mission critical and mission sensitive systems. The implementation of net centric technology must be economical, effective and efficient with sufficient reliability and security, as well as meet the enterprises' managerial requirements. The success of Internet portal sales is generating another paradigm shift driving business to an Electronic Commerce (eCom) environment. eCom, using Internet digital graphics capabilities and global network techniques, is making significant inroads in businesses worldwide. According to a Cisco-Systems funded study from the University of Texas Graduate School of Business, the Internet is now one of the most pervasive, profitable and fastest growing industries in the U.S., rivaling the automobile and telecommunications industries.

ISACF Development
It was recognised as absolutely essential to react to these fundamental shifts taking place, with a desire to formulate a generally accepted and comprehensive set of control objectives to use within the net centric technology environment. It is to address major parts of these concerns that the ISACF developed an "IT Governance Model". Within this model, ISACF has prepared Control Objectives for Net Centric Technology, which focuses strongly on the Information Technology enablers which allow the enterprise to be governed. These Control Objectives advise management, user and control and assurance professionals as to what controls may be necessary within their enterprise, and within the wider global communications environment in which it operates. ISACF recognises that the work of the Committee of Sponsoring Organisations of the Treadway Commission Report Internal Control Framework (COSO) has provided the basis for the business process model, and the model now put forward extends the scope of coverage to the net centric technology environment.

WHAT CAN CONTROL OBJECTIVES FOR NET CENTRIC TECHNOLOGY OFFER?

Control Objectives offers a broad range of building blocks against which the control practices within your enterprise can be matched to determine the effectiveness of the control environment. These control objectives have been developed by an international team from ISACF, using the latest thinking and best emerging practices from major information and knowledge businesses. As such, they represent a major new knowledge resource to enterprises, as well as new avenues of practice in enterprise management, control assessment, risk management, and auditing. For example, a typical IT Governance model within an enterprise is generally comprised of business control objectives, organisational communication control objectives and IT control objectives.
The IT control objectives must support the organisational communication control objectives, and the organisational communication control objectives must then support the business control objectives. Therefore, the IT control objectives relating to information services must support the business control objectives.

Business Control Objectives cover:
o Core business events activities (products, services, etc.)
o Enterprise resources activities (human, facilities, etc.)

Organisational Communication Control Objectives cover:
o Planning activities (goals sharing)
o Monitoring activities (current status sharing)
o Knowledge management activities (knowledge sharing)

IT Control Objectives serve as a link to COBIT (ISACF's comprehensive Control Objectives for Information and related Technology environments) and IT resource activities.

Control Objectives for Net Centric Technology (CONCT) focuses on the following activities:
o Intranet/Extranet/Internet (I/E/I)
o Data Warehouses and OLTP (Online Transaction Processing system)

WHY READ THIS DOCUMENT?

Control Objectives for Net Centric Technology (CONCT) provides well-structured ways of understanding and assessing the very complex net centric technology environment that exists. This provides management and IT control professionals a quick guide when addressing controls within this environment. Concepts and language of the latest developments are also used to assist users, firstly to familiarise themselves with the control objectives, and secondly to differentiate what is presented from the practices of the past. The concepts and language used are explained in the glossary section. Among the concepts covered are: Object Oriented Governance, Information Objects, Net Centric Technology.

DO CONTROL OBJECTIVES FOR NET CENTRIC TECHNOLOGY RELATE TO OTHER CONTROL MODELS?
Yes. They pull best practices from other models, and then take a fresh look at what control in the total enterprise means. The control objectives offer a holistic approach - a true enterprise approach of greater substance and depth - as well as linkage to the best of other models. Control Objectives for Net Centric Technology represents a specific application of ISACF's COBIT (Control Objectives for Information and related Technology) for general IT resource control. COBIT itself has been harmonised with over 30 global professional standards. COBIT is consistent with COSO, an internal control framework developed by the Committee of Sponsoring Organisations of the Treadway Commission. Consequently, these new control objectives, introduced in this research, provide the IT means to enable the business of the enterprise to operate effectively in the net centric technology environment.

HOW SHOULD THE IT GOVERNANCE MODEL FOR NET CENTRIC TECHNOLOGY BE USED?

The IT Governance Model may be used as a framework for effective governance of a complex enterprise in a fast changing information technology environment. Regular monitoring of activities against an established IT Control Model is essential to ensure an enterprise's governance is proceeding as planned. To set up an appropriate IT Governance Model, the enterprise must first scope its business by mapping blocks of business activities (business processes) and related business resources/objects. This mapping will be used as the guide for assessing the business control and net centric technology environment. Second, the enterprise needs to assess its ability to govern its activities by analysing its information sharing activities (Organisational Communication Control) and the extent to which it shares its goals, the status of its current information and the status of its current knowledge base resources. The sharing activities cover not only business activities but also net centric technology activities.
These assessments form the basis for the management of an enterprise to take corrective actions or redirect resources, as needed. Unless an IT Governance Model is introduced, an enterprise runs the risk of its IT and business objectives not being in alignment with its activities and use of resources.

WHO SHOULD USE CONTROL OBJECTIVES FOR NET CENTRIC TECHNOLOGY?

Executive management and all people who have roles and responsibilities for managing an enterprise should use this model. Management, owners of business objects and processes, IT design professionals, and assurance, security and control professionals are all likely to have roles and responsibilities in ensuring effective utilisation of net centric technology control within the enterprise. Emerging professionals such as information object designers, net security professionals and knowledge engineers will be key players in planning and implementing an effective IT Governance Model for Net Centric Technology. Refer to www.isaca.org for more details.

CISA Certification Earns Largest Bonus Pay

Sept 2003

Despite downward pressure on pay for information technology skills and certification, a report by Foote Partners, LLC indicates that premium pay for professionals holding the Certified Information Systems Auditor (CISA) certification increased by 25 percent during the past 12 months. Offered by the Information Systems Audit and Control Association (ISACA) since 1978, the Certified Information Systems Auditor (CISA) designation is a globally accepted standard of achievement in the IS audit, control and security field. The Foote Partners report confirms the value of earning a CISA designation. The 25 percent increase was the largest reported among the 55 certifications surveyed. In fact, according to the survey, overall premium bonus pay for the certifications surveyed fell by nearly 6% over the past twelve months. CISA is among the exceptions.
"This survey shows that CISA continues to be a valued certification, even during economically difficult times," said Ria Lucas, chair of the CISA Certification Board. "Earning the CISA designation helps assure a positive reputation as a qualified IS audit, control and security professional - and that reputation pays off in tangible compensation. CISA designation holders are skilled in good practice for IT and related risks and are also well positioned to take up opportunities in today's market place in a broader range of IT Governance roles."

In 2003, a record number of candidates (11,900) registered for the CISA exam. This marked the 10th consecutive year that registrations have set a new record. The exam was administered in June at approximately 200 locations around the world and in 11 different languages. Information about CISA and the CISA exam is available at the ISACA website: www.isaca.org. The Foote Partners, LLC findings are published in the "Quarterly Hot Technical Skills and Certifications Pay Index." Additional information can be found at www.footepartners.com.

Six Steps to Improving IT Governance

The original article is available from www.isaca.org.

1. Match IT governance with corporate culture. For example, in an enterprise that relies on consensus building, IT governance should take a democratic approach.
2. Align authority with relevant functions. For example, marketing execs should be able to discuss the implications of sales-force automation on sales operations.
3. Clarify roles and responsibilities. For each IT decision, specify who provides input, who makes the decision, who communicates the decision, and so on.
4. Integrate and adapt governance mechanisms. Structures and processes such as committees and task forces should be monitored and then adjusted as necessary.
5. Measure IT governance effectiveness. Governance should start by setting controls but move increasingly toward delivering business value.
6. Facilitate IT governance evolution.
IT governance must evolve with the changing vision and strategy of the enterprise. For example, as you increase your ability to use technology for competitive advantage, IT decisions might increasingly involve business leaders.

Data Mining and the Auditor's Responsibility

By Bob Denker, CISA, CIA, CFE
The original article is available from www.isaca.org.

The beauty of the new system, from Mr. Morse's perspective, was that it enabled him to scrutinize the debit and credit side of transactions. By clicking on a number for an expense on a spreadsheet, he could follow it back to the original journal entry—such as an invoice for a purchase or expense report submitted by an employee, to see how it had been justified.... By the first week in June, Mr. Morse had turned up a total of $2 billion in questionable accounting entries.

Having found the evidence, the audit team was suddenly faced with how serious the implications of their endeavor really were. Mr. Morse, 41, was known for his ability to use technology to ferret out information. Mr. Morse grew increasingly concerned that others in the company would discover what he had learned and try to destroy the evidence, he says. With his own money he went out and bought a CD burner and copied all the incriminating data onto a CD-ROM. He told no one outside of internal audit what he had found. [1]

Every internal audit officer should read the article from which the above quotation was cited. While not every audit staff can consist of diligent auditors like Gene Morse or his boss, Cynthia Cooper, vice president of audit at WorldCom, the auditors the staff does contain can be trained and educated to perform their audits in a similar, meticulous manner. It is easy to become complacent when one can boast of an audit staff consisting of a handful of CPAs, CISAs, CIAs and possibly a CFE.
In addition, there may be a technical guru who has written a series of ACL batch routines, which is far from being sufficient. Having the expertise and knowing how, when and where to apply that knowledge are not the same. This article hopes to educate the IA department decision-makers on how best to use their limited resources.

The biggest mistake many companies make is to entrust the audit software to a technical support staff. Senior management sees this as a cost saver by virtue of not having to train and support internal auditors to perform audit analysis routines themselves. Audit analysis software, such as ACL or IDEA, is best used as a sensitivity analysis tool, i.e., continually tweaking the variables (the author supports the concept of continuous auditing but it will not be discussed in this article). While running batch routines is sufficient to validate prior assumptions, it will not replace the iterative analytical process. In addition, the auditor best learns about business rules and processes by taking a hands-on approach.

The truth of the matter is, and many technical auditors will agree, the majority of extraordinary audit findings are accidental. As an example, several years ago the author of this article was performing an audit of a suspense account system and found no material suspense items. However, digging deeper into the suspense files, several hundred small-dollar items (some less than a dollar) were uncovered that were two years old or more. This discovery was made shortly after the accounts receivable (A/R) staff indicated that they reconcile most suspense items every two to three months. Had the audit been conducted in the more traditional manner, i.e., looking only for large monetary items, the problems with the A/R department never would have been uncovered.

The problem with most audit departments is that they are locked into the traditional ways of performing audits.
Yes, many chief audit officers have embraced analytical software, but these are merely tools and not the true paradigm shift in audit methodology that is required today. Audit departments must learn to think outside the box. Auditors should perform all of the analytics themselves, and they must be educated in fraud detection and introduced to data mining techniques. When the concept of data mining is brought up, audit managers cringe and argue that they cannot afford to employ statisticians. However, while there is data mining software that requires a statistician's level of expertise (such as IBM's Intelligent Miner), there also are products, such as WizRule from WizSoft Inc., that can be employed by most auditors who are acquainted with the fundamentals of Microsoft Office and who are curious as to why they obtained their audit results.

What Is Data Mining?

Data mining is the process of extracting knowledge hidden in large volumes of data. The data mining tools look for trends or anomalies without knowledge of the meaning of the data. Data anomalies are not necessarily the result of fraud, but can be the result of a range of different factors. In many cases they are caused by faulty data entry, where the user has typed in one value instead of another. Also, errors sometimes are the result of software or hardware malfunctions, resulting in corrupted data. Obviously, such errors can cause considerable damage, which cannot be easily measured but which could be of serious proportions, resulting in direct loss of both income and reputation. In other cases, errors are made intentionally.

Data Mining Applications

While many of the applications of data mining concern market analysis and customer retention, there are numerous applications specifically for fraud detection and prevention.
It should be emphasized that the user does not normally specify the fields to look for in the relationships; rather, the data mining program reads all of the data and determines whether relationships exist among data fields. In the case of WizRule, relationships can include any of the following:

- Formula rules
- If-then rules
- Spelling rules

An example of a formula rule is:

A = B * C

Where: A = Total, B = Quantity, C = Unit price

An example of an if-then rule is: If Customer is Summit and Item is Computer type A, then the price = 765.

An example of a spelling rule is: The value Summit appears 52 times in the Customer field. There are two case(s) containing similar value(s), such as Sumit and Sumitt.

These rules mainly are presented to reveal cases of misspelled names. A name is suspected as misspelled if (a) it is similar to another name in the same field, or (b) the frequency of the first name is very low while the frequency of the second name is very high. These are extremely significant findings, in that many audit programs are based upon specific searches such as "Show me all of the open accounts in Cleveland." Individuals wishing to perpetrate a fraud and who can override edit routines could easily hide their activity by changing "Cleveland" to "Clevelland" and thus escape detection.

Here is a short list of data mining applications that should attract the attention of whoever selects audits:

1. Human resources: Employees earning salaries inconsistent with their title; employees not availing themselves of benefit programs (perhaps to maintain as much anonymity as possible); employees whose household address matches an address in the vendor file; employees appearing more than once in umbrella security files
2. Financial applications: Structured transactions (clients who make cash/travelers check/money order contributions to annuities, single premium life insurance, mutual funds, etc.) in aggregate amounts that exceed the US $10,000 reporting threshold; clients making contributions to investment vehicles that are disproportionate to their income
3. Medical/dental applications: Patient substitutions; over-utilization of specific diagnoses inconsistent with the patient population; excessive number of patients traveling great distances to a provider (could indicate a provider using a postal drop site); provider open seven days a week for a disproportionate number of non-emergency procedures (could indicate a provider filing false claims and spreading out the submissions to divert suspicion)
4. Assistance in due diligence testing: By revealing the business rules, data mining tools can be used to train new auditors and, for new areas or new systems that are being audited for the first time, they are the ideal application to be used for due diligence testing.
5. Construction and purchasing: Payments made earlier than the contract specification date; invoices for large purchases made at the end of a fiscal accounting period; price of goods inconsistent with industry costs

With the introduction in the US of the Sarbanes-Oxley Act of 2002 and the implementation of HIPAA (Health Insurance Portability and Accountability Act of 1996), audit committees will not accept excuses from the audit department that it was unaware of major fraud occurrences. It is time for the chief audit officer to address the issue of an enlightened audit staff.

Endnotes

1. Pulliam, Susan; Deborah Solomon; "Uncooking the Books—How Three Unlikely Sleuths Discovered Fraud at WorldCom," Wall Street Journal, 30 October 2002

Bob Denker, CISA, CIA, CFE, is an independent audit consultant who specializes in teaching audit software and fraud investigation applications. He has more than 32 years of information systems experience, with 13 years in auditing and special investigations. In addition, he has taught courses in data analytics, fraud detection and fraud investigation.
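As an added illustration (not code from the article, from WizRule or from WizSoft), the following Python script applies the three rule types described above to a small constructed invoice file: it checks the formula rule Total = Quantity * Unit price, derives if-then price rules per customer and item from the data itself and flags rows that contradict a well-supported rule, and applies a spelling rule that pairs near-identical values in one field whose frequencies are lopsided. The invoice lines, customer names, prices and the support threshold are invented for the example, and similarity is measured with the standard library's difflib rather than any vendor's algorithm.

```python
"""Rule-discovery checks over a constructed invoice file.

Added illustration in the spirit of the formula, if-then and spelling rules
described in the article. It is not WizRule or any vendor's code; the invoice
lines, customer names and prices below are invented for the example.
"""
from collections import Counter, defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample: (customer, item, quantity, unit_price, total)
INVOICES = [
    ("Summit", "Computer type A", 2, 765.00, 1530.00),
    ("Summit", "Computer type A", 1, 765.00, 765.00),
    ("Summit", "Computer type A", 3, 765.00, 2295.00),
    ("Summit", "Computer type A", 1, 640.00, 640.00),   # breaks the customer/item price rule
    ("Sumit", "Computer type A", 1, 765.00, 765.00),    # probable misspelling of Summit
    ("Cleveland Supply", "Cable", 10, 4.50, 45.00),
    ("Cleveland Supply", "Cable", 20, 4.50, 90.00),
    ("Clevelland Supply", "Cable", 5, 4.50, 22.50),     # one letter defeats an exact-match search
    ("Acme", "Cable", 4, 4.50, 18.00),
    ("Acme", "Cable", 6, 4.50, 27.50),                  # total != quantity * unit price
]

CUSTOMER, ITEM, QTY, PRICE, TOTAL = range(5)


def formula_rule_exceptions(rows):
    """Row indices where Total = Quantity * Unit price does not hold (to the cent)."""
    return [i for i, r in enumerate(rows)
            if round(r[QTY] * r[PRICE], 2) != round(r[TOTAL], 2)]


def if_then_rule_exceptions(rows, min_support=3):
    """Derive 'if customer and item then price' rules from the data and return
    (row index, expected price) for rows that contradict a rule.

    A rule is only trusted when its dominant price is seen at least
    min_support times, so sparse groups do not generate noise.
    """
    prices = defaultdict(Counter)
    for r in rows:
        prices[(r[CUSTOMER], r[ITEM])][r[PRICE]] += 1
    exceptions = []
    for key, counter in prices.items():
        expected, support = counter.most_common(1)[0]
        if support < min_support or len(counter) == 1:
            continue
        for i, r in enumerate(rows):
            if (r[CUSTOMER], r[ITEM]) == key and r[PRICE] != expected:
                exceptions.append((i, expected))
    return exceptions


def spelling_rule_findings(rows, field=CUSTOMER, threshold=0.8):
    """Pairs of values in one field that are nearly identical, where one is
    rare and the other common: (rare value, rare count, common value, common
    count). This is what surfaces 'Clevelland' sitting next to 'Cleveland'."""
    freq = Counter(r[field] for r in rows)
    findings = []
    for a, b in combinations(sorted(freq), 2):
        if SequenceMatcher(None, a.lower(), b.lower()).ratio() < threshold:
            continue
        rare, common = sorted((a, b), key=freq.get)
        if freq[rare] < freq[common]:
            findings.append((rare, freq[rare], common, freq[common]))
    return findings


if __name__ == "__main__":
    print("formula rule exceptions:", formula_rule_exceptions(INVOICES))
    print("if-then rule exceptions:", if_then_rule_exceptions(INVOICES))
    print("spelling rule findings:", spelling_rule_findings(INVOICES))
```

Run as a script it prints the three exception lists. The spelling findings make the "Cleveland"/"Clevelland" point concrete: an exact-match query on the customer field returns only two of the three Cleveland rows, whereas the spelling rule reports the odd value together with the common name it resembles, which is where the auditor's follow-up starts.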
He is currently an adjunct professor of information systems at Baruch College of the City University of New York, USA. Denker may be contacted at profdenker@aol.com.

Guidelines Meld IT Governance, Sarbanes-Oxley Compliance

The original article is available from www.isaca.org.

Among the tools available to companies grappling with the Sarbanes-Oxley Act are standardized frameworks for IT governance and accounting controls that can be used to link Sarbanes-Oxley documentation activities with corporate IT management procedures. For instance, the IT Governance Institute and the Information Systems Audit and Control Association, both of which are based in Rolling Meadows, Ill., publish a set of guidelines called Control Objectives for Information and Related Technology. The six-volume set, known informally as Cobit, contains an IT governance model as well as management guidelines for determining how effectively a company controls IT and what improvements could be made. The two organizations released a third edition of Cobit in 2000. A majority of the documents are available for free download as an open standard at www.isaca.org/cobit.htm.

Cobit can serve as an effective bridge between IT governance and Sarbanes-Oxley compliance efforts, said Pamela Fredericks, a senior security consultant at Forsythe Solutions Group Inc. in Skokie, Ill. "If an IT organization follows Cobit, they'll have the documentation to help the CFO comply with [Sarbanes-Oxley]," she said.

Another framework that can be used to improve the quality of financial reporting has been developed by COSO, which is officially known as the Committee of Sponsoring Organizations of the Treadway Commission. The commission is named for James C. Treadway Jr., a former member of the Securities and Exchange Commission and the initial chairman of COSO.
All COSO publications are available through the American Institute of Certified Public Accountants, which is based in New York and can be reached online at www.aicpa.org. COSO's framework focuses on internal accounting controls and is one of the original sources used to create the Cobit guidelines. Companies can apply the accounting tenets set out by COSO to help them achieve Sarbanes-Oxley compliance, Fredericks said.

Uruguay Central Bank adopts Cobit for entire Uruguayan Financial Market

Financial Intermediary Institutions - Requirements for the Administration of Information Technology Areas.

Juan Pedro Cantera, Area Manager, Banco Central del Uruguay - Secretaría de Gerencia General, J.P. Fabini 777 esq. Florida - CP 11100 - Montevideo, Uruguay

This is to communicate to the Financial Intermediary Institutions that, for the administration of the Information Technology Areas, a Management System must be adopted which includes the best practices on the subject. For this purpose, these areas should consider as a guideline the principles established in the COBIT (Control Objectives for Information and Related Technology) reference framework provided by the Information Systems Audit and Control Foundation (ISACF) in the USA.

The Superintendency of Financial Intermediary Institutions (Superintendencia de Instituciones de Intermediación Financiera) will evaluate such a management system considering the four domains described in COBIT, which are detailed as follows:

1. Planning and Organization - Covers strategic and tactical aspects and analyzes the way Information Technology contributes to the accomplishment of the business objectives. It also refers to the planning, communication and administration for attaining strategic objectives, placing emphasis on the coordination between upper management, users of Information Technology services and the Information Technology area.

2. Acquisition and Implementation - Covers the identification, development or acquisition of technological solutions and their consequent implementation and integration in the business process. It also covers change and maintenance of the existing systems, to guarantee the continuity of their life cycle.

3. Delivery and Support - Refers to the effective delivery or provision of the services that are required from the Information Technology area, covering traditional systems operation, security, operations continuity, recovery and training aspects, as well as all the procedures and processes that are needed.

4. Monitoring - The Information Technology processes must be evaluated on a regular basis, to ensure compliance with quality, security and control requirements. This domain covers the participation of internal and external audit, to guarantee the independence of the judgements and conclusions prepared by Information Technology management regarding the controls performed over the processes.

Business Continuity Plan Testing: Considerations and Best Practices

By Brian Zawada, CISA, CBCP

The original article is available from www.isaca.org.

An ever-growing number of organizations have invested heavily in business continuity management since 11 September 2001. They now face the daunting task of validating the plans created by their organizations and training their recovery personnel to use the new documents. Having never organized or conducted a business continuity test (or exercise), new business continuity management (BCM) coordinators are looking for guidance regarding the best and most cost-effective process to validate plan content. This article captures thoughts, observations and industry best practices regarding plan testing.

Why Test?

Company X has a highly developed business continuity management process. Every six months, the organization exercises this capability in the form of a combined "table-top exercise" and disaster simulation. The investment in time is fairly high: the disaster simulation involves a ruptured onsite chemical tank, caused by a vehicle accident. (Previously totaled vehicles from a local junkyard are brought onsite to add realism.) Selected executive managers speak to the media (who are invited weeks in advance), local emergency management agencies participate, and key customer contact information is verified.

Why such elaborate measures? Company X wants to showcase its investment and instill confidence in the public, employees and customers. After all, Company X is prepared to handle an emergency response and recover key production processes. Management views its business continuity capability as a market differentiator, and the goodwill generated by this very visible test is a form of ROI: the public is happy with its responsible neighbor, employees feel secure that their company is protecting them, and key customers recognize that their supplier will be around to serve their needs, despite a disaster.

In addition to instilling confidence in all stakeholders, tests are valuable because they are typically the most realistic training event possible. Also, as regulatory bodies in a growing number of industries levy business continuity requirements, tests become a requirement as well. Regulations in the financial services, insurance, energy and healthcare industries, to name a few, mandate business continuity testing.

However, the most important and valuable aspect of business continuity testing is the validation of documentation and processes. Process recovery procedures, manual workarounds, server build procedures, resource listings and call trees cannot be counted on until tested and proven complete and accurate in a test environment.
Different Types of Tests

Conducting the same test twice a year will quickly lead to stagnant outcomes and bored participants. Therefore, it is important to mix it up. This section highlights the kinds of tests available to an organization, as well as the implications associated with each. Regardless of the type of test employed, actual data should be incorporated and real-world conditions simulated whenever possible. Additionally, the test scenario should be developed based on the results of the risk assessment; a likely risk to which the organization may be vulnerable should be chosen. Start small if the organization is new to BCP testing. As the business continuity process matures, the size and complexity of the test should be increased.

Test type: Description and implications

Desk check (e.g., boardroom style or table-top testing): Assemble recovery team members and walk through the plan using test scenarios and a series of test scripts. Table-top testing is the safest to do, but the least useful, because recovery strategies are not really tested or operationalized. Visualizing the business continuity plan (BCP) in action is part of the development process, but the value is limited. A more in-depth simulation will provide a stronger understanding of how the response teams work together, as well as a sense of the time needed for recovery and restoration activities.

Simulation (e.g., full-scale interdependency testing and walk-throughs): Simulate a disaster and determine how well the plan responds to the specific event in the operational environment. This may be the most costly testing method and also the most dangerous to the business, if not isolated properly.

Procedure verification test (e.g., business function testing): Limited in scope to a specific process or business unit, procedure verification testing evaluates the logic of a specific procedure to determine whether a deficiency exists, through a combination of desk checks and simulations. This approach is useful following an isolated business continuity test failure.

Communications: Communication is a key component of a BCM process. Test the accuracy and completeness of the organization's employee call tree, customer contact information channels and critical supplier/vendor/business partner contact information as part of a table-top exercise or simulation, or potentially as a stand-alone activity.

IT environment (systems and application) walkthroughs: Conduct an announced or unannounced disaster simulation and execute documented system recovery procedures. The primary objective is to verify that critical systems and backup data can be recovered against a specific timeline and the documented application interdependencies. This scenario exercises "active-active" and "active-backup" IT continuity models.

Business continuity coordinators also have a responsibility to be original and capture the interest of test participants. For example, one coordinator operates his tests like a Monopoly game, using chance cards to insert anticipated variables into the test process. Others insert a bit of realism by randomly selecting personnel to sit out and observe tests to see how the rest of the team reacts. These are just a few ideas to add realism and keep exercises interesting.

Before Testing

As with any other business activity, the business continuity test will be successful only if planned appropriately. Test scenarios, objectives, assumptions and evaluation criteria should be formally developed and published prior to test execution. Test scenarios and scripts are most realistic if based on the results of the organization's risk assessment.
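As an added example, not from the article or from Protiviti: before an IT environment walkthrough, the documented application interdependencies and restore times can be checked on paper so that test time is not spent discovering a circular dependency or an unattainable timeline. The Python below builds the dependency-first recovery order, computes the earliest time each system can be back assuming independent systems are restored in parallel, and lists the systems whose dependency chain cannot meet their recovery time objective (RTO). The system names, restore durations, RTOs and dependencies are invented for the example; in practice they come from the plan's resource listings and server build procedures.

```python
"""Recovery-sequence check for an IT environment walkthrough.

Added illustration, not part of the article: validate the documented
application interdependencies (no cycles, no undocumented dependencies)
and check whether the documented restore times can meet each system's
RTO. All system names, durations, RTOs and dependencies are invented.
"""
from collections import defaultdict, deque

# Constructed inventory: name -> (restore time in hours, RTO in hours, dependencies)
SYSTEMS = {
    "ad":        (1.0, 4.0, []),
    "san":       (2.0, 4.0, []),
    "db":        (3.0, 8.0, ["san"]),
    "app":       (1.0, 8.0, ["db", "ad"]),
    "web":       (0.5, 8.0, ["app"]),
    "reporting": (2.0, 6.0, ["db"]),   # RTO tighter than its dependency chain allows
}


def recovery_order(systems):
    """Topological order of restoration, dependencies first.

    Raises ValueError on a cycle or an undocumented dependency, which means
    the interdependency documentation itself is wrong and must be fixed
    before the walkthrough is scheduled.
    """
    indegree = {name: 0 for name in systems}
    dependents = defaultdict(list)
    for name, (_, _, deps) in systems.items():
        for d in deps:
            if d not in systems:
                raise ValueError(f"{name} depends on undocumented system {d}")
            indegree[name] += 1
            dependents[d].append(name)
    ready = deque(sorted(n for n, k in indegree.items() if k == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in sorted(dependents[n]):
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(systems):
        raise ValueError("cycle in documented interdependencies")
    return order


def completion_times(systems):
    """Earliest hour at which each system can be back, assuming teams restore
    independent systems in parallel and a system starts restoring only once
    all of its dependencies are up."""
    done = {}
    for name in recovery_order(systems):
        restore, _, deps = systems[name]
        done[name] = max((done[d] for d in deps), default=0.0) + restore
    return done


def rto_breaches(systems):
    """(system, earliest recovery hour, RTO) for every system whose chain
    cannot meet its RTO even with perfect execution of the procedures."""
    done = completion_times(systems)
    return sorted((n, done[n], systems[n][1])
                  for n in systems if done[n] > systems[n][1])


if __name__ == "__main__":
    print("restore in this order:", recovery_order(SYSTEMS))
    for name, hour in completion_times(SYSTEMS).items():
        print(f"  {name:<10} back at +{hour:.1f}h (RTO {SYSTEMS[name][1]:.1f}h)")
    print("RTO breaches:", rto_breaches(SYSTEMS))
```

A breach reported here is a planning gap, not a test result: either the restore procedure for something on the chain must be shortened, the RTO renegotiated with the business, or the dependency removed. Running the check before each walkthrough also turns the "documented application interdependencies" into something the test can actually be scored against.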
Successful organizations have discovered that management sign-off on the test plan leads to increased business unit support and attention to detail. Artificialities should be minimized.

Ensuring that the appropriate personnel participate in the test is critically important. Plan testing is a form of BCM training, and the development of recovery team members with deep skills and experience is an essential outcome. The corollary also is true: organizations should identify not only primary recovery team members, but also alternates, second alternates, third alternates and so on. These backup personnel should be trained, and must be familiar with recovery procedures. Business continuity coordinators must strike a balance; both breadth and depth of recovery skills are important to a successful recovery effort.

The final pre-test consideration is the process to manage the test and collect data: team feedback, required amendments and planning gaps. A range of test management issues, including start times, stop times, coordination between business units, and observers, should be considered. Business continuity coordinators must identify the process and personnel to observe the test and capture the results in line with the metrics established prior to test execution.

Frequency

How often should organizations test their business continuity plans? BCM experts answer in one way: as often as possible. Management expectations, test objectives, the maturity of the planning process and system/process criticality are all factors when deciding how often to test.
The majority of organizations test business continuity processes one or two times a year; however, this can be increased by such factors as:

- Changes in business processes
- Changes in technology
- Changes in BCM team membership
- Anticipated events which may result in a potential business interruption

Organizations also may choose to conduct more tests or exercises if operations are decentralized across multiple locations. Additionally, some business continuity coordinators choose to conduct testing in stages given the size of their IT infrastructure, the size of the business or their relative inexperience with BCM testing. Others want to rotate as many people as possible through the training experience, given its valuable benefits. Regulatory requirements also may influence the number of tests performed annually. Regardless of how many tests are conducted each year, they should be scheduled in advance to ensure maximum participation. A progressive, incremental schedule that includes a timetable of events should be developed.

Common Pitfalls

Common pitfalls experienced by organizations testing business continuity processes have been discussed throughout this article. To summarize, here are a few of the common issues:

Testing an ad-hoc business continuity process—Many organizations attempt to test an undocumented business continuity process. Testing a professional's improvisation skill may lead to a false sense of security and ultimate failure during an actual business interruption. Time must be taken to document the business continuity process and then test it.

Addressing only IT disaster recovery planning (DRP) or business recovery planning (BRP)—Fortunately, the number of organizations focusing solely on IT disaster recovery plan testing (i.e., recovering systems offsite) is shrinking as integrated business and IT testing becomes more common.
Failure to establish test objectives—The scope of the test and the areas where the organization may be uncomfortable with its present BCM capability should be charted. Failure to do so may lead to gaps in planning and a recovery strategy that fails to meet business objectives.

Failure to follow documented procedures—The most common pitfall experienced by organizations is a failure to follow documented procedures for response, recovery and restoration. Testing is the time to validate these procedures. Even for the most experienced recovery team members, this discipline is critical, given that the least experienced person may be the one who uses the BCP for recovery purposes.

Static test types and scenarios—The quality and quantity of test participation will quickly diminish if the business continuity coordinator uses the same test type and the same test scenario year after year. Not only that, management will lack confidence that the BCM process can address multiple threat scenarios. This may be avoided by investing in the development of varied testing scenarios and the use of multiple test types to generate interest and build a sense of confidence in the planning process. Surprise tests should be conducted when possible, taking into account financial and safety implications.

The wrong players—The BCM test should include the personnel identified in the business continuity plans. Recovery teams with deep skill sets should be developed, but experienced backup personnel should be available. The use of backup recovery personnel as observers, to improve their awareness and breadth of experience, should be considered. Additionally, executive management should continue to run day-to-day business operations, but focus on their recovery procedures on a non-interference basis if identified in the plan.

The missing pieces—Not only do the best, most successful business continuity tests eliminate artificialities, they also address as many critical business components as possible.
As part of the test scope, the following should be considered:

o Obtain and test data (and hard-copy records) stored offsite.
o Evaluate vendor performance and service level agreements.
o Involve governmental entities during the test, as appropriate.
o Verify the accuracy and completeness of the organization's crisis communications process, including call tree and customer contact lists.

Publicize successes—As the continuity planning process matures, testing successes will multiply. In today's business environment, a proven, successful business continuity management process is a differentiator. Investors, customers and employees should be informed of successes, as well as the media. Be proactive with offers to be a case study. Another option is to send the business continuity coordinator to a trade show as a featured speaker. Take advantage of the investment.

What Should Happen After the Test?

Now that the test is over, what's next? Before everyone leaves, have a quick meeting and facilitate a brainstorming session. What went well? What could be done differently? Try to have as many people involved as possible; one person's idea will spur others.

Document the results of the test. Did the organization meet its objectives? What should be done differently during the next test? Capturing results will improve the plan and future testing. Test results should be formally critiqued at a later date: will the existing business continuity process meet business objectives and customer expectations? And perhaps most important, communicate test results to management; after all, management is ultimately responsible for the continuity of critical business processes. Plan inadequacies should be identified, action items assigned and remediation activities tracked. During the next test, the test scenario should touch on untested or previously "broken" components of the business continuity process.
For plan components resulting in recovery failure (or potential recovery failure), immediate retesting should be considered. Finally, the organization's general counsel should be consulted to ensure test documentation is retained in the proper format and for the correct length of time to avoid potential litigation.

Conclusion

A business continuity plan is not complete until it is tested. Untested business continuity plans cannot be relied upon following a business interruption or disaster. A formal BCM testing process provides management, customers, suppliers and employees with the assurance that the plan will work as documented. An effective test can have many things go wrong. The organization should not be afraid to make these mistakes, identify them and then correct each in a logical manner reflecting business objectives. Keep in mind: it is best to make the mistakes before the actual business interruption takes place.

Brian Zawada, CISA, CBCP, is a senior manager at Protiviti (www.protiviti.com), which helps clients identify, measure and manage the operational and technology-related risks they face within their industries and throughout their systems and processes. He specializes in the development and implementation of BCM solutions nationwide. Brian can be reached at brian.zawada@protiviti.com.

2004 Certified Information Systems Auditor (CISA) Hong Kong Review Course

The CISA examination is an internationally accredited programme administered by ISACA, first held in 1981. The certification is held by professionals from many different disciplines including finance and accounts, computer auditing, financial auditing and IT. Each year ISACA holds the CISA examination in more than 70 countries (over 180 locations worldwide and in eleven languages) for persons wishing to be professionally certified as information systems auditors.
The 2004 CISA examination, which consists of 200 multiple-choice questions and is administered during a four-hour session, will be held on 12 June 2004.

A 10-week CISA Review Course organized by ISACA (Hong Kong Chapter) is scheduled to commence on 6 March 2004 for candidates who need assistance in preparing for the CISA examination. The CISA Review Course fee is HK$2,200 for ISACA members, HK$3,000 for Hong Kong Society of Accountants (HKSA) and Hong Kong Computer Society (HKCS) members, and HK$3,800 for non-members. Some study aid materials may be provided but will not include the CISA Review Manual. Course participants are advised to purchase the manual through the Hong Kong Chapter at a discounted price: HK$820 for ISACA/HKSA/HKCS members and HK$980 for non-members.

Provisional timetable

All sessions are on Saturdays, 12:00-3:00 p.m. or 3:30-6:30 p.m.

- 06 Mar 2004: Introduction, distribution of course details
- 13 Mar, 20 Mar, 27 Mar, 03 Apr, 24 Apr, 08 May, 15 May, 22 May 2004: Process and content areas review
- 29 May 2004: Wrap-up session and mock test

It is important for you to attend the first day of the course on 6 March in order to obtain the final timetable of the review course and the study materials. The course on Saturday 6 March 2004 will be held at:

Ernst & Young Training Centre
4/F, Hutchison House
10 Harcourt Road
Central, Hong Kong

The date, time, venue and instructors of the above sessions are subject to change at the discretion of the Board of ISACA (Hong Kong Chapter).

Enrolment

The enrolment form is printed on the next page. For further details, please contact our CISA Coordinators, Michael Huen at 2238-7270 (email: cisa@isaca.org.hk) or Barbara Tam at 2848 6603 (email: cisa@isaca.org.hk), or visit our website at www.isaca.org.hk. The deadline for enrollment is Friday 27 February 2004.
Since seats are limited, enrollment is on a first-come-first-served basis. For information on how to become a member of the Association, please contact our Membership Director, Jean Wang (email: membership@isaca.org.hk).

Course Payment Method

All cheques should be crossed and made payable to "The Information Systems Audit & Control Association (HK Chapter) Limited" and sent together with the enrollment form to the following address no later than Friday 27 February 2004:

GPO Box 3247
Hong Kong

Payment Policy:

1. Acceptance of the enrollment is subject to clearance of the cheque.
2. The receipt will be provided on the first day of the course.
3. The payment is not refundable after the commencement of the course.
4. All registrants who fail to attend some or all classes after the commencement of the course are liable for the entire payment.
5. ISACA (Hong Kong Chapter) reserves the right to reject the enrollment or amend any details of the course.

2004 CISA Review Course Enrollment Form

Date: 6 March 2004 – 29 May 2004
Time: 12:00 noon – 3:00 p.m. or 3:30 p.m. – 6:30 p.m. (Tentative)
Venue: Ernst & Young Training Centre, 4/F, Hutchison House, Central

Course Fee:
- ISACA Members: HK$2,200
- HKSA/HKCS Members: HK$3,000
- Non Members: HK$3,800

Study Material (Optional), 2004 CISA Review Manual:
- ISACA or HKSA/HKCS Members: HK$820
- Non Members: HK$980

Yes, I will enroll in the CISA Review Course

Name:
ISACA/HKCS/HKSA Member No.:
Phone Number:
Company:
Fax Number:
Email Address:
Address:
Current Profession: Accounting/Finance / Auditing / IT Auditing / IT/IS / Gen. Management / Others
Preferred Session: 12:00 – 3:00 / 3:30 – 6:30

Item | Fee | QTY | Total (HK$)
ISACA Member | HK$2,200 | x | 
ISACA Member Review Manual | HK$820 | x | 
HKSA/HKCS Member | HK$3,000 | x | 
HKSA/HKCS Member Review Manual | HK$820 | x | 
Non Member | HK$3,800 | x | 
Non Member Review Manual | HK$980 | x | 

Cheque Number:

I agree with the terms and conditions as stated on this enrollment form.
Signature:
Date:

ISACA Hong Kong Chapter Committee Composition 2004 – Directors & Committee Members

Board of Directors

President: Susanna Chiu, DVN (Holdings) Ltd, Room 1304-05, China Resources Building, 26 Harbour Road, Wanchai, HK. Tel 2585 7310, Fax 2151 9771. Email: president@isaca.org.hk

Vice President: William Gee, Global Risk Management Solutions, PricewaterhouseCoopers, Guangzhou. Tel c/- 81012801, Fax c/- 81012802. Email: vice-president@isaca.org.hk

Secretary: Vincent Chan, Technology & Security Risk Services, Ernst & Young, 10/F Tower 2, The Gateway, 25-27 Canton Road, Kowloon, Hong Kong. Tel 2629 3751, Fax 2118 4142. Email: secretary@isaca.org.hk

Treasurer: Kenneth Wong, Global Risk Management Solutions, PricewaterhouseCoopers, 33/F Cheung Kong Centre, 2 Queen's Road Central, Hong Kong. Tel 2289 2719, Fax 2297 0101. Email: treasurer@isaca.org.hk

Immediate Past President: Pierre Herbst, Internal Audit, Morgan Stanley Asia Ltd, 30/F, Three Exchange Square, Central, Hong Kong. Tel 2848 6647, Fax 3407 5288. Email: ipp@isaca.org.hk

Chapter Coordination and Membership Director: Jean Wang, Hong Kong Housing Society, Dragon Centre, 23 Wun Sha Street, Tai Hang, Hong Kong. Tel 2894-3383, Fax 2882-2033. Email: membership@isaca.org.hk

Relationship Director: Raymond Chan, Group Internal Audit, Hospital Authority, 147B Argyle Street, Kowloon. Tel 2300 6750, Fax 2199 9691. Email: relationship@isaca.org.hk

Education & Programme Director: Daniel Ng, LG Philip. Tel c/- 81012801, Fax c/- 81012802. Email: education@isaca.org.hk

CISA Coordinator: Barbara Tam, Internal Audit, Morgan Stanley Asia Ltd, 30/F, Three Exchange Square, Central, Hong Kong. Tel 2848 6603, Fax 3407-5145. Email: cisa@isaca.org.hk

CISA Coordinator: Michael Huen, Deloitte & Touche Enterprise Risk Services Ltd, 26/F Wing On Centre, 111 Connaught Road Central, Hong Kong. Tel 2238 7270, Fax 2541 7101. Email: cisa@isaca.org.hk

Publicity Director: Philip Ting, Internal Audit, Morgan Stanley Asia Ltd, 30/F, Three Exchange Square, Central, Hong Kong. Tel 2848 6720, Fax 3407-5287. Email: publicity@isaca.org.hk

Director (webmaster): Michael Yung, General Manager - Technology & Operations, ESD Services Limited, 19/F, One HarbourFront, 18 Tak Fung Street, Hung Hom, Kowloon. Tel 2128 9801, Fax 2189 7448. Email: webmaster@isaca.org.hk

China Affairs Director: Samuel Sinn, Ernst & Young, Level 16, Tower E3, The Towers, Oriental Plaza, No. 1 East Chang An Ave., Dong Cheng District, Beijing, China 100738. Tel +86-10 6524-6688 ext 3310, Fax +86-10 8518-8298. Email: china-liaison@isaca.org.hk

China Affairs Director: Peter Koo, Management Solutions & Enterprise Risk Services, Deloitte Touche Tohmatsu, 26/F, Wing On Centre, 111 Connaught Road Central, Hong Kong. Tel 2852 6507, Fax 2541 7101. Email: publicity@isaca.org.hk

Director: Patrick Li, Hong Kong Productivity Council. Tel 2788 5865, Fax 2190 9765. Email: PLi@hkpc.org

Hospitality Director: Paul Tsoi, Global Risk Management Solutions, PricewaterhouseCoopers, 33rd Floor, Cheung Kong Center, 2 Queen's Road Central, Hong Kong. Tel 2289-2921, Fax 2297-0101. E-mail: hospitality@isaca.org.hk

Committee Members

Simon Chan, IT Audit Division, Bank of China (Hong Kong) Limited, Unit A, 43/F Bank of China Tower, 1 Garden Road, Hong Kong. Tel 2826 6888, Fax 2545 6621. Email: smchan@bochk.com

Epsilon Ip, c/- ISACA Hong Kong Chapter, GPO Box 3247, Central, Hong Kong. Tel c/- 81012801, Fax c/- 81012802.

John Lauderdale, Global Risk Management Solutions, PricewaterhouseCoopers, 33rd Floor, Cheung Kong Center, 2 Queen's Road Central, Hong Kong. Tel 2289 2926, Fax 2297 0101. Email: john.Lauderdale@hk.pwc.com

Office Address Details

Hong Kong Chapter
GPO Box 3247, Hong Kong
Telephone: (852) 8101-2801
Facsimile: (852) 8101-2802
Internet homepage: http://www.isaca.org.hk

International Office
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008-3105
USA
Telephone: 1-847-253-1545
Facsimile: 1-847-253-1443
Email: membership@isaca.org
Internet homepage: http://www.isaca.org

Focus Publishing Details

Focus is published periodically and distributed to all Hong Kong Chapter members. A copy is also available for viewing at www.isaca.org.hk.

Advertising rates for full page, half page, and per-word (classified) are available. Rates for advertising on our web site are also available. To advertise or write an article for the newsletter, please contact the editor, Pierre Herbst, or any of the Committee.

Focus is provided for informational purposes only. The views and opinions contained in this newsletter are solely those of its authors, and do not necessarily represent or reflect the views or opinions of the ISACA HK Chapter.