Your Internal Controls, LLC offers an array of services that could assist your organization with internal controls testing:
Sarbanes-Oxley
We have hands-on experience developing frameworks, leading teams, and executing plans, while complying with AICPA and PCAOB requirements and incorporating best practices from CoBIT and COSO. We have worked with external audit teams and have assisted management. We have worked with publicly traded companies and large accounting firms. Our primary experience in this area is dedicated to Information Technology (IT) internal controls.
Control Deficiency Assessment & Remediation
Many companies struggle with identifying deficiencies, as well as the classification of those deficiencies (e.g. Significant Deficiency, Material Weakness). It is also challenging to prioritize which deficiencies are remediated first. Our firm can assist your company with the identification and classification of deficiencies, as well as a remediation strategy for resolving the deficiencies. Our experience in formal course instruction and hands-on experience enables us to be both efficient and effective in remediation efforts.
Policies and Procedures Development
Your Internal Controls, LLC has had hands-on experience assisting corporations and federal agencies with their policies and procedures. We have developed policies and procedures as well as audited against them. Our primary experience has been with the following:
• Risk Assessment
• Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP)
• Systems Development Life Cycle (SDLC)
• Configuration Management (CM)
• IT Strategic Plans
• Security Awareness & Training
• System Security Plans
• Incident Response Policies
• Data Center, Backup & Recovery
• Audit & Monitoring
• Rules of Behavior / Acceptable Use Policy
• Service Level Agreements (SLA)
• Separation of Duties Matrices
• Anti-Virus
• Email
• Fraud
• Internal Controls
Compliance (CoBIT, COSO, PCAOB, SAS 65, 70, 94, 99, 103 – 112, etc.)
The CoBIT and COSO frameworks are used primarily in the corporate arena. Your Internal Controls, LLC has extensive experience designing programs that mirror and adhere to the principles of CoBIT and COSO. We have developed matrices detailing a universal population of controls.
The PCAOB has issued several standards (notably AS 2 and AS 5) regarding publicly traded company responsibilities. Our experience can assist your organization in developing a plan that not only follows CoBIT and/or COSO but also strictly adheres to the PCAOB.
Your Internal Controls, LLC can also assist your organization in direct cost savings by providing a SAS 65 analysis to your external auditors. There are 2 primary areas where the external auditors may not rely on the work of a 3rd party (walkthroughs and controls in the Control Environment). Our control structures have highlighted the areas on which external auditors can and cannot rely, thus saving them time by letting them narrow their points of concentration. We have also provided detailed analysis supporting SAS 65 requirements (e.g. understanding, competence, and objectivity) in order to save the external auditors time, thus resulting in cost savings to your organization.
If your organization is performing services for multiple entities and one of them has requested a SAS 70, you have come to the right place. Our firm personnel have not only performed numerous SAS 70 audits, but we have also developed and taught them in a formal classroom setting. We can assist your organization with a Type I, a Type II, or a Type II Readiness Review.
SAS 94 concerns IT in support of a financial statement audit. Your Internal Controls, LLC specializes in performing IT-related controls work in support of financial statement audits. Our firm is the bridge that connects the CFO with the CIO. We have experience on the financial audit side, as well as on the IT side; however, our specialty is performing internal-controls-related services for Information Technology.
Your Internal Controls, LLC has worked with corporations and federal agencies in complying with SAS 99. We have proprietary work programs that can assist your organization to meet the standards, as well as meet the standards of your external auditors. We have developed Fraud programs, controls, and policies for large publicly traded companies. Our experience can be leveraged to support compliance with SAS 99.
SAS 103 and 112 are effective now, whereas SAS 104 through 111 are effective for periods beginning on or after 12/15/06 ('07 audits). SAS 103 is concerned with audit documentation and SAS 112 is concerned with communication of findings. SAS 104 through 111 are primarily concerned with evaluating internal controls in support of the financial statement audit.
Previously, the audit team could assess controls at maximum without having done any tests of internal controls. With the new SAS standards this is no longer allowed. These standards are applicable to all financial statement audits.
General & Application Controls (Windows, Unix, Oracle, Mainframe, etc.)
General controls are concerned with the systems and overarching policies, whereas Application controls are the controls specific to an application (e.g. controls over an Accounting application – Solomon, Great Plains, etc.). Our testing experience has been extensive and has covered all areas of General and Application controls.
We have tested General controls in areas such as the following (just to name a few):
• Policies
• Systems
• Databases
• Perimeter Security
• Physical Security
• Access
We have also tested Application controls in areas such as the following (just to name a few):
• Interfaces between applications
• Completeness and Accuracy controls
• Edit checks
• Validation checks
• Access
Perimeter Reviews & Assessments (Firewalls, Routers, IDS, etc.)
In the course of IT audits (in support of a financial statement audit), it may become necessary to perform a deeper review of the perimeter. Your Internal Controls, LLC has experience in assessing firewall structures and designs (e.g. static vs. stateful inspection). We have reviewed firewall designs and tested against them using known exploits (e.g. restrictions on inbound traffic from an internal IP address). We have developed proprietary programs and can assist your organization in assessing whether the perimeter has been secured via the firewall, intrusion detection and prevention systems, and more.
Forensics
In the unfortunate event that your organization suspects foul play, there may be a need for a forensics audit. This essentially means that data needs to be combed to identify the source of the foul play. Our knowledge of IT security, auditing, and forensics can assist your organization in identifying the source (e.g. person or organization) and how the infraction occurred. It will be necessary to review logs and trace the data to its source of origination, as well as perform an array of other tasks.
Wireless Reviews
Networks have primarily relied on wires for data to traverse; however, with the advent of wireless networks, it is becoming easier for people to send data. Unfortunately, sending data wirelessly poses huge IT risks in terms of confidentiality and integrity. Furthermore, it is also essential that your organization remove the risk of being an access point for 3rd party attacks (e.g. launching point for another entity), as this may open up liability to your organization. Your Internal Controls, LLC can assist your organization in securing your wireless network.
Privacy Reviews (PCI, HIPAA, etc.)
Privacy is critical to every organization. There are numerous laws dictating the respective procedures to put in place, from Privacy policies to prevention and detection of violations, and more. It is critical that your organization first identify which data is to be considered private. The next step is to locate this data. The third step is to secure this data from prying eyes, which affects confidentiality. Your Internal Controls, LLC has extensive experience in auditing systems, databases, and applications, as well as IT security, so it would be advantageous to utilize our resources to ensure your data is kept private and in compliance with the laws and regulations (e.g. PCI, HIPAA, etc.).
Social Engineering
Social Engineering is a fascinating topic. An organization can have the best logical and physical controls; however, if an employee gives his or her password over the phone to a supposed Help Desk employee (e.g. another person in disguise), then the entire security infrastructure has been compromised. It is absolutely essential to augment any IT control structure with Social Engineering. It is amazing how many organizations invest time and money in hardware and software, and yet a security compromise can occur with a simple lack of security awareness. Our firm has performed extensive Social Engineering and has been quite successful at retrieving data which should have been kept private.
Recovery Auditing
If your organization is concerned with making improper payments (e.g. duplicate payments, incorrect amounts, wrong payee, etc.), then you should consider seeking the services of Your Internal Controls, LLC. Our skills have enabled us to identify improper payments and aid in the recovery of real dollars. Recovery Auditing is usually a cost-saving measure for organizations, as the recovery pays for the service as well as recovers additional dollars.
Fraud Prevention & Detection
Your Internal Controls, LLC has developed Fraud policies, procedures, as well as controls to assist organizations in their compliance efforts (e.g. SAS 99, Sarbanes-Oxley, etc.). Fraud controls span a host of areas from Segregation of Duties to Policies and more. Our experience can be leveraged to assist and aid your organization in the prevention and detection of Fraud.
Data Center Reviews (Physical & Environmental)
How secure is your data center? What is the current level of humidity? If you’re not sure of the answers, then you may wish to employ the resources of Your Internal Controls, LLC. We have extensive experience working for federal agencies (e.g. Department of Defense) and Fortune 500 companies. We can perform detailed procedures and tests to assess the level of both physical and environmental security surrounding the data center.