Albuquerque Chapter
Audit Tales
July 2005

BOARD OF GOVERNORS
President: Michael A. Robertson, CIA 845-0900 marober@sandia.gov
VP-Membership: John Trujillo, CPA 241-4622 jtrujil4@pnm.com
VP-Programs: Alan Gutowski, CPA, CISA 768-3166 agutowski@cabq.gov
Secretary: Sheila Hall, CPA, CIA 241-4612 shall@pnm.com
Treasurer: Molly Martinez, CPA 880-3841 mhmartinez@kpmg.com
Past President: Alan Gutowski
Liz Armijo 241-4607 earmijo@pnm.com
Paul Brown (incoming) 768-3155 ptbrown@cabq.gov
Michael Boland 241-4620 mboland@pnm.com
Lynette Fridley (incoming) 768-3138 lfridley@cabq.gov
Chuck Grosso, CIA, CGAP 844-3950 cbgross@sandia.gov
Jay Hoppe (incoming) 241-7645 ghoppe@fsbnm.com
Laura Lang, CIA, CISA 284-2452 llang@sandia.gov
Dwayne Neil, CPA, CFSA 342-8817 dneil@usnmfcu.org
Carolyn Ortega 880-3847 cortega@kpmg.com
Katharine Rebolledo 237-7338 krebolledo@slfcu.org
Allen Wesson, CIA, CPA, CGAP 880-3724 wesson@aps.edu
Kathy Wolf, CPA 284-2963 kawolf@sandia.gov
Debra D. Yoshimura, CIA, CPA, CGAP 277-5016 dyoshi@unm.edu

IIA International Internet Address: http://www.theiia.org
IIA Albuquerque Chapter Internet Address: http://www.theiia.org/chapters/index.cfm?cid=135

NEWSLETTER FEATURES:
THE PRESIDENT'S MONTHLY MESSAGE
THE EDITOR'S CORNER
ANNOUNCEMENTS
JOB OPPORTUNITIES
THE AUDITOR'S TOOL KIT (NEW FEATURE THIS MONTH!!!)
OTHER FEATURES
MONTHLY IIA CHAPTER MEETING PAGE
The President's Monthly Message

The Newsletter Editor, Chuck Grosso, is currently on vacation and may live to regret turning the newsletter over to me to wrap up before distribution. Let's see what havoc can be wrought in a few days.

A request: Many of you will not be receiving the newsletter via e-mail. The reason for that is relatively simple: I don't have good e-mail addresses for about 60 people on the distribution list. I will send this to the entire distribution list again this month, but will start eliminating bad addresses from my list next month. I get plenty of e-mail already without adding all of the undeliverable messages. Unfortunately, since you who don't know who you are will not see this message unless you happen to check the web site or have a compassionate friend who checks to see if you have received a copy. (Is that an oxymoron, a compassionate internal auditor?) I thought about publishing a listing of those with bad addresses in the newsletter, but decided that might be bad form, even for an auditor. So, if you see this and haven't been receiving your e-mailed copy, log onto The IIA website (www.theiia.org) and make sure your profile is up to date. If you know of someone who isn't receiving a copy and should be, pass this request on to them. I know I would appreciate it, and I am sure The IIA would also.

What else is happening? Actually, quite a few things. Allen Wesson is busy pulling together our Fall Seminar and the November CIA/CGAP/CCSA/CFSA exams. Alan Gutowski and Allen Wesson are working the August chapter meeting and have arranged for Anthony Armijo from the State Comptrollers Office to speak on Writing Craftsmanship. This will be a four CPE course offered in the Santa Fe area.

Planning on taking the CIA (or CCSA, CFSA or CGAP) exam this November? Then you will want to block out November 16th for parts I and II and/or November 17th for parts III and IV or the other exams.
We won't be offering a test preparation seminar this year, but there are plenty of other aids available. Check them out and make this the year that you acquire your certification.

Starting this month, the newsletter editor is beginning The Auditor's Tool Kit. This is more than just another column. We might actually reward you for reading and participating. Take a look and see if you are as sharp as you have been telling everyone you are. Good luck.

Mike Robertson, President

The Editor's Corner

Audit-Related Articles Needed!!!

Internal Auditing may play a central role in the risk identification and management strategy of any organization. Many of us regularly encounter complex situations with clients or customers that require a good deal of professionalism and problem solving skills. Share your experiences with your colleagues! If you have an audit story that you would like to share with the IIA local chapter, please consider submitting a brief article for publication (perhaps less than one thousand words) in the Audit Tales Newsletter. Articles for submission should be sent to Mike Robertson at marober@sandia.gov or Chuck Grosso at cbgross@sandia.gov by the 27th of the month in order to be considered for inclusion in a future edition of Audit Tales.

Submission of Newsletter Materials

Should you want to submit an announcement or other feature for inclusion in a subsequent edition of Audit Tales, please submit your item to Chuck Grosso at cbgross@sandia.gov by the 27th of each month for consideration.
Announcements

July Meeting

This month's IIA Chapter meeting is set for Tuesday, July 19, 2005, from 11:30 a.m. to 1:00 p.m. (2 CPE credits). Gail Reese, CPA, will address the topic of The Internal Audit from the Auditee's Perspective. The meeting will convene at Sadies of New Mexico, 6230 Fourth Street, NW. More detailed meeting information is included below on the Monthly Meeting page.

Driving A Great Audit! - The Fall Seminar

Our fall seminar will be October 6 and 7 at Traditions. Leita Hart is presenting a combination of Essential Skills for the Beginning Auditor and Driving A Great Audit. This seminar will provide the new auditor with essential audit skills and review the basic procedures for experienced auditors. Leita is also focusing on managing the audit project and the factors required for success. Leita conducted a seminar last year and was outstanding. We had many requests for her return. Cost of the seminar is $325 for IIA members and $400 for non-members for 16 CPE. Nonmembers, who have never been members, will receive a one-year membership to the IIA. Breakfast, lunch and afternoon snacks will be provided along with an opportunity to win gift certificates. The registration form will be in next month's newsletter. This is another great CPE opportunity offered by your local chapter. Plan on attending. You will have a difficult time finding higher quality or cheaper CPE.

Allen Wesson

Certification Exams

November 16th (parts I and II)
November 17th (parts III and IV, CCSA, CFSA or CGAP)
Application Deadline: September 30, 2005

Call for Member Certification Update

It's important for your local chapter to know what certifications its members hold. The Chapter has goals for its membership to hold a certain percentage of various certifications and we would like to monitor our achievement of these goals. Please contact the IIA at 407-937-1100 to notify the Institute of your certification(s).
In the near future you will be able to access and edit your personal profile at www.theiia.org.

John Trujillo, Membership VP

Job Opportunities

If you have information of available jobs in the field of Internal Auditing and would like to share it with IIA Chapter members, please submit it to Chuck Grosso at cbgross@sandia.gov for inclusion in a later edition of Audit Tales.

FIRST STATE BANK JOB POSTING
DATE: July 6, 2005
TITLE: Information Security Officer
FLSA: Exempt
LOCATION: Pan Am Center Albuquerque
REPORTS TO: George Walker, SVP/Chief Information Officer

If interested in this position, submit resume and job application to George Walker, SVP/Chief Information Officer, First State Bank NM, P.O. Box 3686, Albuquerque, NM 87190

GENERAL SUMMARY: Under direction and guidance of the Chief Information Officer, this position is responsible for developing and disseminating information security policies, monitoring compliance with and reviewing the effectiveness of information security policies and procedures, evaluating and recommending changes in bank-wide information security practices, collaborating on security training, as well as developing strategies and plans to ensure the timely and accurate restoration of customer and bank information systems in the event of a serious disruption. This position develops and monitors practices to ensure that the bank's systems are secure from unauthorized access, protected from inappropriate alteration, physically secure, and available to authorized users in a timely fashion.

ESSENTIAL FUNCTIONS:
1. Directs, manages, plans and administers the operational and administrative activities associated with the running of the IT security department.
2. Develops and implements security standards, policies, procedures and guidelines for the Bank's systems and platforms and ensures their compliance.
3. Reviews the development, testing and implementation of security plans, products and control techniques.
4. Identifies and accesses IT security risk/exposure on new and existing infrastructure.
5. Investigates and recommends appropriate corrective actions for IT security incidents.
6. Performs and documents annual security and privacy risk assessments on all technology systems and reports results to CIO, compliance officer and/or bank board.
7. Provides ongoing training within the IT department on security related policies to ensure all staff is knowledgeable on bank security related policies.
8. Performs regular audits on computer user setups, changes, account lockouts and account disables to ensure policies are being followed and changes are done accurately and correctly.
9. Leads the Computer Security incident response team; updates and maintains incident response policies and procedures; coordinates periodic incident response walk-throughs to test incident response.
10. Maintains incident response documentation (individual incidents) and reports periodically to the bank board for review.
11. Provides periodic training for incident response to team members as well as to the training department for end user training.
12. Performs monthly review of firewall, intrusion detection and internet access system logs; reports any anomalies to the CIO and takes necessary action to correct anomalies.
13. Ensures adequate security systems are in place to control IT risk within the bank.
14. Update, maintain, enforce and monitor changes management policies and procedures; reviews change management logs to ensure compliance with policies.
15. Completes other tasks as necessary.

REQUIRED QUALIFICATIONS:

Education: Bachelor's degree in Business, Accounting, Computer Science or MIS required. Professional certification is not required for this position, however, industry recognized certifications such as CISSP, CNA or CISA, are desirable.

Work Experience: At least 5 years of practical and progressive experience in banking or a related industry, bank information technology and/or financial institutions security industry and should possess a thorough knowledge of financial institution information technology and networking operations and related control and risk management systems.

Skills: Knowledge and background in security concepts including experience in information and physical security or a related field; experienced in the management of both physical and logical information security systems; ability to weigh business risk and enforce appropriate information security measures; in-depth knowledge of GLBA, Sarbanes Oxley and other technology regulations. Must possess a high degree of integrity and trust along with the ability to work independently. Must possess strong problem solving skills. Excellent team building and mentoring skills. Must be able to effectively communicate with team members, internal customers and bank management. Ability to create clear, accurate and easily understandable technical documents, policies, proposals and project plans. Must be able to analyze technology and product changes and apply them to changing customer needs and bank business goals. Excellent customer service and interpersonal skills. Must be able to effectively delegate responsibility. Must be able to supervise staff in accordance with federal, state and internal bank regulations and policies.
Other Job Related Criteria: Must be able to adapt to rapidly changing technology and user requirements. Must be able to work flexible hours when necessary to complete projects during non-banking hours. Projects a positive professional image and promotes a team environment. This position requires strong written and oral communications skills as this position will be required to summarize the results of their work, comments and recommendations in written reports, and also in presentations to senior management and the Board of Directors. Must define and support the goals and objectives of the Information Systems department and support the values and business goals of the bank.

The above information is intended to describe the general content of and requirements for the performance of this job. It is not to be construed as an exhaustive statement of duties, responsibilities or requirements. The principal duties and responsibilities are all essential functions of the job.

FIRST STATE BANK
An Equal Opportunity Employer AA/M/F/V/D

The Auditor's Tool Kit

The Auditor's Tool Kit is a new feature in Audit Tales this month. Its purpose is to provide some basic instruction on auditing tools, practices and terminology, as well as to stimulate interest in the newsletter.

This is how it works! Each month, The Auditor's Tool Kit will feature a brief description of or question about an auditing practice, principle, term or other audit-related theme or item. Chapter members are invited to correctly identify or name the practice, principle, term or answer the question. The first person to e-mail the correct answer to Chuck Grosso at cbgross@sandia.gov will win the contest and be awarded the prize (to be announced later). Second and third place respondents, if any, will receive honorable mention in the newsletter.

This month's question is: What term does the following language describe?

This term describes a fundamental deficiency that results in a nonconformance that must be corrected to prevent recurrence.
Chuck Grosso, Editor

Other Features

Don't Forget to Visit Our Chapter's Website

Don't forget to visit the local IIA chapter's website. Contact Kathy Wolf for more information (284-2963). The website may be accessed at the following URL: http://www.theiia.org/chapters/index.cfm?cid=135
Monthly IIA Chapter Meeting Page

Speaker Name: Gail Reese, CPA
Topic: Internal Audit from the perspective of the Auditee
Speaker Bio: Watch your e-mail for the speaker's biography coming soon to an e-mailbox near you.
Date: Tuesday, July 19, 2005
Time: Networking 11:30 a.m. to 12:00 noon; Speaker 12:00 noon to 1:00 p.m.
Place: Sadies of New Mexico, 6230 Fourth St. N.W., Albuquerque, New Mexico, (505) 345-5339
Price: $12.00 for IIA Members; $15.00 for Non-IIA Members for 1 CPE
Menu: Choice of one entrée from the list below (includes chips, salsa, and sopapillas); plus a beverage:
Combination: Chile Relleno, Taco, Rolled Enchilada (Chicken or Beef)
Chile Relleno Dinner
Burrito Dinner: Chicken, Beef, or Bean
Taco Dinner: Chicken, Beef, or Bean
Stacked Enchiladas: Chicken or Beef

Reservations: Contact Alan Gutowski at 768-3166, or email at: agutowski@cabq.gov by July 14, 2005, by 5:00 pm. If you RSVP for the meeting and are unable to attend, please contact Alan by 5:00 p.m. on Monday, July 18 by 10:00 am to cancel the reservation. If you do not cancel your reservation, you will be charged for the meeting.

Also, please let Alan know: (1) what your choice of entrée is, (2) if you and/or your guest(s) are IIA members, and (3) if you will need a receipt.

Alan Gutowski, Programs VP