“The staff who design, implement, monitor and support your controls have an inherent conflict of interest when evaluating the effectiveness of these controls”.
“Whenever security duties are combined with other operational duties, individuals can use their security privileges to cover up activities related to their operational duties”.
“If misused, the elevated rights and permissions can result in significant harm to the Confidentiality and Integrity of an organization’s assets. Because of this it is important to monitor privileged entries and their assets”.
“We often don’t pay enough (or much) attention to protecting our organizations against the malicious insider, even though they can often pose the greatest risk to our computing assets”.
“IT staff, sub-contractors and third-party organizations providing professional IT services control some of your most significant assets. Are they accountable to themselves? Who checks what they are doing? An audit is a key element of due care. I would be concerned if they objected to a third-party auditing their work!”.
“When duties are properly segregated, no single person will have the ability to commit fraud or make a mistake and have the ability to cover it up”.
“Your Security is only as good as your weakest link”.
“Many organizations have effective policies. However, just because policies are in place does not mean they know about them or follow them”.
“External auditors have a high degree of external validity because the auditors providing the assessment should have no conflict of interest with the organization itself”.
“External audits provide a level of objectivity that internal staff cannot provide. They bring a fresh outside perspective to internal policies, practices and procedures”.