Vol. 10, August 10, 2007

Using XBRL: Audit and Control Implications

Extensible business reporting language, commonly known as XBRL, standardizes the way organizations collect, prepare, and share business information. However, organizations and internal auditors need to become acquainted with the different control issues that might impact XBRL use and its effectiveness.


According to Charles Hoffman, the founding father of XBRL and the director of industry solutions and financial reporting for UBmatrix, the benefits of XBRL extend beyond the creation of end reports and touch all aspects of the information supply chain. XBRL standardizes data formats through the use of agreed-upon tags (a type of metadata involving the association of descriptors with objects), simplifying the way data is imported, converted, and presented in business and financial reports. "Using XBRL streamlines the work for internal auditors and enables organizations to reduce reporting errors and risks," explains Hoffman.

"XBRL is an application of extensible markup language (XML) to business data that uses standardized tags to describe this information, thus making business information immediately reusable and interactive," says Mike Willis, a partner with PricewaterhouseCoopers (PwC) and the founding chairman of XBRL International, a consortium of more than 500 companies and agencies worldwide that build XBRL and promote and support its adoption. "Because XBRL is an Internet-based information standard, it enables the seamless flow of information from one organization to another, as well as the customization of data for different reporting purposes," he adds.


A Brief History of XBRL

1998  While researching XML for financial information reports, Charles Hoffman begins to develop prototypes of financial statements and auditing programs using XML. Later that year, the American Institute of Certified Public Accountants (AICPA) is made aware of the work, and its “High Tech Task Force” proposes the creation of a prototype for financial statements using XML. The project is granted financial backing by the AICPA.

1999  The prototype is completed and presented, describing XML as important for the accounting profession. The AICPA requests a business plan to perform research into the commercial potential of XML and names the project XFRML. The first meeting is held at the AICPA in New York in October 1999.

2000  The name of the organization is officially changed to XBRL. The XBRL committee announces the presentation of the first specification for financial statements for American businesses. The membership of the committee increases significantly.

2005  The Federal Reserve Board and the Office of the Comptroller of the Currency launch an XBRL campaign involving quarterly bank statements from 8,300 U.S. banks.

2006  A white paper is released describing the FDIC project as a huge success.

Because XBRL uses common templates for the analysis of business reports, many internal auditors are taking the lead in converting the outputs of dissimilar systems into XBRL documents as a way to maximize audit review efforts. However, before embarking on an XBRL initiative, auditors need to be aware of the different audit and control issues associated with its use, especially for created end reports that require internal audit assurance. Armed with this knowledge, auditors will be able to maximize XBRL use and add more value to companywide information supply chain activities.


Although the application of XBRL has the potential to improve data analysis, accelerate the use of continuous auditing, reduce the proliferation of spreadsheets throughout the information supply chain, and enhance two-way audit trails, internal auditors interested in the use of XBRL need to be cognizant of the different challenges associated with its use. (For more information about the internal audit benefits of XBRL, read ITAudit's "Got XBRL?" article, published on June 10, 2007.)

"The good news about XBRL is that it allows organizations to create, publish, and consume detailed business information through the use of clear text and standardized tags," comments Eric E. Cohen, XBRL technical leader for PwC. "The bad news is the good news — that XBRL data is easy to create, publish, and consume, thanks to the use of clear text and standardized tags." According to Cohen, this is because XBRL could be used for industrial espionage or other nefarious purposes unless appropriate security measures are implemented such as XML signatures and encryption. “Although this is a temporary challenge, it is a challenge nonetheless,” Cohen adds.   

In 2002, the Canadian Institute of Chartered Accountants (CICA) published a report, Audit & Control: Implications of XBRL (PDF, 204 KB), that describes three kinds of risks organizations may face when using XBRL for financial reporting — risks of errors, control issues, and assurance issues. Although CICA describes these risks as part of the financial reporting process, these risks can impact other kinds of business reporting as well. Below is a description of each risk and recommendations internal auditors can provide to organizations interested in implementing XBRL.

Risks of Errors
Error risks center around the accurate mapping of business information to tags and the use of appropriate taxonomies (i.e., XBRL dictionaries that define the specific tags for individual items of data). Hence, mapping tags accurately ensures that the data retrieved is correct. Consequently, without an effective internal control structure to ensure accurate tagging, the data retrieved can represent invalid and inaccurate transactions.

The importance of accurate tagging and mapping of information is increased when data is streamed in real time and automated; the risk of error in the statement or report increases, depending on existing change management controls and the effectiveness of the controls that oversee changes in the mapping of data to tags. This also creates additional risks because the data mapped to a particular tag may change without the organization's knowledge due to a faulty control, which increases the likelihood of errors. As a result, when XBRL instance documents are generated in real time, tests of the mapping algorithms captured in the conversion software used to turn business data into tags must be comprehensive to ensure that the converted information retains its accuracy and integrity.

Control Issues
XBRL control risks pertain to the use of appropriate taxonomies, tagging of data, and the integrity of the tagged data. "Ensuring that the client has used the appropriate taxonomy in the creation of their filings or financial reports is a major audit and control issue," explains Diane Mueller, vice president of XBRL Development for JustSystems Inc. and a member at-large of the XBRL International Steering Committee. "Auditors, therefore, must be aware of the different taxonomies in existence and ensure that the appropriate one is being used." (See the U.S. Financial Reporting Taxonomy Framework overview.)

Once the appropriate taxonomy is chosen, the next area of risk is the actual tagging of data. "Taxonomies can be complex hierarchies and contain thousands of concepts," Mueller continues. "Correctly choosing what information to map to each tag can be difficult when learning how to navigate the tools and taxonomies in the tagging process." For example, organizations need to have a system in place that ensures the appropriate taxonomy was chosen when preparing a financial statement. Therefore, staff working on the business report need to be knowledgeable about the requirements of a particular report and the taxonomy used so they can pick the right taxonomy. Otherwise, the organization runs the risk that tags are implemented incorrectly, which affects the accuracy of the reported information throughout the entire information supply chain. 

When reviewing the taxonomy for its appropriateness, auditors should review the details of the taxonomy to determine whether they are up-to-date with current business and reporting requirements and whether the taxonomy is applied correctly. In addition, auditors need to determine whether there are procedures in place to ensure that the tagging of data is complete and accurate. These procedures include review and approval activities by a knowledgeable person on:

  • The tagging that is applied.
  • The data elements to which tags are applied.
  • The consistency of tagged data elements with the requirements of the taxonomy being used.

Finally, auditors need to examine whether there is an approval process in place that describes how financial statements should be created from tagged data for inclusion on Web sites or for other purposes. These procedures should be applied to business reports generated at any point in time and should be required for any report updates. For reports generated on a real-time basis, the organization should implement a more complex set of procedures that ensure the integrity and accuracy of changes to tagged data on an ongoing basis.

Assurance Issues
Where assurance is concerned, auditors need to pay close attention to the different issues that might impact XBRL use and its effectiveness. "Auditors should use multiple validation tools to ascertain the quality of the data in the XBRL report and not just rely on the preparer's tool for validation assurance," explains Mueller. "This is because different tools have slightly different approaches for tagging business reports with XBRL tags, and preparers might have their own built-in validation processes, which may not be as rigorous as the tests conducted by other users." As a result, testing the validity of the tags with another validation tool is a good practice when auditing XBRL business report filings. "This second opinion can flush out any issues concerning the improper use of tags, conflicting contexts, improper extension of base taxonomies, or just missing information," adds Mueller.

Different assurance issues auditors need to pay close attention to include:

  • Reviewing policies and procedures that describe how XBRL statements are generated at a point in time. To make sure these policies and procedures are effective, auditors need to review the controls that oversee the use of an appropriate taxonomy, the tagging of data, and the integrity of tagged data. Auditors also need to document and test these controls for their effectiveness and determine if the appropriate taxonomy is used when generating the statement. Finally, auditors need to test the data tagging procedure to determine if it is appropriate and includes all the data required.
  • Reviewing procedures that describe how statements are generated on a real-time basis. When XBRL is used on a real-time basis, additional controls may be needed to ensure the integrity and accuracy of the tagged data. As a result, auditors need to identify and evaluate these controls. Furthermore, any online monitoring and exception reporting software used by the organization also can be used for assurance purposes. For instance, continuous audit procedures can be developed to flag conditions based on the most appropriate exception reports, such as unauthorized changes in selected data elements, while other audit software can be used to monitor selected conditions and generate periodic reports at random intervals for audit activities.

As stated earlier, picking the right taxonomy is one of the most important issues auditors need to pay close attention to — if the right taxonomy is not picked, the auditor may be unaware there is an error in the reported data. To verify whether XBRL documents conform to applicable XBRL taxonomies and specifications, the AICPA and the Public Company Accounting Oversight Board recommend that organizations render the report. (See Attest Engagements Regarding XBRL Financial Information Furnished Under the XBRL Voluntary Financial Reporting Program on the Edgar System [PDF, 59 KB].)

"Rendering means to convert the XBRL tags into human-readable form, such as PDFs or printable documents," explains Mueller. Therefore, if somebody gives the auditor a financial statement in an Excel spreadsheet, the auditor would convert the spreadsheet into XBRL and run the data through another program that takes the tags used as part of the chosen taxonomy and puts them back into human-readable form. The auditor would then print the original Excel spreadsheet and the final report from the second application and compare them side by side. If there is a problem with the taxonomy chosen, it will show in the form of missing data. "Another method of reviewing XBRL-tagged documents includes opening the XBRL report as a source-code document and testing the tags in the instance document," Mueller adds.


In addition to the issues associated with choosing the wrong taxonomy discussed above, the use of extension taxonomies may pose additional issues when creating XBRL tags. An extension taxonomy is created by an organization or XBRL user to cover information that is not included in an approved or acknowledged taxonomy. For example, an XBRL user may start applying a taxonomy to a specific financial statement and discover there's a line item that's not covered by the taxonomy. The organization will then create its own specialized dictionary or extension taxonomy for those line items that are not in the main dictionary.

XBRL International recognizes two types of externally developed taxonomies — approved or acknowledged. Approved taxonomies have to comply with the official XBRL guidelines for that type of taxonomy as well as with XBRL Specifications, a technical explanation of what XBRL is and how it works. The current specification for XBRL is version 2.1, which can be found on XBRL International's Recommendations Web page. On the other hand, acknowledged taxonomies only have to comply with the XBRL Specifications. Other taxonomies include those used for financial, statistical, tax, and sustainability reporting, as well as the Global Ledger taxonomy, a special taxonomy that supports collation of data and internal reporting within organizations.

When it comes to extension taxonomies, auditors need to review whether the taxonomy was created and implemented correctly. In addition, users may think they need an extension taxonomy when in fact the tags are already covered in an approved or acknowledged taxonomy. Consequently, they spend additional time creating an extension taxonomy that is not really needed, which increases the chances of introducing errors into the XBRL information supply chain.


Additional issues auditors need to keep in mind include those pertaining to internal controls and risk assessments, as well as problems validating and checking taxonomies and instance documents. Following is a discussion of each.

Internal Controls
As XBRL becomes more integrated in the company's information supply chain, internal controls and their evaluation become more critical. Internal controls will need to be in place for:

  • Creating, using, testing, and maintaining extension taxonomies.
  • Mapping data to XBRL instance documents.
  • Automating subsequent mappings.
  • Performing change management activities related to all aspects of XBRL.

Consequently, internal auditors need to determine whether internal controls are documented properly and collect evidence to test those controls. Before this is done, the internal audit department should create an XBRL audit team to develop a technical understanding of XBRL and prepare an appropriate audit plan.

Auditors need to keep in mind that the XBRL instance document will influence the types of controls that need to be in place. For example, appropriate internal controls should be integrated into the creation of the XBRL instance document, the creation of extension taxonomies, and the testing and maintenance of a taxonomy's processes and procedures. If errors are accidentally injected into the XBRL instance document, or a perpetrator purposely makes changes to commit fraud, internal decisions based on those XBRL instance documents will be distorted.

Risk Assessments
From a risk assessment perspective, XBRL risks can be divided into four categories:

  1. Technology risks.
  2. Mapping errors.
  3. Fraud risks.
  4. External risks.

When examining technology risks, auditors need to determine whether XBRL is being used correctly and whether extension taxonomies are created and implemented correctly. Auditors also need to determine if extension taxonomies and instance documents were reviewed for their quality. One way to do this is by performing a round trip, a process in which the resulting XBRL instance document is rendered into human-readable text. Round tripping enables the auditor to compare the original document to the rendered document line-by-line to determine if the rendered document is a faithful representation of the original document.
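The second-opinion validation Mueller describes above and the round trip described here can be exercised with a small script. The following is an added example, not code from the article or from XBRL International: it parses a constructed XBRL 2.1 instance, checks each fact against a constructed (hypothetical) taxonomy concept list and against the declared contexts, then renders the facts back to concept/value pairs and compares them with the preparer's original figures so that a wrong tag shows up as missing data. The namespace, concept names and figures are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"   # XBRL 2.1 instance namespace

# Constructed (hypothetical) taxonomy: its namespace and the concepts it defines.
TAX_NS = "http://example.com/taxonomy/2007"
TAXONOMY_CONCEPTS = {"Revenue", "CostOfRevenue", "GrossProfit", "Assets"}

# Constructed instance document with two defects an auditor should catch:
#  - GrossProfitt is not a concept of the taxonomy (typo, or an unneeded extension)
#  - Assets references context FY2005, which is never declared
INSTANCE = f"""<?xml version="1.0"?>
<xbrl xmlns="{XBRLI}" xmlns:ex="{TAX_NS}">
  <context id="FY2006">
    <entity><identifier scheme="http://example.com/ids">ACME</identifier></entity>
    <period><startDate>2006-01-01</startDate><endDate>2006-12-31</endDate></period>
  </context>
  <ex:Revenue contextRef="FY2006" decimals="0">1000</ex:Revenue>
  <ex:CostOfRevenue contextRef="FY2006" decimals="0">600</ex:CostOfRevenue>
  <ex:GrossProfitt contextRef="FY2006" decimals="0">400</ex:GrossProfitt>
  <ex:Assets contextRef="FY2005" decimals="0">5000</ex:Assets>
</xbrl>
"""

# The preparer's original figures (the spreadsheet in the text), constructed.
ORIGINAL = {"Revenue": 1000, "CostOfRevenue": 600, "GrossProfit": 400, "Assets": 5000}


def parse_instance(xml_text):
    """Return (declared context ids, list of facts) from an instance document."""
    root = ET.fromstring(xml_text)
    contexts = {c.get("id") for c in root.findall(f"{{{XBRLI}}}context")}
    facts = []
    for el in root:
        ns, _, local = el.tag.partition("}")
        ns = ns.lstrip("{")
        if ns == XBRLI:          # context, unit, etc. are not facts
            continue
        facts.append({"ns": ns, "concept": local,
                      "context": el.get("contextRef"),
                      "value": (el.text or "").strip()})
    return contexts, facts


def validate(xml_text, taxonomy_ns=TAX_NS, taxonomy_concepts=TAXONOMY_CONCEPTS):
    """Second-opinion checks: each concept must exist in the taxonomy and each
    fact must reference a declared context."""
    contexts, facts = parse_instance(xml_text)
    findings = []
    for f in facts:
        if f["ns"] != taxonomy_ns or f["concept"] not in taxonomy_concepts:
            findings.append(f"{f['concept']}: not a concept of the taxonomy "
                            "(typo, or an extension that needs review)")
        if f["context"] not in contexts:
            findings.append(f"{f['concept']}: references undeclared context "
                            f"{f['context']}")
    return findings


def render(xml_text, taxonomy_ns=TAX_NS, taxonomy_concepts=TAXONOMY_CONCEPTS):
    """Render the instance back to concept -> value, as a taxonomy-driven
    renderer would: facts the taxonomy does not define are dropped."""
    _, facts = parse_instance(xml_text)
    return {f["concept"]: int(f["value"]) for f in facts
            if f["ns"] == taxonomy_ns and f["concept"] in taxonomy_concepts}


def round_trip(xml_text, original):
    """Compare the rendered report with the original line by line; a wrong or
    missing tag surfaces as missing data, as the text describes."""
    rendered = render(xml_text)
    differences = []
    for concept, value in original.items():
        if concept not in rendered:
            differences.append(f"{concept}: missing from rendered report "
                               f"(original {value})")
        elif rendered[concept] != value:
            differences.append(f"{concept}: rendered {rendered[concept]}, "
                               f"original {value}")
    return differences


if __name__ == "__main__":
    print("Validation findings:")
    for line in validate(INSTANCE):
        print("  -", line)
    print("Round-trip differences:")
    for line in round_trip(INSTANCE, ORIGINAL):
        print("  -", line)
```

Running the script against the constructed instance reports the mistyped concept and the dangling context, and the round trip shows GrossProfit missing from the rendered report.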

The second kind of risk is related to mapping errors. For example, was the financial statement account mapped to the correct XBRL tag? Answering this question can help internal auditors determine whether the XBRL user who created the instance document made a judgment error (i.e., selecting an inappropriate XBRL tag) or a mechanical error (i.e., inadvertently mapping a concept to the wrong tag). Furthermore, because mapping risks are increased when the XBRL data is created in real time, the auditor may not be able to review the XBRL output. Therefore, algorithms used to tag the XBRL data need to be evaluated during the risk assessment.

The use of real-time reporting also will enable auditors to use continuous auditing. As a result, real-time reporting of XBRL data will not only affect the organization, but the use of continuous audit techniques as well. "Auditors who wish to use XBRL as a way to facilitate continuous auditing should consider becoming acquainted with XBRL by experimenting with it," Hoffman comments. "Build a prototype and try XBRL out. Prototypes are a great way to learn."

Fraud represents a third area of risk. A major question auditors need to ask is whether the XBRL instance document was used to commit fraud. The relative level of fraud risk depends on where XBRL is being used in the information supply chain. For instance, at the end of the supply chain (e.g., when supplying an instance document to the U.S. Securities and Exchange Commission [SEC]), XBRL fraud risk is probably low. This is because perpetrators know it is relatively easy for anybody to compare the official filing with the XBRL instance document and uncover any differences. On the other hand, the risks associated with XBRL instance documents increase when XBRL is used internally by the organization because there may be no paper trail against which to compare instance documents, which also may not be reviewed by an independent third party (e.g., an external auditor).

Finally, internal auditors need to be on the lookout for any external risks that might affect the accuracy of XBRL-generated reports. A major external risk is hacking attempts that exploit vulnerabilities. For instance, because XBRL documents may include internal and external links to the organization, hackers may try to change those links or the linked files. This would enable the hacker to view the source code of an XBRL instance document, identify the names and locations of extension taxonomies, and make changes to the instance document or extension taxonomy. To decrease hacking attempts, auditors need to recommend that organizations have the appropriate firewall and encryption controls in place and that all firewall security controls are tested for their effectiveness.

A second source of external risks is the inappropriate reliance on XBRL documents. When an XBRL document is created, users may download the document directly into an analysis tool, ignoring the paper-based or other official documents that accompany the XBRL report. As a result, the report's consumer may not fully understand or be aware of any limitations that are part of the XBRL instance document, which was made available to the public. For example, the SEC allows companies to submit XBRL documents without their accompanying notes. Therefore, if someone downloads the XBRL document from a company's Web site or the SEC's EDGAR filing system, they may not fully understand all the information included in the report.


"XBRL can be used to overcome existing weaknesses in controls by improving the integration of data within an organization and to its auditors," Cohen explains. Although XBRL use carries its own audit and control implications, it "overcomes many of the issues and problems associated with the filing of paper-based reports and manual audit activities, such as manual entry and re-entry of information, and permits auditors to use centralized and standardized rules and tests," he adds. As a result, becoming acquainted with XBRL — its many benefits and control issues — is of special importance to internal auditors and organizations as countries worldwide start to mandate its use, including the SEC in the United States.

For additional information on the different audit and control issues discussed in this article, auditors can refer to XBRL: Potential Opportunities and Issues for Internal Auditors (2005), published by The Institute of Internal Auditors' Research Foundation.

Glen Gray, Ph.D., CPA, is a professor in the Accounting and Information Systems Department at California State University at Northridge.


All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.


Internal Controls to Examine When Auditing Backend Operations of Messaging Systems

Establishing proper access controls, e-mail archiving, and antivirus safeguards can help organizations move closer toward a secure messaging system.


The ability to communicate effectively and efficiently is a critical component in running a successful organization. To meet this need, organizations rely on some form of electronic messaging or e-mail. For some organizations, losing this resource for a few hours can impact productivity, while for others, minutes without this resource can result in significant financial losses. Businesses rely on e-mail for everything from discussing important issues and scheduling meetings to corresponding with clients and distributing vital information. In addition, electronic evidence now plays a major role in regulatory investigations and court cases. These factors have elevated e-mail to the level of a critical corporate asset. A company's messaging system should be audited regularly to ensure that proper controls are in place.

There are different kinds of messaging systems, each with its own unique attributes; therefore, the information presented here is intentionally generic so that it is as universally applicable as possible. All messaging systems consist of a front-end component, the e-mail client, and a backend component — the messaging server and other parts not visible to the e-mail users. To help mitigate risk in the organization's communication infrastructure, IT auditors should assess backend messaging operations and corresponding policies and procedures for compliance with best practices. This article discusses controls over access to messaging systems, e-mail archiving, and spam filters.


Most chief information officers realize that even with Web filters and firewalls, monitoring an organization's corporate messaging system is necessary to control the risk of security breaches, litigation, and other electronic disasters. These controls not only keep attackers from stealing information from corporate systems, but also are required, in some instances, to monitor what employees are sending to other employees or outside of the company. For instance, a financial services organization may be required to monitor messages sent by employees to ensure that they do not violate insider trading laws or regulations, such as those set forth in New York Stock Exchange Rule 342 and National Association of Securities Dealers Rule 3010, which specify that securities firms have a procedure for supervising electronic communication. Firms should also monitor the communication between their employees and customers so that proper language is used and there are no unrealistic promises.

To comply with these regulations, there should be a monitoring tool that allows the e-mail and instant messaging of specific people to be supervised periodically or as needed. Auditors should review the configuration of any supervisory application. How are the people to be supervised selected? Who conducts the supervision, and how are they monitored to ensure that they are actually supervising the e-mail? To verify that the message selection criterion is working, run some sample messages through the system to confirm that they are correctly detected.

An inherent risk of messaging systems is that messaging administrators have the potential to read the e-mails of users and learn information from which they are restricted, because they have access to accounts that have system administration level rights. It is important that all administrator access is closely monitored. Organizations should maintain a documented list of messaging administrators that delineates their roles, responsibilities, and access to the messaging system. The systems group should provide an entitlement report of current administrator rights and privileges. The auditor should take a sample of administrators and confirm that the correct access is in place and that the access specified in the access document is consistent with the segregation of duties as defined by the organization's IT policy. Standard industry best practices can be used to evaluate procedures; for example, there should be maker/checker roles, messaging developers or architects should not have change access to production, etc. In addition, system accounts should be created for specific tasks. The table below shows some examples:


System Task                                                                          | Usage
-------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------
Backup files and folders; administrative rights to all mailboxes.                    | Used by backup software only.
Add a server to the messaging system; administrative rights to the messaging system. | Used by messaging administrators to install the server.
Administrative access to the messaging system.                                       | Used by messaging support to make changes that require more rights than their own accounts.
Access to all mailboxes in the system.                                               | Used by anti-virus software.


Auditors should examine the log report of the messaging system; data mining scripts can be used to verify that the different operational accounts are not used for local login without a specific trouble ticket to justify this. Use of the various system task accounts should be checked against change management for correlation. The auditor should scan the access logs for the dates on which the support_account was used, and then compare them to the dates on the change request forms to see if they are close. Any exceptions should be explained. The system account, which has super-user rights to the messaging system, should not be used by anyone, and the systems group should show evidence that there is a periodic review of the activity of this account.
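The correlation described above can be scripted. The following is an added example, not code from the article: it parses constructed messaging-server logon records, flags interactive logons by task accounts that have no change request within a 24-hour window, and flags any use at all of the super-user account. The log format, the tickets, and every account name other than support_account are constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)            # how close a change request must be to a logon
SUPERUSER = "system"                    # super-user account; must never be used directly
# Task accounts: support_account appears in the article, the others are constructed.
TASK_ACCOUNTS = {"svc_backup", "svc_install", "support_account", "svc_antivirus"}

# Constructed log line format: "<date> <time> LOGON account=<a> host=<h> type=<service|interactive>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) LOGON account=(?P<acct>\S+) "
                    r"host=(?P<host>\S+) type=(?P<type>\S+)$")

# Constructed logon records from the messaging servers.
LOG_LINES = [
    "2007-07-02 02:00:05 LOGON account=svc_backup host=MAIL01 type=service",
    "2007-07-02 10:02:11 LOGON account=support_account host=MAIL01 type=interactive",
    "2007-07-05 14:30:44 LOGON account=support_account host=MAIL02 type=interactive",
    "2007-07-06 08:12:09 LOGON account=system host=MAIL01 type=interactive",
    "2007-07-06 09:00:00 LOGON account=svc_antivirus host=MAIL02 type=service",
    "2007-07-07 11:45:00 LOGON account=svc_install host=MAIL03 type=interactive",
]

# Constructed change request forms: (ticket, account, approved date).
CHANGE_REQUESTS = [
    ("CR-1041", "support_account", "2007-07-02"),
    ("CR-1052", "svc_install", "2007-07-07"),
]


def parse_logons(lines):
    """Turn raw log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "account": m["acct"], "host": m["host"], "type": m["type"],
        })
    return events


def matching_ticket(event, change_requests, window=WINDOW):
    """Return the ticket id of a change request for this account whose
    approval date lies within `window` of the logon, or None."""
    for ticket, account, date in change_requests:
        if account != event["account"]:
            continue
        approved = datetime.strptime(date, "%Y-%m-%d")
        if approved - window <= event["time"] <= approved + window:
            return ticket
    return None


def find_exceptions(lines, change_requests):
    """Exceptions the auditor asks the systems group to explain:
    any super-user logon, and interactive task-account logons without a ticket."""
    exceptions = []
    for ev in parse_logons(lines):
        when = ev["time"].strftime("%Y-%m-%d %H:%M")
        if ev["account"] == SUPERUSER:
            exceptions.append(f"{when} {ev['host']}: super-user account used "
                              f"({ev['type']} logon)")
        elif ev["account"] in TASK_ACCOUNTS and ev["type"] == "interactive":
            if matching_ticket(ev, change_requests) is None:
                exceptions.append(f"{when} {ev['host']}: {ev['account']} "
                                  "interactive logon with no change request")
    return exceptions


if __name__ == "__main__":
    for line in find_exceptions(LOG_LINES, CHANGE_REQUESTS):
        print(line)
```

On the constructed data the script reports the 5 July support_account logon (no ticket) and the 6 July super-user logon, while the two logons covered by CR-1041 and CR-1052 and the service logons pass.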


E-mail archiving has become an important part of organizations' document retention policies because of recent court cases where companies have been ordered to produce e-mail messages. Capturing e-mail communications is also crucial for compliance with legislative requirements and industry regulations. Perhaps most important, the organization must ensure that it has sufficient data backups to recover from a catastrophe. Without strong data retention policies, organizations may not be able to resume operations after a serious disruption.

Even without regulatory retention periods, e-mail is such an integral part of business communications and operations that there must be adequate messaging system backup policies and procedures or service level agreements (SLAs) in place. Auditors should first examine the SLA and find out if the organization's backup schedule is consistent with its requirements. If the SLA specifies a recovery time, for example, that mail will be recovered in two hours, then current backups should be stored onsite. If the SLA states that mail can be recovered to the hour before failure, then the systems group should show evidence that the mail is being backed up every hour. If the backup system fails, then another backup must be done immediately. The auditor should examine what is done in case of backup failures. Is there an escalation tree? Are the data owners informed?

If the organization has no SLA (as with a small or midsized company), the auditor should interview the data owners and find out what their expectations are for data recovery. The auditor should examine critical business operations and check what role the e-mail system has in the process execution. If the e-mail system is down for two hours, is there a potential cost to the company? By examining the defined risk amount thresholds in the company operational risk report to determine if the cost falls in the high- or medium-risk category, the auditor will be able to determine whether the organization is at risk by not having an SLA. Also, if the expectation of the data owners is that e-mail will be restored in four to six hours, find out if that has been communicated to the e-mail administrators.

The entire messaging system should be restored periodically to test the reliability of the backup procedure. If the restore is taking longer than the SLA specifies, the business should be informed or changes should be made to the backup architecture. The systems group should provide a report to the auditor showing that the e-mail backup is periodically restored in the lab to prove the integrity of the backup process. The restore time should be consistent with that stated in the SLA.

For companies that don't have an SLA, it is important to have some kind of signed agreement between IT and the business regarding when data will be restored. The agreement should provide appropriate expectations from management and be included in the recovery plans of the business.


In the past, messaging system users could delete e-mail after reading or sending, or move e-mail to offline storage systems, and at the end of the day the only data that was backed up was the e-mail left in the mailbox. Companies often used this as an excuse for not providing e-mails requested by the courts. Recent legal developments, however, have redefined the retention of electronic communication. U.S. Securities and Exchange Commission Rule 17a-4, NASD Rule 3110, NYSE Rule 440, and Commodity Futures Trading Commission Rule 1.31 all specify data retention periods for books and records. E-mail and instant messaging both fall under this category.

Auditors should find out if the systems group has a process in place for recording each e-mail that is sent or received, regardless of whether or not they are deleted. Companies should request this feature from their messaging vendor. There are also vendor tools for this specific task. If there is no process in place, the auditor should find out from the legal department what risks the company faces. Each business has its own data retention specifics from its regulators, but even for companies outside regulation, it is good practice to implement a policy on data retention. Auditors should review the data retention policy and make sure it is consistent with regulatory requirements.


Because key business operations may depend upon e-mail delivery to complete transactions, it is important to define mail delivery expectations and track results. Groups within the business may use e-mail to ensure timely and efficient communications with customers with the expectation that the customer receives the message within seconds. This is not always the case, however, because of the e-mail system's configuration or the vagaries of the Internet.

The SLA should specify the expected delivery time for e-mail. For instance, "Mail will be delivered in a maximum of fifteen minutes, if all things are equal." There should be a periodic report showing the average mail delivery (AMD) time; this report should be sent to the business for sign-off. If the AMD exceeds the time specified in the SLA, there should be an exception report. The e-mail administrator should supply the auditor with a report showing that the e-mail delivery was tested and that the SLA is still valid. There may also be a daily report produced by the e-mail administrators. Using statistics, the auditor can find the mean value over a period. If it is consistently above SLA time, an explanation should be obtained from the e-mail administrator.

For companies that do not have an SLA specifying delivery time, there should still be a periodic report from the e-mail administrator to the business showing AMD so that there are appropriate expectations. The auditor should check to see if there are any business processes that depend on prompt e-mail delivery. For instance, if customer orders are received via e-mail, what would be the cost to the company if it takes four hours to deliver e-mail? This kind of information will help the auditor determine if the lack of an SLA or of monitoring e-mail delivery times should be flagged as an audit issue.
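As an added example (not part of the article), the following Python script performs the AMD check described above over a constructed delivery log: it computes the average delivery time for the period and per day against the fifteen-minute SLA and produces the exception report, showing why the mean alone can hide individual breaches. The log format is invented for illustration.

```python
"""Audit check for e-mail delivery time against an SLA (added example).

The log format is constructed for illustration: one record per message with the
time the gateway accepted it and the time it was delivered to the mailbox.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Tuple

SLA_MINUTES = 15  # the article's example: delivery within a maximum of fifteen minutes

# Constructed sample log: msgid <TAB> accepted <TAB> delivered (ISO 8601).
SAMPLE_LOG = """\
m001\t2007-08-01T09:00:00\t2007-08-01T09:00:12
m002\t2007-08-01T09:05:00\t2007-08-01T09:06:30
m003\t2007-08-01T10:00:00\t2007-08-01T10:31:00
m004\t2007-08-02T08:00:00\t2007-08-02T08:00:05
m005\t2007-08-02T08:10:00\t2007-08-02T08:12:00
m006\t2007-08-02T14:00:00\t2007-08-02T18:05:00
m007\t2007-08-03T11:00:00\t2007-08-03T11:00:40
"""

Record = Tuple[str, datetime, datetime]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format, skipping blank lines."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        msgid, accepted, delivered = line.split("\t")
        records.append((msgid, datetime.fromisoformat(accepted),
                        datetime.fromisoformat(delivered)))
    return records


def delivery_minutes(records: List[Record]) -> Dict[str, float]:
    """Per-message delivery latency in minutes."""
    return {m: (d - a).total_seconds() / 60 for m, a, d in records}


def average_delivery_minutes(records: List[Record]) -> float:
    """The AMD figure the article asks the e-mail administrator to report."""
    return mean(delivery_minutes(records).values())


def daily_amd(records: List[Record]) -> Dict[str, float]:
    """AMD per calendar day (keyed by the day the message was accepted)."""
    by_day: Dict[str, List[float]] = defaultdict(list)
    for m, a, d in records:
        by_day[a.date().isoformat()].append((d - a).total_seconds() / 60)
    return {day: mean(vals) for day, vals in sorted(by_day.items())}


def exception_report(records: List[Record],
                     sla_minutes: float = SLA_MINUTES) -> List[Tuple[str, float]]:
    """Messages that individually breached the SLA, slowest first.

    A daily mean can hide single breaches (2007-08-01 in the sample passes on
    its AMD although m003 took 31 minutes), so the auditor should ask for this
    list alongside the AMD report.
    """
    late = [(m, t) for m, t in delivery_minutes(records).items() if t > sla_minutes]
    return sorted(late, key=lambda item: item[1], reverse=True)


def sla_met(records: List[Record], sla_minutes: float = SLA_MINUTES) -> bool:
    """True when the period's AMD is within the SLA figure."""
    return average_delivery_minutes(records) <= sla_minutes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"AMD for period: {average_delivery_minutes(recs):.1f} min (SLA {SLA_MINUTES})")
    for day, amd in daily_amd(recs).items():
        flag = "EXCEEDS SLA" if amd > SLA_MINUTES else "ok"
        print(f"  {day}: {amd:6.1f} min  {flag}")
    print("Exception report:", exception_report(recs))
```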


E-mail spam, or unwanted and unsolicited messages, has increased exponentially so that it now makes up 80-90 percent of all e-mail received by companies. These messages may contain viruses, worms, spyware, or any number of more sophisticated hacking methods, which have made the management of organizational e-mail such a risky business.

Auditors can help mitigate these risks by first making sure that there is a spam filter between the Internet gateway and the messaging system. This filter removes most of the “junk” mail sent to the business users. The auditor should test the effectiveness of the application by obtaining the detection logic from the e-mail administrator and sending several test messages to see if they are detected. Spam senders change their methods daily, so the spam logic should be updated frequently. There should be a monthly metrics report sent to the business showing the effectiveness of the spam filter. The auditor should verify this report against the help desk logs to see if there is a correlation with the number of calls regarding spam-related problems.

There should be an antivirus tool on every messaging server to check mail messages and attachments for virus-related issues. The auditor should test the detection logic by using sample virus messages. The configuration should be reviewed by the auditor — for example, he or she should check if the virus database is updated periodically, at least daily, due to the increasing number of virus-related problems. The auditor should also review the periodic metrics report demonstrating the effectiveness of the virus tool.


This article focuses on mitigating risk in backend operations of messaging systems by monitoring access, backing up data, and testing antivirus controls. A follow-up article, which will be featured in the next issue of ITAudit, will discuss other key controls of backend security, including messaging system documentation, file storage, and disaster recovery.

Ike Ugochuku is president of TLK Enterprise, an IT consulting firm. He has over 15 years' experience in the technology industry, working in areas such as IT risk assessment, systems design, integration, and infrastructure management. He has spent a significant part of his career on messaging systems, designing for global corporations, and reviewing and defining process controls to mitigate risks associated with e-mail systems.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.


The Problem With Document Destruction

Organizations can overlook the importance of documents until things go wrong. Make sure document retention and destruction policies and procedures are being implemented before a disaster can occur.


Sound business practices dictate that document management be a priority for most organizations. However, the primary focus of managing information for many organizations centers around securing financial information against theft or unintentional release. While this is certainly a critical component of document management, organizations need to remember that the more routine, day-to-day documents created by employees at all levels can be just as critical to the success or failure of the business. What organizations keep and what they destroy should be a well thought-out process and managed appropriately.

The importance of such materials is evidenced by the growing number of regulatory requirements targeted at nonfinancial information, such as the Anti-terrorism, Crime and Security Act 2001 introduced by the UK government following the terrorist attack in New York on September 11, 2001. This act encourages service providers to follow a voluntary code of practice, under which e-mail is held for a six-month retention period. Internal documents and e-mails also played an important role in the Enron, WorldCom, Parmalat, and Royal Ahold cases. Such requirements and court cases illustrate the changing complexities of document management, which must address both hardcopy materials and electronic data.

Organizations often realize the true value of proper document management when things go wrong, and previously overlooked items take on great significance. Within the internal audit department, one such example is source documents, which should be handled with special care in case they are needed to trace how audit findings, data collection, or transactions were conducted. Oral testimony, without evidentiary support, is not reliable and in a court of law, may be considered inadmissible. What documents organizations keep and what they destroy can send either positive or negative messages when faced with a challenging legal situation.



Putting the Pieces Together

Forensics accountants and other investigators use evidentiary fragments to reconstruct transactions. In the absence of supporting documentation, it is often necessary to reconstruct transactions and contracts. The parol evidence rule, however, precludes the introduction of ancillary evidence which contradicts a written contract. In the absence of the written contract, evidentiary fragments may be used. Because anything outside of a written contract is parol evidence (including testimony about what was said during the negotiations, proposals, or recordings of conversations), the failure to maintain the original records could result in a detrimental judgement. This judgement could be diametrically opposed to what was intended in the written contract.


Serious consideration should be given to the destruction of any document, and it should be noted that the destruction of documents in some cases is not just illegal but criminal. For instance, a company officer or director who destroys or falsifies a document affecting the company's property or affairs is liable to prosecution under the Australian Corporations Act 2001.
According to this law, if there is a suspicion of wrongdoing, individuals must prove that the destruction of documents was not done with the intention to deceive. In many cases, these are statutory strict liability offences. In other words, the prosecution only needs to prove the facts (i.e., that a defendant destroyed the documents). It is up to the defendant to disprove intent. This is not always easy to do in a court of law. In fact, according to section 1309 of the Australian Corporations Act 2001, it is an offence if an officer or employee fails to take reasonable steps to ensure the accuracy and protection of records.

In Victoria, Australia, recent changes to the Crimes Act 1958 have created "a new offense in relation to the destruction of a document or other thing that is, or is reasonably likely to be, required as evidence in a legal proceeding." This act, punishable by up to five years imprisonment, affects anyone who destroys or authorizes the destruction of any document that may be used in a legal proceeding (including potential future legal proceedings).

Under section 286(1) of the Corporations Act, a company must keep “written financial records that: correctly record and explain its transactions and financial position and performance; and would make true and fair financial statements able to be prepared and audited.”

If a dispute has previously arisen or is considered likely, it is hazardous to destroy any documents. Cases where provisions for litigation have been included in audit reports are a strong example. In instances where it is probable that a dispute may arise, or after a dispute has begun, a conscious choice to destroy documents could make one liable under the criminal offence of obstructing justice.


Leveraging Technology to Manage Document Retention

One way for organizations to manage their process is to leverage readily available advanced technologies, such as scanners to preserve files. Coupled with optical character recognition (OCR), scanned images can be stored both as an original copy for evidentiary purposes and as a tagged document with keywords for searching. Use of this technology minimizes the risk associated with paper records, especially when searching through paper documents within certain date ranges. Furthermore, scanned images can be dated and automatically marked for deletion at the end of their retention period.

Ask any forensic accountant; the existence of omitted documents is usually easy to trace because they are referred to in existing documents. If the case goes to court, it is necessary to list not only documents in one's possession, custody, or power but also those that once existed and have been destroyed.

The destruction of documents can adversely influence a case through inference, as demonstrated in the United Kingdom, Infabrics v. Jaytex. After the commencement of the case, it was discovered that most of the invoices, stock records, and similar documents had been destroyed. The judge stated that he was "not prepared to give the defendants the benefit of any doubt or to draw an inference in their favor where a document, if not destroyed, would have established the matter beyond doubt."


With the increasing requirements for electronic documents, companies should update their document retention policies. These policies should not be disorganized or ad hoc. In the past, there were definite limitations on how long files should be retained (with most professions keeping papers for at least seven years). However, recent decisions made by courts all over the world requiring organizations to keep records for a period after the final transaction, not from when the document was created, make establishing general guidelines more difficult.

Leading practices in the area of document management suggest that companies should adopt a document retention policy that ensures items are only discarded or destroyed in accordance with governing regulations and in a systematic manner. Developing a written policy on document destruction and retention, to be applied consistently, is a shrewd move on the part of any organization.


The minimum requirement for data retention varies widely across jurisdictions, countries, and oftentimes, business disciplines, as illustrated by some of the wide variations reflected in Figure 1 below.

Figure 1. Examples of Data Retention Requirements

  Record type                    Retention requirement
  Web activity data              4 days retention period
  Basic commercial contracts     6 years after discharge or completion
  (type not given)               12 years after discharge
  Land contracts                 12 years after discharge
  Product liability              A minimum of 10 years
  Patent deeds                   20 years
  (type not given)               Life of trademark plus 6 years
  (type not given)               50 years after author’s death


Document management is not an issue confined to Australia and the UK. Rather, it is an ever-growing concern for organizations throughout the world. In particular, the increasing use and complexity of document management systems and databases is driving an invigorated need to implement effective controls. It is no longer enough for the internal IT auditor to rely on an isolated snapshot of the system. It is essential that an understanding of document retention requirements based on jurisdictional specifications be maintained.


International Organization for Standardization (ISO) 27001 Guidance on Document Retention

ISO 27001 states that "records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the information security management system (ISMS). They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable, and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records shall be documented and implemented."

There are a number of steps that internal auditors can use to aid in auditing electronic documents. By incorporating controls into databases and other systems, the audit staff are able to ensure that legislative requirements are being met. Some steps that may be undertaken include:
  • Classifying all documents that are scanned or electronically created using systems of automated controls and allocations. Electronic records management systems are becoming more commonly used for this task as they can automate the allocation of documents to a classification that best reflects the material they contain.
  • Using digital analysis techniques and data mining to search through system storage and data warehouses for keywords and classifications. The rise of data warehousing has led to the ability to configure automated searches for data that has been incorrectly classified or is past its retention period using text mining.
  • Configuring key fields in databases and making rules to create isolated copies of required documents. By configuring a centralized store of documents, key document recovery is a more efficient process. Many banks and credit unions have implemented processes that centralize and manage transaction confirmations, retirement information, loan applications, and even meeting notes or minutes.
  • Implementing formal policies and procedures. ISO 27001, ISO 15489 (Information and Documentation — Records Management), and the Model Requirements for the Management of Electronic Records provide guidelines for data retention.
  • Using network scanning to check traffic against the defined classifications. An intrusion detection system may be configured to alert on key phrases and on classified data sent over unauthorized channels (e.g., unencrypted e-mail). Databases may be tested to ensure that sensitive data is retained only in secured tables.
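The following Python module is an added example (not from the article) that ties together the retention rules in Figure 1, the point that the clock often runs from discharge or another final event rather than from creation, the legal-hold caution about destroying documents once a dispute is likely, and the automated search for records past their retention period listed above. The schedule, document index, hold list, and dates are all constructed.

```python
"""Retention-period and disposal check for a document index (added example).

Rules follow the article's Figure 1 and its point that the clock often runs
from the final transaction (discharge, death, expiry), not from creation; the
document index, the hold list and the trigger dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class RetentionRule:
    trigger: str        # event that starts the clock, e.g. "created", "discharged"
    years: int = 0
    days: int = 0


# Constructed schedule modelled on Figure 1; a real one comes from counsel and regulators.
SCHEDULE: Dict[str, RetentionRule] = {
    "web_activity": RetentionRule(trigger="created", days=4),
    "commercial_contract": RetentionRule(trigger="discharged", years=6),
    "land_contract": RetentionRule(trigger="discharged", years=12),
    "product_liability": RetentionRule(trigger="created", years=10),
    "patent_deed": RetentionRule(trigger="created", years=20),
    "trademark": RetentionRule(trigger="expired", years=6),      # life of mark plus 6 years
    "copyright_work": RetentionRule(trigger="author_death", years=50),
}


@dataclass
class Document:
    doc_id: str
    doc_class: str
    events: Dict[str, date] = field(default_factory=dict)   # trigger name -> date it happened


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(doc: Document, schedule: Dict[str, RetentionRule] = SCHEDULE) -> Optional[date]:
    """Earliest date the document may be destroyed, or None while the trigger
    event (e.g. discharge of the contract) has not yet happened."""
    rule = schedule[doc.doc_class]
    start = doc.events.get(rule.trigger)
    if start is None:
        return None
    return add_years(start, rule.years) + timedelta(days=rule.days)


def disposition(doc: Document, today: date, holds: Set[str]) -> str:
    """HOLD: legal hold; AWAITING_TRIGGER: clock not started; RETAIN; ELIGIBLE."""
    if doc.doc_id in holds or doc.doc_class in holds:
        return "HOLD"          # a dispute exists or is likely: destruction is hazardous
    due = disposal_date(doc)
    if due is None:
        return "AWAITING_TRIGGER"
    return "ELIGIBLE" if today >= due else "RETAIN"


def past_retention(docs: List[Document], today: date, holds: Set[str]) -> List[str]:
    """The automated search for records past their retention period, honouring holds."""
    return [d.doc_id for d in docs if disposition(d, today, holds) == "ELIGIBLE"]


# Constructed index. Note r2: counted from creation it would have been due in
# 2005, but the six years run from discharge, so it is due 2007-03-31.
INDEX: List[Document] = [
    Document("r1", "web_activity", {"created": date(2007, 7, 20)}),
    Document("r2", "commercial_contract", {"created": date(1999, 1, 10), "discharged": date(2001, 3, 31)}),
    Document("r3", "commercial_contract", {"created": date(2000, 5, 1)}),
    Document("r4", "land_contract", {"discharged": date(1996, 6, 30)}),
    Document("r5", "commercial_contract", {"discharged": date(2000, 12, 1)}),
    Document("r6", "copyright_work", {"author_death": date(1950, 2, 28)}),
    Document("r7", "trademark", {"expired": date(2003, 1, 15)}),
]
LEGAL_HOLDS: Set[str] = {"r5"}   # constructed: r5 is the subject of a pending dispute
AS_OF = date(2007, 8, 10)         # the newsletter's issue date


if __name__ == "__main__":
    for doc in INDEX:
        print(f"{doc.doc_id:3} {doc.doc_class:20} due={disposal_date(doc)}  "
              f"{disposition(doc, AS_OF, LEGAL_HOLDS)}")
    print("Eligible for destruction:", past_retention(INDEX, AS_OF, LEGAL_HOLDS))
```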


Organizations and their internal audit departments need to stay vigilant in their oversight of the document management process, paying special attention to items that seem to get lower levels of attention than financial data. Also, it is wise for organizations to remember that e-mail has become a common means to distribute board minutes, reports, and other sensitive data. As such, the need to define data retention strategies has only increased. So don't wait until the next time your organization decides to purge files, e-mails, or other miscellaneous electronic documents — make sure document retention and destruction policies and procedures are being implemented before a disaster can occur. Remember, there is much more to document retention than managing disk space.

Craig Wright is a manager of information systems in Sydney, Australia. He is currently working on his tenth academic degree.



Public and Private Entities Face Significant Cybercrime Challenges

Cybercrime’s impact on the U.S. economy reflects billion-dollar losses and threatens national security, according to the recent Government Accountability Office study, Public and Private Entities Face Challenges in Addressing Cyber Threats. A 2005 Federal Bureau of Investigation (FBI) survey estimated the annual loss due to computer crime at US $67.2 billion. In addition, a coordinated cyber attack by U.S. adversaries, including terrorist organizations and nation-states, could result in a significant disruption in financial sectors, air traffic control, and electric power distribution. Terrorist organizations have raised money using cybercrime as well, according to FBI testimony.

To combat the growing threat of cybercrime, GAO says that the Department of Justice, Homeland Security, and Department of Defense, and the Federal Trade Commission, as well as state and local law enforcement entities, are responsible for protecting against and prosecuting those who commit cybercrime. Private businesses (e.g., software developers and Internet service providers) can assist by developing technology to detect and protect against cybercrime, and by aiding investigators in gathering evidence. Information-sharing partnerships between the public and private sector, both nationally and internationally, are also key in the efforts to fight cybercrime, according to the study.

The study acknowledged a number of challenges in addressing cyber threats, including those faced by law enforcement. One of the specific risks involves the FBI’s and Secret Service’s policies of rotating staff, which result in the agencies having a difficult time training and retaining personnel with the technological skills necessary to detect and prosecute cybercrime. GAO outlined these and other challenges in the following chart:



  • Reporting cybercrime.
      • Accurately reporting cybercrime to law enforcement.
  • Ensuring adequate law enforcement analytical and technical capabilities.
      • Obtaining and retaining investigators, prosecutors, and cyberforensics examiners.
      • Keeping up-to-date with current technology and criminal techniques.
  • Working in a borderless environment with laws of multiple jurisdictions.
      • Investigating and prosecuting cybercrime that transcends borders with laws and legal procedures of multiple jurisdictions.
  • Implementing information security practices and raising awareness.
      • Protecting information and information systems.
      • Raising awareness about criminal behavior.


In conclusion, GAO gave specific recommendations to the Attorney General and the Secretary of Homeland Security to help ensure adequate law enforcement analytical and technical capabilities. In addition, the study reported that despite efforts to raise awareness among users, additional support is needed by both the public and private sectors to educate consumers and end-users in recognizing cyber attacks.

GAO’s report is available for download (PDF, 1.51 MB).



Why IT Compliance Pays

Ninety percent of businesses fail in their efforts to comply with industry data-handling regulations that would decrease the risk of a serious data leak, according to a consortium of IT compliance and security experts in a new survey conducted by the IT Policy Compliance Group. The survey, Why Compliance Pays: Reputations and Revenues at Risk – July 2007, which included 475 companies — one third of whom reported revenues of more than one billion last year — concluded that the vast majority of companies do not have sufficient policies in place to meet governance regulations and adequately mitigate the risk of a data breach.

An overwhelming majority of the firms surveyed expect to experience a minimum of six business disruptions caused by major data incidents per year, and five or more occurrences of information loss or theft. James Hurley, managing director of IT Policy Compliance Group, says that while businesses invest in policy enforcement software and other tools that help with data-handling regulations, most still struggle to fill in the gaps that leave the organization vulnerable to data breaches.

Overall, government agencies are performing at a much higher level than private sector firms and nonprofits in the study's compliance results. Over half of government organizations, 56 percent, operate within the norm.

The study lists best practices that can dramatically improve IT results by reducing business downtime from IT security breaches and reducing incidents of data loss and theft. Such practices include:

  • Implementing more of the appropriate IT controls.
  • Reducing control objectives, making it easier to communicate, measure, and report.
  • Establishing higher standards for performance objectives.
  • Encouraging a culture of operational excellence in IT.
  • Monitoring, measuring, and reporting controls against objectives at least once every two weeks.
  • Allocating more funds to control automation.

According to the study, "The amount spent on compliance and data protection is a very small percentage of the financial value that is at risk. With returns on investment in compliance for larger enterprises starting at 1,000 percent and improving to 100,000 percent, good compliance pays for itself."

The study is available for download (PDF, 486 KB).



Going to the Source in the Fight Against Spam

The Internet scammers who sell diet pills and stolen software through spam have something in common — they all need to take credit card numbers, which requires having a data center. The data centers used by these scammers are the subject of a new study, Spamscatter: Characterizing Internet Scam Hosting Infrastructure, conducted by researchers at the University of California, San Diego. According to the study, targeting Web servers used to host these sites instead of trying to block the mail servers that send out the unsolicited e-mail spam will do much more toward fighting the ever-growing influx of spam.

The University of California's research team found that although a spam campaign may use thousands of mail relay agents to send millions of messages, it typically uses only a single server to handle requests from the recipients who respond. The study points out that "the availability of scam infrastructure is critical to spam profitability — a single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign."

To identify scam infrastructure, researchers used a technique they call spamscatter. "The underlying principle is that each scam is, by necessity, identified in the link structure of associated spams," states the report. The technique was used to build a system that mines e-mail, identifies the associated URLs, and follows these links back to the destination server. Individual scams were further identified by "shingling," or clustering scam servers whose rendered Web pages looked graphically similar. Using these techniques, researchers bypassed the content and networking smokescreens used by spammers.

Over a week-long period, researchers applied the spamscatter technique to a large real-time spam feed (averaging 150,000 messages per day) and identified over 2,000 distinct scams hosted across more than 7,000 distinct servers. The study goes on to categorize different scams and describe their typical life cycle. In conclusion, researchers determined that individual machines are commonly used to host multiple scams and may also serve as spam relays. According to the study, "this practice provides a potentially convenient single point for network-based interdiction either via IP blacklisting or network filtering."
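The following Python module is an added example (not code from the study) that models the spamscatter pipeline described above: it extracts the URLs from a spam feed, follows each to the server that hosts the landing page, and clusters pages that render alike using word shingles and Jaccard similarity. The spam messages, the redirect/landing table that stands in for live fetches, and the page texts are constructed; nothing touches the network.

```python
"""A small model of the spamscatter pipeline (added example): pull URLs out of
spam, follow them to the hosting server, and group landing pages that render
alike using word shingles.

The spam messages, the landing table standing in for live HTTP fetches and the
page texts are constructed; no network access is used.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed spam feed: five different relays advertising three hostnames.
SPAM_FEED = [
    "From: a@relay1.example Lose weight fast! http://cheap-pills.example/go?id=1",
    "From: b@relay2.example Order now at http://buy-now.example/x",
    "From: c@relay3.example Genuine software 90% off http://soft-deals.example/?a=9",
    "From: d@relay4.example Diet miracle: http://cheap-pills.example/go?id=7",
    "From: e@relay5.example OEM software http://soft-deals.example/sale",
]

# Constructed result of following each advertised host: (final server, rendered page text).
LANDING: Dict[str, Tuple[str, str]] = {
    "cheap-pills.example": ("203.0.113.10",
        "Buy diet pills online. Fast shipping. Enter your credit card number to order now."),
    "buy-now.example": ("203.0.113.10",
        "Buy diet pills online today. Fast shipping! Enter your credit card number to order."),
    "soft-deals.example": ("198.51.100.7",
        "Discount software downloads. OEM licences. Pay by credit card and download instantly."),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_hosts(messages: List[str]) -> Dict[str, int]:
    """Hostnames advertised in the spam, with how many messages pointed at each."""
    counts: Dict[str, int] = {}
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlparse(url).hostname
            if host:
                counts[host] = counts.get(host, 0) + 1
    return counts


def shingles(text: str, w: int = 3) -> Set[Tuple[str, ...]]:
    """w-word shingles over the normalised (lower-cased, alphanumeric) page text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + w]) for i in range(len(words) - w + 1)}


def jaccard(a: Set, b: Set) -> float:
    """Set similarity in [0, 1]; two empty sets count as dissimilar."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_pages(pages: Dict[str, str], threshold: float = 0.5) -> List[Set[str]]:
    """Greedy single-linkage clustering: a host joins the first cluster holding a
    page whose shingle similarity reaches the threshold, else starts its own."""
    sigs = {host: shingles(text) for host, text in pages.items()}
    clusters: List[Set[str]] = []
    for host in pages:
        for cluster in clusters:
            if any(jaccard(sigs[host], sigs[other]) >= threshold for other in cluster):
                cluster.add(host)
                break
        else:
            clusters.append({host})
    return clusters


def scam_report(messages: List[str], landing: Dict[str, Tuple[str, str]]) -> List[Dict]:
    """One entry per distinct scam: the hosts advertised for it, how many messages
    advertised it, and the server(s) that actually host it."""
    hosts = extract_hosts(messages)
    pages = {h: landing[h][1] for h in hosts if h in landing}
    report = []
    for cluster in cluster_pages(pages):
        report.append({
            "hosts": sorted(cluster),
            "messages": sum(hosts[h] for h in cluster),
            "servers": sorted({landing[h][0] for h in cluster}),
        })
    return report


if __name__ == "__main__":
    # Five relays and three hostnames collapse to two scams on two servers.
    for scam in scam_report(SPAM_FEED, LANDING):
        print(scam)
```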

The study is available for download (PDF, 843 KB).



Avoiding Top Ten Spreadsheet Risks

The IT Compliance Institute recently published its list of spreadsheet compliance risks in an article aimed at reducing and avoiding such risks. “One of the biggest threats to compliance isn’t rogue insiders or hackers, but a trusted tool: the lowly spreadsheet,” writes author Matthew Schwartz. “Its life is unstructured, untracked, and unsecured — control challenges that can run afoul of everything from the U.S. Sarbanes-Oxley Act of 2002 to federal accounting rules.”

As a result of these challenges, spreadsheets pose one of the biggest compliance risks faced by organizations. Following is a synopsis of the tips and best practices recommended in the article to mitigate these risks:

  1. Acknowledge spreadsheets' programming power. Spreadsheets are powerful tools but are most often handled by non-IT users. Often, the same person is the programmer, tester, and user, which makes the detection of errors difficult.
  2. Expect errors. Research shows that most spreadsheets contain a substantial number of errors, and the average error rate for tasks, such as creating spreadsheet formulas, is about 2 to 5 percent, according to IT professor Ray Panko. Even so, most companies don’t test for spreadsheet errors, preferring to "eyeball" results instead.
  3. Manage spreadsheet changes. Identify those spreadsheets that handle critical functions, and then implement controls to mitigate risks and ensure financial integrity and accuracy. Apply change management controls, including those monitoring sign-off, records and rationales for changes, and rollback capabilities.
  4. Beware the orphans. Pay special attention to orphans, or spreadsheets of unknown provenance, that drive critical processes. Inherited spreadsheets can be baffling to unravel and rife with errors or missing data.
  5. Consider versioning software. Until recently, software to manage the regulation of Microsoft Excel was scarce. However, Microsoft now offers businesses ways to manage Excel 2007, including enforcing change management, audit controls, and versioning for Excel spreadsheets.
  6. Evaluate granular controls. Even with the new content management approaches, more companies are moving toward control of data, formulas, and macros at the cell level, wherein everything in spreadsheets can be managed by centralized policies.
  7. Enforce policies and procedures. Companies should have policies and procedures in place that minimize or eliminate spreadsheet use in business-critical operations, such as those that would cause the organization to be at odds with Financial Accounting Standard rules.
  8. Automate critical business processes. Those spreadsheets that handle critical business processes should be automated to provide more cost-efficient and effective compliance.
  9. Monitor centralized application adoption. The use of enterprise resource planning (ERP) systems does not guarantee that spreadsheets used in calculations are accurate or being used appropriately. ERP tools should be easy to use and full-featured so that accountants and managers bypass the use of spreadsheets altogether.
  10. Balance enterprise applications and spreadsheets. Employees often disregard company policies regulating spreadsheet use. As a result, organizations should manage any spreadsheet associated with critical business applications, even to the column level, in order to ensure the accuracy of financial information.

To read the article in its entirety, go to



IT and Audit News

Lower-cost domestic IT sourcing in the public sector; U.S. cybercrime estimated to be at least $117 billion per year; employees pose biggest security risk; what demotivates your staff



Lower-Cost Domestic IT Sourcing in the Public Sector
"We are all competing in a global market — the fight for customers, capital, jobs and resources is now on a global scale," says a new study by the Information Technology Association of America.

Report: E-gov Pressures Security
The growth of interagency data sharing and public-facing services is placing demands on IT security officials, according to a report from Symantec.

FBI Installs Spyware
The Federal Bureau of Investigation used a Trojan horse to identify the computer of a Washington high school student who later pled guilty to charges stemming from a rash of bomb threats.



U.S. Cybercrime Estimated to Be at Least $117 Billion Per Year
"Whatever is reported by organizations, most of that will likely be underreported because of disincentives to report losses," David A. Powner, Government Accountability Office director of IT management issues, told TechNewsWorld.

iPhone Is Coming to Your Network
Apple's multimedia, Internet-enabled phone has received criticism regarding security resulting from attempts to unlock the iPhone and a well-publicized exploit by Independent Security Evaluators.

Firefox Hit With Another URL-Handling Bug
The Mozilla Foundation is dealing with another URL-handling issue. Researchers have posted a proof of concept showing how the flaw can be used for remote command execution on computers running the Firefox browser.

Firm Finds New Problem in Dangling Pointers
Two researchers discovered a way to exploit the dangling pointer issue and have found a method of exploiting a broad class of dangling pointers.

P-to-P Application Causes Police Security Disaster in Japan
A policeman in Japan was fired after a P2P application, Winny, on his PC caused highly confidential information to reach the Internet.



Employees Pose Biggest Security Risk
Information Week research shows that the number one tactical security priority for U.S. companies is the end user.

Web-based Development Platform Goes Open Source
An Australian software company has released what it claims is the first browser-based Web 2.0 development platform as an open source project.

Running Windows on Macs Turns Into Race
VMware gave Parallels some competition by releasing the first version of its software that lets Windows applications run on Apple's Macs.



What Demotivates Your Staff
Many common organizational systems, policies, and management actions actually demotivate people.

NXP Continues Research Efforts for Wireless USB chips
Cables connecting USB devices to PCs may soon disappear because of Wireless USB, a short-range wireless communications technology developed by USB Implementers Forum Inc.

The Internet and the Law
Technological innovation and its accompanying legal challenges should provide enough to keep Congress, the executive branch, attorneys, and judges busy until at least the next generation.

Recharging IT Can Make Your Business Soar
According to research, nine out of 10 companies that successfully renewed themselves were able to find the solution in hidden assets — assets that were undervalued, underutilized, or unrecognized.

Financial Executives International Chief Law says that Sarbanes-Oxley Brought Positive Benefits
The controversial U.S. Sarbanes-Oxley Act of 2002 has brought "many positive benefits" according to a senior figure in the U.S. financial world.




Coming Soon! The IIA's IT Audit Research Symposium Results

The IIA Research Foundation and The IIA's Advanced Technology Committee hosted the second IT Audit Research Symposium on July 8 in Amsterdam, the Netherlands, in conjunction with The IIA's International Conference. The purpose of the symposium is to discuss potential solutions for significant IT audit issues, which will help The IIA promote emerging IT audit research projects. The symposium served as a springboard for future IIA technology initiatives. Subjects discussed included:

  • Why do IT projects fail? What controls and related metrics should be in place to monitor each of the failure reasons?
  • Why is IT so expensive?
  • IT security — ensuring computer security by examining how IT users can best be involved in and encouraged to follow good IT security procedures.
  • Continuous auditing.
  • Continuous privacy monitoring.
  • Using the IT maturity concept to evaluate the internal control effectiveness of outsourced and co-sourced business processes.

Check back soon to The IIA Web site for the results.



In This Issue

This month's feature articles include:

Using XBRL Audit and Control Implications
Glen Gray, Ph.D., CPA
Extensible business reporting language, commonly known as XBRL, standardizes the way organizations collect, prepare, and share business information. However, organizations and internal auditors need to become acquainted with the different control issues that might impact XBRL use and its effectiveness.

Internal Controls to Examine When Auditing Backend Operations of Messaging Systems
Ike Ugochuku, Senior IT Auditor
Establishing proper access controls, e-mail archiving, and antivirus safeguards can help organizations get on the road to a secure messaging system.

The Problem With Document Destruction
Organizations can overlook the importance of documents until things go wrong. Make sure document retention and destruction policies and procedures are being implemented before a disaster can occur.

Also, check out our regular departments for the latest IT and audit information:

New Developments
Public and private entities face significant cybercrime challenges; Why IT compliance pays; Going to the source in the fight against spam; Avoiding top ten spreadsheet risks.

IT and Audit News
Lower-cost domestic IT sourcing in the public sector; U.S. cybercrime estimated to be at least $117B per year; Employees pose biggest security risk; What demotivates your staff.

Tech Practices Update
Coming soon! IIA's IT audit research symposium results.
