
The Audit that never started

A Chief Executive has repeatedly accused his IT team of sending a series of financial requests to resolve various issues in the department. He described the frequency of the requests and the amounts involved as “sickening”; the cumulative sum was a pain point for the CEO. In a bid to grasp the state of affairs in the IT department, the CEO hired an IT auditor to meet with the Head of IT and assess the operations of the department.

A pre-audit meeting held with the IT department and Internal Audit revealed that the CEO had single-handedly hired the audit firm without consulting the auditees or Internal Audit. Hence the audit could not commence, and the CEO was informed of the potential impact of his move.

The likely consequence of the CEO’s action is difficulty in gaining the cooperation and support of the auditees. The auditees need to accept that frequent requests arising from the continuous breakdown of devices, or any other tech-related issues, call for a review of the organization's IT portfolio management. They must acknowledge that there are problems and that solutions are needed.

Internal Audit, on the other hand, ought to be consulted, since they are to complement the efforts of the external auditor and vice versa. The audit findings, recommendations and follow-up audit would be monitored by them.

Stakeholder engagement is important to a successful audit. Underestimating the power of an auditee in a potential audit leaves an auditor at risk of inaccuracies in his or her judgments.

Dying of Human Errors

A few months ago, the world mourned the loss of 157 global citizens in the ill-fated Ethiopian Airlines crash in Ethiopia. The plane lost contact with the control tower barely six minutes after take-off, and all that was left of the aircraft were the pieces scattered at the scene of the crash. A global response led to the grounding of the 737 Max aircraft. The black boxes of the aircraft were recovered and sent for analysis in Paris rather than the United States. Ethiopian Airlines chose Paris for reasons best known to them; one school of thought is that the airline was concerned that an analysis report from the United States could contain biased judgment because Boeing is an American company, and so believed it would get an independent, unbiased report from Paris. Charlton (2019) cited suggestions made by Peter Goelz, a former managing director of the National Transportation Safety Board, that sufficient evidence needed to be gathered against the Federal Aviation Administration (FAA) and Boeing, since the former had certified the 737 Max jets as airworthy.

A preliminary report released by Ethiopia’s Minister of Transportation revealed that the pilots of the doomed Ethiopian Airlines Flight 302 followed all the procedures recommended by Boeing when the airplane nosedived but they could not prevent the plane from crashing. The minister affirmed that the preliminary report is based on findings from the black boxes of the aircraft.

A day after the release of the preliminary report, Drew Griffin, an investigative reporter at CNN, revealed that current and former Boeing employees had blown the whistle on poor practices within Boeing’s operations. The report showed that Boeing’s anti-stall software could have caused the crash, because the plane nosedived repeatedly despite the pilots’ efforts to follow Boeing’s specified procedures.

According to the U.S. Federal Aviation Administration, the issues raised by the whistleblowers include damage to the wiring of the angle-of-attack sensor by a foreign object and the anti-stall system called the Maneuvering Characteristics Augmentation System (MCAS).

It is clear that these employees could no longer stomach the persistent acts of wrongdoing they observed in the workplace. Though it was an anonymous tip-off, were they right to have reported to the regulatory body, and did the report come too late, after the Lion Air and Ethiopian Airlines crashes? Their ethical stance, conscience and the values they believed in might have motivated them to violate the various agreements they had consented to during and after their employment at Boeing.

The design of the 737 Max jets placed two sensors on each side of the fuselage, but MCAS takes its reading from just one. The angle-of-attack sensor (an Internet of Things device) feeds data to MCAS, and the content of that data determines whether the software-driven MCAS engages or not. Consistent feeding of incorrect data causes MCAS to repeatedly push the plane into a nosedive, putting human lives at risk and casting a shadow of doubt over the expertise of the pilots as they struggle to regain control.

Griffin reported that Boeing’s CEO acknowledged that the incorrect data that led to the MCAS malfunction was one link in the chain of events. This raises the question of why Boeing, with decades of experience in its portfolio, designed a plane with a single point of failure. Internet of Things devices are prone to generating bad data: Harel Kodesh, CTO of GE Digital, stated that 40% of the data generated by IoT networks is “spurious”. Environmental factors affect the data that sensors generate; the harsher the conditions, the more incorrect data a device is likely to produce. Sometimes these devices simply begin to malfunction on their own, which may be the result of poor configuration management. Lawson (2016) recommended redundant IoT systems, which would address Boeing’s single-point-of-failure design. Moreover, a system with a single point of failure should have its risk profile updated and continuously evaluated.

A report published by Dominic Gates, Seattle Times aerospace reporter, shared details of how flawed analysis by Boeing and failed oversight by the FAA affected the 737 Max flight control system. The FAA delegated its safety assessment responsibility to Boeing. Auditees should not take part in the assessment of their own work: the probability that deficiencies in their work will be covered up is one (1). A control lapse by a regulatory body led to significant losses.

"When regulations fail, standards diminish and a worst case scenario becomes acceptable."

Inadequacies in the report presented to the FAA by the Boeing team understated the potential functionality of the 737 Max MCAS technology. Such an understatement limits the ability to build accurate risk profiles for the IoT and software development processes used in production, and hence the ability to determine the catastrophic impact of these technologies and proffer adequate responses. Gates reported that Boeing’s system safety analysis classified an MCAS failure as a “major failure”, which implies that a system failure cannot lead to loss of human life, only distress and injuries, whereas in flight operations the action of MCAS when activated was classified as a “hazardous failure”, meaning that failure of the system could cause fatal injuries to a sizeable number of passengers. Neither classification reflected the true state and potential of the MCAS. Skybrary, an aviation safety data repository, advocates a structured approach to ensure that all potential hazards and likely scenarios are identified and assessed, to aid in the correct classification of hazards. Table 1 is an operational safety assessment hazard classification matrix used to classify and evaluate the impact or severity of an aviation risk should it occur.

Table 1: Operational Safety Assessment Hazard Classification / Severity Matrix (image not reproduced here). Source: Skybrary Aviation Safety.

The Lion Air and Ethiopian Airlines crashes recorded no survivors; the effect on the occupants of the aircraft was multiple fatalities. Therefore the potential impact of the MCAS ought to be classified as the most severe. The likelihood or frequency of occurrence is another important factor in assessing the risks posed by MCAS technology. MCAS activated during flight operations on the Lion Air aircraft in two separate incidents on two different days: an off-duty pilot saved the day on the first occurrence, but the aircraft crashed off the coast of Java the next day. Ethiopian Airlines flight 302, on the other hand, did not overcome the technology- and human-inflicted disaster the first time. In five (5) months, the events occurred three times. The likelihood of occurrence is defined in Table 2.

Table 2: Frequency/Likelihood Classification (image not reproduced here). Source: Civil Aviation Authority.

Table 2 was developed by the Civil Aviation Authority, a safety regulation body that provides safety guidelines for aerodrome operators and air traffic service providers. Adopting Table 2 as the classification model for this study, the frequency of MCAS activation can be classified as reasonably probable, considering that the gap between the last and the most recent event is approximately 130 to 150 days.

Figure 3 is a risk tolerability matrix developed by the Civil Aviation Authority. Determining the tolerability level involves measuring the probability of occurrence against the severity of the consequence; on that basis, the appropriate rating for the MCAS risk consequence is unacceptable.

Fig. 3: Risk Tolerability Matrix (image not reproduced here). Source: Civil Aviation Authority.

The crashes of new aircraft produced by a mature company like Boeing, with CMMI Level 5 certifications in different processes, highlight the many overlooked inherent risks associated with new innovations and products, or perhaps the poor practices and human errors, which led to multiple fatalities and whistleblowing.

After the Ethiopian Airlines crash, Boeing’s CEO reiterated at a news conference that the company had followed all the steps in its processes for the design and certification of the aircraft. Developing or adopting new technology may be a good idea for a business; however, all the risks should be identified and accurately profiled. Boeing’s response to the MCAS activation malfunction is to provide a software fix, which is in line with the recommendations proposed by the Civil Aviation Authority: when the consequence of a risk is unacceptable, a redesign of the system may be necessary to reduce the likelihood or severity of the consequence. Gates reported that the fix is expected to alter the MCAS functional design and allow MCAS to receive data from both angle-of-attack sensors (redundancy). While the risk remains part of the system, the fix is expected to give pilots more control than the status quo.

Counting the cost of grounding 737 Max aircraft globally, the project cost of the software redesign, reputational damage, death benefit payouts and the loss of human lives, a diligent oversight function and sound risk management practices would have saved Boeing these blushes and families their eternal pain.

REFERENCES

Charlton, A. (2019). Why France is analyzing Ethiopian jet’s black boxes. Retrieved from https://www.seattletimes.com/business/why-france-is-analyzing-ethiopian-jets-black-boxes/

Civil Aviation Authority. (2006). Guidance on the conduct of Hazard Identification, Risk Assessment and the Production of Safety Cases. Retrieved from https://www.icao.int/safety/pbn/Documentation/States/UK CAA CAP760 Guidance on Conduct of Hazard Identif. Risk Ass. Production of Safety Cases .pdf

Gates, D. (2019). Flawed analysis, failed oversight: How Boeing and FAA certified the suspect 737 MAX flight control system. Retrieved from https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/

Gates, D. (2019). Facing sharp questions, Boeing CEO refuses to admit flaws in 737 MAX design. Retrieved from https://www.seattletimes.com/business/boeing-aerospace/facing-sharp-questions-boeing-ceo-refuses-to-admit-flaws-in-737-max-design/

Griffin, D. (2019). Source: Boeing whistleblowers report 737 Max problems to FAA. Retrieved from https://edition.cnn.com/2019/04/26/politics/faa-hotline-reports/index.html

Lawson, S. (2016). Worm on the sensor: What happens when IoT data is bad. Retrieved from https://www.cio.com/article/3151081/worm-on-the-sensor-what-happens-when-iot-data-is-bad.html

Skybrary. Risk Assessment. Retrieved from https://www.skybrary.aero/index.php/Risk_Assessment#Severity_of_Hazards

Website Baseline Controls Deficiency

A few days ago, my team completed the audit of a third website in two weeks. The websites belong to organizations in the financial, educational and public sectors. Some baseline audit findings across the board revealed that:

1. The websites did not have SSL certificates installed.

While some say SSL certificates are only needed when you have a form on your website or transmit sensitive information, Google made them a security baseline for websites: sites without SSL certificates are flagged as not secure in the Chrome browser, and such a label directly affects the perception of the brand.

However, security is not about achieving a 100% secure environment. The goal is to make things difficult for the adversary, and installing an SSL certificate is one sure way of achieving that.

2. There are no tools to monitor controls and intrusion attempts.

If it cannot be measured, it cannot be managed. Just because a website or web application maintains a reasonable amount of uptime does not mean everything is alright. Defacement is not the only attack that indicates a website has been breached; there are advanced persistent threats that can stay hidden for months or years, one motive being to continually steal data as records are updated. Gone are the days when web designers and developers built websites, handed them over to the owners and everyone forgot about day-to-day administration.

A baseline control would be to implement a web application firewall. Its exception logs provide valuable insight into who makes intrusion attempts, and how and when (much like a honeypot). Additional features include protection from DoS, SQL injection, roles and privileges, malware, etc.

If your organization’s website is powered by a content management system (WordPress, Joomla, Drupal, etc.), acquiring an off-the-shelf web application firewall will be cheaper than developing one.

If your website code was written from scratch, a cost-benefit analysis between acquisition and development is recommended.

3. Website backups are not automated, periodically created or tested.

Having a replica of your website is important to attain resilient status. Security is not guaranteed; hence the need for a test environment where backups can be tested and restored. CMS users can use XAMPP or WAMP to create the test environment locally.

A limitation reported by an auditee during an interview was the speed of the internet bandwidth, which hindered the creation of successful backups. If you experience a related issue and your site runs on a content management system (CMS), consider integrating an automated backup plugin: schedule your cron jobs and that’s it.

If the site was built from custom code, kindly draw the developer’s attention to the backup module. Review the backup process flow and function, then create backups and test them to ensure their functionality and reliability should a disruption occur.

4. File and folder permissions were not adequately set.

Some files and folders were set to 777. This means that every class of user (owner, group and everyone else, including the public) can read, write and execute them. This is a source of weakness in a system.

By default, file and folder permissions should be set to 644 and 755 respectively. A file transfer protocol (FTP) client like FileZilla will do the work for you; you could also log in to your hosting panel to set them. A web application firewall as described in item 2 should also have the capacity to set permissions in bulk.
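
An added example, not from the original post, of how an auditor with shell access can check a web root against the 644/755 baseline, count the 777-style world-writable entries the audit found, and remediate. It is POSIX shell, assumes a standard find/chmod, and builds its own constructed sample site; the web root path is whatever the caller supplies.

```shell
#!/bin/sh
# Added example: audit a web root against the 644 (files) / 755 (directories)
# baseline from item 4, and optionally apply it. Assumes POSIX find and chmod.

# List every file not exactly 644 and every directory not exactly 755.
# Keep this output as audit evidence before touching anything.
audit_perms() {
    root=$1
    find "$root" -type f ! -perm 644 -print | sed 's/^/FILE not 644: /'
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  not 755: /'
}

# Count world-writable entries (the 777 case), symlinks excluded.
# Anything listed here can be altered by any local account, including the
# account the web server runs as.
count_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Apply the baseline. Files that legitimately need the execute bit (CGI
# scripts, for example) must be excluded by the caller before running this.
fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Self-contained demo on a constructed sample site: one 777 upload folder and
# one 777 file inside it, as found in the audit. Prints "<before> <after>",
# the number of world-writable entries before and after remediation.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/uploads"
    printf '<?php // constructed sample entry point\n' > "$tmp/site/index.php"
    printf 'constructed sample upload\n' > "$tmp/site/uploads/a.txt"
    chmod 755 "$tmp/site"
    chmod 644 "$tmp/site/index.php"
    chmod 777 "$tmp/site/uploads" "$tmp/site/uploads/a.txt"
    before=$(count_world_writable "$tmp/site")
    audit_perms "$tmp/site" > /dev/null   # evidence would be kept in a real audit
    fix_perms "$tmp/site"
    after=$(count_world_writable "$tmp/site")
    rm -rf "$tmp"
    echo "$before $after"
}

# Run the demo only when invoked as: sh perm_audit.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

On a real site run audit_perms first and review the listing with the developer, since a blanket fix_perms will also strip execute bits a custom application may depend on.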

5. Websites were not updated regularly.

Open source CMS websites are prone to bugs. Best practice requires that updates are applied regularly once the update manager sends a prompt or notification; however, this should only be after reading and understanding what is included in the update.

If a vendor or web developer sends an update notification, read and understand what is included in the update, go to your test environment, create a replica of the production website and apply the update there. On successful completion of the update, review the code for backdoors and other malicious lines of code.

Auditors are required to understand and perform most of these tasks themselves to gain first-hand experience of the state of the website’s controls and security, rather than relying on the judgement of the practitioners. These processes should be thoroughly reviewed by the auditor before digging deeper into other parts of the system.

Ethical Sides of Decision Making

Time and again, I have listened to people say "if you want to enjoy your life, earn a good salary, but if you love your children, start a business”. The decisions we make in life depend on the angle from which we view issues and perspectives. Earning a good salary is good; owning a business is also good. However, the risks associated with each need to be assessed, and a capability assessment is required to know which is right for one. Whatever path we decide to take, our decision-making skills remain the deciding factor. This article focuses on the life of an entrepreneur who, despite the odds, accomplished his goal.

Earlier in the day, I was working on a systems audit analysis and needed to refill my cup of tea to get the mood going. I had Earl Klugh filling the room with jazz, track after track, giving me the inspiration I needed to get my job done. I rarely shift my attention to something else when I am in such a work mode, but the sight of my TV screen got my attention. A movie had just begun, with the screening of the characters. The title of the movie was “A Most Violent Year”, directed by J.C. Chandor, with Oscar Isaac in the lead role. I saw the movie in 2016 but didn’t pay attention at the time. This time, the juice is mine.

I read the synopsis, and it gave me an assurance that every minute spent on the movie would be worth it. Being a fan of Hollywood movies, I have learnt valuable lessons from movies that have inspired and guided me in my daily life and business. One of them is “The Last Knight”, which featured Morgan Freeman, Clive Owen and Kazuaki Kiriya. The story shone a light on the virtues a nation stands for and the collective teamwork of its people.

 

I decided to take a break from the task and focus on the movie. It highlighted the life of an entrepreneur who built his heating oil business in New York City in 1981, a time of rampant corruption, violent competition and dishonesty. A strategic thinker who wanted to take his business to the next level, he met the most restrictive forces from government, competitors and local gangsters. Competitors conspired to push him out of business, gangsters were always hijacking his trucks, stealing from him and selling the contents to competitors at reduced rates, and the government was always slamming his company with lawsuits.

Despite the corrupt forces against him, he was determined to survive and grow his business. He never thought of joining them or taking reprisal actions; instead he looked for a way out.

“If you can’t beat them, don’t join them. Find a way out.”

 

Faced with a series of ethical uncertainties, he became the rallying point for his employees, who had been attacked and beaten by gangsters. When the employees needed a beacon of hope, he rose to the occasion. His decision-making skills influenced his employees to follow his lead and align with his code of conduct.

An employee, a driver who had just recovered from injuries sustained in the last attack, decided to resume and drive his truck with a gun as a defence tool. He shot at potential attackers and was subsequently arrested by the police. He was, however, relieved of his duties by the entrepreneur.

“When it’s time to bite, please do. Do not let emotions get in the way of your decisions.”

 

Lest I forget, the entrepreneur was married to a hot-headed woman, the daughter of a Don. She barely had any desire to do the right thing; she believed in getting things done quickly, regardless of the method deployed.

With significant forces from the competitors, the government and his wife, one would have thought his ethical principles would be violated, but he stood his ground.

Sticking to the principles that define you requires a lot of work. Workplace and social pressures are real, and the daily struggles may sometimes tilt your allegiance away from your values and principles.

 

After spending 130 minutes on entertainment, or rather an ethics and compliance case study, I realized that:

- everyone has the tendency to push relentlessly to succeed in the face of growing challenges;
- staying clean in business is a choice;
- for every adversarial move, truth is always the casualty;
- integrity does not have a price tag. If you don’t have it, you can’t buy it;
- you can insist on doing things the RIGHTEST way. However, count the cost;
- let there be a virtue that defines you;
- getting the result is important. If you think your adversaries have blocked you from getting the result, it means that you know only one way of getting it;
- periodically subject yourself to an ethical self-assessment to determine your adherence;
- comply with industry regulations to save yourself from unnecessary government distractions.

The movie reflects the current issues people face in their various lines of business. Society is demanding that little shift in values, but you have got to put your ethics first. Adherence to one’s own or the company’s ethics is extremely important to the goodwill and overall reputation of the individual or company.

As a leader, everything you do each day is a major bulletin for the day. Lead well and act right.  

If you have 130 minutes to learn something new, A MOST VIOLENT YEAR is worth every minute.

Dear professionals, are we ready?

Manchester United saw their stock rise early in the year. Up until February 2019, the team was racking up victory after victory, and in the process recorded 11 victories on the road, their best run in the history of the club. The club didn’t need a soothsayer to tell them to change the manager’s status from interim to full time. Fast forward to March 2019 and, as of this moment, they have lost 7 of their last 9 games, and most likely a 10th tomorrow.

Something is definitely wrong somewhere, and it could be that every one of their opponents has discovered the weaknesses and inherent risks associated with Manchester United. From governance to organizational structure, to managers and employees, the club is in a deplorable state. It is no longer business as usual; competitors are changing business models to outperform each other. The footballers currently pose the biggest threat: their last outing against Everton was pathetic, and they were beaten in every position. The response of management was to tell supporters to expect a massive exodus of players from the club, as they believe the current skills of their players are not in tune with their current roles. At the moment, this is what their indicators are revealing.

What is your indicator revealing? You have always conducted precise audits and generated excellent reports, but the issues persist. Management has a better idea, and stakeholders just don’t buy your recommendations.

Wait! A wave is coming. This time, you will have to go the extra mile to get the job done.

Dear auditor, business models are changing, are you ready?

Earlier in the year, my company was privileged to be invited to audit an information system used by a microfinance bank. As a team, we assembled to share out roles and examine the various tasks as usual. On the team were financial auditors, information systems auditors, network administrators, database specialists, server administrators, security managers and a web developer. It seemed like we had the best team around. Off we proceeded to the client’s office. On arrival, we were handed the terms of reference, and the usual functions appeared: tasks ranging from duplicate checks, edit checks, reasonableness checks, controls assessment, data validity, organizational structure audit, tamper-proofing of the audit trail, incident and review logs, bla bla bla.

What caught my attention was the application programming interface (API) audit and the application source code audit. The task was to review the whole application for backdoors, code integrity, programming standards and the API. Calculating a hash of each file would have shown whether files had been tampered with, but because no initial hashes of the files had been stored anywhere, the comparison would be baseless. Secondly, the big deal was verifying all the lines of code to identify poorly written code and ensuring that the application was built according to best practices.
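
An added example, not part of the original post, of the control the paragraph says was missing: a SHA-256 baseline of the application files taken before the period under review and kept outside the application root, then compared at audit time to report what was added, removed or modified. It is POSIX shell, assumes GNU coreutils (sha256sum, join, comm) and file paths without whitespace, and builds a constructed sample application for its demo.

```shell
#!/bin/sh
# Added example: file-integrity baseline for a source code audit.
# Assumes GNU coreutils (sha256sum, join, comm) and paths without whitespace.

# Record "hash  ./relative/path" for every file under $1 into manifest $2.
# Keep the manifest outside the application root, ideally signed or on
# read-only media; otherwise whoever altered the code can alter the baseline.
create_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Compare the current state of $1 with manifest $2. Prints one line per
# finding (ADDED / REMOVED / MODIFIED) and returns 0 only when nothing changed.
verify_baseline() {
    root=$1; manifest=$2
    cur=$(mktemp); old_p=$(mktemp); new_p=$(mktemp); out=$(mktemp)
    create_baseline "$root" "$cur"
    awk '{print $2}' "$manifest" > "$old_p"   # paths in the baseline
    awk '{print $2}' "$cur" > "$new_p"        # paths present now
    {
        LC_ALL=C comm -23 "$old_p" "$new_p" | sed 's/^/REMOVED  /'
        LC_ALL=C comm -13 "$old_p" "$new_p" | sed 's/^/ADDED    /'
        # join both manifests on the path (field 2); a differing hash pair
        # means the file content changed since the baseline was taken
        LC_ALL=C join -j 2 "$manifest" "$cur" | awk '$2 != $3 {print "MODIFIED " $1}'
    } > "$out"
    cat "$out"
    n=$(wc -l < "$out" | tr -d ' ')
    rm -f "$cur" "$old_p" "$new_p" "$out"
    [ "$n" -eq 0 ]
}

# Demo on a constructed sample application: take the baseline, then simulate
# the drift an audit must detect (one file changed, one added, one removed).
# Prints "<findings before drift> <findings after drift>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/inc"
    printf '<?php // constructed sample entry point\n' > "$tmp/app/index.php"
    printf '<?php // constructed sample config\n' > "$tmp/app/inc/config.php"
    create_baseline "$tmp/app" "$tmp/baseline.sha256"   # stored outside app root
    before=$(verify_baseline "$tmp/app" "$tmp/baseline.sha256" | wc -l | tr -d ' ')
    printf '// change made after the baseline\n' >> "$tmp/app/index.php"
    printf '<?php // file absent from the baseline\n' > "$tmp/app/inc/extra.php"
    rm "$tmp/app/inc/config.php"
    after=$(verify_baseline "$tmp/app" "$tmp/baseline.sha256" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after"
}

# Run the demo only when invoked as: sh integrity_baseline.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The findings list tells the auditor which files to read line by line; files whose hash still matches the baseline need no code review for tampering, which is what makes the comparison meaningful rather than baseless.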

I asked three different developers if there exists a global standard for auditing/developing application code. Their responses were negative.

"You just have to be a developer to review the codes of another developer."

Well, the web developer on the team did his job and presented the report. I guess I was not satisfied with his job because no one else on the team had knowledge of application development, so verifying the correctness of the report proved to be a problem. To resolve this, I hired another developer to audit the section again and then compared his report with the existing one.

"A valuable lesson I learnt is to ensure that there is always someone on the team who understands and can review what another team member has done."

Then I remembered thousands of active information systems auditors with no knowledge of application development. How do they cross the hurdle of source code audit? Hiring an application developer is good but how do you verify the correctness of the report?

An inability to evolve and align with new business innovations will make one’s skills redundant. After the audit, I did a reality check, and the result was my enrolment in a full-stack development course the following month. Of course, I’m still in training and the {}<></> are not friendly at all. I don’t intend to be a developer, but I want to know and understand what the developer is doing, or maybe enjoy my time sipping coffee and reviewing those lines of code myself. At the moment, I can successfully review UI/UX front-end code. Quite boring, but extremely important. I can’t wait to pick up momentum in my back-end classes.

The future is set to unfold more work for auditors and security professionals.

The challenges from cyberspace, coupled with business application audits, workplace robotics, artificial intelligence, the Internet of Things, the Internet of People, the Internet of Everything, blockchain, data science, cloud computing and others, will raise the bar for professionals.

I see the role of CISAs evolving as these emerging technologies take over our business landscape. No one is a repository of all knowledge; therefore the IS auditor should not be seen as a magician expected to know the job functions of a data scientist, financial auditor, database administrator, network administrator, server administrator, cloud specialist and every other emerging role involved in these technologies. Professionals in those areas will be hired for the purposes of IT audit, not as practitioners, and will report to the CISA, who will serve as the audit manager.

Dear professionals, are we ready?

PECB signs a partnership agreement with Darence Consulting Limited

PECB, the leading education and training service provider on ISO standards, has recently announced a strategic partnership with Darence Consulting to offer its customers the best practices of ISO standards in Nigeria.
 
"Darence Consulting has a sophisticated, well-built enterprise platform that aligns with our innovative ISO standards," said Eric Lachapelle, CEO of PECB.  "We anticipate both systems to benefit from our aligned strategies to solve important issues for our customers, and within the industry. Following the availability of Darence Consulting’s system, we will be able to leverage the same cost advantages for developing turnkey business solutions that integrate into backend systems using ISO standards,” concluded Lachapelle. 
 
Temitayo Oladiran, Enterprise Lead, Darence Consulting:
"When we needed to decide who our partner would be, everyone chose PECB. PECB has consistently maintained its leadership role in the certification industry, and we are proud to be associated with a global brand.

It suffices to say that we have unwavering reliance on PECB’s global reputation to deliver their products and services to our clients and ensure best practices in business operations. We look forward to optimized business operations as we forge an alliance with PECB."
 
About PECB 
PECB is a certification body for persons, management systems, and products on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise on multiple fields, including but not limited to Information Security, IT, Business Continuity, Service Management, Quality Management Systems, Risk & Management, Health, Safety, and Environment. 
 
We help professionals and organizations show commitment and competence with internationally recognized standards through education and certification against rigorous, internationally recognized requirements. Our mission is to provide our clients with comprehensive services that inspire trust, continual improvement, recognition, and benefit the society as a whole. For more detailed information regarding PECB principal objectives and activities, visit www.pecb.com.
 
About Darence Consulting
Darence Consulting provides expert services on technology, leadership and management to organizations. We empower entities through the provision of advisory services, practitioners’ solutions, assessment & performance measurement and standardization of processes to ensure operational best practices. 
 
Across organizations, we develop programs that move them towards objectives realization. Our programs include governance, risk management, cybersecurity, IT audit, leadership, performance evaluation, skill acquisition and competence development. 
To know more about our services, visit www.darenceconsulting.com