Sponsored by International Quality and Productivity Center Conference on

THE CHANGING ROLE OF THE INTERNAL AUDITOR
March 31-April 2, 2003 * Georgian Terrace Hotel * Atlanta, GA

<See Details at the end of this email>

Seats are limited so sign up now at www.iqpc.com!
***************************************

Robert,

You are absolutely correct that simply inserting a disclaimer in an email will not provide absolute protection from legal action. The scenario that was included in my response actually came from the Net and there is a Web site that discusses the legal issues associated with email.

IMO auditors use common sense when auditing security measures and not only review policies and procedures but also test the controls in place. Much of what we do as auditors is identify risk and inform management of exposures. It is up to management to take corrective action to minimize those risks or accept them and the resulting consequences.

The original question related to the legal protection afforded by disclaimers. I provided the group with information and a link to a site dealing with the issue. Adding a disclaimer to email may help minimize risk but it is not absolute assurance. Testing the system will also minimize risk but again not provide absolute assurance.

As to suggesting that a firm like Protiviti would act in the manner that you suggest is highly unlikely. If they were testing security they would perform whatever tests necessary to provide reasonable assurance to management that risks are minimized.

Most internal auditors look beyond policies and procedures. We audit not only to ensure that things are being done right but also that our organizations are doing the right things.

As to "this kind of thinking", remember that it was external auditors that may have imposed "this kind of thinking" on their clients. Worldcom's internal auditors were the ones who exposed the fraud not the external auditors.

I would be interested in hearing other opinions on the "changing role of the internal auditor" in this forum.

Respectfully,

Jim

No disclaimers provided except that the above are my own opinions.
--- Robert Allen <[EMAIL PROTECTED]> wrote:

> Jim,
>
> You raised an interesting thought/topic. But, I suspect you haven't gone far enough.
>
> Most auditors need to know that simply having a good policy or a well worded disclaimer isn't any more sufficient to protecting your company from a lawsuit than, let's say, having a well documented policy on how to capitalize and expense certain telecommunication investments at a company like ahh shall we say - WORLDCOM????
>
> Unfortunately, most auditors think that it's a matter of well documented "policies and procedures". And, then they top that off with something like "we need effective controls" "controls, controls, controls." Well, the fact of the matter is that doesn't mean JACK.
>
> Consider this: Your Company sends out their "disclaimer" which perhaps they learned about from a subscription to audit_net or which their consultant Protiviti recommended they adopt. Then, their computers are in fact used to perpetrate a DNS attack on several other companies through malicious code sent via email.
>
> Fast forward to a federal district court hearing where the PA (Plaintiff's Attorney) is cross examining your IT Auditor: "So you hired Protiviti to test your systems?".... "They recommended that you put a disclaimer on your emails?" ... "They didn't recommend that you run CSAHDAJHD scan to stop malicious outbound code?", "Now, exactly what skills did this 'Protiviti' have???" "Hmm, they had a staff fill out a form and send you a report?" "Did they run an Attack and Penetration against your systems" "Did your CIO get the report?"
>
> You see the point - it's ludicrous to suggest that policies and procedures and disclaimers are what this is all about. That kind of shallow thinking (and a little group thinking like this down in Houston last year) is what has given this profession a bad name.
>
> Now there's a topic for that conference down in Atlanta next Month!!!
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Kaplan
> Sent: Monday, February 10, 2003 6:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: E-Mail Disclaimers
>
> It is important to add disclaimers to your internal and external mails, since this can help protect your company from liability. Consider the following scenario: an employee accidentally forwards a virus to a customer by email. The customer decides to sue your company for damages. If you add a disclaimer at the bottom of every external mail, saying that the recipient must check each email for viruses and that it cannot be held liable for any transmitted viruses, this will surely be of help to you in court. Another example: an employee sues the company for allowing a racist email to circulate the office. If your company has an email policy in place and adds an email disclaimer to every mail that states that employees are expressly required not to make defamatory statements, you have a good case of proving that the company did everything it could to prevent offensive emails.
>
> Check out the following:
>
> http://www.emaildisclaimers.com/
>
> For email policy:
>
> http://www.emailreplies.com/Email_policy.html
>
> Hope this helps,
>
> Jim Kaplan
>
> At 10:29 AM 2/10/2003 +0800, you wrote:
> >-----Original Message-----
> >From: Abdul Samad Jaafar
> >Sent: Friday, January 17, 2003 11:39 AM
> >To: [EMAIL PROTECTED]
> >Subject: E-mail disclaimer
> >
> >Dear all,
> >
> >I have a question on the above matter, particularly to those who work with organisations that make it a policy for every outgoing e-mail to be attached with disclaimer/caution, such as the two e-mails below.
> >
> >My question is, does the disclaimer legally protect the sender/organization from potential problems arising from unauthorised dissemination, distribution or reproduction of the e-mail contents?
> >
> >Thank you.
> >
> >Abdul Samad Jaafar
> >Head of Internal Audit & Compliance
> >Public Mutual Berhad
> >Kuala Lumpur
>
> This conference provides expert speakers addressing the latest and most topical issues regarding new processes & practices helping internal auditors successfully meet the expectations of BODs & auditing committees, senior executives, clients and external consultants. Includes case studies from Fidelity Investments, Bon Secours Health Systems, Staples, Schwan Food Company, FedEx, Anchor Bancorp, and others.
>
> AUDIT-L SUBSCRIBERS WILL SAVE $200 using discount code: A434E.
>
> Register by calling 1-800-882-8684, email to: [EMAIL PROTECTED] or online at www.iqpc.com! Note: This discount cannot be combined with any other offer. Payment in full upon registration. For cancellation and conference policies, please visit www.iqpc.com.
>
> If your organization would like to sponsor this discussion list send an
=== message truncated ===
