:: wikimiki.org ::
| Audit |
Audit
An audit is an evaluation of an organization, system, process, or product, performed by competent, objective, and unbiased persons known as auditors. Its purpose is to verify that the subject of the audit was completed, or operates, according to approved and accepted standards, statutes, regulations, or practices. It also evaluates controls to determine whether conformance is likely to continue.
Audits evaluate conformance now and into the future; an inspection evaluates conformance at a point in the past. Both are important parts of management.
Some examples are:
- Academics audit
- Clinical audit
- Computer Security Audits
- Configuration Audit (as part of Configuration Management)
- Conformity assessment audit (ISO, HACCP, JCAHO)
- Environmental Audit
- Financial audit (the oldest)
- Information technology audit
- Internal audit
- Management system audit (quality audit, safety audit, environmental audit)
- Performance audit
- Security Audit (not computer-related)
- Auditing (Scientology): a form of counselling; see Scientology beliefs and practices.
- Telecommunication audit
Evaluation
Evaluation is the systematic determination of merit, worth, and significance.
Evaluation also means determining the value of an expression (mathematics) or expression (programming).
Evaluation describes the process of examining information about an evaluand.
Evaluation is often used in an educational context, but applies to many other areas, such as computer science, business, health interventions and engineering. Often evaluation is confused with assessment. However, evaluation is broader than assessment and involves making judgments about the merit or worth of an evaluand. Merit involves judgments about intrinsic value. Worth involves judgments about instrumental value. For example, a history and a mathematics teacher may have equal merit in terms of mastery of their respective disciplines, but the math teacher may have greater worth because of the higher demand and lower supply of qualified mathematics teachers.
The American Evaluation Association (www.eval.org) has created a set of standards that are commonly accepted as guidelines for evaluations. They provide guidelines about basing value judgments on systematic inquiry, evaluator competence and integrity, respect for people, and regard for the general and public welfare. The Joint Committee on Standards for Educational Evaluation (www.wmich.edu/evalctr/jc/) has developed standards for program, personnel, and student evaluation. The Joint Committee standards are broken into four sections: Utility, Feasibility, Propriety, and Accuracy. A link to the full AEA Evaluation and Joint Committee Standards can be found under "external links".
Dr. David Williams of Brigham Young University has established a framework of 14 questions to consider when determining the effectiveness of an evaluation:
# What is the background/context/literature information for understanding an evaluation plan or report?
# Who are the audiences/stake holders/information users who care about the evaluand and its evaluation?
# What is the evaluand these people care about?
# What issues, concerns or information needs do they have regarding the evaluand?
# What criteria do they have for judging the evaluand?
# What questions do they want to answer regarding how well the evaluand meets the criteria?
# What processes and activities were used to collect data to answer the questions and compare the evaluand to the criteria?
# What analysis procedures were used to interpret the data?
# What reporting strategies were used to get information to information users (interim and final)?
# What are the results or answers to the evaluation questions?
# What recommendations does this study yield?
# What resources were used to carry out the entire study, including team members?
# What schedule and budget were followed and how did they compare to what was planned?
# How did this study hold up against meta-evaluation standards?
Evaluation Techniques
There are many techniques and approaches for conducting evaluations. The following are some of the most common.
- The Delphi Technique
- Appreciative Inquiry
See also
- Educational Evaluation is evaluation that is conducted specifically in an educational setting.
- Assessment is the process of gathering and analyzing specific information as part of an evaluation.
External links
- [http://www.eval.org/EvaluationDocuments/progeval.html Guiding Principles] -- American Evaluation Association Guiding Principles for Evaluators
- [http://www.wmich.edu/evalctr/jc/ Evaluation Standards] -- Standards for effective evaluations, as determined by the Joint Committee on Evaluation Standards
- [http://www.sil.org/lingualinks/literacy/ReferenceMaterials/GlossaryOfLiteracyTerms/WhatIsFormativeEvaluation.htm Formative vs. Summative Evaluation] -- these are the two general purposes for evaluation
- [http://www.ibec-its.org IBEC] -- International Benefits, Evaluation and Costs Working Group for the ITS community
Statute
A statute is a formal, written law of a country or state, enacted by its legislative authority, in some systems then ratified by the head of the executive, and finally published. Typically, statutes command, prohibit, or declare something. Statutes are sometimes referred to as legislation or "black letter law."
In many countries, published statutes are organized in topical arrangements called codes, such as the Civil Code of Quebec or the United States Code.
The term statute is sometimes also used to refer to an international treaty that establishes an institution, such as the Statute of the European Central Bank (a protocol to the Treaty of Maastricht). This includes international courts as well, such as the Statute of the International Court of Justice and the Rome Statute of the International Criminal Court.
Regulation
A regulation is a legal restriction promulgated by government administrative agencies through rulemaking. This administrative law or regulatory law is in contrast to statutory or case law.
The economics of imposing or removing regulations relating to markets is analysed in regulatory economics.
Regulation as a legal term
A regulation (as a legal term) is a rule created by an Administration or administrative agency or body that interprets the statute(s) setting out the agency's purpose and powers, or the circumstances of applying the statute.
A regulation is a form of secondary legislation which is used to implement a primary piece of legislation appropriately, or to take account of particular circumstances or factors emerging during the gradual implementation of, or during the period of, a primary piece of legislation.
Other forms of secondary legislation are statutory instruments, statutory orders, by-laws and rules. Some of these (but not all of them) need to be referred back before being implemented, to the primary legislative process.
United Kingdom
An example in Britain is the primary, central government legislation covering the operations of local authorities, whose functions include education, social services, leisure provision, etc.
That primary legislation contains provisions allowing local authorities to legislate for themselves, within reason and under proper process, on a range of matters in their areas of responsibility. This allows the law to be applied effectively and with appropriate flexibility, taking account of local factors that are often best known to the local authority concerned.
Regulations also help the primary legislative process, the national parliament, avoid the potential bottleneck of working out the detailed implementation of every law it produces in all the varying circumstances throughout the land or throughout the period of their implementation.
France
In French law, the difference between statute law (adopted by the legislative branch) and regulation is of paramount importance when it comes to adoption, amendment or judicial review. The French constitution reserves a number of topics for statute law; in normal times, the executive branch may take decisions on such matters only if it has been specifically authorized by a statute to do so as secondary legislation through decrees, or if it has been specifically and rarely authorized by the legislative branch to do so as primary legislation through ordinances. On all other matters, the executive branch is solely responsible for issuing primary legislation through decrees. Secondary or tertiary legislation may come in the form of arrêtés.
All legislation and regulation issued by the executive, including ordinances not ratified by the legislative branch, is subject to judicial review by the administrative courts (see Conseil d'État).
European Union
EU regulation has a general scope, and is obligatory in all its elements and directly applicable in all Member States of the European Union. Any local laws contrary to the regulation are overruled, as EU Law has supremacy over the laws of the Member States. New legislation enacted by Member states must be consistent with the requirements of EU regulations. For these reasons regulations constitute the most powerful or influential of the EU legislative acts.
Other forms of legislative acts of the European Union (EU) are directives, decisions, recommendations and opinions.
Studies and analysis
[http://www.mercatus.org/regulatorystudies/article.php/1465.html Primer on Regulation] (Mercatus, 2005) by [http://www.mercatus.org/people.php/31.html Susan E. Dudley]
See also
- Rulemaking
- public affairs
- Delegated legislation
External links
- [http://www.globalizationandhealth.com/content/1/1/9 Article in 'Globalization and Health' on the regulation of food marketing to children]
- [http://www.parliament.uk/parliamentary_committees/regulatory_reform_committee/regulatory_reform_orders.cfm A glimpse into some United Kingdom deregulatory procedures]
- [http://www.businesslink.gov.uk/regulationupdates Regulation updates service on the UK government Business Link website]
- The [http://www.mercatus.org/index.php Mercatus Center] at George Mason University has a [http://www.mercatus.org/regulatorystudies/index.php Regulatory Studies Program]
Practice
A practice is a way that something is done.
Practice is also something that is done with the deliberate aim of learning.
Most commonly, practice is the act of repeating something over and over for the purpose of learning and gaining experience, as in the phrase "practice makes perfect". Playing a musical instrument well takes a great deal of practice, for example.
In British English, the verb is spelled "practise". The noun everywhere, and the verb in American English, is spelled "practice".
Work practices
Work practices are structured ways of working: things one must do, or ways in which something is done. They are not implemented by technologies, but are usually (though not necessarily) conceived by people. Technologies, by contrast, are usually things one can buy.
Examples of work practices include
- processes
- patterns
- decisions
- benchmarks
In software engineering, work practices include
- software inspection
- pair programming
- software reuse
Social practices
Social practices are related to customs for how various people enact various works or events.
Practices are also related to custom as used in the legal phrase "customs and practices" to refer to how people customarily conduct their business.
The article "diffusion (anthropology)" discusses how social practices spread from culture to culture. Diffusion of innovations theory examines the factors that spur adoption or rejection of new social practices.
See also
- practicalism
- software engineering and list of software engineering topics
- nursing practice
Inspection
An inspection is, most generally, an official examination or formal evaluation exercise. More specifically, it is the measurements, tests, and gauges applied to certain characteristics of an object or activity. The results are compared with specified requirements and standards to determine whether the item or activity conforms to those standards and meets the stated criteria. Inspections are usually non-destructive.
Specific instances
Software engineering
Software inspection, in software engineering, refers to peer review of any work product by trained individuals who look for defects using a well defined process.
Real estate
A property inspection is an examination for the purpose of evaluating a property's condition. In purchasing property, a "whole house inspection" tries to detect defects in the property. Railroad inspection locomotives were special types of steam locomotive designed to carry railroad officials on inspection tours of railroad property.
Government
In government and politics, an inspection is the act of a regulatory authority administering an official review of various criteria (such as documents, facilities, records, and any other assets) that the authority deems related to the inspection. Inspections are used to determine whether a body is complying with regulations. The inspector examines the criteria and talks with the individuals involved; a report and evaluation follow such visits.
The Food Safety and Inspection Service is charged with ensuring that all meat, poultry and egg products in the United States are safe to consume and accurately labeled. The Meat Inspection Act of 1906 authorized the Secretary of Agriculture to order meat inspections and condemn any meat found unfit for human consumption. The United Nations Monitoring, Verification and Inspection Commission was a United Nations body that inspected for weapons of mass destruction.
See also: weapons inspection
Mechanics
An "annual inspection" is a necessary inspection required on all general aviation aircraft to conform with Federal Aviation Administration safety regulations.
An "automobile inspection" is an examination of a vehicle's components, usually done by a certified mechanic. A vehicle passes a pre-warranty inspection if, and only if, the mechanic provides evidence that all vehicle components are in proper working condition.
Medical
A medical inspection is the thorough and unhurried visual examination of a patient, using the naked eye.
See also
- Surprise inspection
- United States Postal Inspection Service (USPIS): the law enforcement arm of the United States Postal Service.
- Review: writing that discusses an opinion of something, usually art or entertainment.
- Workers and Peasants Inspection: a Stalinist government organization.
- Inspection phase: judgements on knowledge of various subjects relating to events.
- Stateful Packet Inspection: tracking of the connection state between hosts.
Audit (academics)
An audit in academics is the completion of a course of study for which no assessment is completed or grade awarded; in particular, audit status is given to those who have elected not to receive a letter grade for a course in which letter grades are normally awarded.
This technique is often employed by individuals who wish to take a specific course without the risk of under-performance resulting in a poor or failing grade; this can be helpful when reviewing a long-unstudied subject, when first beginning the study of a discipline wherein one has little experience or confidence, when taking a course merely for enjoyment with no need or desire of academic credit, et cetera.
Auditing is generally an option at institutions of higher learning (colleges, universities) rather than grammar school (K-12).
Computer Security Audits
A computer security audit is a process that verifies that certain standards have been met and identifies areas in need of remediation or improvement. Decades ago, identifying the problem areas had to be done by a team of human auditors; now software can analyse what is on a computer and present the findings in a form that a non-expert can understand. It is important to use software that stays current with rapidly evolving security threats. Software cannot resolve the whole problem: users need to evaluate the reports, make changes to correct the problems, then rerun the reports. Once all reported problems are resolved, the bar is raised on the standards being pursued.
Computer security audits go beyond information technology audits. An IT audit examines what is on the computer system and how it is being used, to verify that programs work as intended and that the data is reliable; a security audit also verifies that none of the data is being tampered with, or can be tampered with, to show incorrect results. The risk of insider embezzlement, for example, can be detected by an information technology audit.
Auditing information security can be part of an information technology audit conducted by a team of human auditors with expertise in the computer system and application software being audited. Computer security audits go beyond the annual financial audits and physical inventory audits that are standard in most businesses, to the data content itself, how the data is stored (on a hard disk or other storage) and whether it is secure. Home users of personal computers cannot afford the price of a standard audit, so they must make do with whatever diagnostic tools are readily available.
There is some overlap between computer security audits and auditing information security.
Auditing information security tends to be a top-down, comprehensive analysis, typically undertaken only at major corporations such as those traded on the stock market, followed by education in the areas that need fixing; smaller companies and home users cannot justify the expense. A computer security audit is bottom-up: what can be resolved using automated software tools, combined with access to a range of educational material from which the affected users can pick the topics to learn at their own pace.
This computer security audit article describes what any individual computer user, business enterprise, government agency or non-profit organization can do, relatively inexpensively, to find out what security remediation is needed (much of which they can do themselves) and to get education on how to improve their security into the future. Some discoveries will lead to calling in professional help of the kind associated with auditing information security and other consultants. Computer security audit tools often come with access to continuing education, which the vendors market in different ways: some provide up-front consulting, others offer some amount of free technical support time.
In recent years computer technology has become like the personal automobile: apart from the problems of computer insecurity and frequent breakdowns, almost anyone can buy a computer, install it and start using it with almost no training. Many computer systems are delivered with defaults that are insecure if left as shipped, and much standard software has been designed without concern for security and then sold to millions of users who may not realize it.
This failure to include security in most software is not the result of nefarious motives on the part of software publishers, but an outgrowth of security education being thought of as specialized training that is not essential for programming. Many programmers are also self-taught, using textbooks that teach the mechanics of a language without the bigger picture of what it means to write quality software with good security, performance, ease of use, interoperability and database design, and that satisfies other information technology goals. As a result, many programmers have had little or no training in designing their work products for security.
This lack of security in many components has created a market for computer security tools that test systems to locate insecurity problems that can be repaired, give users and owners explicit instructions on how to fix them, and include resources to help users learn to do a better job of security, whether on personal computers at home or on larger organizational networks.
What these Audits Don't do
Many typical security breaches would not have occurred had the breached institution been doing regular computer security audits. But there are also types of breach that most state-of-the-art computer security audit processes do not prevent. Data in transit, outside the areas subjected to security audits, is also at risk, and this is normally not obvious to the people in charge of that data until after their first breach. Older hardware that was formerly standalone is also often connected to business networks with high security needs without any security review of that connection.
Prevent Laptop Theft
Sometimes a portable PC or laptop with critical data on it is stolen from a car. Audits at the company where the laptop's owner or user works may not prevent this (and many laptop users are effectively self-employed), but it can be prevented if the owner has had the security education that comes with auditing, which includes seeing what is needed to keep the laptop from carrying a wireless "steal me" sign, and verifying that the sign has been removed.
Some companies engaged in the computer security audit process include security education standards for all employees, but there is often enough personnel turnover that new staff are using computers in insecure ways long before the education reaches them. There is also often uncertainty about how much of this applies to what consultants and business partners do with data shared across multiple companies. Security is everyone's responsibility, and we need to do a better job of telling everyone how to find out what needs to be done.
Many laptops ship with wireless turned on by default. Cars are often parked in places without good security, and criminals can check parking areas for the wireless signals that reveal which locked cars contain laptops that are out of sight. The same applies to other semi-public areas where an owner or user might leave a laptop unattended. The laptop's wireless defaults are thus a "steal me" sign for new owners who do not realize they should turn the radio off when it is not needed.
Some Intruder Risks
Some types of security auditing do not yet have good automated, comprehensive diagnostic tools that can be applied at the network level instead of by tedious inspection of each individual PC, of which an enterprise can have a great many.
One of the security breaches at Microsoft involved a telecommuting employee whose home computer did not have the latest patches. The computers at Microsoft headquarters had state-of-the-art security, but not all employees and contractors were up to date. This is a common exposure for enterprises. The handshake by which a remote PC signs on to a larger network can include a script on the host system that checks the client for some security issues, but since the end user expects rapid sign-on, not everything is practical to check.
A white-hat communications check can find out whether any employee on an institution's network has software on their PC that makes it easy for an intruder to get into the network through them. The current state of the art is for a white-hat auditor who knows nothing about the business to see how far they can get armed only with a directory of the company's phone numbers, and then to repeat the exercise after being briefed about the business and its industry. Attack techniques evolve so rapidly that any enterprise wanting this kind of inspection should have it done by an outside consultant who is current on them.
Credit Card Commerce Theft
Many very small companies where credit cards are used, such as restaurants and retailers, are staffed by people whose expertise is in the products and services they provide, not in the technology being used. As with the personal automobile analogy, there are security risks for anyone who uses computer technology in business.
A special kind of phone line carries retail customers' credit card information through the process of verifying and approving the charge. This line can be tapped or attacked. Other enterprises in ordinary commerce and in e-commerce also rely on specialized communication services, all of which have security implications.
People at retailers and other enterprises are typically unaware of the security settings on their communication lines, whether those settings are up to date, and whether the method of connection is appropriate to the evolving collection of threats. It is like using an ordinary voice phone: we assume the line is not tapped and cannot imagine why anyone, short of a mistaken police investigation, would tap it. Yet a lot of cellular and wireless conversations travel over public airwaves, and there is a sub-group of society that listens to police scanners and other people's business for pleasure. Some of that other business is traffic of interest to criminals, such as credit card sales.
Normally a company gets something installed, sees that it appears to work, and the contract ends with the installation working as expected. But security for that installed service is a moving target: new threats need new security measures, and over time any installed technology that is not subjected to a relevant security audit process becomes more and more vulnerable. The knowledge that such an audit process is needed does not communicate itself to people who do not realize they need it.
Backup Media Theft
Data needs to be backed up in case something goes wrong where the computer is located: fire, natural disaster, serious human error, hardware failure, a vehicle crashing into the building, sabotage. Some of these risks have very low probability, but over the life of a computer there may be several incidents requiring access to what is on the backup. If the building housing a computer burns down, both the computer and any backups stored there are ruined.
Copies of the backups therefore need to be stored at another location, along with a list of the hardware needed to reconstitute the system and phone numbers for tech support and other services. There have been several instances of backups stolen in transit, and the security of transporting backups has been questioned; even bank armoured cars carrying money get robbed. It is a matter of weighing risks and then deciding how much to spend on securing the backup media in transit: what is the value of the data on those backups to a criminal?
Backups can be encrypted, but if something is corrupting the data, recovering it from a corrupted encrypted backup is beyond the means of the average business. A backup strategy therefore needs encryption on any media that leaves the premises, and an unencrypted copy kept with the computer but suitably secured, for example in a locked cabinet. Two practitioner checks belong alongside this: an integrity digest (checksum) stored with each backup, so that a corrupted copy is detected before a restore is attempted rather than during it, and a periodic test restore to confirm that the off-site copy is actually recoverable with the keys available.
Many people who use computer security audit tools apply them only to what is on the computer, ignoring this bigger picture.
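The integrity check mentioned above, as an added example (not code from the original page or from any backup product): a manifest of SHA-256 digests is written when the backup set is made and verified before any restore, so a copy damaged in transit or on the media is rejected in favour of another generation instead of being discovered mid-restore. The backup files, the manifest layout and the one-flipped-byte damage are all constructed for the example; this detects corruption but does not replace the encryption of media that leave the site.

```python
"""Integrity manifest for a backup set: hash every file when the backup is
made, store the manifest with the copy, and verify before any restore.
Added example; the files below are constructed in memory."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {path: bytes}. Returns per-file digests plus a digest over the
    entry list, so tampering with the manifest itself is also caught."""
    entries = {path: sha256_hex(data) for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "manifest_sha256": sha256_hex(body)}


def verify_backup(files, manifest):
    """Return {path: status} with status in {ok, corrupted, missing, unexpected}.
    Raises ValueError if the manifest does not match its own digest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    if sha256_hex(body) != manifest["manifest_sha256"]:
        raise ValueError("manifest digest mismatch: do not trust this manifest")
    result = {}
    for path, expected in manifest["entries"].items():
        if path not in files:
            result[path] = "missing"
        elif sha256_hex(files[path]) != expected:
            result[path] = "corrupted"
        else:
            result[path] = "ok"
    for path in files:
        if path not in manifest["entries"]:
            result[path] = "unexpected"
    return result


def restorable(files, manifest):
    """True only when every file in the set verifies as ok."""
    return all(status == "ok" for status in verify_backup(files, manifest).values())


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate media damage: invert one byte at `offset`."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


# Constructed backup set (not real data).
BACKUP = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'A. Smith');\n" * 50,
    "etc/app.conf": b"listen = 127.0.0.1:8080\nlog_level = info\n",
    "notes/restore-procedure.txt": b"1. verify manifest\n2. restore db\n3. restore config\n",
}
MANIFEST = build_manifest(BACKUP)

# A copy of the same set that suffered one flipped byte in transit.
DAMAGED = dict(BACKUP)
DAMAGED["db/customers.sql"] = flip_byte(BACKUP["db/customers.sql"], 100)


if __name__ == "__main__":
    print("original:", verify_backup(BACKUP, MANIFEST))
    print("damaged: ", verify_backup(DAMAGED, MANIFEST))
    print("restorable?", restorable(DAMAGED, MANIFEST))
```

The manifest travels with the off-site copy, and a second copy of its digest stays on site, so a restore can refuse a manifest that has itself been altered or truncated.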
Supply Chain Risks
In modern e-business, many computer systems at many different enterprises, and in the hands of ordinary users, communicate with each other over the cheapest competitive means, through a variety of intermediate service providers. There are security risks at each link in a communication chain between multiple computer systems. All these different entities need to provide some assurance of good security, and the whole process of assurance must be inexpensive enough that it does not drive competitors to places that are significantly cheaper because they are less secure.
Many companies do not handle every part of their business with internal employees. They may use other companies for product delivery, payroll, other accounting, or banking. Each of these other enterprises needs access to some of the data of the company using its services.
Some companies are in the business of communicating rather confidential information about police investigations, personal finances or medical matters. There are individuals authorized to access this data, which must somehow be communicated between the computer system of the company holding the data and the systems of the people authorized to see it.
The products and services that a company exists to provide are often sold to other companies, and the raw materials for them come from other companies. Data identifying what is needed, when, and at what price, along with forecasts of future needs, must be transmitted between them.
For the whole interconnected system to work without security breaches there must be good security, including a continuing security audit process, at each and every organization, service provider, computer, communication system, transportation method, storage location and paperwork system in the entire supply chain network, with communication to everyone who might be affected by a security breakdown to assure them about the safety of their data. The state of the art has done an inadequate job of communicating such assurances to the small participants in the chain.
Depending on the contractual relationship, some companies can send audit teams to the companies they do business with to verify that security standards have been adhered to. This is potentially quite expensive. Alternatively, industry-wide standards organizations such as ISO issue certifications to companies that meet certain standards, and other companies endeavour to do business only with those that have achieved them.
Where such Audits can Serve Everyone
Some protection should be on almost every computer: backups, power protection, and firewalls. Firewall logs of intrusion attempts can be sent to a service such as the [http://isc.sans.org/ Internet Storm Center] using software such as [http://www.dshield.org/ DShield].
Those who go looking for computer systems to break into without permission then become visible, across many contributors' logs, to the people whose business it is to identify and shut down such activity, which over time discourages criminal enterprises of this kind.
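What a firewall-log report does with "intruder attempts" before anything is shared, as an added example (not code from the original page, from DShield or from the Internet Storm Center): parse netfilter-style drop lines, total the attempts per source address, and flag sources that probed many ports. The log lines are constructed, the "FW-DROP" prefix and the three-port threshold are assumptions, and the DShield submission format itself is not reproduced here.

```python
"""Aggregate firewall deny-log lines per source address and flag port scanners.
Added example; the log lines below are constructed, not captured traffic."""
import re
from collections import defaultdict

# Constructed netfilter (iptables LOG target) lines with an assumed "FW-DROP"
# prefix.  The last line is an unrelated sshd message, included to show that
# non-matching input is skipped rather than mis-parsed.
SAMPLE_LOG = """\
Mar  3 02:14:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=22 SYN
Mar  3 02:14:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44322 DPT=23 SYN
Mar  3 02:14:11 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44323 DPT=445 SYN
Mar  3 02:14:12 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44324 DPT=3389 SYN
Mar  3 02:20:41 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=1434 DPT=1434
Mar  3 02:20:42 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=1434 DPT=1434
Mar  3 02:31:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.250 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Mar  3 02:31:09 gw sshd[4120]: Accepted publickey for ops from 203.0.113.9 port 50122 ssh2
"""

LINE_RE = re.compile(
    r"FW-DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for a firewall drop line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None   # ICMP has no ports
    return rec


def summarize(log_text):
    """Per-source totals: attempt count, distinct destination ports, distinct targets."""
    summary = defaultdict(lambda: {"attempts": 0, "ports": set(), "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["src"]]
        entry["attempts"] += 1
        entry["targets"].add(rec["dst"])
        if rec["dpt"] is not None:
            entry["ports"].add(rec["dpt"])
    return dict(summary)


def flag_scanners(summary, min_ports=3):
    """Sources that probed at least `min_ports` distinct ports (assumed threshold)."""
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


def report_rows(summary):
    """Rows an analyst reviews before submitting them to a log-sharing service,
    busiest source first: (source, attempts, distinct targets, ports probed)."""
    return [
        (src, e["attempts"], len(e["targets"]), sorted(e["ports"]))
        for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"])
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for row in report_rows(s):
        print(row)
    print("probable scanners:", flag_scanners(s))
```

On the constructed input the first source touches four ports in five seconds and is flagged; the UDP/1434 source repeats a single port and is not, though an analyst would still recognise that port from worm traffic. Counting distinct ports per source rather than raw line volume is what separates a scan from a noisy but benign peer.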
What these Audits do for small and medium size enterprises
Computer security audit tools are used by enterprises and government facilities running one of the common personal computer or network operating systems to find standard protections and settings that may have been overlooked in meeting various computer security standards. Businesses and governments using popular application software packages can get audit software tailored to the particular package, to identify settings that are not in the interests of good security and what needs fixing to reach the best known security standards for the industries where that software is ordinarily deployed.
Examples of these Audit Tools
For each example given, there are competing products and services that do similar things. In time, this article will comprehensively include info on more of them.
Enterprise Computing
Auditor's Computer Audit
Software is available that can be loaded on an operating system, in association with the visit of auditors for a financial or other audit, or as part of other oversight, to translate technical settings into a form understandable to non-technical people, such as audit staff who may be unfamiliar with the particular computer system or its software. The reports include both the widespread recommendations of various authorities that apply to most any computer system and some that are specific to an industry or a software package. This is contrasted with how the system being audited has implemented those rules, or has not complied with these national standards.
The technical staff of the institution may add comments explaining why the institution does not implement some national standards. For example, a software package used to run the business is considered mission critical, but implementing certain standards would crash it. Another example is that a specific manager has demanded that certain things be done that are incompatible with some standards. There may also be the issue that complying with some standards requires outside expertise for which there is no budget.
One of many such auditor packages is PS Audit from [http://www.netiq.com/products/psa/default.asp NetIQ], formerly PentaSafe, available for major operating systems such as Windows, Unix, Linux, and OS/400. It is designed to be used by general auditors, who need not know anything about the specific computer system, operating system, or application software used by the client being audited.
PS Audit analyses the settings of the operating system, computer security, and application software, and generates a report identifying computer insecurity that needs repair, addressing questions such as:
Can unauthorized people get onto this system?
What are all the ways that people can get onto this system, and how is each one secured?
Without giving out information that would be helpful to an Intruder, are there passwords here that are too easy to be guessed?
The auditors, management, and computer staff can then discuss what this audit tool has revealed, and prioritize what actions are needed.
It can also be left on the computer system for the client's use after the auditors have left, performing such tasks as monitoring system logs, with notification of events needing immediate action.
Many Businesses run on the IBM AS/400 whose Operating System is one of the most secure available, but modern business needs to be connected to many resources whose Security is less developed than what IBM offers.
At one time it was advertised as being so reliable that it did not need a computer staff. There are in fact several installations that run for weeks or months without needing a technical person other than general user help desk support. Problems of computer insecurity here are usually not due to malware, hackers, or any of the problems that personal computer users are familiar with, but avoidance of insider crime and certain patterns of systemic human error.
Report Card
When we are in school, the institution periodically issues a document that is a score card on how we are doing in our classes. When we are very young, this report goes to our parents or guardians. Computer security audit tools can do the same kind of thing with respect to elements of a computer system. The report goes to the owners or operators of the computer system. It is a summary statement of how we measure up to some standards, as of this point in our security education process, with links to more information on why we scored less than perfectly in this or that subject.
- [http://www.unbeatenpathintl.com/BOH/source/2.html Bill of Health], from Unbeaten Path International, provides a Report Card on your overall Computer Security, with guidance on what needs to be upgraded to improve your Security.
- A company keeps several copies of this report over time to show to auditors. This is evidence of corporate governance progress towards having and maintaining good computer security.
- Any time new software gets installed, or upgraded, the Bill of Health is run again, to make sure that no Security standards got compromised.
Who Dun it
At the beginning of detective stories we are often faced with a dead body, the wreckage of some place that got broken into and valuables stolen, or evidence that something got breached. We do not know who did it, how they did it, or what they took. Figuring that out is the challenge that keeps the human detective earning a paycheck. Similarly, when bad things are suspected of having happened to a computer system, we want to know exactly what got messed up, so that we can fix it, and we want to track down and apprehend the perpetrators, with smoking-gun evidence that will stand up in a court of law.
Statistics on computer crime can be very misleading for several reasons.
While the news media gives great play to computer security breaches due to outsiders breaking in, most computer crime, as reported in law enforcement statistics, is committed by insiders. This may seem counter-intuitive to operators of personal computers who are perpetually bombarded with spam, viruses, spyware, hackers, etc. However, if none of the incidents that we experience are reported to law enforcement, then they do not make it into the crime statistics. Similarly, the police only get involved if the damage amounts to significant sums of money, far in excess of the inconvenience to any one end user. When the criminal is an insider, the crime is much easier to solve than when it is an outsider. Thus there may be millions of unsolved crimes by outsiders which do not make it into the statistics because they are unsolved.
- [http://www.unbeatenpathintl.com/stitch_in_time/source/1.html Stitch in Time], from Unbeaten Path International, tracks updates to your database.
- It does not matter how the data got updated, by whom, using what kind of software, or system connection, because the files or tables contain internal rules about what contents are to be monitored. This builds a history of before / after changes, that can then be traced, using tools that are manager-friendly.
- When was this price changed, and by whom?
- Where did this inventory go, and who took it?
- Has anyone been changing the rules for vendor terms, in support of phony trading partners?
- The [http://www.unbeatenpathintl.com/award/source/1.html OS/400 community] recognizes this as a top notch service.
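To show the before/after history idea in working form, here is an added example (my own, not Stitch in Time's code or design) using SQLite from Python: a trigger attached to a price table copies the old and new values, the actor and the time into an audit table on every update, whichever program performed the write. The table names, the actor column and the sample data are constructed for the example.

```python
import sqlite3

# Constructed schema for this example (not the product's own design): a price
# table plus an audit table filled by a trigger. Because the trigger lives in
# the database, it fires for every UPDATE regardless of which program issued it.
AUDIT_SCHEMA = """
CREATE TABLE item_price (
    sku        TEXT PRIMARY KEY,
    price      REAL NOT NULL,
    updated_by TEXT NOT NULL   -- the application names the actor on every write
);
CREATE TABLE price_audit (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    sku        TEXT NOT NULL,
    old_price  REAL NOT NULL,
    new_price  REAL NOT NULL,
    changed_by TEXT NOT NULL,
    changed_at TEXT NOT NULL
);
CREATE TRIGGER price_audit_update
AFTER UPDATE OF price ON item_price
BEGIN
    INSERT INTO price_audit (sku, old_price, new_price, changed_by, changed_at)
    VALUES (OLD.sku, OLD.price, NEW.price, NEW.updated_by, datetime('now'));
END;
"""


def set_price(conn, sku, price, actor):
    """Change a price on behalf of `actor`; the trigger records the before/after pair."""
    conn.execute(
        "UPDATE item_price SET price = ?, updated_by = ? WHERE sku = ?",
        (price, actor, sku),
    )
    conn.commit()


def price_history(conn, sku):
    """Answer 'when was this price changed, and by whom?' for one SKU."""
    return conn.execute(
        "SELECT old_price, new_price, changed_by, changed_at "
        "FROM price_audit WHERE sku = ? ORDER BY id",
        (sku,),
    ).fetchall()


def changes_by_unexpected_actors(conn, allowed_actors):
    """Audit rows whose actor is not on the approved list: the starting point
    for 'has anyone been changing the rules?'."""
    rows = conn.execute(
        "SELECT sku, old_price, new_price, changed_by FROM price_audit ORDER BY id"
    ).fetchall()
    return [row for row in rows if row[3] not in allowed_actors]


def build_sample_db():
    """Constructed scenario: two SKUs, three changes, one by an unapproved actor."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(AUDIT_SCHEMA)
    conn.execute("INSERT INTO item_price VALUES ('WIDGET-1', 10.00, 'loader')")
    conn.execute("INSERT INTO item_price VALUES ('GADGET-7', 25.00, 'loader')")
    set_price(conn, "WIDGET-1", 12.50, "alice")
    set_price(conn, "WIDGET-1", 9.99, "bob")
    set_price(conn, "GADGET-7", 1.00, "nightbatch")  # nobody approved this actor
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for old, new, who, when in price_history(db, "WIDGET-1"):
        print(f"WIDGET-1: {old} -> {new} by {who} at {when}")
    print("unexpected:", changes_by_unexpected_actors(db, {"alice", "bob"}))
```

The trigger only knows the actor because the application writes it into updated_by; a write that alters the price without naming a new actor would be attributed to the previous one, so in a real deployment the actor would come from the database session or operating-system user rather than from a row column, and the audit table itself would be writable only by the trigger.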
What these Audits do for Home computer users
- Go to [http://www.grc.com/default.htm Steve Gibson Research site], scroll down to Shields Up, run tests until you find things that need fixing, fix them, then return here and test again. Repeat until you have nothing left to fix.
- One of the biggest problems on Personal Computers = Spyware.
- Most Anti-Virus does not protect against this.
- Many products that claim to be Anti-Spyware are in fact Spyware.
- You need to have more than one Anti-Spyware product on your PC because none of them protect against all the threats.
- Fortunately, several sites have evaluated the different solutions that are out there.
- Unfortunately, several sites that claim to do this, in reality are promoting Spyware disguised as Anti-Spyware.
- Visit [http://www.spywarewarrior.com/ Spyware Warrior]
- For other guidance on protection, see the Spyware article.
See also
- Computer insecurity, or all the things that can go wrong thanks to [http://en.wikipedia.org/wiki/Computer_insecurity#Vulnerabilities vulnerabilities] to malware, hackers, crackers, vandals, Insider crime, then what all has to be done to protect against this.
- Computer security or Good Design to achieve good Security
- Penetration Testing
- Security breaches
References
External links
- http://auditnet.org/ Information Technology Audit Resources.
IBM Midrange Security
- http://www.woevans.com/ Wayne Evans is one of the fathers of IBM Computer security architecture. He has retired from IBM and now does consulting work, which includes education in computer security. Some of that education can be downloaded from his web site.
- One of the mothers of IBM Computer security architecture has retired from IBM and founded [http://www.skyviewpartners.com/java-skyviewp/index.jsp Skyview Partners] in concert with another former IBM professional. They provide security audit tools and security education.
- [http://www.unbeatenpathintl.com/ Unbeaten Path International] provides services including security audit tools for the IBM AS/400 market, and security education for the staff of such computer systems.
- Government Compliance Standard [http://www.unbeatenpathintl.com/ITstandards/source/1.html overviews], by no means complete, but a good introduction. Other education can be downloaded from this web site.
Category:Computer security
Category:Security
Category:Management
Category:Accounting
Configuration management
In information technology and telecommunications, the term configuration management or configuration control has the following meanings:
#The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures and test documentation of an automated information system, throughout the development and operational life of a system. Source Code Management or revision control is part of this.
#The control of changes--including the recording thereof--that are made to the hardware, software, firmware, and documentation throughout the system lifecycle.
#The control and adaptation of the evolution of complex systems. It is the discipline of keeping evolving software products under control, and thus contributes to satisfying quality and delay constraints. Software configuration management (or SCM) can be divided into two areas. The first (and older) area of SCM concerns the storage of the entities produced during the software development project, sometimes referred to as component repository management. The second area concerns the activities performed for the production and/or change of these entities; the term engineering support is often used to refer to this second area.
#After establishing a configuration, such as that of a telecommunications or computer system, the evaluating and approving changes to the configuration and to the interrelationships among system components.
#In distributed-queue dual-bus (DQDB) networks, the function that ensures the resources of all nodes of a DQDB network are configured into a correct dual-bus topology. The functions that are managed include the head of bus, external timing source, and default slot generator functions.
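Definitions 1 and 2 above turn on recording an approved configuration and detecting changes to it. As an added example (not from any of the tools listed on this page), the following Python script records a baseline of file digests, which would be stored under revision control when the configuration is approved, and compares a later snapshot against it to classify drift as added, removed or modified files. The directory layout and file contents are constructed in a temporary directory for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under `root` (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare(baseline, current):
    """Classify drift between a recorded baseline and the live snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario in a temporary directory: record a baseline, make
    three unrecorded changes, and report them. Returns the compare() result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF constructed placeholder")

        # The baseline is what would be checked into revision control at approval time.
        baseline_json = json.dumps(snapshot(root), indent=2, sort_keys=True)

        # Changes made outside the change-control process.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # weakened setting
        (root / "etc" / "hosts").unlink()                                    # file removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/backup\n")

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A digest manifest records only content, not ownership or permission bits; a production baseline would include those too, and the manifest itself must be stored where the audited system cannot rewrite it, or the comparison proves nothing.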
See also Information Technology Infrastructure Library, Capability Maturity Model
For a more complete list see List of revision control software.
- [http://www.accurev.com AccuRev], a commercial product designed to mirror your optimal development process with the leading stream-based architecture. Free software download and SCM white papers available.
- [http://www.aldon.com/ Aldon Lifecycle Manager] — A process-centric software configuration and change management system supporting multiple platforms. Eclipse and SCCI compliant.
- Evolution, ([http://www.ionforge.com available here]), simply better SCM and digital asset management. Enterprise strength source control with excellent features for decentralized development, but affordable for small development teams. Free for single user use. 30-day full featured multi-user evaluation version available for free.
- [http://www.borland.com/us/products/starteam/index.html StarTeam], Borland StarTeam 2005 is a comprehensive software change and configuration management solution that provides large, geographically distributed development teams with a robust platform for coordinating and managing the entire software delivery process.
- [http://www.razor.visible.com Razor], an easy to use version control system that adapts to your process (.scc compliant)
- [http://www.mccabe.com/true.htm TRUEchange]
- GNU Arch, a distributed revision control system
- Code Co-op, affordable peer-to-peer version control system for distributed development (can use e-mail for synchronization) (.scc compliant)
- CVS, a descendant of RCS (.scc compliant?)
- DCVS, a CVS based version control system for distributed software development
- Telelogic SYNERGY, a Task-Based CM system (.scc compliant)
- Serena Changeman (formerly known as PVCS), a competitor of SCCS (.scc compliant)
- Rational ClearCase, a proprietary program (.scc compliant)
- [http://www.perforce.com Perforce], a powerful and very fast proprietary version control system
- RCS, features separate backward deltas for faster access to the trunk tip compared to SCCS and an improved user interface; the former at the cost of slow branch tip access and missing support for included/excluded deltas (.scc compliant)
- Visual SourceSafe (.scc compliant)
- Subversion, a compelling replacement for CVS
- SCCS the original UNIX .scc program, based on interleaved deltas (and, contrary to common misbelief, not separate forward deltas/diffs); by included and excluded revisions, can construct versions as arbitrary sets of revisions (resp. the deltas associated with them)
- AllChange flexible configuration management solution
- Bitkeeper, a proprietary configuration management solution.
- Cfengine, administers and configures computers according to high-level language configuration files
- [http://reductivelabs.com/projects/puppet Puppet], administers and configures computers according to high-level configuration files
- LCFG, a large scale UNIX configuration system
- [http://www.vestasys.org/ Vesta], an advanced configuration management system. Free software. Used at [http://www.intel.com/ Intel] for microprocessor design.
- AllFusion Harvest Change Manager, commercial change and configuration management tool from Computer Associates
- [http://bazaar-ng.org/ Bazaar-NG], is an open source distributed version control system still in the early stages of development
- [http://www.kernel.org/pub/software/scm/cogito/ Cogito/git] is used to manage the source tree for the Linux kernel.
- [http://www.selenic.com/mercurial Mercurial] is a fast, free, distributed SCM system.
- [http://www.auto-trol.com KONFIG CM], the total configuration management solution for software, hardware, data and all physical items.
Sites for configuration management
- [http://www.cmcommunity.com/ CM Community], Connecting Configuration Management Professionals around the World: an independent website with numerous resources on configuration management, including a CM forum, CM jobs database, CM salary survey, CM processes, etc.
- [http://www.abs-consulting.com/ ABS Consulting], Professional SCM services company specializing in Rational ClearCase
- [http://www.cmcrossroads.com/ CM Crossroads], an online community for Configuration Management
- [http://www.snuffybear.com/ucmcentral.htm UCMcentral], Configuration Management Coffee Break Site
- Steve Easterbrook's CM Resource Guide [http://www.cmiiug.com/]
- Parallel Development Strategies for Software Configuration Management [http://www.methodsandtools.com/archive/archive.php?id=12]
- An article on Open source configuration management tools, including references to many of them, see [http://www.dwheeler.com/essays/scm.html Comments on OSS/FS Software Configuration Management (SCM) Systems]
- [http://www.cmmagazin.de/ CM Magazin], a German-language online magazine for Configuration Management
See also
- Revision control
- Change management
- Change detection
- Dependency management
- Software configuration management
- Programming tool
- Software engineering
- List of software engineering topics
External links
- [http://cfengine.org Cfengine.org]
- [http://cfwiki.org cfwiki.org]
- [http://www.software-pointers.com/en-configuration-tools.html Software-Pointers - List of Configuration Management Tools]
- Article [http://www.methodsandtools.com/archive/archive.php?id=3 Software Configuration Management for the Web] from [http://www.methodsandtools.com/ Methods & Tools]
Source
- Federal Standard 1037C and from the National Information Systems Security Glossary
Category:Version control systems
Category:Technical communication
Category:Method engineering
Category:Configuration management
Environmental audit
Environmental Auditing is a systematic, documented, periodic and objective process for assessing an organization's activities and services with the aims of:
- Assessing compliance with relevant statutory and internal requirements
- Facilitating management control of environmental practices
- Promoting good environmental management
- Maintaining credibility with the public
- Raising staff awareness and enforcing commitment to departmental environmental policy
- Exploring improvement opportunities
- Establishing the performance baseline for developing an Environmental Management System (EMS)
An Environmental Audit is an independent assessment (not conducted by the EPA) of a facility's compliance policies, practices, and controls. Many pollution prevention initiatives require an audit to determine where wastes may be reduced or eliminated or energy conserved. Many supplemental environmental projects that offset a penalty use audits to identify ways to reduce the harmful effects of a violation.
The term also refers to an analysis of the technical, procedural and decision-making aspects of an environmental impact assessment (EIA), carried out some time after a proposal has been implemented.
Financial audit
A financial audit is the examination of financial records and reports of a company or organisation, in order to verify that the figures in the financial reports are relevant, accurate, and complete. The general focus is to ensure the reported financial statements fairly represent a company's stated condition for the firm's stakeholders. These stakeholders will be interested parties, such as stockholders, employees, regulators, and the like.
Doing a financial audit is called the "attest" function. The general purpose is for an independent party (the CPA firm) to provide written assurance (the audit report) that financial reports are "fairly presented in conformity with generally accepted accounting principles."
Because of major accounting scandals (failure by CPA firms to detect widespread fraud), assessing internal control procedures has increased in magnitude as a part of financial audits.
Financial audits are typically done by external auditors (accountancy firms). Many organizations, including most very large organizations, also employ or hire internal auditors, who do not attest to financial reports. Internal auditors often assist external auditors, and, in theory, since both do internal control work, their efforts should be coordinated.
History
The earliest surviving mention of a public official charged with auditing government expenditure is a reference to the Auditor of the Exchequer in 1314. The Auditors of the Imprest were established under Queen Elizabeth I in 1559 with formal responsibility for auditing Exchequer payments. This system gradually lapsed and in 1780, Commissioners for Auditing the Public Accounts were appointed by statute. From 1834, the Commissioners worked in tandem with the Comptroller of the Exchequer, who was charged with controlling the issue of funds to the government.
As Chancellor, Gladstone initiated major reforms of public finance and Parliamentary accountability. His 1866 Exchequer and Audit Departments Act required all departments, for the first time, to produce annual accounts, known as appropriation accounts. The Act also established the position of Comptroller and Auditor General (C&AG) and an Exchequer and Audit Department (E&AD) to provide supporting staff from within the civil service. The C&AG was given two main functions – to authorise the issue of public money to government from the Bank of England, having satisfied himself that this was within the limits Parliament had voted – and to audit the accounts of all Government departments and report to Parliament accordingly.
Prior to the 1930s, corporations were required neither to submit annual reports to government agencies or shareholders nor to have such reports audited. In the United States, the Securities Exchange Act of 1934 required all publicly traded companies to disclose certain financial information, and that financial information be audited. The establishment of the Securities and Exchange Commission (SEC) created a body to enforce the audit requirements.
In the United States, the SEC has generally deferred to the accounting industry (acting through various organizations throughout the years) as to the accounting standards for financial reporting, and the U.S. Congress has deferred to the SEC. Accordingly, financial auditing standards (and what financial audits accomplish) have tended to change (and increase) only after auditing failures.
The most recent and familiar case is that of Enron. The company succeeded in hiding some important facts, such as off-book liabilities, from banks and shareholders. Eventually, Enron filed for bankruptcy, and (as of 2005) is in the process of being dissolved. One result of this scandal was that Arthur Andersen, then one of the five largest CPA firms, worldwide, lost their ability to audit public companies, essentially killing off the firm.
Process of audit
A financial audit is usually done annually through 3 main steps.
Interim review
This is the first approach to the company. It usually covers the first half of the financial year. For instance, if a company closes its accounts yearly on December 31, the interim review will cover January to June.
The purpose is
- to understand the business of the company, the environment in which it operates (this includes aspects such as competition, legal requirements, economy, etc), what its main issues are
- to identify the audit risks, that is, what kinds of mistakes (deliberate or not) could be made in this company. For instance, if the income of sales representatives is directly linked to the sales they generate (it's of course never the case), they could try to overstate their figures, leading to an abnormally high income.
- to assess the internal control procedures (checks on the firm's internal processes, such as inventory) actually in place. This is an important step, as it will later allow the auditors to determine whether basic or advanced investigations are needed. Indeed, if the internal control procedures seem to be reliable, there is no need to check the accounts further.
Hard Close
This audit precedes the closing date.
For a company closing on December 31, the Hard Close would typically occur using numbers as of November 30. Note: some hard closes are performed using the numbers as of the preceding quarter end (i.e. in the above example as of September 30). The purpose is to audit all movements year to date.
The work done in this step is not repeated during the Final.
Final
This is the latest step of the audit, usually some weeks after the closing. Thanks to the work already done during the Hard Close, only the remaining range between the date of the Hard Close and the closing has to be audited.
Main tests for each process
- Cash
  - Bank reconciliation: Analysis of the amounts that are written in the books but not in the bank statements, and conversely. The purpose is to be able to explain each difference between the books and the bank statements. Usually, as the audit occurs some months or weeks after the closing date, auditors get the latest bank statements to check that the discrepancies have disappeared. Above all, the purpose is to check that revenues written only in the books now appear in the bank statements (which would mean that receivables have indeed been collected).
  - Circularization: To ensure that the amounts for each bank account specified in the trial balance are correct, auditors send a request to every bank of the company to obtain the balance at the closing date. Banks usually also mention the debts incurred by the company, current guarantees, and the people who have the power to transfer funds to and from the bank accounts.
  - Financial interest: The purpose is to confirm the amount of interest charges and interest revenues. Usually, auditors perform a global test by calculating the average interest rate and the credit and debit balances throughout the year.
  - Marketable securities: Auditors verify that the gains and losses from the purchase and sale of marketable securities are correctly stated.
  - Petty cash inventory: Auditors simply count the petty cash.
- Equity
  - Table of the variation of equity: This means explaining the variation of equity, mainly reserves and retained earnings.
  - Legal documents: Check that the legal documentation properly reflects changes in equity.
- Receivables
  - Debtors circularisation: Auditors select a sample of the largest debtors and send letters to those debtors requesting that they agree or disagree with the balance, with an explanation. Because some customers are disinclined to respond to such letters, especially where elements of balances are in dispute, this testing is generally combined with a review of cash receipts after the balance sheet date, in order to provide more substantive evidence that the balance sheet debtors figure is accurate.
  - Review of the bad debt provision: Auditors review the provision made by the client against debtors for amounts unlikely to be recoverable, and discuss any significant balances with accounting staff. This is combined with a review of an aged version of the accounts receivable ledger to identify accounts and invoices which are significantly overdue. Where overdue amounts are not included in the bad and doubtful debt provision, the auditors will seek evidence that those debts are recoverable.
- Payables
  - Supplier statement reconciliation: Auditors select a sample of suppliers and request a statement of the outstanding invoices and credit notes from each. These statements are then reconciled to the accounts payable ledgers maintained by the firm being audited, and any reconciling items investigated.
- Debts
- Overheads
- Fixed assets
- Taxes
- Intercompany operations
- Payroll
- Provision for risks and charges
- Stock
- Financial results
- Exceptional items
- Other
- Margin
- Balance sheet review
- Consolidation
Rationale for auditing
Audit has different specific manifestations throughout the world, but each kind has some main components in common.
Commercial relationships versus objectivity
One of the main problems in audit is the conflict between the need to control a company and the business relationship between the company and its auditors. On one hand, the audit company has to thoroughly check the books, but on the other hand, it has to satisfy its customers, who are its source of revenue. In practical terms, this means that the audit company will try to protect itself by carrying out the minimum checks, but sometimes if there are doubts or grey areas, it won't push things further, particularly if the client is a bit reluctant to give out information. The power of the auditor is limited by its need to maintain revenues.
Significant audit companies
These firms are the larger multinational accountancy firms, and in addition to providing audits, they also provide other services like consultations.
- KPMG
- PricewaterhouseCoopers
- Ernst & Young
- Deloitte
Differences in terminology - US GAAP vs UK GAAP
Whilst the format of financial statements is roughly the same in the US and Europe, there are some differences in the accounting terms used.
The table below highlights some of the common ones:
Category:Accounting
Internal audit
An internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal auditing reviews the reliability and integrity of information, compliance with policies and regulations, the safeguarding of assets, the economical and efficient use of resources, and established operational goals and objectives. Internal audits encompass financial activities and operations including systems, production, engineering, marketing, and human resources.
From 2003, internal audit departments play a crucial role in the internal control assessments required by section 404 of the Sarbanes-Oxley Act.
The Institute of Internal Auditors (IIA), an independent trade organization, i.e. unlike commercial organizations such as COSO, believes that an organization is best served by an internal auditing staff. Professional auditors who take and pass a series of examinations given by the IIA can become Certified Internal Auditors (CIA).
References
Category:Accounting
Quality audit
Quality Audit means a systematic, independent examination of a quality system. Quality Audits are typically performed at defined intervals and are geared toward determining if the quality system complies with applicable regulations or standards. This involves assessing the standard operating procedures (SOPs) for compliance with the regulations, and also assessing the actual process and results against what is stated in the SOPs. The U.S. Food and Drug Administration requires quality auditing to be done as part of its Quality System Regulation (QSR) for medical devices. Quality auditing is also an important element in ISO's quality system standard, ISO 9001.
Performance audit
Performance Audit refers to an examination of a program, function, operation or the management systems and procedures of a governmental or non-profit entity to assess whether the entity is achieving economy, efficiency and effectiveness in the employment of available resources. The examination is objective and systematic, generally using structured and professionally adopted methodologies. Results and findings are stated in terms of yardsticks derived from the entity’s mission, vision, values or goals, or metrics based on these.
Many national governments support professional or advisory bodies that publish standards and guides for conducting performance audits.
Performance audits are often conducted by Internal Auditors who are employees of the entity being audited. However, some national governments require agencies, departments and branches to periodically retain outside auditors to conduct them.
Although there are separate professional credentials and certifications for Financial Auditors, the persons that conduct Performance Audits in the USA are often Certified Public Accountants.
Performance audits normally are neither intended nor able to detect fraud, waste or abuse. However, findings from a performance audit can sometimes indicate situations that should be examined by law enforcement investigators.
Scientology beliefs and practices: This article examines the beliefs and practices of Scientology as taught by the Church of Scientology. For variants, see Free Zone.
Beliefs
Core beliefs and central tenets of Scientology
The core beliefs of Scientology are centered on:
# The spiritual nature of men and mankind.
# The rehabilitation of the human spirit.
# The methodology for accomplishing such a rehabilitation.
# The role of L. Ron Hubbard in developing such a methodology.
# The inherent value such a methodology has for all mankind.
# The inherent ability of people to change and improve conditions using Scientology.
# The inherent responsibility each person has to make the world a better place.
The central tenets of Scientology are based on the belief that a person is an immortal spiritual being (referred to as a thetan) who has a mind and is motivating a body, but is neither of these. A thetan is basically good and trying to survive.
An important theme running through Scientology writings is helping people. Scientology holds that not only can people change, improving themselves and their conditions, but they can also be helped.
The Dynamics
Scientology holds that man's survival depends upon himself, his fellows, and his attainment of brotherhood with the universe. L. Ron Hubbard defined the state of "survival" as a series of eight areas of survival urge, which he referred to as the eight dynamics:
# The individual
# The family, children, and sex
# Groups
# Mankind
# The animal kingdom
# The physical universe
# The spiritual being and the spiritual world
# Infinite reality
These areas are used to understand one's life, and to improve one's solutions to life by bettering one's understanding of the different areas of life.
As an illustrative example of an out-of-balance solution, a common dictator will solve the apparent problems of his own country (the 3rd dynamic) in an imbalanced fashion by committing crimes against humanity (the 4th dynamic). As seen in a variety of examples from history, this eventually backfires.
Because Scientology teaches that furthering "existence" is the preferred spiritual path, a common phrase used within the organization is: "The greatest good for the greatest number of dynamics." The idea implies a balance among all areas.
Critics state this goal is designed to ensure all actions made by Scientologists benefit the Church first, before any other accomplishments are taken into consideration. Scientology responds that any decent and honest organization has the right to work for its survival, and maintains true survival for the individual depends on a proper balance of all of the dynamics of Life, which each person must decide for themselves.
The Dynamics do not only encompass "survival", but also expand to include creativity when talking about activity in the realm of the spirit.
Reactive mind and engrams
L. Ron Hubbard's book Dianetics teaches that a person's upsets, limitations and harmful acts can be attributed in part to a portion of his mind of which he is normally unaware, called the reactive mind or "reactive bank". This is claimed to be a portion of the mind which stores exact impressions, meanings and measurable electrical charge (engrams) of past events which occurred while the person was unconscious or otherwise not completely aware. The common element in these recordings is pain and unconsciousness, which then act to cross-associate and cross-wire the incidents involved in the mind. Linked by pain, these cross-associations interfere with logical thinking and action. These engrams can be restimulated to a greater or lesser degree when the current situation matches in some way the contents of the engram, especially when a person is tired, causing irrational emotional responses or psychosomatic illnesses. The aware, reasonable portion of a person's mind is referred to as the analytical mind, later claimed by Hubbard to be the spirit itself.
Scientologists believe that the reactive mind has a malignant effect, causing irrational behavior and creating individual weaknesses as well as undermining efforts to create lasting, prosperous, and sane societies. Past painful incidents are seen as acting as templates for future actions and events, which are often acted out with destructive results.
Later writings by Hubbard broadened this view so that engrams (incidents involving physical trauma) are a general description of any entheta (enturbulated spirit) with pain and unconsciousness in the reactive mind. Hubbard proposed that this pain and unconsciousness, when perpetrated by others, has specific manifestations including the Goals Problem Masses (GPMs) (a complex of problems accumulated in the pursuit of various goals across lifetimes that result in a mass of confused goals and problems at odds with each other) and implants (significances and pictures that have been forcibly planted in one's mind, as a means of mind control).
Dianetics can be said to be Hubbard's effort to investigate and address the pathology of the stimulus response mechanism of the human mind. In contrast, psychiatric writings specifically describing and addressing the pathology of the stimulus response mechanism of the human mind have been incredibly difficult to find, and could in fact be said to be essentially non-existent.
The Tone Scale
The tone scale is a characterization of human mood and behaviour by various positions on a scale from +40 to -40. For example, 40 on the tone scale (often described as Tone 40) corresponds to "Serenity of Beingness" whilst -40 corresponds to "Total Failure". Negative tones are said by Scientology to be dangerous, as the emotions or moods in the negative range theoretically impair the person's interactions with the world around them.
Scientologists claim that people get to a higher level on the tone scale through "auditing."
For details, see Tone scale.
The Bridge
The original goal of Scientology teaching was to reach the highest level of "awareness," originally defined as the state of Clear. Hubbard originally claimed that a person who obtained the "state of Clear" would find himself able to use "100%" of his mind, and engage in superhuman feats of mental skill. Later Hubbard taught that there were confusions between what was possible with a Clear, and what was possible with more advanced states. Achieving Clear is still considered vitally important. Scientology still promotes the State of Clear as a goal to be reached, and Scientology courses are intended to provide a path to the state of Clear, and beyond. Scientology promotes this path as the Bridge to Total Freedom, and it encourages all Scientologists to "move up the Bridge" towards this level of awareness. Moving to higher levels on the Bridge towards total freedom takes precedence over all other duties in Scientology for the most dedicated, and all tasks performed by Scientologists are seen as a step towards "moving up the Bridge."
Critics of Scientology note that the cost of "moving up the Bridge" becomes increasingly greater as one proceeds further into Scientology initiation. This cost, which amounts to tens or even hundreds of thousands of dollars by the time the upper levels are reached, is the source of enormous tension between Scientology, its critics, and Scientologists who eventually leave the organization before obtaining the state of Clear, or after it. (See Church of Scientology for additional details of its costs.)
Upon reaching the state of Clear, a Scientologist's goals are then set to the next level. After becoming Clear, Scientology encourages its adherents to move towards the level of Operating Thetan (OT). It is at this point that the controversy over the "secret" teachings of Scientology becomes prominent to anyone attempting to study its beliefs, whether inside or outside the organization.
A less well-known aspect of the Bridge is that while the lower levels are delivered in auditing sessions with a professional auditor, in the upper levels much of the auditing is done in a specialised set of procedures called "Solo Auditing", where the person is his/her own auditor. Obviously, a person, once expertly trained in these procedures, does not pay fees for being his own auditor.
Past lives
Many Scientologists report recalling past lives through auditing. Scientology claims that through auditing, ultimately anything that has happened to one was something the person somehow himself created or allowed and that they need to take responsibility to be free of its burden. A person must be willing to confront and be responsible for the situation he finds himself in. Thus Scientologists tend to have strong feelings regarding personal responsibility for the world around them, especially since they believe they will come back to live in the world they helped create.
Often, a newcomer will become fascinated with speculations about who or what he was in a past life. Scientology does not engage in spiritualist readings to tell or find out for someone who or what he was. The Scientology auditor's code prevents an auditor from telling or suggesting to a person any answers to these questions. Rather, auditing will bring these things to light as a positive if secondary benefit of the procedure.
Much of the controversy surrounding Scientology is a consequence of the doctrine of the immortal spirit in combination with the acceptance of past lives. The logical extension is that if one is immortal, then one did not always have past lives in human form, only in historically documented cultures, or only on planet Earth. In fact, given a truly immortal being, and immense periods of time, unusual coincidences between events widely separated in time would easily attract more attention and notoriety than the commonplace and often boring lifetime of, for example, a serf or a peasant. A truly immortal being might not even be restricted to living his or her existence in a single universe.
Another aspect of past lives is that, with "life times that number like grains of sand on the beach," almost any combination of circumstances may have occurred in the past, with any number or combination of people, and as such many things will repeat to one degree or another. You could have hundreds of lifetimes as a pirate, housewife, tribesman, or in a world on the brink of a major war.
What this means is that while a person may be pleased or thrilled or displeased or horrified with a particular past life, ultimately the significance of past lives is not as important as you would think at first. What is more important is releasing the force of impact of events and amnesia about past events that continue to compel one into a specific aberrant behavior or attitude, even when that original incident is long forgotten.
Critics call this belief a pseudoscience, stating the theory seems to be tailored so it is not falsifiable by any observations of the real world. They point out that whatever reaction a person has can be ascribed to some previously unknown incident in one of the many past lives.
See also the general article on Reincarnation
The Tech
Scientology bases its teachings on the writings of L. Ron Hubbard. The Church of Scientology claims to be one of the first religious organizations to have the vast majority of its founder's writings and thoughts available both in print, as approved by the author, and in over 6,000 taped lectures. Over a period of more than thirty years, Hubbard developed an enormous body of instructions, rules, and regulations for properly "applying" Scientology. A number of stories can be gleaned by reading in between the lines of these materials which reveal a common human inability in some students to grasp and apply materials, and Hubbard's effort to ensure total comprehension of his work and see that these writings and instructions were fully and correctly applied. As a result of this effort, Hubbard developed what became known as the system of Standard Tech. Standard Tech is the system developed and codified by Hubbard in the 1960s at his home at Saint Hill in England. These writings, which are looked upon as scripture in Scientology, are officially known as "Training and Auditing Technology," although among Scientologists, Hubbard's technical writings are referred to as Standard Tech or simply The Tech.
Scientology teaches that there is a correct or best sequence of auditing to follow, called the Bridge. This course is claimed to mark out the only known way out of what Hubbard calls "the physical universe trap." It consists, in large part, of addressing those areas that trap people if left unhandled, in the correct sequence. The Bridge is held to be an unalterable sequence that all Scientologists must follow in precise order, exceptions being various optional procedures designed to address specific issues. One such is called Life Repair, where various elements of the Tech are used as needed to help address the ordinary travails of life. Another example is the Student Repair rundown, addressing the upsets and travails one has experienced as a student. There are a large number of such optional repair procedures for a wide number of circumstances. When these are done (as needed) and fully completed to the satisfaction of the person being audited, one then proceeds to the next step of the Bridge.
The Tech is believed, by adherents to Scientology, to have a "100% success rate, when applied correctly" and it is often stated within Scientology that the Tech always works. If a Scientologist encounters problems, failures, or other obstacles when attempting to apply the Tech, then these problems are always the fault of the student or practitioner; the Tech is always correct. When one completes a major portion of the Bridge addressing a major specific area of life, the stated end must be genuine results "beyond their wildest dreams", according to Hubbard. Anything less, doctrine holds, must indicate an error in procedure in addressing that area with the person.
Because the Tech never fails, according to Scientology, it must always be delivered to Scientologists in its purest form, as close to Hubbard's original intent and delivery as possible. To ensure that the Tech is delivered in this fashion, Hubbard incorporated a number of safeguards into the Tech that prevent the Tech from being "altered" or changed from its original form. Alteration of the tech is referred to as squirreling, and those who do it are contemptuously referred to as squirrels. Interestingly, accusations of squirreling go back and forth between those both inside and outside of orthodox Scientology groups. As the developer of the Tech, Hubbard himself is referred to as Source, and his writings are considered the only true source of the Tech.
Secret levels and writings
The church acknowledges that at the higher levels of initiation (OT levels), teachings are imparted which may be considered "mystical" and potentially harmful to unprepared readers. These teachings are kept secret from members who have not reached these levels. The secrets are about methods, techniques, skills, and the context which underlies them in order to accomplish a specific spiritual goal. They are not intended for those who would abuse them for purposes of personal entertainment or other non-spiritual reasons.
Certain materials have been made confidential. Some are said to have been made confidential because it was found they were subject to abuse when made freely available, even when students should have known better. Other materials are said to require a certain amount of expertise, skill, and understanding before they can be used correctly and properly applied. Therefore certain prerequisites are in place before these particular materials are made available to the parishioner or student auditor.
Some information has been claimed to be confidential, when in fact it is not, and so a large amount of information that was not previously available has been published and made broadly available in recent years. A large number of recorded lectures have been made available in multiple languages.
One of the premises of the church is that the OT levels are meant to be an empirical subject, something one "discovers for oneself" through processing (auditing).
The church claims that if a person reads "distorted" versions of the higher-level teachings, one is likely to question one's own experience when "in session", adding time to the process in order to sort matters out fully and thereby sabotaging the process. According to the church, it opposes the distribution of the "confidential" levels in order to protect them (and the Scientologists attaining them) from contamination by outside sources.
The "Hidden Truth" about the nature of the universe is taught to the most advanced Scientologists in a series of courses known as the Advanced Levels. These are the levels above "Clear" and their contents are held in strict confidence within Scientology. The most advanced of all are the eight Operating Thetan levels, for which the initiate needs to be thoroughly prepared. The highest level, OT VIII, is only disclosed at sea, on the Scientology cruise ship Freewinds. Since being entered into evidence in several court cases beginning in the 1980s, synopses and excerpts of these secret teachings have appeared in numerous publications.
Much of the controversy surrounding Scientology is a consequence of the doctrine of the immortal spirit in combination with the acceptance of past lives. The logical extension is that if one is immortal, then one did not always have past lives in human form -- only in primitive or semi-cultures, or on planet Earth. In fact, given a truly immortal being, and immense periods of time, unusual coincidences between events widely separated in time would easily attract more attention and notoriety than the commonplace and often boring lifetime of, for example, a serf or a peasant. A truly immortal being might not even be restricted to living his or her existence in a single universe.
Scientologists argue that published accounts of the Xenu story and other colorful teachings are pulled out of context for the purpose of ridiculing their religion. Journalists and critics counter that Xenu is part of a much wider Scientology belief in past lives on other planets, some of which has been public knowledge for decades. For instance, Hubbard's 1958 book Have You Lived Before This Life? documents past lives described by individual Scientologists during auditing sessions. These included memories of being "deceived into a love affair with a robot decked out as a beautiful red-haired girl", being run over by a Martian bishop driving a steamroller, being transformed into an intergalactic walrus that perished after falling out of a flying saucer, and recalling life as "a very happy being who strayed to the planet Nostra 23,064,000,000 years ago."
Although reliable statistics are not available, it is fair to say most Scientologists are not at a sufficiently high level on "the bridge" to learn about Xenu. Therefore, while knowledge of Xenu is claimed by critics to be crucial to the highest level church teachings, it cannot be regarded as a core belief of common Scientologists. On the other hand, Scientology literature does include many references to extraterrestrial past lives and internal publications are often illustrated with pictures of spaceships and oblique references to catastrophic events that happened "75 million years ago".
See also Space opera in Scientology doctrine.
Scientology and God
Scientology acknowledges the existence of a Supreme Being (referred to as "the 8th Dynamic" or "the God Dynamic") and believes perception and worship of God is a personal matter. The Church of Scientology claims to be non-denominational and respect every Scientologist's right to worship God, but also acknowledges very few of the upper echelons believe in a Christian God, since Hubbard replaces Jesus as their moral guide.
Practices
Daily Practices
Scientologists do not have any dietary restrictions, aside from good sense and cultural preferences. They are not opposed to modern medicine (excluding psychiatry), can receive blood transfusions, and receive routine medical care. A person is encouraged to maintain health using good sense. Parishioners must seek treatment for any condition before being accepted for spiritual counseling.
They are outspoken against the use of street drugs. There is no specific prohibition against social use of alcohol, as Hubbard himself mentions such use as a young man. However, alcohol abuse is a concern. There are no specific daily rituals or prayers. There are no particular prohibitions against hair coloring, music styles, body piercings, etc. Maintaining a good appearance is considered an exercise in good manners. In the Sea Org, perfume and even perfumed soaps or washing powders are frowned upon, especially in areas dealing with service to the public.
Parishioners can attend Sunday Service, though this has no special merit in Scientology scriptures. They often study auditing part time or full time in the evenings, weekends, or during the day. Introductory courses usually run from a day or evening to a few weeks. Part-time students of professional-level courses maintain a schedule of 12.5 hours per week. They will often take part in a variety of groups and church activities, including Artist Associations, Charity events and Anti-Drug Crusades, among others.
Scientology Holidays
The three major holidays celebrated in the Church are L. Ron Hubbard's Birthday in March; the Anniversary of the first publication of Dianetics in May; and a holiday honoring all auditors, called Auditor's Day, in September. Most official celebrations are scheduled on weekends as a convenience to parishioners. Scientologists also celebrate secular holidays such as New Year's Eve, and other local celebrations. For example, many exchange gifts at Christmas where this holiday is popular.
Auditing
The central practice of Scientology, and Dianetics before it, is an activity known as auditing (listening) which, Scientologists claim, seeks to elevate an adherent to a State of Clear, one of freedom from the influences of the reactive mind. The practice is one wherein a counselor called an auditor addresses a series of questions to a preclear, observes and records the preclear's responses, and acknowledges them. An important element in all forms of auditing is not to suggest answers to the preclear, nor to invalidate or degrade what the preclear says in response. It is of utmost importance that the auditor create a truly safe and distraction-free environment for the session.
This practice is one of the controversial aspects of Scientology as auditing sessions are permanently recorded in a central database in Preclear Folders. Critics claim auditing exists for the purpose of collecting information to blackmail former members or hinder them leaving the church at all.
Auditing is believed by Scientologists to be a procedure where a person is establishing the truth about something in their own universe and the world at large on a "gradient" scale.
In Dianetics, Hubbard laid out the process of Dianetic reverie as a way of "clearing" the mind of harmful engrams. The earliest forms of Dianetics processing, still practiced today, involved a process reminiscent of Freudian psychoanalysis, with the preclear reclining on a couch in a reflective state called Dianetic reverie while the auditor guided the focus of the reverie from a chair nearby and took notes, predicating his questions and responses on utterances by the preclear and a number of physiological indications. This process was meant to find engrams, and once found, to repeat them over and over in the preclear's mind, thus getting it out of his system.
Original Dianetics auditing techniques dealt exclusively with the preclear's current life and focused mainly on physical injuries sustained by him. However, some people reported incidents from past lives. This was extremely controversial. Hubbard decided to investigate further, and concluded that people running such incidents had positive results, and that not running such incidents when they came up in auditing led to negative results. This controversy opened the door to a new topic, and resulted in the birth of Scientology.
While any person can pick up the book or video, and start auditing with these materials, the Church has an extensive standardized system for the training, certification, internship, and administration of professional auditors and the practice of auditing. This system is called Standard Tech, and includes more than the actual procedures of auditing. The intent of Standard Tech is to ensure preclears get the results they are looking for.
Scientology takes the auditing process further, focusing on mental trauma and routinely dealing with the preclear's past lives, some "hundreds of millions of years" in the past. (In such Scientology publications as Have You Lived Before This Life, Hubbard himself wrote about past life experiences dating back billions and even trillions of years—even though the estimated age of the universe is believed to be about 13.5 billion years. This apparent contradiction is not a contradiction within Scientology, as Scientology teaches most Thetans have existed in previous universes.)
A person coming in for religious counseling is required to be well fed and rested, alert, and not under the influence of drugs. This means no alcohol for 24 hours and no medication, including aspirin, for a week. There have been cases of health problems when people who had regular medications prescribed by a doctor (e.g. for high blood pressure or epilepsy) stopped taking them to receive Scientology counseling. Therefore, the Church has long had a requirement that all medical conditions be properly addressed before spiritual counseling.
In a manner similar to the therapeutic sessions of a psychologist, a psychiatrist, or ministers of other religions delivering pastoral counseling, during the auditing process the auditor may collect personal or confidential material from the person being audited. The Church maintains that, as in other religions, confessional records are confidential. In some instances, former members have complained that the Church has used information obtained in auditing sessions against them in various ways; however, their complaints are legally unenforceable.
In response to such complaints, the Church invariably notes the confidentiality associated with auditing sessions is not by any means the same as psychology or psychiatry. This marked difference being the case, few legal bounds exist upon how the Church may choose to exercise confidentiality with any information it may have obtained via an auditing.
The aim of auditing, according to Hubbard, is to enable the preclear to recover awareness and volitional control of the material and charge previously stored in his reactive mind. Critics have claimed auditing is a gathering of material for blackmail in case one should leave the religion. The Church publicly denies this.
A number of articles explaining Auditing procedures by non-Scientologists have been written. While interesting, these often include material not part of the Scientology canon.
For more information see the article Scientology Auditing - Outsider Explanations.
Restrictions on Auditing
Before a person can receive auditing, a checklist is gone over to make sure the person is qualified to receive auditing. Typically, this includes items such as:
# A person cannot be suffering from a major untreated medical condition.
# A person cannot be wanted by the police or authorities, or be liable for arrest for a crime committed in this lifetime.
# A person must be there of his own volition, not under duress.
# A person must honestly want to be audited, and not be acting according to some other agenda.
# A person must not be constantly attacking Scientology.
In such cases, the person would have to be treated for the medical condition, turn himself in to the police, or take whatever other steps necessary to address his issue.
The E-meter
Most later forms of auditing employ a device called the Hubbard Electropsychometer (or E-Meter). This device measures changes in the electrical resistance of the preclear's skin by passing approximately 1/2 volt through a pair of tin-plated tubes much like empty soup cans, attached to the meter by wires and held by the preclear during auditing. These low-potential changes in electrical resistance, known as the galvanic skin response, are believed by Scientologists to be a reliable and precise indication of mental tension in the preclear.
For details, see E-Meter.
Case Supervision
Senior expert auditors trained to oversee the auditing of auditors are called Case Supervisors. The Case Supervisor inspects the folders of all preclears who received auditing that day, and issues instructions for what is to be audited the next day. They look for auditor errors and omissions, and ensure that the auditing follows the correct program and the correct best procedures for the preclear.
Standardized Procedures and Lists of Questions
One feature of the modern system of Scientology auditing is the use of collections of questions in standardized lists to address specific areas of interest. Lists exist to handle almost any topic or situation under the sun, and they are also used to determine which areas might be of interest. Specific collections of such lists along with other procedures addressing a specific area are often called a "rundown".
Preclear Folders
The Church keeps extensive archives of auditing records for every auditing session managed by the Church as part of the Standard Tech System. These personal records of all Scientologists are called PC folders ("Preclear folders"), and the Church of Scientology states that these records are kept absolutely confidential. Critics and former members contest this claim, giving accounts by former members who claim that information from their PC folders is routinely used for purposes of blackmail and personal ruin.
The Purification Rundown
The Purification Rundown, known as "The Purif" within Scientology, is a program of "detoxification" developed by L. Ron Hubbard, involving the use of saunas, vitamins, and the drinking of oils. While it is heavily promoted as a health regimen within Scientology, and in Scientology's rehabilitation program Narconon, the procedure is viewed as dangerous by most medical professionals, as it calls for saunas and vitamins far in excess of what mainstream medicine considers safe levels.
The Purification Rundown is usually the first step for a Scientologist towards going "Clear". The program usually takes about two weeks. As well as spending time in saunas, Scientologists are required to do light calisthenics.
For a detailed description, see Purification Rundown.
Auditor Training
Auditors are required to become routinely expert in the use of their E-meters. A typical exercise in auditor training (from the Book of E-Meter Drills) is to be able to determine the number a silent person is thinking of. A sophisticated training simulator, able to recreate all manner of E-meter reactions, is now used in Scientology churches to assist in auditor training. E-meters now include circuitry for feeding the various signals to special course training supervisors, who can monitor the session of a student auditor and, via microphone, can coach the student auditor into delivering a better auditing session without disturbing the person receiving auditing. Auditors are also required to become routinely expert in the use of the procedures that they will be using, so much so that they know the correct action to take under any circumstance that may occur in session. Auditors do not receive final certification until they have successfully completed an internship, and have demonstrated and proven ability in the skills they have been trained in. In this system, auditors do not deliver procedures in which they have not been certified.
Auditors often practice their auditing with each other, as well as with friends or family. Church members often pair up to get their training, doing the same course at the same time, so that they can audit each other up through the various Scientology levels.
Verbal Tech
One of the more controversial aspects of Scientology is the tendency of its members to avoid answering direct questions about their faith with anything but a quotation from L. Ron Hubbard. Observers have noted an ongoing policy in Scientology that forbids discussion of the processes of Scientology and how they work. Some observers who have requested verbal explanations have become very annoyed at being told instead to read the original source materials.
In Scientology teachings, the best course is to get explanations of concepts and ideas directly from Hubbard, whether through books, audio recordings, or films. For beginning students, this is also considered the simplest way of explaining a particular concept. Explaining Scientology processes in one's own words is called "verbal tech," and this is believed to interfere with direct understanding, and thus with the working of the Tech. The Tech may only be delivered to Scientologists in its original form, as written by Hubbard, spoken by him on tape, or seen in films.
When an explanation of the Tech does not come from Hubbard himself, it is seen as diluted or distorted, and thus no longer 100% pure. As a result, engaging in "verbal tech" is forbidden within Scientology. This prohibition directs Scientologists to the original source materials[http://www.aip.org/history/source.htm] (Hubbard's original writings) to clarify any concept, including what Scientology is and how it works.
Scientology contends that the policy forbidding "verbal tech" exists in order to keep the Tech pure and unadulterated, and to prevent students from passing on their misunderstandings of Hubbard's instructions to others. Secondary materials produced by students are considered inferior to Hubbard's original works because of their creators' misinterpretation of Scientology doctrine; Hubbard's efforts to rectify this problem and prevent future misunderstandings led to the development of the system known as "Standard Tech".
"Truth itself must be approached on a gradient"
A key component of Scientology training and auditing is that one learns about oneself, the universe, and one's place in it on a gradient. While one can purchase thousands of pages of material and literally thousands of hours of taped lectures, some of it is introductory and some is intended for the professional auditor. The Church has published a recommended sequence of study, so that auditors develop their skills in a way meant to ensure maximum expertise as quickly as possible.
Critics characterize this as the idea that a Scientologist may receive the "truth" (i.e. newer and higher levels of Scientology teaching) only after completing one level and being judged ready for the next. Scientology's beliefs on learning include the concept of a "gradient": breaking a complicated idea down into smaller pieces so that someone who could not grasp the whole at once can learn it piece by piece. This is not unique to Scientology; what is unique is the assertion that any piece taken out of order can actually be harmful to the would-be learner. The degree of harm is said to range from the "nonoptimum physical reactions" of "feel[ing] squashed [...] feel[ing] bent, sort of spinny, sort of dead" (Basic Study Manual) that come from proceeding past a "misunderstood", to the pneumonia by which (in Hubbard's words) "The [R6] implant is calculated to kill [...] anyone who attempts to solve it."
Under this doctrine, Scientologists must therefore withhold information that is "too advanced" for the information-seeker (for the latter's own good). This explains some notable contradictions in what Scientology professes as its beliefs and practices, such as stating to the public that Scientology is compatible with all other religions when OT III (see "Secret Writings" below) teaches that God and the Devil are merely implants. The Scientologist would say that approaching information