Dan Swanson has been working in internal audit for more than 24 years and provides an excellent free newsletter that some readers of this column will find valuable.

His brief newsletter concentrates on IT governance and often includes security-related topics. For example, his Oct. 17 issue pointed to a good book on project investment governance and reporting; concisely introduced a Web page with ISO 27001 security standards compliance information; alerted readers to a new series of podcasts from the Computer Emergency Response Team Coordination Center; and published abstracts of several interesting articles on corporate governance and risk management (for example, this article).

Readers may go here to join Dan’s mailing list. You must have or create a free Yahoo Groups ID for successful registration.

There’s a collection of Dan’s auditing-related papers in his columns from _Compliance Week_. Although a full subscription will appeal primarily to professional auditors (it costs $999 a year), there is a 30-day free subscription available that includes weekly e-mail newsletters, one issue of the print magazine and free access to the archives.

Dan will be giving a Webinar on Nov. 14 at 11 a.m. PST (2p.m. EST); the $249 registration free provides access to a live lecture and presentation on auditing compliance and ethics programs. Topics include:

* Audit scope
* What is the goal?
* Planning efforts
* The general audit steps
* Audit risk assessment
* Audit objectives
* Audit approach
* What auditors like to see
* Audit testing
* Issues to watch out for
* Other considerations
* The audit report

Full details of the Webinar are available online.

On the same topic, Dan has written an 88-page white paper that is available free and without registration. Entitled “Internal Audit Guide: Evaluating a Compliance and Ethics Program,” the draft report from the Open Compliance and Ethics Group (OCEG) includes an executive overview (PDF file pages 10-12) that summarizes key points:

“The purpose of the Guide is to support more effective implementation of existing compliance and ethics programs, the objectives of which are to:

* Provide assurance to the board and management that compliance and ethics programs are designed effectively and operating as designed.
* Identify opportunities for improvement.
* Reinforce and support self-assessment efforts that have been completed, and promote a continuous improvement philosophy within the organization.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.