801 results for secure audit
Abstract:
Audit report on City of Little Sioux, Iowa for the year ended June 30, 2013
Abstract:
Audit report on City of Little Sioux, Iowa for the year ended June 30, 2014
Abstract:
Audit report on the Hiawatha Water Department, Hiawatha, Iowa for the year ended June 30, 2016
Abstract:
Audit report on the City of Hiawatha, Iowa for the year ended June 30, 2016
Abstract:
Background: Clozapine is an atypical antipsychotic medicine which can cause significant side-effects. It is often prescribed off-license in severe cases of borderline personality disorder contrary to national treatment guidelines. Little is known about the experiences of those who take clozapine for borderline personality disorder. We explored the lived-experience of women in secure inpatient care who were prescribed clozapine for borderline personality disorder. Findings: Adult females (N=20) participated in audio-taped semi-structured interviews. Transcripts were subject to thematic analysis. The central themes related to evaluation, wellbeing, understanding and self-management; for many, their subjective wellbeing on clozapine was preferred to prior levels of functioning and symptomatology, sometimes profoundly so. The negative and potentially adverse effects of clozapine were explained as regrettable but relatively unimportant. Conclusions: When psychological interventions are, at least initially, ineffective then clozapine treatment is likely to be evaluated positively by a group of women with borderline personality disorder in secure care despite the potential disadvantages.
Abstract:
Securing e-health applications in the context of Internet of Things (IoT) is challenging. Indeed, resource scarcity in such environments hinders the implementation of existing standards-based protocols. Among these protocols, MIKEY (Multimedia Internet KEYing) aims at establishing security credentials between two communicating entities. However, the existing MIKEY modes fail to meet IoT specificities. In particular, the pre-shared key mode is energy efficient, but suffers from severe scalability issues. On the other hand, asymmetric modes such as the public key mode are scalable, but are highly resource consuming. To address this issue, we combine two previously proposed approaches to introduce a new hybrid MIKEY mode. Indeed, relying on a cooperative approach, a set of third parties is used to discharge the constrained nodes from heavy computational operations. Doing so, the pre-shared mode is used in the constrained part of the network, while the public key mode is used in the unconstrained part of the network. Preliminary results show that our proposed mode is energy preserving whereas its security properties are kept safe.
Distributed and compressed MIKEY mode to secure end-to-end communications in the Internet of things.
Abstract:
Multimedia Internet KEYing protocol (MIKEY) aims at establishing secure credentials between two communicating entities. However, existing MIKEY modes fail to meet the requirements of low-power and low-processing devices. To address this issue, we combine two previously proposed approaches to introduce a new distributed and compressed MIKEY mode for the Internet of Things. Indeed, relying on a cooperative approach, a set of third parties is used to discharge the constrained nodes from heavy computational operations. Doing so, the preshared mode is used in the constrained part of the network, while the public key mode is used in the unconstrained part of the network. Furthermore, to mitigate the communication cost we introduce a new header compression scheme that reduces the size of MIKEY’s header from 12 Bytes to 3 Bytes in the best compression case. Preliminary results show that our proposed mode is energy preserving whereas its security properties are preserved untouched.
Abstract:
There are enormous benefits for any organisation from practising sound records management. In the context of a public university, the importance of good records management includes: facilitating the achievement of the university’s mandate; enhancing efficiency of the university; maintaining a reliable institutional memory; promoting trust; responding to an audit culture; enhancing university competitiveness; supporting the university’s fiduciary duty; demonstrating transparency and accountability; and fighting corruption. Records scholars and commentators posit that effective recordkeeping is an essential underpinning of good governance. Although there is a portrayal of positive correlation, recordkeeping struggles to get the same attention as that given to governance. Evidence abounds of cases of neglect of recordkeeping in universities and other institutions in Sub-Saharan Africa. The apparent absence of sound recordkeeping provided a rationale for revisiting some universities in South Africa and Malawi in order to critically explore the place of recordkeeping in an organisation’s strategy in order to develop an alternative framework for managing records and documents in an era where good governance is a global agenda. The research is a collective case study in which multiple cases are used to critically explore the relationship between recordkeeping and governance. As qualitative research that belongs in the interpretive tradition of enquiry, it is not meant to suggest prescriptive solutions to general recordkeeping problems but rather to provide an understanding of the challenges and opportunities that arise in managing records and documents in the world of governance, audit and risk. That is: what goes on in the workplace; what are the problems; and what alternative approaches might address any existing problem situations.
Research findings show that some institutions are making good use of their governance structures and other drivers for recordkeeping to put in place sound recordkeeping systems. Key governance structures and other drivers for recordkeeping identified include: laws and regulations; governing bodies; audit; risk; technology; reforms; and workplace culture. Other institutions are not managing their records and documents well despite efforts to improve their governance systems. They lack recordkeeping capacity. Areas that determine recordkeeping capacity include: availability of records management policy; capacity for digital records; availability of a records management unit; senior management support; level of education and training of records management staff; and systems and procedures for storage, retrieval and dispositions of records. Although this research reveals that the overall recordkeeping in the selected countries has slightly improved compared with the situation other researchers found a decade ago, it remains unsatisfactory and disjointed from governance. The study therefore proposes governance recordkeeping as an approach to managing records and documents in the world of governance, audit and risk. The governance recordkeeping viewpoint considers recordkeeping as a governance function that should be treated in the same manner as other governance functions such as audit and risk management. Additionally, recordkeeping and governance should be considered as symbiotic elements of a strategy. A strategy that neglects recordkeeping may not fulfil the organisation’s objectives effectively.
Abstract:
In database applications, access control security layers are mostly developed from tools provided by vendors of database management systems and deployed in the same servers containing the data to be protected. This solution conveys several drawbacks. Among them we emphasize: 1) if policies are complex, their enforcement can lead to performance decay of database servers; 2) when modifications in the established policies imply modifications in the business logic (usually deployed at the client-side), there is no other possibility than to modify the business logic in advance and, finally, 3) malicious users can issue CRUD expressions systematically against the DBMS expecting to identify any security gap. In order to overcome these drawbacks, in this paper we propose an access control stack characterized by: most of the mechanisms are deployed at the client-side; whenever security policies evolve, the security mechanisms are automatically updated at runtime and, finally, client-side applications do not handle CRUD expressions directly. We also present an implementation of the proposed stack to prove its feasibility. This paper presents a new approach to enforce access control in database applications, this way expecting to contribute positively to the state of the art in the field.
Abstract:
In database applications, access control security layers are mostly developed from tools provided by vendors of database management systems and deployed in the same servers containing the data to be protected. This solution conveys several drawbacks. Among them we emphasize: (1) if policies are complex, their enforcement can lead to performance decay of database servers; (2) when modifications in the established policies imply modifications in the business logic (usually deployed at the client-side), there is no other possibility than to modify the business logic in advance and, finally, (3) malicious users can issue CRUD expressions systematically against the DBMS expecting to identify any security gap. In order to overcome these drawbacks, in this paper we propose an access control stack characterized by: most of the mechanisms are deployed at the client-side; whenever security policies evolve, the security mechanisms are automatically updated at runtime and, finally, client-side applications do not handle CRUD expressions directly. We also present an implementation of the proposed stack to prove its feasibility. This paper presents a new approach to enforce access control in database applications, this way expecting to contribute positively to the state of the art in the field.
Abstract:
In its October 2010 Green Paper on audit policy, the European Commission suggested that joint audits might be a way of improving the audit market in Europe. However, some parties consider that a joint audit system is not an efficient solution because the perceived improvements in audit quality, if any, are not commensurate with the significant increase in audit fees. We compare audit fees paid during the years 2007-2011 by listed companies in France, where joint audits are mandatory, with those paid by British and Italian companies. Theory suggests that audit fees in countries with high investor protection, such as the UK, are likely to be greater than those in countries with lower investor protection, such as France and Italy, ceteris paribus. However, we find significantly higher audit fees in France after controlling for well-documented auditor, client, and engagement attributes, which vary across countries. Furthermore, since we do not find statistically significant differences in the magnitude of abnormal accruals, the higher audit fees observed in France do not appear to be associated with higher audit quality.
Abstract:
Secure Multi-party Computation (MPC) enables a set of parties to collaboratively compute, using cryptographic protocols, a function over their private data in a way that the participants do not see each other's data, they only see the final output. Typical MPC examples include statistical computations over joint private data, private set intersection, and auctions. While these applications are examples of monolithic MPC, richer MPC applications move between "normal" (i.e., per-party local) and "secure" (i.e., joint, multi-party secure) modes repeatedly, resulting overall in mixed-mode computations. For example, we might use MPC to implement the role of the dealer in a game of mental poker -- the game will be divided into rounds of local decision-making (e.g. bidding) and joint interaction (e.g. dealing). Mixed-mode computations are also used to improve performance over monolithic secure computations. Starting with the Fairplay project, several MPC frameworks have been proposed in the last decade to help programmers write MPC applications in a high-level language, while the toolchain manages the low-level details. However, these frameworks are either not expressive enough to allow writing mixed-mode applications or lack formal specification, and reasoning capabilities, thereby diminishing the parties' trust in such tools, and the programs written using them. Furthermore, none of the frameworks provides a verified toolchain to run the MPC programs, leaving the potential of security holes that can compromise the privacy of parties' data. This dissertation presents language-based techniques to make MPC more practical and trustworthy. First, it presents the design and implementation of a new MPC Domain Specific Language, called Wysteria, for writing rich mixed-mode MPC applications. 
Wysteria provides several benefits over previous languages, including a conceptual single thread of control, generic support for more than two parties, high-level abstractions for secret shares, and a fully formalized type system and operational semantics. Using Wysteria, we have implemented several MPC applications, including, for the first time, a card dealing application. The dissertation next presents Wys*, an embedding of Wysteria in F*, a full-featured verification oriented programming language. Wys* improves on Wysteria along three lines: (a) It enables programmers to formally verify the correctness and security properties of their programs. As far as we know, Wys* is the first language to provide verification capabilities for MPC programs. (b) It provides a partially verified toolchain to run MPC programs, and finally (c) It enables the MPC programs to use, with no extra effort, standard language constructs from the host language F*, thereby making it more usable and scalable. Finally, the dissertation develops static analyses that help optimize monolithic MPC programs into mixed-mode MPC programs, while providing similar privacy guarantees as the monolithic versions.
Abstract:
Secure computation involves multiple parties computing a common function while keeping their inputs private, and is a growing field of cryptography due to its potential for maintaining privacy guarantees in real-world applications. However, current secure computation protocols are not yet efficient enough to be used in practice. We argue that this is due to much of the research effort being focused on generality rather than specificity. Namely, current research tends to focus on constructing and improving protocols for the strongest notions of security or for an arbitrary number of parties. However, in real-world deployments, these security notions are often too strong, or the number of parties running a protocol would be smaller. In this thesis we make several steps towards bridging the efficiency gap of secure computation by focusing on constructing efficient protocols for specific real-world settings and security models. In particular, we make the following four contributions:
- We show an efficient (when amortized over multiple runs) maliciously secure two-party secure computation (2PC) protocol in the multiple-execution setting, where the same function is computed multiple times by the same pair of parties.
- We improve the efficiency of 2PC protocols in the publicly verifiable covert security model, where a party can cheat with some probability but if it gets caught then the honest party obtains a certificate proving that the given party cheated.
- We show how to optimize existing 2PC protocols when the function to be computed includes predicate checks on its inputs.
- We demonstrate an efficient maliciously secure protocol in the three-party setting.
Abstract:
Audit firms are organized along industry lines and industry specialization is a prominent feature of the audit market. Yet, we know little about how audit firms make their industry portfolio decisions, i.e., how audit firms decide which set of industries to specialize in. In this study, I examine how the linkages between industries in the product space affect audit firms’ industry portfolio choice. Using text-based product space measures to capture these industry linkages, I find that both Big 4 and small audit firms tend to specialize in industry-pairs that 1) are close to each other in the product space (i.e., have more similar product language) and 2) have a greater number of “between-industries” in the product space (i.e., have a greater number of industries with product language that is similar to both industries in the pair). Consistent with the basic tradeoff between specialization and coordination, these results suggest that specializing in industries that have more similar product language and more linkages to other industries in the product space allow audit firms greater flexibility to transfer industry-specific expertise across industries as well as greater mobility in the product space, hence enhancing its competitive advantage. Additional analysis using the collapse of Arthur Andersen as an exogenous supply shock in the audit market finds consistent results. Taken together, the findings suggest that industry linkages in the product space play an important role in shaping the audit market structure.