Auditing Risk - A Practical Method Using the InfoSec Triangle
Confidentiality, Integrity, Availability.
Three simple words with multiple meanings. Yet, one common thread unites them in the accounting environment to create a practical, organized approach to lowering the risks associated with managing data and systems.
For the last six years, “Information Security Management” has been voted the AICPA’s Top Technology Initiative, the technology most likely to affect the accounting profession in the next 12 to 18 months, and for good reason. The topic covers the expansive area of security, something every CPA must deal with, first in their own firms and companies, and second in counsel and engagements with clients, stakeholders and customers.
Yet, while nearly everyone recognizes the practical necessity of solid security processes and practices, many professionals do not approach security pragmatically, especially as it relates to risk.
A Risky Security Environment
To say we live in an always-on environment would be an understatement. Trying to get through our personal and professional lives without technology and automation would be like living in a pre-Industrial Revolution society. More than a century on, the risks surrounding the security of our systems and processes likewise did not grow overnight, or even in a year or a decade.
“No wonder the accounting profession continues to recognize Information Security Management as the Top Technology Initiative,” says Tommie Singleton, CPA, CITP, Ph.D., CISA, CMA, an assistant professor of Information Systems at the University of Alabama at Birmingham, and a member of AICPA’s IT Executive Committee. “Through audit and assurance services, an accountant’s primary objective is to ensure proper controls are in place in order to reduce an organization’s liability. Today, as technologies are updated and new ones are introduced, the risks associated with financial reporting data continue to expand.”
Singleton, author of What Every IT Auditor Should Know About Auditing Information Security, published by ISACA in 2007, believes three deficiencies explain why security awareness remains so prominent. First, most organizations lack a solid strategy.
“Like corporate governance and other critical success factors to financial reporting, there is a need for a strategic plan at the executive level, supported by management, which then leads to sound policies, procedures and programs that are monitored,” he says. “The foundation of an appropriate security strategy is an appropriate risk assessment.”
Second, controls against unauthorized access are lacking in most organizations. This is a high-risk area because databases and systems, Enterprise Resource Planning (ERP) systems among them, are centralized. Since many organizations have limited resources and limited knowledge in this area, he believes adequate access control is still evolving in most of them. Financial auditors are especially concerned with unauthorized access because unauthorized access to financial data can produce material misstatements.
“A third deficiency from the entity’s perspective would be the use of ‘patches’ for system vulnerabilities; from the financial audit perspective, the focus would be on data classification,” says Singleton. “Management needs to have a comprehensive plan to identify, structure, secure and monitor sensitive data across technologies and platforms. Although anecdotal evidence exists in the implementation of ERP systems that are usually fraught with data classification problems, this deficiency is inexorably complemented by the other two.”
A Strategic Solution – the InfoSec Triangle
According to CIO Magazine, it can take up to 600 hours to restore a person’s identity after their data has been breached. The public’s trust in how a business handles personally identifiable information (PII) is now more important than ever, no matter how large or small the organization. Although many factors shape public opinion, trust is usually associated with two factors: expectations and communication. Consequently, the issue comes back to the risk associated with an organization’s security practices. For smaller businesses especially, the risk assessment is the best place to focus.
“Smaller organizations should start with the same game plan as the large organizations – an adequate risk assessment,” says Singleton. “The smaller entity needs to match the appropriate expectation of the public for what the organization can do to protect PII in specific ways. Communication of these facts and activities is not as easily done as one might think.”
Financial institutions, for example, are still being successfully attacked by phishing and identity theft, despite their efforts to communicate to the public how to protect PII.
An organized approach to auditing risk is enabled through the InfoSec Triangle, or “CAI,” with Confidentiality, Availability and Integrity as its three points (the same model is more commonly written as the CIA triad). The key to applying these three areas to risk assessment is to treat the triangle as a framework, a model that offers a method of thinking about the relevant issues. Used at any level or at any time during the audit, the CAI model also helps structure discussions with management. Singleton believes Integrity is the most important of the three with respect to what financial auditors want to achieve in an audit, i.e., the “integrity of the data.”
“Confidentiality clearly is important for the healthcare and financial services industries, and other affected entities, and Availability is a risk for IT-dependent entities, such as eBay, Amazon and other online commercial ventures,” he says. “But for the most part, data integrity is the most common. For financial reporting and financial audits, much of the audit activities center on the integrity of the data. For example, the financial auditor will think through data integrity in input, process, storage, access and output functions. It may be possible that a risk assessment determines that confidentiality and availability are low risk areas, but normally, the financial auditor will always find something about integrity of data as a higher risk.”
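To make concrete what “integrity of the data” in storage means as a control, and how it ties to the unauthorized-access concern raised earlier (an insider with write access to financial data creating a material misstatement), here is an added example. It is not from the article or from Singleton’s book: a small tamper-evident journal whose entries are chained with an HMAC under a key that data-entry users do not hold. A direct edit of a stored entry, a deleted entry, or a reordered entry is detected on verification, which reports the earliest point of tampering. The key, account codes, amounts and memos are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical audit key. In practice it is held by the control owner (for
# example an audit-log service), not by the users who post journal entries, so
# someone with write access to the journal table cannot re-chain the entries.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"


@dataclass
class JournalEntry:
    seq: int
    account: str
    amount_cents: int
    memo: str
    tag: str = ""  # HMAC over this entry plus the previous entry's tag

    def canonical(self) -> bytes:
        # Stable field order so the same entry always serializes identically.
        body = {"seq": self.seq, "account": self.account,
                "amount_cents": self.amount_cents, "memo": self.memo}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def chain_tag(prev_tag: str, entry: JournalEntry, key: bytes = AUDIT_KEY) -> str:
    # Each tag binds the entry to its predecessor: altering, deleting or
    # reordering any earlier entry changes every tag that follows it.
    msg = prev_tag.encode() + b"\n" + entry.canonical()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(journal: list[JournalEntry], account: str, amount_cents: int,
                 memo: str, key: bytes = AUDIT_KEY) -> JournalEntry:
    prev_tag = journal[-1].tag if journal else ""
    entry = JournalEntry(seq=len(journal) + 1, account=account,
                         amount_cents=amount_cents, memo=memo)
    entry.tag = chain_tag(prev_tag, entry, key)
    journal.append(entry)
    return entry


def verify_journal(journal: list[JournalEntry], key: bytes = AUDIT_KEY) -> int | None:
    """Return None if the whole chain verifies, otherwise the position (1-based)
    of the first entry that fails, i.e. the earliest point of tampering."""
    prev_tag = ""
    for expected_seq, entry in enumerate(journal, start=1):
        if entry.seq != expected_seq:
            return expected_seq  # a gap or a reordering
        if not hmac.compare_digest(entry.tag, chain_tag(prev_tag, entry, key)):
            return expected_seq  # content or tag was changed after posting
        prev_tag = entry.tag
    return None


def build_sample_journal() -> list[JournalEntry]:
    # Constructed sample data, not real ledger records.
    journal: list[JournalEntry] = []
    append_entry(journal, "1000-Cash", -250000, "Vendor payment, inv 4471")
    append_entry(journal, "2000-AP", 250000, "Vendor payment, inv 4471")
    append_entry(journal, "4000-Revenue", 1200000, "October sales")
    return journal


def demo_unauthorized_change() -> tuple[int | None, int | None]:
    """Post three entries, then simulate an insider editing stored revenue
    directly (no re-signing possible without AUDIT_KEY)."""
    journal = build_sample_journal()
    before = verify_journal(journal)   # None: chain intact
    journal[2].amount_cents = 9200000  # inflate October revenue in storage
    after = verify_journal(journal)    # 3: first entry that no longer verifies
    return before, after


if __name__ == "__main__":
    print(demo_unauthorized_change())
```

The verification step is the auditable control: run it on a schedule and at period close, and treat any non-None result as an integrity exception to investigate. The HMAC key must be managed separately from database credentials, otherwise an attacker who can edit the rows can also re-sign them and the check adds nothing.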
Once an organization understands its risk tolerance with regard to security and PII, Singleton believes it can begin applying the three concepts to day-to-day activities and, inevitably, to unexpected events. Consider, for example, a catastrophe.
“One key aspect of Availability in CAI is the importance and implementation of a disaster recovery/business continuity plan. Some entities have suffered natural disasters, such as Katrina, and were not able to survive. In addition, there could be significant penalties from inadequate attention to CAI.”
Singleton cites ChoicePoint – a company the Federal Trade Commission fined millions of dollars and mandated to have audits performed every two years for the next 20 years due to the lack of its attention to security of personal information in its systems.
“To its credit, ChoicePoint now employs some of the best cutting-edge security measures, but you must also consider the loss of customers or volume of business. Financial institutions and online commercial entities are particularly susceptible to public trust and publicized breaches or compromises of PII.”
Education on CAI
As with any new method, CPA firms will need to get up to speed by educating themselves on auditing risk within organizations. Singleton says three areas need to be addressed to increase a firm’s knowledge:
- CPA firm management needs to have a working knowledge of the security triangle and how it applies to their clients.
- The CPA should consider whether some training of staff might be necessary, and if so, use some of the required CPE hours in this area.
- The CPA should consider providing quality control procedures to ensure the adaptation and integration of CAI concepts into existing audit processes.
“To a large degree, the education process is similar to that associated with the new risk assessment standards last year,” he says. “The simplest way to become more aware is to read articles on the topic.”