EXECUTIVE SUMMARY

CPAs ACKNOWLEDGE THE IMPORTANCE of being proactive on IT security issues but often find it difficult getting corporate boards and audit committees to realize IT security protection requires ongoing, consistent investment in talent and technology.

THOSE WHO PERFORM IT AUDITING must report their risk management concerns to boards in a framework they can understand: cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks.

COMPANIES HAVE CRITICAL INFORMATION assets consisting of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how much information security is enough and who should manage it.

INTERNAL AUDITORS CAN DESIGNATE someone to be responsible for managing information security within an organization, with audit committee oversight. For companies that do not have a chief information officer, avoid having IT security become everyone's concern, with no one in charge.

AS WITH MANY AUDIT ISSUES, preventing security breaches is more important than fixing the problem after it's happened. One way to make risks real to boards is to conduct penetration tests of IT systems.
LAWRENCE RICHTER QUINN is a financial writer who lives in Chicago. His e-mail address is larry_quinn1@hotmail.com.
It's no secret why audit committees are examining their information technology systems and security risks for their companies: They have no choice. Amid more frequent virus and hacker attacks and concerns about cyberterrorism, boards are diligently gathering information on the subject. "Audit committees are beginning to see IT security as a challenge they can't ignore," says Stephen Head, CPA, senior security consultant in the enterprise security practice group of Royal & Sun Alliance Inc., Charlotte, North Carolina. Now is a perfect time for internal auditors to identify information risks and get board approval to protect their company's financial viability by ensuring appropriate, cost-effective IT security controls are in place and working.
"Boards want CPAs to be able to advise them on real and potential cybersecurity risks and what the best practices are for handling them," says Head, who is also vice-president of the Information Systems Audit and Control Association (ISACA) in Rolling Meadows, Illinois, and serves on the AICPA information technology executive committee (see "Get Your Internal Controls Up and Running," at the end of this article). Internal auditors can learn from the following best practice examples of how their counterparts addressed IT risk management at AT&T Corp., the Williams Cos., J.C. Penney Co. and Comdisco Inc.
TIP 1: CONVINCE THE BOARD TO SPEND WHERE IT COUNTS

CPAs in internal audit acknowledge the importance of stepping up to the plate on IT security issues to assure protection of information. But they often find it difficult getting corporate boards to realize IT security requires ongoing, consistent investment in talent and technology. Mark Eckman, CPA, financial director at AT&T in Morristown, New Jersey, observes companies reap many benefits from having e-commerce strategies and a workforce using efficient technologies, but their board members need to understand those benefits come at a price. "One of the unrecognized costs of technology is the one associated with maintaining adequate controls for IT systems. It's crucial to allocate costs to have employees with the necessary skill sets in both IT and internal audit departments to manage these controls effectively," says Eckman.
To obtain adequate resources for risk management, internal auditors must report their concerns to boards in a framework they can understand: cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks. "Boards have got to understand that technology is a strategic initiative. The price includes controls and a commitment to continual employee training to keep the controls adequate and ahead of any potential threat," Eckman says. One way to get the audit committee's attention, he says, is to examine the significance of the issue and assign a dollar value to it. The danger in quantifying various risks, however, may focus audit committees' attention on the obvious costs while missing the bigger picture where risks are less quantifiable. Eckman notes it is very difficult to do a cost/benefit analysis of unknown risks, even though it's a necessary component of efficient risk mitigation. "But in the end you're asking what's the exposure, who's affected by it, and at what cost," he says.
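The cost/benefit framing above can be made concrete with a small risk table that puts an IT risk and a physical risk (the shoplifting comparison Eckman draws later in the article) side by side and flags the case he warns about: a risk whose likelihood is too uncertain for the arithmetic to settle the decision. This is an added example, not code from the article, AT&T or Eckman. The risks, dollar figures, likelihoods and control costs are constructed for illustration, and the arithmetic (expected annual loss = loss per event x events per year, evaluated at a low and a high likelihood when the likelihood is unknown) is ordinary risk-assessment practice rather than a method the article specifies.

```python
"""Board-style cost/benefit table for IT and physical risks.

Added example; every figure below is constructed. A real table would use the
company's own loss history, insurer data and control quotes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    kind: str                  # "physical", "market" or "IT"
    loss_per_event: float      # dollars per occurrence
    events_low: float          # likelihood range in events per year;
    events_high: float         #   equal bounds mean a well-understood risk
    control_cost: float        # annual cost of the proposed control
    control_effect: float      # fraction of expected loss the control removes (0..1)

    def expected_loss(self) -> Tuple[float, float]:
        """Annual expected loss at the low and high likelihood estimates."""
        return (self.loss_per_event * self.events_low,
                self.loss_per_event * self.events_high)

    def net_benefit(self) -> Tuple[float, float]:
        """Loss avoided by the control minus its cost, at both estimates."""
        low, high = self.expected_loss()
        return (low * self.control_effect - self.control_cost,
                high * self.control_effect - self.control_cost)


def classify(risk: Risk) -> str:
    """Decide whether the numbers alone justify the control."""
    low, high = risk.net_benefit()
    if low > 0:
        return "fund"        # pays for itself even at the low likelihood
    if high <= 0:
        return "decline"     # costs more than it saves even at the high likelihood
    return "uncertain"       # the unknown likelihood decides; needs judgment, not arithmetic


def rank_by_exposure(risks: List[Risk]) -> List[str]:
    """Order risks by worst-case expected loss, the 'what's the exposure' question."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss()[1], reverse=True)]


def board_table(risks: List[Risk]) -> List[Dict[str, object]]:
    """One row per risk, IT and physical risks in the same columns."""
    rows = []
    for r in risks:
        lo, hi = r.expected_loss()
        rows.append({"risk": r.name, "kind": r.kind,
                     "expected_loss_low": round(lo), "expected_loss_high": round(hi),
                     "control_cost": r.control_cost, "decision": classify(r)})
    return rows


# Constructed sample risks; none of these figures come from the article.
SAMPLE_RISKS = [
    Risk("shoplifting", "physical", 150, 800, 800, 45_000, 0.6),            # well-known likelihood
    Risk("customer database theft", "IT", 2_000_000, 0.05, 0.5, 150_000, 0.8),  # likelihood unknown
    Risk("virus outbreak", "IT", 50_000, 2, 6, 40_000, 0.9),
]

if __name__ == "__main__":
    for row in board_table(SAMPLE_RISKS):
        print(row)
    print("ranked by exposure:", rank_by_exposure(SAMPLE_RISKS))
```

The "uncertain" result is the point of the exercise: for the database-theft row the control is a clear loss at the low likelihood and a clear win at the high one, so the table shows the committee where a dollar figure cannot substitute for judgment instead of hiding that behind a single number.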
Internal Audit and Organizational Risks

In a survey of CFOs, chief audit executives, corporate counsel and chief risk officers from different industries, 90% said the internal audit department conducted risk-based audits at the business unit level, and more than 30% said internal auditors performed companywide risk management assessments.

Source: Enterprise Risk Management: Trends and Emerging Practices, 2001 study by the Institute of Internal Auditors Research Foundation and Tillinghast-Towers Perrin, www.theiia.org.
Eckman believes IT risks differ little from more conventional risks such as shoplifting losses at a retail store, although with IT the potential for extraordinary damage to the bottom line, customer loyalty and shareholder value is exponentially greater. "Retailers want to minimize shoplifting. They hire security guards and put electronic tags on items," he says. "But those same companies don't think about how to prevent someone from stealing their products or trade secrets or other online information." Eckman points out a key difference between these two types of stealing: "In the physical world, shoplifting is just shoplifting," he says, with potential exposures easily estimated, understood and managed. "In the IT environment, there's a new security threat every day. We don't know what the next threat is going to be."
Bruce Adamec, CPA, president of creativeAssurance, an internal audit consulting firm in Chicago and former general auditor of Ameritech, agrees with Eckman: "One of the challenges of managing risks is convincing a company's decision makers to spend a lot of resources to protect their assets. Management doesn't necessarily understand the importance of this, but where there's poor IT security and no (or inadequate) auditing of it, someone can bring a company or an entire industry to its knees." Ironically, the demands of Y2K provided a wake-up call to companies regarding the importance of IT infrastructure. "Many people thought Y2K was a sham because so much money was spent on it and nothing happened," says Larry Baye, a principal for IT consulting at Grant Thornton in New York. "Perhaps nothing happened because businesses spent all that money."
Many CPA firms provide tools to help companies address their IT risk management issues. For example, PricewaterhouseCoopers (PWC), concerned that companies get preoccupied by single IT catastrophes and events instead of looking at a bigger picture, designed a program called ORCA (objectives, risks, controls, alignment) that examines technology and security from the top down. "The model helps companies determine what risks to focus on and what risks will impede or support meeting business objectives," says Sean Ballington, CA, of PWC in Washington, D.C.
TIP 2: PRACTICE PREVENTION

Security breaches to company systems can come from sources both internal, such as employees, and external, such as e-mail viruses. After the terrorist attacks of September 11, companies started paying more attention to all kinds of security issues, particularly the reliability and integrity of their information systems and internal controls.

Unfortunately, internal auditors and IT security specialists say, some senior executives and board members look at these issues reactively rather than proactively, which makes it harder for IT risk management to be an ongoing and effective corporate governance tool. Where audit committees are responsible for information security oversight, they assess the steps management and auditors have taken to address risks. For example, both internal auditors and the audit committee at Williams in Tulsa, Oklahoma, a large-volume transporter of natural gas, take a proactive approach: "As recently as last year we were providing risk management updates (to the audit committee) on an annual basis, whereas now they want it twice a year or more," says Kathryn Schooley, CPA, general auditor. That's significant when you consider audit committees meet only four times a year.
As with many audit issues, preventing security breaches is more important than fixing the problem after it's happened. "Yet, it's much more difficult to value prevention costs and get management to allocate the expenditure for a potential problem," says Schooley. The challenge is getting management and the board to recognize IT risks on a par with financial risks and business opportunities. Questions auditors should pose to the board include: What events will effective IT security prevent, and what would those events cost the company if unmitigated? And what is the likelihood of those events occurring?
"One way to make the risks more real is to conduct penetration tests of the IT systems," Schooley says. Sharing confirmed vulnerabilities with the audit committee is the preferred way of making IT security risk more concrete. Due diligence is a concept that appeals to boards, of course. "Members of audit committees are very conscientious when it comes to fulfilling their responsibilities," notes Schooley. The expectations and standards surrounding IT security are becoming better known since September 11. As they do, audit committees, particularly those at companies in critical infrastructure industries such as energy, will look to those standards to help them perform their fiduciary responsibilities. As with most important business decisions, different people in a company may have alternative solutions for protecting the organization's information assets, making it more complicated to get everyone on the same security wavelength (see "CPAs and Online Confidence," below).

"IT risk management is not a one-recipe, one-time thing. And it's not really a technology issue; it's a senior management issue. It's a continual cycle of events," says Carol Langelier, CPA, assistant director, information security issues, the General Accounting Office, Washington, D.C.
TIP 3: MAKE SURE ASSETS ARE SECURE

Companies' critical information assets consist of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how to secure these critical assets. Before implementing an IT system, says Kenneth Askelson, CPA, IT audit manager for J.C. Penney, based in Plano, Texas, IT audit staff in conjunction with other key departments must perform the following tasks:

Evaluate business risks and exposure and present them to management.

Ensure available vendor solutions are compatible with the company's existing software.

Determine costs involved to buy, implement and upgrade the software.

Identify training and staff commitments.

Assess existing controls including firewalls, routers, virus scanning, network logs and incident response plans.
CPAs and Online Confidence

CPAs offer IT security consulting to companies, especially to those that don't have the budgets to hire technology staff. To attest to the validity of financial data, CPAs must look at everything that supports this information, including the existing systems and networks and the design, construction and implementation of new systems.

In some cases auditors decide to pursue another professional designation: certified information technology professional (CITP). There are several ways to earn the CITP designation, involving a 100-point system (see "IT Credential to Help CPAs Make Business Sense Out of Technology," JofA, July '00, page 95). Another way CPAs can offer independent verification of system integrity is through these AICPA services: a WebTrust review (see www.cpawebtrust.org), which identifies and helps reduce e-commerce business risks, and the SysTrust engagement, an evaluation of system reliability against specific criteria and principles (see www.aicpa.org/assurance/systrust/index.htm).

In 2001 the AICPA updated Statement on Auditing Standards no. 94, "The Effect of Information Technology on the Auditor's Consideration of Internal Controls in a Financial Statement Audit," strengthening procedures for auditing internal controls.

Professional associations have jumped into the IT security auditing arena in a variety of ways. For more information see the Institute of Internal Auditors at www.theiia.org and the Information Systems Audit and Control Association at www.isaca.org.
While there is no magic solution for handling IT risks, Askelson recommends internal audit take these steps:

Identify critical information assets of the business. In order to get the right input, create a cross-functional team including employees from areas such as risk management, systems, legal, finance, security and internal audit.

Have insurance providers and external CPA valuators perform risk assessments to determine costs to protect those assets.

Designate someone to be responsible and accountable for managing information security within the organization, with audit committee oversight. For companies that do not have a chief information officer, avoid a situation where IT security becomes the concern of everyone, with no one in charge.

Assign IT audit staff to review the policies and procedures for information security that systems professionals develop prior to their implementation.

Provide training and awareness programs for employees. This can be done through ongoing Web-based training and internal and external programs.

Update the audit committee on initiatives dealing with security and privacy of critical business information. The heads of internal audit and of systems security must get the topic on the audit committee meeting agenda with time allotted for presentation and discussion.

Provide for independent reviews and assessments by internal or external auditors. Internally, the audit department, particularly in larger companies, will do continuous security checks. Outside consultants can perform certain other tests, such as a network penetration study, to see how well the controls work.
TIP 4: EDUCATE EVERYONE

Audit committees need assurances that auditors have the resources to evaluate IT security and management's responses to risks. A board member and internal audit and IT staffs cooperated to address IT risks at Comdisco, an equipment-leasing company in Rosemont, Illinois.

The chairperson of Comdisco's audit committee, Carolyn Murphy, attended a seminar on information security held by the Critical Infrastructure Assurance Office (CIAO), a committee established by former president Bill Clinton whose co-sponsors included the AICPA, the Institute of Internal Auditors (IIA) and the National Association of Corporate Directors. After Murphy attended the seminar, and with the support of the company's audit committee, its internal audit and IT departments and the IIA, Comdisco held a corporate forum on IT security which featured a discussion of best practices. Here are some examples:

Security awareness. Make sure IT security is on the radar screen for management and audit committees. Evaluate employee knowledge of policies and standards. Determine whether IT risks are assessed regularly and adequately.

Security procedures. Implement a process to control and document who requests access to information technology, who can approve, revoke and change access and how any incident is handled.

Security authentication. Tie rules to specific individuals and ensure privileges are not excessive. Control the number of people who can access systems.

Security IDs. Assign them to individuals rather than to groups or departments. Have the ability to revoke IDs instantly. Install systems that allow encryption and transmission of files.

Security passwords. Consider their length and complexity and the number of passwords needed to gain access. Evaluate how frequently passwords should be changed.
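The authentication, ID and password practices above are the kind of thing an IT audit staff can check mechanically against an account inventory, which is what the following script does. It is an added example, not code from the article or from Comdisco; the record format, field names, sample accounts and policy thresholds are assumptions constructed for illustration, and a real review would read an export from the directory or access-control system and apply the organization's own written policy.

```python
"""Review a user-account inventory against account practices: IDs tied to
individuals and revocable at once, privileges that are not excessive, and
passwords of adequate length, complexity and age.

Added example; the format and thresholds are assumed, not from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: assumed values, not figures from the article.
MIN_PASSWORD_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90
MAX_ADMINS_PER_SYSTEM = 3


@dataclass
class Account:
    user_id: str
    owner: Optional[str]                  # None = shared ID with no individual owner
    system: str
    roles: List[str]
    password_length: int
    password_mixed_classes: bool          # upper/lower/digit/symbol mixed
    password_set: date
    terminated_on: Optional[date] = None  # date the person left, if any
    enabled: bool = True


@dataclass
class Finding:
    user_id: str
    practice: str   # which practice from the list the finding relates to
    detail: str


def audit_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Return one Finding per policy deviation in the inventory."""
    findings: List[Finding] = []
    admins_by_system: Dict[str, List[str]] = {}

    for a in accounts:
        # Security IDs: assign to individuals, not groups or departments.
        if a.owner is None:
            findings.append(Finding(a.user_id, "ids", "shared ID with no individual owner"))

        # Security IDs: revoke instantly; a departed person's ID must not stay enabled.
        if a.terminated_on is not None and a.enabled:
            overdue = (today - a.terminated_on).days
            findings.append(Finding(a.user_id, "ids",
                                    f"still enabled {overdue} days after termination"))

        # Security passwords: length, complexity and change frequency.
        if a.password_length < MIN_PASSWORD_LENGTH:
            findings.append(Finding(a.user_id, "passwords",
                                    f"length {a.password_length} below minimum {MIN_PASSWORD_LENGTH}"))
        if not a.password_mixed_classes:
            findings.append(Finding(a.user_id, "passwords", "password lacks character-class mix"))
        age = (today - a.password_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(a.user_id, "passwords",
                                    f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})"))

        # Security authentication: limit how many people hold elevated access.
        if "admin" in a.roles and a.enabled:
            admins_by_system.setdefault(a.system, []).append(a.user_id)

    for system, ids in admins_by_system.items():
        if len(ids) > MAX_ADMINS_PER_SYSTEM:
            findings.append(Finding(",".join(ids), "authentication",
                                    f"{len(ids)} admin IDs on {system} exceeds {MAX_ADMINS_PER_SYSTEM}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per practice, the figure an audit committee update would carry."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.practice] = counts.get(f.practice, 0) + 1
    return counts


# Constructed sample inventory; none of these are real accounts, systems or people.
SAMPLE_INVENTORY = [
    Account("jsmith", "J. Smith", "leasing-erp", ["user"], 12, True, date(2002, 3, 1)),
    Account("ops_shared", None, "leasing-erp", ["user"], 6, False, date(2001, 9, 15)),
    Account("mjones", "M. Jones", "leasing-erp", ["admin"], 10, True, date(2002, 4, 10),
            terminated_on=date(2002, 4, 20)),
    Account("rlee", "R. Lee", "avail-svc", ["admin"], 14, True, date(2002, 4, 1)),
    Account("pkim", "P. Kim", "avail-svc", ["admin"], 14, True, date(2002, 4, 1)),
    Account("tcho", "T. Cho", "avail-svc", ["admin"], 14, True, date(2002, 4, 1)),
    Account("bdiaz", "B. Diaz", "avail-svc", ["admin"], 14, True, date(2002, 4, 1)),
]
AS_OF = date(2002, 5, 1)   # constructed review date

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_INVENTORY, AS_OF):
        print(f"{f.user_id:24} {f.practice:15} {f.detail}")
    print(summarize(audit_accounts(SAMPLE_INVENTORY, AS_OF)))
```

Run against the constructed inventory, the review turns up a shared operations ID with a weak, stale password, a departed administrator whose ID is still live, and one system with more administrators than the assumed limit; the per-practice counts from summarize are the sort of figure that fits in the audit committee update Askelson and Crane describe.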
Executives from all of Comdisco's businesses (leasing, availability services, other technology services) served on the best practices panel and responded to a questionnaire on the adequacy of the company's information security, who specifically was responsible for it, and what concerns they might have. The upshot of that meeting was that Comdisco created an information protection group consisting of internal audit, IT and other executives which now issues a biweekly bulletin on IT security sent electronically to all employees. "The bulletin has been well received," says Myles Crane, Comdisco's director of internal audit and a certified internal auditor. "We have addressed securing laptops after business hours, password construction and usage, junk e-mail and virus hoaxes," says Crane, who also heads IT security audit, makes a presentation to the audit committee on the subject at every audit committee meeting and has a CPA on his staff specializing in this area. "I believe internal audit should be a catalyst in educating management about IT security risks."

Managing IT risks requires companies to conduct continuous reevaluation and review. The internal auditor's role is to help the company design a cost-effective solution for ensuring the security and privacy of critical assets. By using the CPA's usual control and auditing skills, organizations can strengthen their information security, reduce technology risks and set up an ongoing, companywide dialogue to build and operate systems with effective controls.