EXECUTIVE SUMMARY
CPAs ACKNOWLEDGE THE IMPORTANCE of being proactive on IT security issues but often find it difficult getting corporate boards and audit committees to realize IT security protection requires ongoing, consistent investment in talent and technology.
THOSE WHO PERFORM IT AUDITING must report their risk management concerns to boards in a framework they can understand—cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks.
COMPANIES HAVE CRITICAL INFORMATION assets consisting of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how much information security is enough and who should manage it.
INTERNAL AUDITORS CAN DESIGNATE someone to be responsible and accountable for managing information security within an organization, with audit committee oversight. In companies that have no chief information officer, this prevents IT security from becoming everyone’s concern with no one in charge.
AS WITH MANY AUDIT ISSUES, preventing security breaches is more important than fixing the problem after it’s happened. One way to make risks real to boards is to conduct penetration tests of IT systems.
LAWRENCE RICHTER QUINN is a financial writer who lives in Chicago. His e-mail address is firstname.lastname@example.org .
It’s no secret why audit committees are examining their information technology systems and security risks for their companies: They have no choice. Amid more frequent virus and hacker attacks and concerns about cyberterrorism, boards are diligently gathering information on the subject. “Audit committees are beginning to see IT security as a challenge they can’t ignore,” says Stephen Head, CPA, senior security consultant in the enterprise security practice group of Royal & Sun Alliance Inc., Charlotte, North Carolina. Now is a perfect time for internal auditors to identify information risks and get board approval to protect their company’s financial viability by ensuring appropriate, cost-effective IT security controls are in place and working.
“Boards want CPAs to be able to advise them on real and potential cybersecurity risks and what the best practices are for handling them,” says Head, who is also vice-president of the Information Systems Audit and Control Association (ISACA) in Rolling Meadows, Illinois, and serves on the AICPA information technology executive committee (see “Get Your Internal Controls Up and Running,” at the end of this article). Internal auditors can learn from the following “best practice” examples of how their counterparts addressed IT risk management at AT&T Corp., the Williams Cos., J.C. Penney Co. and Comdisco Inc.
CPAs in internal audit acknowledge the importance of “stepping up to the plate” on IT security issues to assure protection of information. But they often find it difficult getting corporate boards to realize IT security requires ongoing, consistent investment in talent and technology. Mark Eckman, CPA, financial director at AT&T in Morristown, New Jersey, observes companies reap many benefits from having e-commerce strategies and a workforce using efficient technologies, but their board members need to understand those benefits come at a price. “One of the unrecognized costs of technology is the one associated with maintaining adequate controls for IT systems. It’s crucial to allocate costs to have employees with the necessary skill sets in both IT and internal audit departments to manage these controls effectively,” says Eckman.
To obtain adequate resources for risk management, internal auditors must report their concerns to boards in a framework they can understand—cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks. “Boards have got to understand that technology is a strategic initiative. The price includes controls and a commitment to continual employee training to keep the controls adequate and ahead of any potential threat,” Eckman says. One way to get the audit committee’s attention, he says, is to examine the significance of the issue and assign a dollar value to it. The danger in quantifying various risks, however, is that it may focus audit committees’ attention on the obvious costs while missing the bigger picture, where risks are less quantifiable. Eckman notes it is very difficult to do a cost/benefit analysis of unknown risks, even though it’s a necessary component of efficient risk mitigation. “But in the end you’re asking what’s the exposure, who’s affected by it, and at what cost,” he says.
Internal Audit and Organizational Risks
In a survey of CFOs, chief audit executives, corporate counsel and chief risk officers from different industries, 90% said the internal audit department conducted risk-based audits at the business unit level, and more than 30% said internal auditors performed companywide risk management assessments.
Source: “Enterprise Risk Management: Trends and Emerging Practices,” 2001 study by the Institute of Internal Auditors Research Foundation and Tillinghast-Towers Perrin, www.theiia.org .
Eckman believes IT risks differ little from more conventional risks such as shoplifting losses at a retail store—although with IT the potential for extraordinary damage to the bottom line, customer loyalty and shareholder value are exponentially greater. “Retailers want to minimize shoplifting. They hire security guards and put electronic tags on items,” he says. “But those same companies don’t think about how to prevent someone from stealing their products or trade secrets or other online information.” Eckman points out a key difference between these two types of “stealing”: In the physical world, “shoplifting is just shoplifting,” he says, with potential exposures easily estimated, understood and managed. “In the IT environment, there’s a new security threat every day. We don’t know what the next threat is going to be.”
Bruce Adamec, CPA, president of creativeAssurance, an internal audit consulting firm in Chicago and former general auditor of Ameritech, agrees with Eckman: “One of the challenges of managing risks is convincing a company’s decision makers to spend a lot of resources to protect their assets. Management doesn’t necessarily understand the importance of this, but where there’s poor IT security and no (or inadequate) auditing of it, someone can bring a company or an entire industry to its knees.” Ironically, the demands of Y2K provided a wake-up call to companies regarding the importance of IT infrastructure. “Many people thought Y2K was a sham because so much money was spent on it and nothing happened,” says Larry Baye, a principal for IT consulting at Grant Thornton in New York. “Perhaps nothing happened because businesses spent all that money.”
Many CPA firms provide tools to help companies address their IT risk management issues. For example, PricewaterhouseCoopers (PWC), concerned that companies get preoccupied by single IT catastrophes and events instead of looking at a bigger picture, designed a program called ORCA (objectives, risks, controls, alignment) that examines technology and security from the top down. “The model helps companies determine what risks to focus on and what risks will impede or support meeting business objectives,” says Sean Ballington, CA, of PWC in Washington, D.C.
Security breaches to company systems can come from sources both internal, such as employees, and external, such as e-mail viruses. After the terrorist attacks of September 11, companies started paying more attention to all kinds of security issues, particularly the reliability and integrity of their information systems and internal controls.
Unfortunately, internal auditors and IT security specialists say, some senior executives and board members look at these issues reactively rather than proactively—which makes it harder for IT risk management to be an ongoing and effective corporate governance tool. Where audit committees are responsible for information security oversight, they assess the steps management and auditors have taken to address risks. For example, both internal auditors and the audit committee at Williams in Tulsa, Oklahoma, a large-volume transporter of natural gas, take a proactive approach: “As recently as last year we were providing risk management updates (to the audit committee) on an annual basis, whereas now they want it twice a year or more,” says Kathryn Schooley, CPA, general auditor. “That’s significant when you consider audit committees meet only four times a year.”
As with many audit issues, preventing security breaches is more important than fixing the problem after it’s happened. “Yet, it’s much more difficult to value prevention costs and get management to allocate the expenditure for a potential problem,” says Schooley. “The challenge is getting management and the board to recognize IT risks on a par with financial risks and business opportunities.” Questions auditors should pose to the board include: What events will effective IT security prevent, and what would those events cost the company if unmitigated? And what is the likelihood of those events occurring?
“One way to make the risks more real is to conduct penetration tests of the IT systems,” Schooley says. “Sharing confirmed vulnerabilities with the audit committee is the preferred way of making IT security risk more concrete.” Due diligence is a concept that appeals to boards, of course. “Members of audit committees are very conscientious when it comes to fulfilling their responsibilities,” notes Schooley. “The expectations and standards surrounding IT security are becoming better known since September 11. As they do, audit committees, particularly those at companies in critical infrastructure industries such as energy, will look to those standards to help them perform their fiduciary responsibilities.”
As with most important business decisions, different people in a company may have alternative solutions for protecting the organization’s information assets, making it more complicated to get everyone on the same security wavelength (see “CPAs and Online Confidence,” at right). “IT risk management is not a one-recipe, one-time thing. And it’s not really a technology issue; it’s a senior management issue. It’s a continual cycle of events,” says Carol Langelier, CPA, assistant director, information security issues, the General Accounting Office, Washington, D.C.
Companies’ critical information assets consist of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how to secure these critical assets. Before implementing an IT system, says Kenneth Askelson, CPA, IT audit manager for J.C. Penney, based in Plano, Texas, IT audit staff in conjunction with other key departments must perform the following tasks: Evaluate business risks and exposure and present them to management, ensure available vendor solutions are compatible with the company’s existing software, determine costs involved to buy, implement and upgrade the software, identify training and staff commitments and assess existing controls including firewalls, routers, virus scanning, network logs and incident response plans.
CPAs and Online Confidence
CPAs offer IT security consulting to companies—especially to those that don’t have the budgets to hire technology staff. To attest to the validity of financial data, CPAs must look at everything that supports this information, including the existing systems and networks and the design, construction and implementation of new systems.
In some cases auditors decide to pursue another professional designation—certified information technology professional (CITP). There are several ways to earn the CITP designation, involving a 100-point system (see “IT Credential to Help CPAs Make Business Sense Out of Technology,” JofA, July00, page 95). Another way CPAs can offer independent verification of system integrity is through these AICPA services: a WebTrust review (see www.cpawebtrust.org ), which identifies and helps reduce e-commerce business risks, and the SysTrust engagement, an evaluation of system reliability against specific criteria and principles (see www.aicpa.org/assurance/systrust/index.htm).
In 2001 the AICPA updated Statement on Auditing Standards no. 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Controls in a Financial Statement Audit, strengthening procedures for auditing internal controls.
Professional associations have jumped into the IT security auditing arena in a variety of ways. For more information see the Institute of Internal Auditors at www.theiia.org and the Information Systems Audit and Control Association at www.isaca.org .
While there is no magic solution for handling IT risks, Askelson recommends internal audit take these steps:
Identify critical information assets of the business. In order to get the right input, create a cross-functional team including employees from areas such as risk management, systems, legal, finance, security and internal audit.
Have insurance providers and external CPA valuators perform risk assessments to determine costs to protect those assets.
Designate someone to be responsible and accountable for managing information security within the organization, with audit committee oversight. For companies that do not have a chief information officer, avoid a situation where IT security becomes the concern of everyone, with no one in charge.
Assign IT audit staff to review the policies and procedures for information security that systems professionals develop prior to their implementation.
Provide training and awareness programs for employees. This can be done through ongoing Web-based training and internal and external programs.
Update the audit committee on initiatives dealing with security and privacy of critical business information. The heads of internal audit and of systems security must get the topic on the audit committee meeting agenda with time allotted for presentation and discussion.
Provide for independent reviews and assessments by internal or external auditors. Internally, the audit department, particularly in larger companies, will do continuous security checks. Outside consultants can perform certain other tests, such as a network penetration study, to see how well the controls work.
Audit committees need assurances that auditors have the resources to evaluate IT security and management’s responses to risks. A board member and internal audit and IT staffs cooperated to address IT risks at Comdisco, an equipment-leasing company in Rosemont, Illinois.
The chairperson of Comdisco’s audit committee, Carolyn Murphy, attended a seminar on information security held by the Critical Infrastructure Assurance Office (CIAO), an office established under former president Bill Clinton, whose co-sponsors included the AICPA, the Institute of Internal Auditors (IIA) and the National Association of Corporate Directors. After Murphy attended the seminar, and with the support of the company’s audit committee, its internal audit and IT departments and the IIA, Comdisco held a corporate forum on IT security which featured a discussion of best practices. Here are some examples:
Security awareness. Make sure IT security is on the radar screen for management and audit committees. Evaluate employee knowledge of policies and standards. Determine whether IT risks are assessed regularly and adequately.
Security procedures. Implement a process to control and document who requests access to information technology, who can approve, revoke and change access and how any “incident” is handled.
Security authentication. Tie rules to specific individuals and ensure privileges are not excessive. Control the number of people who can access systems.
Security IDs. Assign them to individuals rather than to groups or departments. Have the ability to revoke IDs instantly. Install systems that allow files to be encrypted before they are transmitted.
Security passwords. Consider their length and complexity and the number of passwords needed to gain access. Evaluate how frequently passwords should be changed.
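The access-control items above (IDs tied to individuals, prompt revocation, privileges no broader than the role, password aging) are the kind of checks an IT audit can run against an exported user-ID inventory rather than confirm by interview. The script below is an added example, not code from the article or from Comdisco: the account inventory, the role definitions, the segregation-of-duties rule and the policy thresholds (90-day password age, 60-day dormancy) are all constructed for illustration, since the article leaves those values to each company.

```python
"""Access-review checks an internal auditor can run over a user-ID inventory."""
from datetime import date

# Constructed sample inventory (not real data). One record per login ID.
# "shared" marks IDs assigned to a group or department rather than a person.
AS_OF = date(2002, 6, 1)
ACCOUNTS = [
    {"id": "jsmith", "owner": "J. Smith", "employed": True, "shared": False,
     "role": "ap_clerk", "privileges": {"ap_entry"},
     "last_login": date(2002, 5, 28), "pw_changed": date(2002, 4, 1)},
    {"id": "apdept", "owner": "Accounts Payable dept.", "employed": True, "shared": True,
     "role": "ap_clerk", "privileges": {"ap_entry", "ap_approve"},
     "last_login": date(2002, 5, 30), "pw_changed": date(2001, 12, 15)},
    {"id": "mlee", "owner": "M. Lee", "employed": True, "shared": False,
     "role": "ap_clerk", "privileges": {"ap_entry", "sysadmin"},
     "last_login": date(2002, 5, 31), "pw_changed": date(2002, 5, 1)},
    {"id": "tbrown", "owner": "T. Brown", "employed": True, "shared": False,
     "role": "sysadmin", "privileges": {"sysadmin"},
     "last_login": date(2002, 1, 3), "pw_changed": date(2002, 3, 15)},
    {"id": "rgarcia", "owner": "R. Garcia", "employed": False, "shared": False,
     "role": "ap_approver", "privileges": {"ap_approve"},
     "last_login": date(2002, 5, 20), "pw_changed": date(2002, 4, 20)},
]

# Hypothetical role definitions: the privileges each job role is entitled to.
ROLE_PRIVILEGES = {
    "ap_clerk": {"ap_entry"},
    "ap_approver": {"ap_approve"},
    "sysadmin": {"sysadmin"},
}

# Privilege combinations one ID should never hold (segregation of duties).
SOD_CONFLICTS = [({"ap_entry", "ap_approve"}, "can both enter and approve payments")]

# Hypothetical policy thresholds; the article leaves the actual values to each company.
POLICY = {"max_password_age_days": 90, "dormant_after_days": 60}


def review_accounts(accounts, as_of=AS_OF, role_privileges=ROLE_PRIVILEGES,
                    sod_conflicts=SOD_CONFLICTS, policy=POLICY):
    """Return a list of findings, each {"id", "code", "detail"}, for the inventory."""
    findings = []

    def flag(acct, code, detail):
        findings.append({"id": acct["id"], "code": code, "detail": detail})

    for acct in accounts:
        # IDs belong to individuals, not groups: a shared ID cannot be tied to a person.
        if acct["shared"]:
            flag(acct, "shared-id", f"ID assigned to {acct['owner']!r}; assign to individuals")
        # A leaver's ID must be revoked at once, not left until the next review.
        if not acct["employed"]:
            flag(acct, "terminated-owner", f"owner {acct['owner']!r} no longer employed; revoke")
        # Anything beyond the role's entitlement is excessive privilege.
        excess = acct["privileges"] - role_privileges.get(acct["role"], set())
        if excess:
            flag(acct, "excess-privilege", f"beyond role {acct['role']!r}: {sorted(excess)}")
        for combo, why in sod_conflicts:
            if combo <= acct["privileges"]:
                flag(acct, "sod-conflict", why)
        # A dormant ID is an unattended door; a stale password breaks the rotation rule.
        idle = (as_of - acct["last_login"]).days
        if idle > policy["dormant_after_days"]:
            flag(acct, "dormant", f"no login for {idle} days")
        pw_age = (as_of - acct["pw_changed"]).days
        if pw_age > policy["max_password_age_days"]:
            flag(acct, "stale-password", f"password unchanged for {pw_age} days")
    return findings


def codes_by_id(findings):
    """Collapse findings to {id: sorted finding codes} for reporting."""
    out = {}
    for f in findings:
        out.setdefault(f["id"], []).append(f["code"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS):
        print(f"{f['id']:<10} {f['code']:<18} {f['detail']}")
```

On the constructed inventory the shared departmental ID draws four findings at once (shared, excess privilege, a segregation-of-duties conflict, and a 168-day-old password), which is the usual pattern: group IDs accumulate rights because nobody owns them. The same checks can be fed from an LDAP, mainframe RACF or application user export once the fields are mapped to the record layout above.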
Executives from all of Comdisco’s businesses (leasing, availability services, other technology services) served on the best practices panel and responded to a questionnaire on the adequacy of the company’s information security, who specifically was responsible for it, and what concerns they might have. The upshot of that meeting was that Comdisco created an information protection group consisting of internal audit, IT and other executives which now issues a biweekly bulletin on IT security sent electronically to all employees. “The bulletin has been well received,” says Myles Crane, Comdisco’s director of internal audit and a certified internal auditor. “We have addressed securing laptops after business hours, password construction and usage, junk e-mail and virus hoaxes,” says Crane, who also heads IT security audit, makes a presentation to the audit committee on the subject at every audit committee meeting and has a CPA on his staff specializing in this area. “I believe internal audit should be a catalyst in educating management about IT security risks.”
Managing IT risks requires companies to conduct continuous reevaluation and review. The internal auditor’s role is to help the company design a cost-effective solution for ensuring the security and privacy of critical assets. By using the CPA’s usual control and auditing skills, organizations can strengthen their information security, reduce technology risks and set up an ongoing, companywide dialogue to build and operate systems with effective controls.