EXECUTIVE SUMMARY

CPAs ACKNOWLEDGE THE IMPORTANCE of being proactive on IT security issues but often find it difficult getting corporate boards and audit committees to realize IT security protection requires ongoing, consistent investment in talent and technology.

THOSE WHO PERFORM IT AUDITING must report their risk management concerns to boards in a framework they can understand—cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks.

COMPANIES HAVE CRITICAL INFORMATION ASSETS consisting of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how much information security is enough and who should manage it.

INTERNAL AUDITORS CAN DESIGNATE someone to be responsible for managing information security within an organization, with audit committee oversight. For companies that do not have a chief information officer, avoid having IT security become everyone’s concern, with no one in charge.

AS WITH MANY AUDIT ISSUES, preventing security breaches is more important than fixing the problem after it’s happened. One way to make risks real to boards is to conduct penetration tests of IT systems.

LAWRENCE RICHTER QUINN is a financial writer who lives in Chicago. His e-mail address is larry_quinn1@hotmail.com.
It’s no secret why audit committees
are examining their information technology systems
and security risks for their companies: They have
no choice. Amid more frequent virus and hacker
attacks and concerns about cyberterrorism, boards
are diligently gathering information on the
subject. “Audit committees are beginning to see IT
security as a challenge they can’t ignore,” says
Stephen Head, CPA, senior security consultant in
the enterprise security practice group of Royal
& Sun Alliance Inc., Charlotte, North
Carolina. Now is a perfect time for internal
auditors to identify information risks and get
board approval to protect their company’s
financial viability by ensuring appropriate,
cost-effective IT security controls are in place
and working. “Boards want CPAs to be able
to advise them on real and potential cybersecurity
risks and what the best practices are for handling
them,” says Head, who is also vice-president of
the Information Systems Audit and Control
Association (ISACA) in Rolling Meadows, Illinois,
and serves on the AICPA information technology
executive committee (see “Get Your Internal
Controls Up and Running,” at the end of this
article). Internal auditors can learn from the
following “best practice” examples of how their
counterparts addressed IT risk management at
AT&T Corp., the Williams Cos., J.C. Penney Co.
and Comdisco Inc.
TIP 1: CONVINCE THE BOARD TO SPEND WHERE
IT COUNTS
CPAs in internal audit acknowledge the
importance of “stepping up to the plate” on IT
security issues to assure protection of
information. But they often find it difficult
getting corporate boards to realize IT security
requires ongoing, consistent investment in talent
and technology. Mark Eckman, CPA, financial
director at AT&T in Morristown, New Jersey,
observes companies reap many benefits from having
e-commerce strategies and a workforce using
efficient technologies, but their board members
need to understand those benefits come at a price.
“One of the unrecognized costs of technology is
the one associated with maintaining adequate
controls for IT systems. It’s crucial to allocate
costs to have employees with the necessary skill
sets in both IT and internal audit departments to
manage these controls effectively,” says Eckman.
To
obtain adequate resources for risk
management, internal auditors must report
their concerns to boards in a framework
they can understand—cost/benefit analyses,
for instance, or concrete comparisons of
IT risks with physical or market risks.
“Boards have got to understand that
technology is a strategic initiative. The
price includes controls and a commitment
to continual employee training to keep the
controls adequate and ahead of any
potential threat,” Eckman says. One way to
get the audit committee’s attention, he
says, is to examine the significance of
the issue and assign a dollar value to it.
The danger in quantifying various risks,
however, may focus audit committees’
attention on the obvious costs while
missing the bigger picture where risks are
less quantifiable. Eckman notes it is very
difficult to do a cost/benefit analysis of
unknown risks, even though it’s a
necessary component of efficient risk
mitigation. “But in the end you’re asking
what’s the exposure, who’s affected by it,
and at what cost,” he says.
Internal Audit and Organizational Risks

In a survey of CFOs, chief audit executives, corporate counsel and chief risk officers from different industries, 90% said the internal audit department conducted risk-based audits at the business unit level, and more than 30% said internal auditors performed companywide risk management assessments.

Source: “Enterprise Risk Management: Trends and Emerging Practices,” 2001 study by the Institute of Internal Auditors Research Foundation and Tillinghast-Towers Perrin, www.theiia.org.
Eckman believes IT risks differ little from
more conventional risks such as shoplifting losses
at a retail store—although with IT the potential
for extraordinary damage to the bottom line,
customer loyalty and shareholder value is
exponentially greater. “Retailers want to minimize
shoplifting. They hire security guards and put
electronic tags on items,” he says. “But those
same companies don’t think about how to prevent
someone from stealing their products or trade
secrets or other online information.” Eckman
points out a key difference between these two
types of “stealing”: In the physical world,
“shoplifting is just shoplifting,” he says, with
potential exposures easily estimated, understood
and managed. “In the IT environment, there’s a new
security threat every day. We don’t know what the
next threat is going to be.” Bruce Adamec,
CPA, president of creativeAssurance, an internal
audit consulting firm in Chicago and former
general auditor of Ameritech, agrees with Eckman:
“One of the challenges of managing risks is
convincing a company’s decision makers to spend a
lot of resources to protect their assets.
Management doesn’t necessarily understand the
importance of this, but where there’s poor IT
security and no (or inadequate) auditing of it,
someone can bring a company or an entire industry
to its knees.” Ironically, the demands of Y2K
provided a wake-up call to companies regarding the
importance of IT infrastructure. “Many people
thought Y2K was a sham because so much money was
spent on it and nothing happened,” says Larry
Baye, a principal for IT consulting at Grant
Thornton in New York. “Perhaps nothing happened
because businesses spent all that money.”
Many CPA firms provide tools to help companies
address their IT risk management issues. For
example, PricewaterhouseCoopers (PWC), concerned
that companies get preoccupied by single IT
catastrophes and events instead of looking at a
bigger picture, designed a program called ORCA
(objectives, risks, controls, alignment) that
examines technology and security from the top
down. “The model helps companies determine what
risks to focus on and what risks will impede or
support meeting business objectives,” says Sean
Ballington, CA, of PWC in Washington, D.C.
TIP 2: PRACTICE PREVENTION
Security breaches of
company systems can come from sources both
internal, such as employees, and external, such as
e-mail viruses. After the terrorist attacks of
September 11, companies started paying more
attention to all kinds of security issues,
particularly the reliability and integrity of
their information systems and internal controls.
Unfortunately, internal auditors and IT
security specialists say, some senior executives
and board members look at these issues reactively
rather than proactively—which makes it harder for
IT risk management to be an ongoing and effective
corporate governance tool. Where audit committees
are responsible for information security
oversight, they assess the steps management and
auditors have taken to address risks. For example,
both internal auditors and the audit committee at
Williams in Tulsa, Oklahoma, a large-volume
transporter of natural gas, take a proactive
approach: “As recently as last year we were
providing risk management updates (to the audit
committee) on an annual basis, whereas now they
want it twice a year or more,” says Kathryn
Schooley, CPA, general auditor. “That’s
significant when you consider audit committees
meet only four times a year.” As with many
audit issues, preventing security breaches is more
important than fixing the problem after it’s
happened. “Yet, it’s much more difficult to value
prevention costs and get management to allocate
the expenditure for a potential problem,” says
Schooley. “The challenge is getting management and
the board to recognize IT risks on a par with
financial risks and business opportunities.”
Questions auditors should pose to the board
include: What events will effective IT security
prevent, and what would those events cost the
company if unmitigated? And what is the likelihood
of those events occurring? “One way to make
the risks more real is to conduct
penetration tests of the IT systems,”
Schooley says. “Sharing confirmed
vulnerabilities with the audit committee
is the preferred way of making IT security
risk more concrete.” Due diligence is a
concept that appeals to boards, of course.
“Members of audit committees are very
conscientious when it comes to fulfilling
their responsibilities,” notes Schooley.
“The expectations and standards
surrounding IT security are becoming
better known since September 11. As they
do, audit committees, particularly those
at companies in critical infrastructure
industries such as energy, will look to
those standards to help them perform their
fiduciary responsibilities.” As with
most important business decisions,
different people in a company may have
alternative solutions for protecting the
organization’s information assets,
making it more complicated to get
everyone on the same security wavelength
(see the sidebar “CPAs and Online
Confidence”). “IT risk management is not a
one-recipe, one-time thing. And it’s not
really a technology issue; it’s a senior
management issue. It’s a continual cycle
of events,” says Carol Langelier, CPA,
assistant director, information security
issues, the General Accounting Office,
Washington, D.C.
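The cost/benefit framing Eckman describes and the three questions above (what events, what they would cost, how likely they are) can be put into a single quantified sheet of the kind a board can read. The following Python is an added example, not code from the article or from any company named in it: the risks, dollar figures and likelihoods are constructed for illustration, and the calculation is the conventional annualized-loss-expectancy and return-on-security-investment arithmetic, not a method the article prescribes. It also carries Eckman’s caveat about unknown risks: a risk whose likelihood nobody can estimate is reported as a judgment item instead of silently falling out of the analysis.

```python
"""Quantified IT risk sheet for an audit committee (added example; all
figures are constructed, not taken from the article or the companies named)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    single_loss: float           # SLE: estimated cost of one occurrence, dollars
    rate_low: Optional[float]    # ARO low estimate, occurrences per year (None = unknown)
    rate_high: Optional[float]   # ARO high estimate, occurrences per year (None = unknown)
    control: str                 # proposed control
    control_cost: float          # annual cost of the control, dollars
    reduction: float             # fraction of expected loss the control removes, 0..1


def ale(risk: Risk, rate: float) -> float:
    """Annualized loss expectancy: single-loss expectancy times annual rate."""
    return risk.single_loss * rate


def rosi(risk: Risk, rate: float) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost.
    Positive means the control pays for itself at this rate; negative means it
    costs more than the expected loss it removes."""
    avoided = ale(risk, rate) * risk.reduction
    return (avoided - risk.control_cost) / risk.control_cost


def evaluate(risks):
    """Split risks into quantified rows (low/high ALE and ROSI) and
    unquantified risks, which are reported qualitatively rather than dropped."""
    quantified, unquantified = [], []
    for r in risks:
        if r.rate_low is None or r.rate_high is None:
            unquantified.append(r)
            continue
        quantified.append({
            "name": r.name,
            "control": r.control,
            "ale_low": ale(r, r.rate_low),
            "ale_high": ale(r, r.rate_high),
            "rosi_low": rosi(r, r.rate_low),
            "rosi_high": rosi(r, r.rate_high),
        })
    # Rank on the pessimistic (low-rate) ROSI: a control recommended to the
    # board should pay off even under the conservative estimate.
    quantified.sort(key=lambda row: row["rosi_low"], reverse=True)
    return quantified, unquantified


def board_summary(risks):
    """One line per risk, in the form an audit committee pack would carry."""
    quantified, unquantified = evaluate(risks)
    lines = []
    for row in quantified:
        lines.append(
            f"{row['name']}: expected loss ${row['ale_low']:,.0f}-${row['ale_high']:,.0f}/yr; "
            f"{row['control']}: ROSI {row['rosi_low']:+.0%} to {row['rosi_high']:+.0%}"
        )
    for r in unquantified:
        lines.append(
            f"{r.name}: likelihood unknown, single loss up to ${r.single_loss:,.0f}; "
            f"{r.control} (${r.control_cost:,.0f}/yr) carried as a judgment item"
        )
    return lines


# Constructed sample register (hypothetical figures, not from the article).
SAMPLE_RISKS = [
    Risk("Customer database theft via web application", 2_000_000, 0.05, 0.2,
         "application security testing and review", 150_000, 0.7),
    Risk("E-mail virus outbreak", 50_000, 4, 12,
         "gateway virus scanning and patch management", 40_000, 0.9),
    Risk("Insider theft of trade secrets", 5_000_000, None, None,
         "data classification and quarterly access review", 80_000, 0.5),
]

if __name__ == "__main__":
    for line in board_summary(SAMPLE_RISKS):
        print(line)
```

Ranking on the low estimate is deliberate: the virus control pays for itself even at four outbreaks a year, while the web application control only pays off toward the high end of the likelihood range, which is exactly the kind of distinction that needs to be shown rather than averaged away. The unquantified insider risk still appears on the sheet, with its control cost, so the committee decides on it explicitly.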
TIP 3: MAKE SURE ASSETS ARE
SECURE
Companies’ critical information
assets consist of customer files and
transactions, strategic business plans
and marketing strategies, budgets and
other financial information. Internal
auditors can help management determine
how to secure these critical assets.
Before implementing an IT system, says
Kenneth Askelson, CPA, IT audit manager
for J.C. Penney, based in Plano, Texas,
IT audit staff in conjunction with other
key departments must perform the
following tasks: Evaluate business risks
and exposure and present them to
management, ensure available vendor
solutions are compatible with the
company’s existing software, determine
costs involved to buy, implement and
upgrade the software, identify training
and staff commitments and assess
existing controls including firewalls,
routers, virus scanning, network logs
and incident response plans.
CPAs and Online Confidence

CPAs offer IT security consulting to companies—especially to those that don’t have the budgets to hire technology staff. To attest to the validity of financial data, CPAs must look at everything that supports this information, including the existing systems and networks and the design, construction and implementation of new systems. In some cases auditors decide to pursue another professional designation—certified information technology professional (CITP). There are several ways to earn the CITP designation, involving a 100-point system (see “IT Credential to Help CPAs Make Business Sense Out of Technology,” JofA, July 2000, page 95). Another way CPAs can offer independent verification of system integrity is through these AICPA services: a WebTrust review (see www.cpawebtrust.org), which identifies and helps reduce e-commerce business risks, and the SysTrust engagement, an evaluation of system reliability against specific criteria and principles (see www.aicpa.org/assurance/systrust/index.htm).

In 2001 the AICPA issued Statement on Auditing Standards no. 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Controls in a Financial Statement Audit, strengthening procedures for auditing internal controls. Professional associations have jumped into the IT security auditing arena in a variety of ways. For more information see the Institute of Internal Auditors at www.theiia.org and the Information Systems Audit and Control Association at www.isaca.org.
While there is no magic solution for handling
IT risks, Askelson recommends internal audit take
these steps:
Identify critical information assets
of the business. In order to get the right input,
create a cross-functional team including employees
from areas such as risk management, systems,
legal, finance, security and internal audit.
Have insurance providers and external
CPA valuators perform risk assessments to
determine costs to protect those assets.
Designate someone to be responsible
and accountable for managing information security
within the organization, with audit committee
oversight. For companies that do not have a chief
information officer, avoid a situation where IT
security becomes the concern of everyone, with no
one in charge.
Assign IT audit staff to review the
policies and procedures for information security
that systems professionals develop prior to their
implementation.
Provide training and awareness
programs for employees. This can be done through
ongoing Web-based training and internal and
external programs.
Update the audit committee on
initiatives dealing with security and privacy of
critical business information. The heads of
internal audit and of systems security must get
the topic on the audit committee meeting agenda
with time allotted for presentation and
discussion.
Provide for independent reviews and
assessments by internal or external auditors.
Internally, the audit department, particularly in
larger companies, will do continuous security
checks. Outside consultants can perform certain
other tests, such as a network penetration study,
to see how well the controls work.
TIP 4: EDUCATE EVERYONE
Audit committees need
assurances that auditors have the resources to
evaluate IT security and management’s responses to
risks. A board member and internal audit and IT
staffs cooperated to address IT risks at Comdisco,
an equipment-leasing company in Rosemont,
Illinois. The chairperson of Comdisco’s
audit committee, Carolyn Murphy, attended a
seminar on information security held by the
Critical Infrastructure Assurance Office (CIAO), a
federal office established during the Clinton
administration; the seminar’s co-sponsors included
the AICPA, the Institute of Internal Auditors (IIA)
and the National Association of Corporate Directors. After
Murphy attended the seminar, and with the support
of the company’s audit committee, its internal
audit and IT departments and the IIA, Comdisco
held a corporate forum on IT security which
featured a discussion of best practices. Here are
some examples:
Security awareness. Make
sure IT security is on the radar screen for
management and audit committees. Evaluate employee
knowledge of policies and standards. Determine
whether IT risks are assessed regularly and
adequately.
Security procedures.
Implement a process to control and document
who requests access to information technology, who
can approve, revoke and change access and how any
“incident” is handled.
Security authentication. Tie
rules to specific individuals and ensure
privileges are not excessive. Control the number
of people who can access systems.
Security IDs. Assign them to
individuals rather than to groups or departments.
Have the ability to revoke IDs instantly. Install
systems that allow encrypted transmission of
files.
Security passwords. Consider
their length and complexity and the number of
passwords needed to gain access. Evaluate how
frequently passwords should be changed.
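Several of the items above (IDs assigned to individuals rather than groups, documented approval for privileges, instant revocation when someone leaves, password aging) can be checked mechanically from a system’s account export, and IT audit staff would normally script that check rather than read the list by eye. The Python below is an added example, not code from Comdisco or from the article: the account export, HR roster and approval record are constructed sample data, the field names are assumptions, and the 90-day password age is an assumed policy threshold standing in for whatever the evaluation in the last item settles on.

```python
"""User access review against an account export (added example; the data
below is constructed and the record layout is an assumption)."""
from datetime import date

# Constructed account export: one record per user ID on the system.
# owner is the employee number the ID is assigned to, or None for a shared ID.
ACCOUNTS = [
    {"id": "jsmith",  "owner": "E1001", "privileged": False, "pw_set": date(2002, 3, 1)},
    {"id": "mgarcia", "owner": "E1002", "privileged": True,  "pw_set": date(2001, 9, 15)},
    {"id": "apdesk",  "owner": None,    "privileged": False, "pw_set": date(2000, 1, 10)},
    {"id": "rlee",    "owner": "E1003", "privileged": True,  "pw_set": date(2002, 4, 2)},
    {"id": "tnguyen", "owner": "E1004", "privileged": False, "pw_set": date(2002, 4, 20)},
]

# Constructed HR roster: employee number -> employment status.
HR_ROSTER = {"E1001": "active", "E1002": "active", "E1003": "terminated", "E1004": "active"}

# Constructed approval record: employees with documented approval for privileged access.
APPROVED_PRIVILEGED = {"E1002"}

MAX_PASSWORD_AGE_DAYS = 90        # assumed policy threshold
REVIEW_DATE = date(2002, 5, 1)    # constructed "as of" date for the review


def review(accounts, hr_roster, approved_privileged, as_of, max_age_days):
    """Return (user ID, finding) pairs for every control exception found."""
    findings = []
    for acct in accounts:
        uid, owner = acct["id"], acct["owner"]
        if owner is None:
            # Security IDs: shared or departmental IDs cannot be tied to one person.
            findings.append((uid, "shared ID not assigned to an individual"))
        elif hr_roster.get(owner) != "active":
            # Revocation: the owner has left but the ID is still on the system.
            findings.append((uid, "owner is not an active employee; revoke"))
        if acct["privileged"] and owner not in approved_privileged:
            # Security procedures: privileges must trace to a documented approval.
            findings.append((uid, "privileged access without documented approval"))
        if (as_of - acct["pw_set"]).days > max_age_days:
            # Security passwords: age against the assumed rotation policy.
            findings.append((uid, f"password older than {max_age_days} days"))
    return findings


def ids_to_revoke(findings):
    """IDs whose owner has left; these are disabled now, not at the next review."""
    return sorted({uid for uid, text in findings if text.endswith("revoke")})


def summary_by_finding(findings):
    """Exception count per finding type, for the audit committee update."""
    counts = {}
    for _, text in findings:
        counts[text] = counts.get(text, 0) + 1
    return counts


if __name__ == "__main__":
    result = review(ACCOUNTS, HR_ROSTER, APPROVED_PRIVILEGED, REVIEW_DATE, MAX_PASSWORD_AGE_DAYS)
    for uid, text in result:
        print(f"{uid}: {text}")
    print("revoke now:", ids_to_revoke(result))
    print(summary_by_finding(result))
```

On the constructed data the review flags the shared accounts-payable ID, a terminated employee whose privileged ID is still active and was never formally approved, and two stale passwords; the two IDs that are correctly owned, approved and current produce nothing. Joining the account export to the HR roster is the step that matters most in practice, because it is the only check that catches an ID left behind after a departure.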
Executives from all of Comdisco’s businesses
(leasing, availability services, other technology
services) served on the best practices panel and
responded to a questionnaire on the adequacy of
the company’s information security, who
specifically was responsible for it, and what
concerns they might have. The upshot of that
meeting was that Comdisco created an information
protection group consisting of internal audit, IT
and other executives which now issues a biweekly
bulletin on IT security sent electronically to all
employees. “The bulletin has been well received,”
says Myles Crane, Comdisco’s director of internal
audit and a certified internal auditor. “We have
addressed securing laptops after business hours,
password construction and usage, junk e-mail and
virus hoaxes,” says Crane, who also heads IT
security audit, makes a presentation to the audit
committee on the subject at every audit committee
meeting and has a CPA on his staff specializing in
this area. “I believe internal audit should be a
catalyst in educating management about IT security
risks.” Managing IT risks requires
companies to conduct continuous reevaluation and
review. The internal auditor’s role is to help the
company design a cost-effective solution for
ensuring the security and privacy of critical
assets. By using the CPA’s usual control and
auditing skills, organizations can strengthen
their information security, reduce technology
risks and set up an ongoing, companywide dialogue
to build and operate systems with effective
controls.