1. feature
  2. RISK MANAGEMENT

Risky Business

Internal audit teams up with the audit committee to tackle IT security needs.

BY LAWRENCE RICHTER QUINN

Please note: This item is from our archives and was published in 2002. It is provided for historical reference. The content may be out of date and links may no longer function.

Related

TOPICS

EXECUTIVE SUMMARY
CPAs ACKNOWLEDGE THE IMPORTANCE of being proactive on IT security issues but often find it difficult getting corporate boards and audit committees to realize IT security protection requires ongoing, consistent investment in talent and technology.

THOSE WHO PERFORM IT AUDITING must report their risk management concerns to boards in a framework they can understand—cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks.

COMPANIES HAVE CRITICAL INFORMATION assets consisting of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how much information security is enough and who should manage it.

INTERNAL AUDITORS CAN DESIGNATE someone to be responsible for managing information security within an organization, with audit committee oversight. For companies that do not have a chief information officer, avoid having IT security become everyone’s concern, with no one in charge.

AS WITH MANY AUDIT ISSUES, preventing security breaches is more important than fixing the problem after it’s happened. One way to make risks real to boards is to conduct penetration tests of IT systems.

LAWRENCE RICHTER QUINN is a financial writer who lives in Chicago. His e-mail address is larry_quinn1@hotmail.com .

t’s no secret why audit committees are examining their information technology systems and security risks for their companies: They have no choice. Amid more frequent virus and hacker attacks and concerns about cyberterrorism, boards are diligently gathering information on the subject. “Audit committees are beginning to see IT security as a challenge they can’t ignore,” says Stephen Head, CPA, senior security consultant in the enterprise security practice group of Royal & Sun Alliance Inc., Charlotte, North Carolina. Now is a perfect time for internal auditors to identify information risks and get board approval to protect their company’s financial viability by ensuring appropriate, cost-effective IT security controls are in place and working.

“Boards want CPAs to be able to advise them on real and potential cybersecurity risks and what the best practices are for handling them,” says Head, who is also vice-president of the Information Systems Audit and Control Association (ISACA) in Rolling Meadows, Illinois, and serves on the AICPA information technology executive committee (see “Get Your Internal Controls Up and Running,” at the end of this article). Internal auditors can learn from the following “best practice” examples of how their counterparts addressed IT risk management at AT&T Corp., the Williams Cos., J.C. Penney Co. and Comdisco Inc.

TIP 1: CONVINCE THE BOARD TO SPEND WHERE IT COUNTS

Advertisement

CPAs in internal audit acknowledge the importance of “stepping up to the plate” on IT security issues to assure protection of information. But they often find it difficult getting corporate boards to realize IT security requires ongoing, consistent investment in talent and technology. Mark Eckman, CPA, financial director at AT&T in Morristown, New Jersey, observes companies reap many benefits from having e-commerce strategies and a workforce using efficient technologies, but their board members need to understand those benefits come at a price. “One of the unrecognized costs of technology is the one associated with maintaining adequate controls for IT systems. It’s crucial to allocate costs to have employees with the necessary skill sets in both IT and internal audit departments to manage these controls effectively,” says Eckman.

To obtain adequate resources for risk management, internal auditors must report their concerns to boards in a framework they can understand—cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks. “Boards have got to understand that technology is a strategic initiative. The price includes controls and a commitment to continual employee training to keep the controls adequate and ahead of any potential threat,” Eckman says. One way to get the audit committee’s attention, he says, is to examine the significance of the issue and assign a dollar value to it. The danger in quantifying various risks, however, may focus audit committees’ attention on the obvious costs while missing the bigger picture where risks are less quantifiable. Eckman notes it is very difficult to do a cost/benefit analysis of unknown risks, even though it’s a necessary component of efficient risk mitigation. “But in the end you’re asking what’s the exposure, who’s affected by it, and at what cost,” he says.
Internal Audit and Organizational Risks

In a survey of CFOs, chief audit executives, corporate counsel and chief risk officers from different industries, 90% said the internal audit department conducted risk-based audits at the business unit level, and more than 30% said internal auditors performed companywide risk management assessments.

Source: “Enterprise Risk Management: Trends and Emerging Practices,” 2001 study by the Institute of Internal Auditors Research Foundation and Tillinghast-Towers Perrin, www.theiia.org .

Eckman believes IT risks differ little from more conventional risks such as shoplifting losses at a retail store—although with IT the potential for extraordinary damage to the bottom line, customer loyalty and shareholder value are exponentially greater. “Retailers want to minimize shoplifting. They hire security guards and put electronic tags on items,” he says. “But those same companies don’t think about how to prevent someone from stealing their products or trade secrets or other online information.” Eckman points out a key difference between these two types of “stealing”: In the physical world, “shoplifting is just shoplifting,” he says, with potential exposures easily estimated, understood and managed. “In the IT environment, there’s a new security threat every day. We don’t know what the next threat is going to be.”

Bruce Adamec, CPA, president of creativeAssurance, an internal audit consulting firm in Chicago and former general auditor of Ameritech, agrees with Eckman: “One of the challenges of managing risks is convincing a company’s decision makers to spend a lot of resources to protect their assets. Management doesn’t necessarily understand the importance of this, but where there’s poor IT security and no (or inadequate) auditing of it, someone can bring a company or an entire industry to its knees.” Ironically, the demands of Y2K provided a wake-up call to companies regarding the importance of IT infrastructure. “Many people thought Y2K was a sham because so much money was spent on it and nothing happened,” says Larry Baye, a principal for IT consulting at Grant Thornton in New York. “Perhaps nothing happened because businesses spent all that money.”

Many CPA firms provide tools to help companies address their IT risk management issues. For example, PricewaterhouseCoopers (PWC), concerned that companies get preoccupied by single IT catastrophes and events instead of looking at a bigger picture, designed a program called ORCA (objectives, risks, controls, alignment) that examines technology and security from the top down. “The model helps companies determine what risks to focus on and what risks will impede or support meeting business objectives,” says Sean Ballington, CA, of PWC in Washington, D.C.

TIP 2: PRACTICE PREVENTION

Advertisement

Security breaches to company systems can come from sources both internal, such as employees, and external, such as e-mail viruses. After the terrorist attacks of September 11, companies started paying more attention to all kinds of security issues, particularly the reliability and integrity of their information systems and internal controls.

Unfortunately, internal auditors and IT security specialists say, some senior executives and board members look at these issues reactively rather than proactively—which makes it harder for IT risk management to be an ongoing and effective corporate governance tool. Where audit committees are responsible for information security oversight, they assess the steps management and auditors have taken to address risks. For example, both internal auditors and the audit committee at Williams in Tulsa, Oklahoma, a large-volume transporter of natural gas, take a proactive approach: “As recently as last year we were providing risk management updates (to the audit committee) on an annual basis, whereas now they want it twice a year or more,” says Kathryn Schooley, CPA, general auditor. “That’s significant when you consider audit committees meet only four times a year.”

As with many audit issues, preventing security breaches is more important than fixing the problem after it’s happened. “Yet, it’s much more difficult to value prevention costs and get management to allocate the expenditure for a potential problem,” says Schooley. “The challenge is getting management and the board to recognize IT risks on a par with financial risks and business opportunities.” Questions auditors should pose to the board include: What events will effective IT security prevent, and what would those events cost the company if unmitigated? And what is the likelihood of those events occurring?

“One way to make the risks more real is to conduct penetration tests of the IT systems,” Schooley says. “Sharing confirmed vulnerabilities with the audit committee is the preferred way of making IT security risk more concrete.” Due diligence is a concept that appeals to boards, of course. “Members of audit committees are very conscientious when it comes to fulfilling their responsibilities,” notes Schooley. “The expectations and standards surrounding IT security are becoming better known since September 11. As they do, audit committees, particularly those at companies in critical infrastructure industries such as energy, will look to those standards to help them perform their fiduciary responsibilities.”

As with most important business decisions, different people in a company may have alternative solutions for protecting the organization’s information assets, making it more complicated to get everyone on the same security wavelength (see “CPAs and Online Confidence,” at right). “IT risk management is not a one-recipe, one-time thing. And it’s not really a technology issue; it’s a senior management issue. It’s a continual cycle of events,” says Carol Langelier, CPA, assistant director, information security issues, the General Accounting Office, Washington, D.C.

TIP 3: MAKE SURE ASSETS ARE SECURE

Companies’ critical information assets consist of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how to secure these critical assets. Before implementing an IT system, says Kenneth Askelson, CPA, IT audit manager for J.C. Penney, based in Plano, Texas, IT audit staff in conjunction with other key departments must perform the following tasks: Evaluate business risks and exposure and present them to management, ensure available vendor solutions are compatible with the company’s existing software, determine costs involved to buy, implement and upgrade the software, identify training and staff commitments and assess existing controls including firewalls, routers, virus scanning, network logs and incident response plans.

CPAs and Online Confidence

CPAs offer IT security consulting to companies—especially to those that don’t have the budgets to hire technology staff. To attest to the validity of financial data, CPAs must look at everything that supports this information, including the existing systems and networks and the design, construction and implementation of new systems.

Advertisement

In some cases auditors decide to pursue another professional designation—certified information technology professional (CITP). There are several ways to earn the CITP designation, involving a 100-point system (see “ IT Credential to Help CPAs Make Business Sense Out of Technology ,” JofA, July00, page 95). Another way CPAs can offer independent verification of system integrity is through these AICPA services: a WebTrust review (see www.cpawebtrust.org ), which identifies and helps reduce e-commerce business risks, and the SysTrust engagement, an evaluation of system reliability against specific criteria and principles (see www.aicpa.org/assurance/systrust/index.htm).

In 2001 the AICPA updated Statement on Auditing Standards no. 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Controls in a Financial Statement Audit, strengthening procedures for auditing internal controls.

Professional associations have jumped into the IT security auditing arena in a variety of ways. For more information see the Institute of Internal Auditors at www.theiia.org and the Information Systems Audit and Control Association at www.isaca.org .

While there is no magic solution for handling IT risks, Askelson recommends internal audit take these steps:

Identify critical information assets of the business. In order to get the right input, create a cross-functional team including employees from areas such as risk management, systems, legal, finance, security and internal audit.

Have insurance providers and external CPA valuators perform risk assessments to determine costs to protect those assets.

Designate someone to be responsible and accountable for managing information security within the organization, with audit committee oversight. For companies that do not have a chief information officer, avoid a situation where IT security becomes the concern of everyone, with no one in charge.

Advertisement

Assign IT audit staff to review the policies and procedures for information security that systems professionals develop prior to their implementation.

Provide training and awareness programs for employees. This can be done through ongoing Web-based training and internal and external programs.

Update the audit committee on initiatives dealing with security and privacy of critical business information. The heads of internal audit and of systems security must get the topic on the audit committee meeting agenda with time allotted for presentation and discussion.

Provide for independent reviews and assessments by internal or external auditors. Internally, the audit department, particularly in larger companies, will do continuous security checks. Outside consultants can perform certain other tests, such as a network penetration study, to see how well the controls work.

TIP 4: EDUCATE EVERYONE

Audit committees need assurances that auditors have the resources to evaluate IT security and management’s responses to risks. A board member and internal audit and IT staffs cooperated to address IT risks at Comdisco, an equipment-leasing company in Rosemont, Illinois.

The chairperson of Comdisco’s audit committee, Carolyn Murphy, attended a seminar on information security held by the Critical Infrastructure Assurance Office (CIAO), a committee—established by former president Bill Clinton—whose co-sponsors included the AICPA, the Institute of Internal Auditors (IIA) and the National Association of Corporate Directors. After Murphy attended the seminar, and with the support of the company’s audit committee, its internal audit and IT departments and the IIA, Comdisco held a corporate forum on IT security which featured a discussion of best practices. Here are some examples:

Security awareness. Make sure IT security is on the radar screen for management and audit committees. Evaluate employee knowledge of policies and standards. Determine whether IT risks are assessed regularly and adequately.

Security procedures. Implement a process to control and document who requests access to information technology, who can approve, revoke and change access and how any “incident” is handled.

Security authentication. Tie rules to specific individuals and ensure privileges are not excessive. Control the number of people who can access systems.

Security IDs. Assign them to individuals rather than to groups or departments. Have the ability to revoke IDs instantly. Install systems that allow encryption and transmission of files.

Security passwords. Consider their length and complexity and the number of passwords needed to gain access. Evaluate how frequently passwords should be changed.

Executives from all of Comdisco’s businesses (leasing, availability services, other technology services) served on the best practices panel and responded to a questionnaire on the adequacy of the company’s information security, who specifically was responsible for it, and what concerns they might have. The upshot of that meeting was that Comdisco created an information protection group consisting of internal audit, IT and other executives which now issues a biweekly bulletin on IT security sent electronically to all employees. “The bulletin has been well received,” says Myles Crane, Comdisco’s director of internal audit and a certified internal auditor. “We have addressed securing laptops after business hours, password construction and usage, junk e-mail and virus hoaxes,” says Crane, who also heads IT security audit, makes a presentation to the audit committee on the subject at every audit committee meeting and has a CPA on his staff specializing in this area. “I believe internal audit should be a catalyst in educating management about IT security risks.”

Managing IT risks requires companies to conduct continuous reevaluation and review. The internal auditor’s role is to help the company design a cost-effective solution for ensuring the security and privacy of critical assets. By using the CPA’s usual control and auditing skills, organizations can strengthen their information security, reduce technology risks and set up an ongoing, companywide dialogue to build and operate systems with effective controls.

Get Your Internal Controls Up and Running

Security consultants often come into a company after something bad happens: a hacker breaks in, an employee is suspected of stealing intellectual property, accounting systems fail to keep track of receivables. When these “security cops” analyze what led to the security breaches, they frequently find common threads: No one equipped a server with security patches after the manufacturer released them, no one checked the background of an employee who had a prior history of problems or installers did not configure a firewall properly. If the company’s internal controls had been working, many of these situations would not have occurred.

Most companies already have staff who are experts in internal control design and monitoring—the internal auditors, who can play a vital role in helping to prevent high-tech disasters. Internal auditors will ultimately be involved when a crisis occurs and can use their financial control skills in the planning process to establish who is responsible for and what the responses are to IT security risks.

Here are some items for an internal audit checklist to help companies avoid IT system problems:

Install and maintain security patches. Vendors such as Microsoft and others regularly issue patches to fix newly discovered security problems called “holes” in software already in use. Hackers distribute the code needed to attack the system by passing through the hole. The patch code closes the hole and protects the system from attack. An internal auditor should be responsible for ensuring that IT is aware of any new patches issued and installs them promptly.

Do background checks. Are new employees trustworthy? Kroll Information Security Group investigated a technology employee who was stealing laptop computers, printers and thousands of dollars worth of other hardware from his employer. The investigators caught him red-handed and then learned worse news: His former employer had dismissed him for theft. Internal audit can design control and audit features for human resources personnel to assure procedures are followed—for example, something as simple as matching up new hires with credit histories from a background checking service.

Use simple technology. If there is not enough staff to support a complex firewall, install a simple one. Vendors can implement effective firewalls either in hardware or in software that provide great protection with little maintenance. (See “ Remote—But Connected ,” JofA, Mar.02, page 63.) Early in the planning process, internal audit can insist on sticking with the simplest solutions.

Monitor the Internet. Organizations should discover themselves that information on the Internet about them is either untrue, defamatory or represents an unauthorized release of confidential data, rather than learning about it from shareholders or journalists. Sometimes IT support finds simple search engines such as Northern Light, Altavista or Google are all it needs to review what’s being said online about the company. Large organizations can engage a monitoring service to track a site; searches should include names of executives and brand names.

Monitor your network. Network security has become a tremendous issue for most companies. Monitoring computer use logs, network logs, firewall logs, intrusion-detection-system logs and similar data sources requires a lot of work to identify significant events. If the network operates on a 24/7 basis, it may be necessary to oversee the security and interpret alerts continuously. If an employee cannot realistically do this job, internal audit can recommend the use of an outside monitoring service.

Install appropriate user identification systems. Authenticate the people who have access to systems either on-site or remotely. At the very least employees should select passwords to computer systems that are hard to guess and change them regularly. If a password is not enough protection, IT staff should choose stronger techniques such as tokens (which range from devices plugged into the computer’s USB port to credit-card-sized units that display passwords that change every minute) or biometrics. For companies requiring more sophisticated ID systems, fingerprint readers and iris scanners are becoming more practical and less expensive.

Account for invisible people. Many companies require employees to sign a confidentiality/nondisclosure/computer-use agreement. But some with network access may not sign one, such as nonemployees with only occasional access to their system, temporary workers, vendors or contracted personnel. Companies should make sure they sign. Another “invisible person” is the ex-employee whose access was not terminated promptly. Strong controls must assure IT knows when someone is leaving, so it can cut off that person’s access immediately and make sure he or she doesn’t have additional ways of getting into the system (for example, through another account or by using someone else’s password).

Watch data backups. A backup tape represents potential danger; it can contain confidential files in a form easily reloaded onto another computer. Employees should be particularly wary of what happens to the backup tapes when new ones are created and not throw them into a box of tapes to reuse. Until tapes are erased, they contain sensitive data and should be protected and inventoried.

Clear out long memories. Files deleted long ago can still linger on the hard drive. When computers that processed confidential company or customer information are going out for repair, being returned to the leasing company at the end of the lease or being given to charity, it is not hard to unerase files. Internal audit should assure every computer going out the door, for whatever reason, is cleared of confidential information.

—Alan E. Brill, senior managing director, Kroll Information Security Group, New York, www.krollworldwide.com .