Remote-access technologies—such as smartphones, tablets, laptops and at-home desktops—and automated processes have made the CPA’s job more efficient and convenient but also have created more opportunities for fraud and theft. These control procedures can help mitigate the risks.
Don’t trust too much in virtual private networks (VPNs). A VPN encrypts traffic and carries it through the organization’s firewall into the internal network, but it vouches only for the credentials presented, not for the condition of the device or the person holding it. Mobile devices, including laptops, are carried around in public, where they can be lost, stolen or physically accessed; whoever obtains one with a stored VPN configuration obtains the same path into the network. VPN-connected desktops at remote locations should always sit behind a firewall of their own and be isolated from the other machines on the home network. Otherwise, for example, family members surfing the Web on a shared or neighboring machine could bring an infection onto your home-based work desktop and, through the tunnel, into your organization’s network.
Require personal identification numbers (PINs) or swipe codes on all mobile technologies. Tie the policy to the organization’s user directory, such as Active Directory or another server queried over Lightweight Directory Access Protocol (LDAP), the protocol that email and other programs use to look up user and group information from a server. Note that a directory identifies users; it does not by itself force a passcode onto a phone. The requirement reaches the device through the mail server’s device policies (Exchange ActiveSync mailbox policies, for example) or a mobile device management tool, so confirm that one of those is actually configured to require the passcode and to wipe the device after repeated failed attempts. The iPad, iPhone and Android devices all work with Active Directory and LDAP and accept such policies.
Have an auditor, owner or senior manager review audit trail reports periodically. Download and inspect audit logs from remote devices. In some cases this can be done automatically, but most organizations aren’t doing it at all, leaving a big hole in internal controls. Evaluate transactions to make sure that anyone who has signed off on them had the authority to do so. Scour the timestamps for irregularities, such as approvals posted at odd hours, on weekends or from devices the approver does not normally use.
Require an owner or senior manager to review detective reports periodically. Among the reports that should be examined are credit-memo, inventory-adjustment, new-customer, new-vendor and change-of-address reports. Consider restricting remote devices from creating or changing these records. Allowing such changes from remote devices makes it too easy for fraudsters to alter master records that no one inspects, and it is easier for hackers to reach critical records through a remote connection than when those records can be changed only from inside the firewall.
Limit the number of vendors that can be paid from remote devices. Create a list of pre-approved vendors annually and review any exceptions. Route payments initiated from remote devices through a separately controlled account with its own limits and review. Don’t give hackers an opening into payment systems, from which theft of funds can take place.
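The three review procedures above (audit-trail review for sign-off authority and odd timestamps, detective reports on master-record changes made from remote devices, and the pre-approved vendor list and separate account for remote payments) can be run mechanically against an exported log. The script below is an added example written for this page, not code from the original column or from any accounting product. The pipe-delimited log format, the user approval limits, the vendor list, the account name and the sample log lines are all constructed assumptions for illustration.

```python
"""Audit-trail review over constructed sample log lines (illustrative only).

Hypothetical log format, one event per line:
    timestamp|user|device|action|target|detail|amount
device is INTERNAL or REMOTE.
APPROVE: target = invoice id, amount = amount approved
PAY:     target = paying account, detail = vendor, amount = amount paid
CREATE/UPDATE: target = master-record type, detail = record key
"""
from datetime import datetime

# Hypothetical authorization matrix: maximum amount each user may approve.
APPROVAL_LIMITS = {"jdoe": 5_000, "rsmith": 25_000, "controller": 250_000}

# Hypothetical pre-approved vendor list, reviewed annually.
APPROVED_VENDORS = {"Acme Supply", "Northwind Traders"}

# Hypothetical separately controlled account for remotely initiated payments.
REMOTE_PAYMENT_ACCOUNT = "AP-REMOTE-01"

# Master records that should not be created or changed from a remote device.
SENSITIVE_RECORDS = {"vendor", "customer", "customer_address",
                     "credit_memo", "inventory_adjustment"}

BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local, Monday to Friday

# Constructed sample log; the comments state what each line should trigger.
SAMPLE_LOG = [
    "2011-03-14 10:05|jdoe|INTERNAL|APPROVE|INV-1001||3200.00",              # clean
    "2011-03-14 22:40|jdoe|REMOTE|APPROVE|INV-1002||12000.00",               # over limit, after hours
    "2011-03-15 09:15|rsmith|REMOTE|UPDATE|vendor|V-0042|",                  # vendor master changed remotely
    "2011-03-15 11:30|rsmith|REMOTE|PAY|AP-REMOTE-01|Acme Supply|8000.00",   # clean
    "2011-03-19 14:00|controller|REMOTE|PAY|AP-MAIN|Zephyr Consulting|9500.00",  # Saturday, unapproved vendor, wrong account
    "2011-03-16 13:45|controller|INTERNAL|CREATE|customer_address|C-0310|",  # internal change: allowed
]


def parse(line):
    """Split one log line into a dict; blank amounts become 0.0."""
    ts, user, device, action, target, detail, amount = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
        "user": user, "device": device, "action": action,
        "target": target, "detail": detail,
        "amount": float(amount) if amount else 0.0,
    }


def review(lines):
    """Return (raw_line, reason) pairs for every control exception found."""
    findings = []
    for raw in lines:
        e = parse(raw)
        ts = e["ts"]
        # 1. Sign-off authority: approvals above the approver's limit.
        if e["action"] == "APPROVE":
            limit = APPROVAL_LIMITS.get(e["user"], 0)
            if e["amount"] > limit:
                findings.append((raw, f"approval exceeds {e['user']}'s limit of {limit}"))
        # 2. Timestamp irregularities: weekend or after-hours activity.
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            findings.append((raw, "activity outside business hours"))
        # 3. Master-record creation or change from a remote device.
        if (e["action"] in {"CREATE", "UPDATE"}
                and e["target"] in SENSITIVE_RECORDS and e["device"] == "REMOTE"):
            findings.append((raw, f"{e['target']} record changed from remote device"))
        # 4. Remote payments: vendor must be pre-approved and routed through the controlled account.
        if e["action"] == "PAY" and e["device"] == "REMOTE":
            if e["detail"] not in APPROVED_VENDORS:
                findings.append((raw, f"remote payment to unapproved vendor {e['detail']}"))
            if e["target"] != REMOTE_PAYMENT_ACCOUNT:
                findings.append((raw, f"remote payment not routed through {REMOTE_PAYMENT_ACCOUNT}"))
    return findings


if __name__ == "__main__":
    for raw, reason in review(SAMPLE_LOG):
        print(f"{reason}: {raw}")
```

Each exception is reported separately, so a single line can appear several times (the Saturday payment above produces three), which is what a reviewer wants: the reasons are the evidence to follow up, and the limits, vendor list and account name are the controls the text says should be set and reviewed annually.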
Conduct a physical inventory at least once a year. Mobile technology is fine for simplifying and speeding up routine inventory counts, but an annual physical count is what catches or deters fraud. It is crucial to perform the physical count independently and only then reconcile it against the routine counts, so that the two are not simply copies of each other.
Scrub customer, vendor and employee databases annually. Control what is delivered to remote devices and protect against shadow systems that keep unauthorized data on them. Shadow systems are unauthorized duplicates of information, such as Outlook PST files holding local copies of email and attachments. Consider draconian procedures such as wiping devices periodically to remove unauthorized applications and malware.
Keep accounting systems current. Routinely patch all remote systems, including the mobile devices themselves, to plug security holes.
—By Randolph P. Johnston, (firstname.lastname@example.org) executive vice president of Network Management Group in Hutchinson, Kan., and K2 Enterprises in Hammond, La.
Note: A version of this column originally appeared in the AICPA CPA Insider e-newsletter. To sign up for the free e-newsletter and read archives, please visit cpa2biz.com/newsletters.
from the JofA: