This is the first of two articles on helping clients prepare for and recover from cyberattacks.
With the many benefits of information technology come increased risks and costs of fraud. Yet only 26% of organizations have an enterprisewide cybersecurity incident response plan, according to IBM's 2020 Cyber Resilient Organization Report, even though just over half of those organizations had experienced at least one attack in the prior two years that caused significant disruption.
As the risk of cyberfraud increases, accounting practitioners are positioned to help their clients and employers prepare for a possible cyberattack.
PREPARING THROUGH FRAUD RISK ASSESSMENT
As CPAs and forensic practitioners, when we work with our clients, we should start by helping them recognize that risk assessments go beyond compliance and are an essential aspect of fraud detection and prevention. This begins with understanding the three elements of a risk assessment:
- Identifying inherent fraud risk;
- Assessing the likelihood and significance of each inherent fraud risk; and
- Responding to likely and significant inherent risks.
EVALUATING ENTITY-LEVEL RISKS
The first step in the risk assessment is performing interviews with management and key employees to gauge entity-level risks.
The tone at the top of an organization is key, and practitioners should consider the culture of the organization. For example, do management and leadership focus on compliance and ethics, or is their priority profits at any cost? A profits-first focus might result in an organization not investing enough in cybersecurity, leaving it vulnerable to attacks. Practitioners should also research escalation mechanisms within the organization and whether management can override controls.
Here are some questions to ask when putting together the assessment: What risks are pervasive throughout the organization? Are there codes of ethics and documented policies and procedures that are clear, easy to understand, and adhered to by all, including leadership?
In evaluating entity-level risks, practitioners should understand how the organization uses IT and how much leadership values IT controls throughout the organization.
Next, practitioners can perform walk-throughs of financial processes, speaking with relevant parties in both financial and IT roles to determine what risks exist and what manual and IT controls are in place to address those risks. As practitioners perform their walk-throughs, they should learn about and evaluate the financial processes and include among their considerations:
- Asking how the organization responded to past fraud, including breaches and attempted breaches: Practitioners should ask these questions of both management and staff as they may get different answers, which could, in turn, say a lot about entity- and process-level risks in the organization.
- Considering the incidence of fraud in the organization's industry: For example, the financial services industry is a prime target for cyberattacks because of its wealth and troves of personal data. Practitioners can help their clients and employers research and update industrywide cyber risk information.
- Identifying complexities in the organization and in processes: Complexity can make it more challenging to pinpoint risks. The more steps and people there are in a process, the more potential there is for risks to exist.
- Ascertaining separation of duties: During a walk-through of processes, practitioners can determine if, within a process, the functions of authorization, recordkeeping, and custody are split among different people. Separation of duties must also be assessed in the IT function. In IT, there should be separation between those who authorize changes, those who develop changes, those who test the changes, and those who implement these changes into production (which is also referred to as going live with the changes).
- Recognizing areas in the company that pose a higher cyber risk: Knowledge of current and emerging threats on the cyber landscape can direct how the CPA evaluates risk areas. Following the outbreak of COVID-19, unemployment insurance fraud escalated, and many companies were finding that clusters of their employees had been targeted, which indicated that their systems may have been compromised.
- Checking IT security and controls: Does the organization use complex passwords that must be changed regularly? Does the organization apply the principle of least privilege, meaning that any users, programs, or processes have only the bare minimum of privileges necessary to perform their functions? Practitioners can review this information by viewing the organization's system settings. Are systems set up so that IT security updates are applied automatically and cannot be turned off by employees? Does the organization have end-of-life software that is no longer supported by the vendor? If so, that could leave the organization more susceptible to security threats. Has IT assessed and addressed risks of remote staff and staff using mobile devices, by implementing measures such as multifactor authentication and the use of virtual private networks? Do the organization's employees receive regular cybersecurity training that is updated to include current threats?
- Researching the organization's current business continuity and disaster recovery processes and plans.
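As an added example that is not from the article, the following Python check applies the separation-of-duties test described above (financial: authorization, recordkeeping, custody; IT changes: authorize, develop, test, implement) to role memberships a practitioner might export from a client's systems during a walk-through. The role names, people and role-to-duty mappings are constructed assumptions; a real engagement would load them from the client's ERP or ticketing system export.

```python
from collections import defaultdict

# Duties that must be split among different people, per the walk-through above.
FINANCIAL_DUTIES = {"authorization", "recordkeeping", "custody"}
IT_CHANGE_DUTIES = {"authorize", "develop", "test", "implement"}

# Constructed, hypothetical role definitions, in the shape a practitioner might
# export from an ERP or ticketing system's settings. Role names are assumptions.
ROLE_DUTIES = {
    "ap_approver": {"authorization"},
    "ap_clerk": {"recordkeeping"},
    "treasury": {"custody"},
    "change_approver": {"authorize"},
    "developer": {"develop"},
    "qa": {"test"},
    "release_mgr": {"implement"},
    "it_admin": {"develop", "test", "implement"},  # one broad role is a built-in conflict
}

# Constructed role memberships gathered during the walk-through (hypothetical names).
MEMBERSHIPS = [
    ("alice", "ap_approver"),
    ("bob", "ap_clerk"), ("bob", "treasury"),        # posts invoices and signs cheques
    ("carol", "treasury"),
    ("dave", "change_approver"),
    ("erin", "developer"), ("erin", "release_mgr"),  # can move own change to production
    ("frank", "it_admin"),
]

def duties_by_person(memberships, role_duties):
    """Expand (person, role) memberships into the set of duties each person holds."""
    held = defaultdict(set)
    for person, role in memberships:
        held[person] |= role_duties.get(role, set())
    return held

def find_sod_conflicts(memberships, role_duties, separated):
    """Anyone holding two or more `separated` duties is a finding; returns {person: sorted duties}."""
    findings = {}
    for person, duties in duties_by_person(memberships, role_duties).items():
        hit = duties & separated
        if len(hit) > 1:
            findings[person] = sorted(hit)
    return findings

def find_unassigned_duties(memberships, role_duties, separated):
    """Duties nobody performs: a missing step (e.g. no one tests) is also a control gap."""
    covered = set().union(*duties_by_person(memberships, role_duties).values())
    return sorted(separated - covered)
```

Running the two finders against the constructed data flags bob (records and custody), erin (develops and implements) and frank (a single role that spans develop, test and implement), which is exactly the kind of list a practitioner would carry into the risk assessment.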
BUILDING AN ASSESSMENT
Following the walk-throughs, practitioners can assemble a fraud risk assessment. This assessment will list the risks involved with the steps in each process evaluated. Practitioners can work with clients to assess the likelihood and significance of those risks, employing both qualitative and quantitative measurements to help organizations determine their risk appetite. Since addressing every risk is generally cost-prohibitive, determining which risks to address, and how, is a key value the practitioner can bring to the assessment.
It should be emphasized that the fraud risk assessment is not a one-off process. As organizations change and as fraud risks evolve, practitioners can continue to help organizations monitor processes, risks, and controls. Controls that become ineffective or do not adequately address new risks can be pinpointed and replaced by more effective controls.
About the author
Rumbi Bwerinofa-Petrozzello, CPA/CFF, is senior director, Consulting at Seramount and a member of the AICPA's Fraud Task Force. She is also president of the New York State Society of CPAs.
To comment on this article or to suggest an idea for another article, contact Drew Adamek, a JofA senior editor, at Andrew.Adamek@aicpa-cima.com.