Get the fox out of the hen house: CPAs have the right skills to perform IT risk assessments for clients. (2003 Technology & Business Resource Guide: Risk Assessment)

It's hard to go through a day without hearing about the increasing number of security risks that threaten our information systems--and the biggest risk to a company's information is its employees. The Association of Certified Fraud Examiners estimates that more than 75 percent of crimes against a business originate from inside the company. The fastest-growing fraud activity is theft or damage of electronically stored data.

So what's at risk? Virtually all accounting records, customer data, credit card information, trade secrets and any other information stored on a computer. Firewalls, virus protection or even locks don't protect against internal risks because company employees--armed with knowledge and access to a company's information system--are already past the main gate. The fox is in the hen house.

Before computers, information risk was easier to evaluate. Internal controls focused on the segregation of duties and procedures that applied checks and balances to the management of a company's assets. But the enormous volume of digitally stored data adds a new dimension to the information risk equation. If appropriate safeguards are not in place, employees can copy, modify or destroy data without detection. The Internet adds yet another risk: unauthorized access to data from virtually anywhere. The books are no longer locked in the corporate tower.

A CLOSE LOOK

An information technology risk assessment identifies critical data, access paths to that data and employees who may have or do have access to that data. It also examines a system's integrity, reliability, ownership and system documentation. It reviews the company's disaster recovery and business continuity plans; evaluates employee policies and procedures; and tests the internal control structure.

Now, a tech person can attach a laptop to a client's domain, extract passwords and log files, security rights and other data, but may not be qualified to perform an internal control risk evaluation. This is where a CPA's training in evaluating internal control comes into play. It takes a CPA's understanding of the client's business environment, materiality and strategic thinking to evaluate the control risks.

Adding information risk assessments to the CPA's bag of tricks is not that difficult. There is a group of specialists--certified information technology professionals--who are designated by the AICPA and trained to provide this service. Many professional staff members have the tech skills needed to embrace this new service. They are only waiting for forward-thinking CPA firms to embrace the concept.

ASSESSMENT GUIDELINES

Basic components of an information risk assessment include understanding the business environment; building an assessment program; taking inventory of key elements and assigning risk factors; evaluating each component and related controls; analyzing the findings; and presenting a report. These are nothing new to a CPA.

Key components of a review include network hardware; system file servers; workstations and terminals; applications; data files; and databases. Each component is then evaluated for its availability, security and integrity.

A matrix of users, components and accessibility becomes a center point of an information risk assessment. The user matrix shows who has security rights at the operating system level, application level and database level. It identifies risk areas where a weak password--such as administrative rights granted to someone who does not have an extra secure password, or whose password is not changed regularly--may allow for potential breaches in the information system.

If CPAs stop at this point of the risk assessment, they can render an impartial opinion on the condition of the IT system. It may be natural to go the next step and provide recommendations on how to improve the system, but this would step into the realm of consulting, where independence may be impaired.

CLIENT BENEFITS

Even if an IT risk assessment stops short of making recommendations, the client has received various benefits, including identifying conditions for inherent risk of loss, corruption, incompleteness, theft or misappropriation of critical information; providing the first step in building walls of defense around its critical information; documenting its IT infrastructure; providing the foundation for a disaster recovery and business continuity plan; and aiding in the performance evaluation of the technical support personnel.

Historically, local and regional CPA firms have not evaluated internal control risks inherent in their clients' information systems, but the leading CPA firms of the 21st century will be evaluating their clients' information systems, along with their financial statements. Are you ready for the 21st century?

Larry Russell, CPA, CITP, is with Los Angeles-based AccounTec. You can reach him at Larry@AccounTec.com.
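The user/component/accessibility matrix described under ASSESSMENT GUIDELINES, worked through as an added example that is not part of the original article: it builds the matrix from an inventory of access records and flags the risk areas the article names (administrative rights held without a strong password, or with a password that is not changed regularly). The inventory, the 90-day rotation policy and the `AccessRecord` fields are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AccessRecord:
    user: str
    component: str           # file server, application, database, workstation ...
    level: str               # "os", "application" or "database" access level
    admin: bool              # administrative rights at that level
    password_changed: date   # last password change on record
    strong_password: bool    # meets the assumed "extra secure" password policy

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy; the article names no figure

def build_matrix(records):
    """User x (component, level) matrix: who can reach what, and with which rights."""
    matrix = {}
    for r in records:
        cell = "admin" if r.admin else "user"
        matrix.setdefault(r.user, {})[(r.component, r.level)] = cell
    return matrix

def find_risk_areas(records, assessment_date):
    """Flag admin rights held without a strong or regularly changed password."""
    findings = []
    for r in records:
        if not r.admin:
            continue
        age = (assessment_date - r.password_changed).days
        if not r.strong_password:
            findings.append((r.user, r.component, r.level, "admin rights without strong password"))
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((r.user, r.component, r.level, f"admin password unchanged for {age} days"))
    return findings

SAMPLE = [  # constructed sample inventory, not real client data
    AccessRecord("jsmith", "fileserver01", "os", True, date(2003, 1, 5), False),
    AccessRecord("jsmith", "gl-app", "application", True, date(2003, 5, 20), True),
    AccessRecord("mlee", "gl-db", "database", True, date(2002, 11, 1), True),
    AccessRecord("tkim", "ws-14", "os", False, date(2002, 1, 1), False),
]
ASSESSMENT_DATE = date(2003, 6, 1)  # constructed assessment date

def sample_findings():
    return find_risk_areas(SAMPLE, ASSESSMENT_DATE)

if __name__ == "__main__":
    print(build_matrix(SAMPLE))
    for finding in sample_findings():
        print("RISK:", *finding)
```

On the constructed inventory, the non-administrative workstation user is never flagged, while the two administrators with stale or weak passwords produce three findings the assessor can report without making a recommendation.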