How safe are your data transmissions?As if electronic data processing See EDP. (application) Electronic Data Processing - (EDP) data processing by electronic machines, i.e. computers. (EDP (Electronic Data Processing) The first name used for the computer field. EDP - Electronic Data Processing ) isn't complex enough, an increasing number of organizations transmit data electronically to and from their various offices, customers and suppliers. The transmitted data, on which major business decisions depend, may be exposed to a wide assortment of dangers: transmission errors, power outages This is a list of famous wide-scale power outages. 1965
Unfortunately, there is a dearth of guidance--other than that of the most general nature--on this subject. In fact, most of the professional guidance provided to CPAs on auditing in an EDP environment concentrates on processing--not transmitting--the data. Data communications--or as those in the business call it, "distributed data processing See distributed processing. "--are critical to many businesses, large and small. Many organizations depend on this technology not only to process accounting data, but also to enhance their financial information services See Information Systems. and support their operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. . In addition, auditors rely heavily on transmitted data and government agencies such as the Securities and Exchange Commission receive financial data directly from public companies. WHAT'S THE CPA'S ROLE Corporate internal auditors Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. play much less of a role in auditing or supporting the data communication function specifically than they do in auditing or supporting EDP in general. In a survey of internal auditors of 60 United States companies This is a list of companies from the United States:
: that transmit a great deal of data, 85% of the respondents said they were moderately to heavily involved in supporting the data processing data processing or information processing, operations (e.g., handling, merging, sorting, and computing) performed upon data in accordance with strictly defined procedures, such as recording and summarizing the financial transactions of a function, but 55% had little or no involvement in auditing the telecommunication of data (see exhibit 1, page 68). The survey also disclosed that auditing the data communication function is constrained by * A shortage of auditors in the internal audit division to review the function. * Auditors' lack of familiarity with the several complex technologies used to transmit data. * Limited financial resources and difficulties in enforcing controls over system programming activities. There's no question such problems make external audits more complicated and more difficult. THE DATA CONNECTION How much does a CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. need to know about data transmission to keep a watchful eye on this function? This article provides an overview of the essentials. Organizations that transmit data have several options in selecting a data transmission medium, although not all are available in every locality. As a practical matter, organizations usually transmit data using more than one technology--depending on what's available and cost-benefit considerations--which introduces even more complexity. In the following list of transmission methods, the generic term "line" (as in "telephone line") is used. The term is becoming a misnomer misnomer n. the wrong name. MISNOMER. The act of using a wrong name. 2. Misnomers, may be considered with regard to contracts, to devises and bequests, and to suits or actions. 3.-1. ; some of the communication links involve radio transmissions via satellite, microwave transmissions Microwave transmission refers to the technique of transmitting information over a Microwave link. Since microwaves are highly susceptible to attenuation by the atmosphere (especially during wet weather), the use of microwave transmission is limited to a few contexts. and fiber optic cables Noun 1. fiber optic cable - a cable made of optical fibers that can transmit large amounts of information at the speed of light fibre optic cable transmission line, cable, line - a conductor for transmitting electrical or optical signals or electric power . Most of the long-distance carriers switch to such links frequently even when users employ ordinary telephone lines or private, leased lines A private communications channel leased from a common carrier. Most digital lines require four wires (two pairs) for full-duplex transmission. (communications, networking) leased line . The most accessible communication medium is the public telephone--a technology with drawbacks. Public telephone service was not designed for digital transmission, so modems are needed to link phone equipment and computers. While some public carriers offer digital s facilities that do not require modems (making them less prone to distortion or signal loss), such facilities are not available everywhere. Also, telephone networks use switching technology that routes data over various lines to meet the needs of the telephone utility; that means data paths may differ for each transmission. This introduces problems because each route change can distort the signal, and the likelihood of signal loss increases the farther a signal must travel. In addition, phone-line transmission is inherently slow, so transmitting high-volume data over public telephone lines often is not a suitable option. Telex, the typed message medium offered worldwide and operated in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. by Western Union International, is another option. However, it's becoming less popular because it's not cost-effective for anyone but the lowest-volume users. The most efficient means of data transmission is via private phone lines, the most popular choice of large organizations. A company may purchase, or more typically lease, a private line from a phone utility for its exclusive use. Leased lines can be conditioned (enhanced) to ensure a higher level of performance, producing higher transmission speeds and fewer data errors. However, leased lines are relatively expensive. As a result, many organizations turn to companies offering a value-added network A communications network that provides services beyond normal transmission, such as automatic error detection and correction, protocol conversion and message storing and forwarding. Telenet and Tymnet are examples of value-added networks. (VAN) that leases facilities from common carriers and then offers interconnection and communication services to third-party customers at lower rates. STEPPING UP SECURITY Organizations can safeguard their data and decrease the possibility of losses and distortions during transmission by following these key steps: * Use network-monitoring software. Such software monitors the data flow and detects weak points--hardware configurations or software arrangements that are likely to cause transmission errors. Popular network-monitoring software brands include Lantern, which is produced by Novell, Inc.; Lansight, by Intel Corp.; XTree Net, by XTree Co.; and Sniffer, by Network Corp. * Upgrade to conditioned telecommunication lines. Because such lines are cleaner--producing less static and other encumbrances--transmission rates can be boosted without errors, resulting in lower transmission costs. Fiber optic lines offer the most advantages in data efficiency and security; they are capable of carrying enormous volumes of data at high speeds with little or no distortion, and they are almost impossible to tap. Fiber optic lines, however, are not yet widely available. * Apply protocol controls. In a typical situation, software monitors the transmission reliability by directing the receiving and sending software to acknowledge the transmission link, then agree on a transmission protocol and finally verify the accuracy of the data transmitted. * Enforce backup and recovery procedures See: explosive ordnance disposal procedures. . No network is fail-safe. As a network design becomes more sophisticated, the probability increases that at least some part of it will fail. Backup and recovery procedures provide contingency planning for network downtime and include securing alternate network facilities, planning for alternate means of data transmission and eliminating confusion over what data were preserved in instances of transmission interruption. * Use network access controls. As has been demonstrated in recent years, almost every computer network can be broken into by determined hackers. Any organization without access controls--passwords--is inviting trouble. Depending on the organization, passwords should be assigned to every user at various levels of the operation. In some cases, this may even mean assigning selective access to specific computer files. VANS often offer some or all of these network control enhancements as a part of their services. To secure data during transmission, users should consider various encryption methods. One popular method is to manipulate the data message in an attempt to perplex intruders who may have intercepted an organization's data transmission. Such procedures break messages into fragments or, alternatively, relay more than one message at a time. Such encryption requires special hardware at both ends of the transmission line to encode (1) To assign a code to represent data, such as a parts code. Contrast with decode. (2) To convert from one format or signal to another. See codec and D/A converter. (3) The term is sometimes erroneously used for "encrypt. the outbound data and then decode (1) To convert coded data back into its original form. Contrast with encode. (2) Same as decrypt. See cryptography. (cryptography) decode - To apply decryption. it once it has been delivered. Most companies, however, avoid this technique because they consider it too expensive and burdensome. Exhibit 2, at left, details the lack of reliance on encryption techniques. HOW SENSITIVE ARE THE DATA? Should an organization establish an internal audit control structure to oversee its communication network? Two factors influence the decision: the volume and the sensitivity of data transmitted. But even when an audit structure is established, it can only add to an organization's internal control structure; it can't substitute for the system control measures described in this article. Since most of the control measures mentioned here are maintained by the computer system staff, it's critically important that CPAs work closely with these people to stay abreast of the technology being used. EXECUTIVE SUMMARY * ACCOUNTANTS AND INTERNAL auditors should play a major role in safeguarding the accuracy of transmitted computer data. Currently, they are much more involved in auditing or supporting the data processing function than in overseeing transmissions. * HERE ARE THE KEY steps they should take or recommend to safeguard transmitted data: * Use network-monitoring software to detect weak points--hardware configurations or software arrangements that are likely to cause transmission errors. * Upgrade to enhanced telecommunication lines to reduce transmission errors and increase security. * Apply protocol controls to verify the accuracy of transmitted data. * Enforce backup and recovery procedures. * Use passwords to deter hackers and other intruders. SID R. EWER, CPA, CMA CMA - Concert Multithread Architecture from DEC. , CIA CIA: see Central Intelligence Agency. (1) (Confidentiality Integrity Authentication) The three important concerns with regards to information security. Encryption is used to provide confidentiality (privacy, secrecy). , PhD, is an assistant professor of accounting at Southwest Missouri State University Missouri State University is a state university located in Springfield, Missouri. It is the state's second largest university in student enrollment, second only to the University of Missouri. From 1972 to 2005, Missouri State was known as Southwest Missouri State University. , Springfield. He is a member of the American Institute of CPAs. HAROLD E. WILLS, CPA, is a former managing partner of Baird, Kurtz and Dobson, CPAs, also in Springfield. He is a number of the American Institute of CPAs and served as chairman of the management consulting Noun 1. management consulting - a service industry that provides advice to those in charge of running a business service industry - an industry that provides services rather than tangible objects services committees of the Association for Regional Accounting Firms in Atlanta and the Kentucky Society of CPAs. RICHARD L. NICHOLS, PhD, is head of the accounting department and an associate professor at Southwest Missouri State University. He is a member of the Missouri Society of CPAs. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion