How safe are your data transmissions?
Unfortunately, there is a dearth of guidance--other than that of the most general nature--on this subject. In fact, most of the professional guidance provided to CPAs on auditing in an EDP environment concentrates on processing--not transmitting--the data.
Data communications--or as those in the business call it, "distributed data processing"--are critical to many businesses, large and small. Many organizations depend on this technology not only to process accounting data, but also to enhance their financial information services and support their operating systems. In addition, auditors rely heavily on transmitted data and government agencies such as the Securities and Exchange Commission receive financial data directly from public companies.
WHAT'S THE CPA'S ROLE?
Corporate internal auditors play much less of a role in auditing or supporting the data communication function specifically than they do in auditing or supporting EDP in general. In a survey of internal auditors of 60 United States companies that transmit a great deal of data, 85% of the respondents said they were moderately to heavily involved in supporting the data processing function, but 55% had little or no involvement in auditing the telecommunication of data (see exhibit 1, page 68).
The survey also disclosed that auditing the data communication function is constrained by
* A shortage of auditors in the internal audit division to review the function.
* Auditors' lack of familiarity with the several complex technologies used to transmit data.
* Limited financial resources and difficulties in enforcing controls over system programming activities.
There's no question such problems make external audits more complicated and more difficult.
THE DATA CONNECTION
How much does a CPA need to know about data transmission to keep a watchful eye on this function? This article provides an overview of the essentials.
Organizations that transmit data have several options in selecting a data transmission medium, although not all are available in every locality. As a practical matter, organizations usually transmit data using more than one technology--depending on what's available and cost-benefit considerations--which introduces even more complexity.
In the following list of transmission methods, the generic term "line" (as in "telephone line") is used. The term is becoming a misnomer; some of the communication links involve radio transmissions via satellite, microwave transmissions and fiber optic cables. Most of the long-distance carriers switch to such links frequently even when users employ ordinary telephone lines or private, leased lines.
The most accessible communication medium is the public telephone--a technology with drawbacks. Public telephone service was not designed for digital transmission, so modems are needed to link phone equipment and computers. While some public carriers offer digital facilities that do not require modems (making them less prone to distortion or signal loss), such facilities are not available everywhere.
Also, telephone networks use switching technology that routes data over various lines to meet the needs of the telephone utility; that means data paths may differ for each transmission. This introduces problems because each route change can distort the signal, and the likelihood of signal loss increases the farther a signal must travel. In addition, phone-line transmission is inherently slow, so transmitting high-volume data over public telephone lines often is not a suitable option.
Telex, the typed message medium offered worldwide and operated in the United States by Western Union International, is another option. However, it's becoming less popular because it's not cost-effective for anyone but the lowest-volume users.
The most efficient means of data transmission is via private phone lines, the most popular choice of large organizations. A company may purchase, or more typically lease, a private line from a phone utility for its exclusive use. Leased lines can be conditioned (enhanced) to ensure a higher level of performance, producing higher transmission speeds and fewer data errors. However, leased lines are relatively expensive. As a result, many organizations turn to companies offering a value-added network (VAN) that leases facilities from common carriers and then offers interconnection and communication services to third-party customers at lower rates.
STEPPING UP SECURITY
Organizations can safeguard their data and decrease the possibility of losses and distortions during transmission by following these key steps:
* Use network-monitoring software. Such software monitors the data flow and detects weak points--hardware configurations or software arrangements that are likely to cause transmission errors. Popular network-monitoring software brands include Lantern, which is produced by Novell, Inc.; Lansight, by Intel Corp.; XTree Net, by XTree Co.; and Sniffer, by Network Corp.
* Upgrade to conditioned telecommunication lines. Because such lines are cleaner--producing less static and other encumbrances--transmission rates can be boosted without errors, resulting in lower transmission costs. Fiber optic lines offer the most advantages in data efficiency and security; they are capable of carrying enormous volumes of data at high speeds with little or no distortion, and they are almost impossible to tap. Fiber optic lines, however, are not yet widely available.
* Apply protocol controls. In a typical situation, software monitors the transmission reliability by directing the receiving and sending software to acknowledge the transmission link, then agree on a transmission protocol and finally verify the accuracy of the data transmitted.
* Enforce backup and recovery procedures. No network is fail-safe. As a network design becomes more sophisticated, the probability increases that at least some part of it will fail. Backup and recovery procedures provide contingency planning for network downtime and include securing alternate network facilities, planning for alternate means of data transmission and eliminating confusion over what data were preserved in instances of transmission interruption.
* Use network access controls. As has been demonstrated in recent years, almost every computer network can be broken into by determined hackers. Any organization without access controls--passwords--is inviting trouble. Depending on the organization, passwords should be assigned to every user at various levels of the operation. In some cases, this may even mean assigning selective access to specific computer files.
VANs often offer some or all of these network control enhancements as a part of their services.
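The protocol-control sequence described above (acknowledge the link, agree on a protocol, verify the data) can be sketched as follows. This is an added example, not code from the article: the protocol names, function names and sample records are hypothetical, and it assumes a CRC-32 check with retransmission on error, which the article does not specify.

```python
import zlib

def negotiate(sender_protocols, receiver_protocols):
    """Agree on the first protocol the sender prefers that the receiver also supports."""
    for name in sender_protocols:
        if name in receiver_protocols:
            return name
    raise ConnectionError("no common transmission protocol")

def make_frame(seq, payload):
    """Frame = 2-byte sequence number + payload + 4-byte CRC-32 over both."""
    body = seq.to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "big")

def check_frame(frame):
    """Receiver side: return (seq, payload) if the CRC matches, else None."""
    if len(frame) < 6:
        return None
    body, crc = frame[:-4], frame[-4:]
    if zlib.crc32(body).to_bytes(4, "big") != crc:
        return None
    return int.from_bytes(body[:2], "big"), body[2:]

def noisy_line(frame, corrupt):
    """Constructed channel: flips one bit of the frame when corrupt is True."""
    if not corrupt:
        return frame
    damaged = bytearray(frame)
    damaged[len(frame) // 2] ^= 0x01
    return bytes(damaged)

def transfer(records, sender_protocols, receiver_protocols, corrupt_first_try=(), max_tries=3):
    """Run the three steps; frames listed in corrupt_first_try are damaged once."""
    log = ["link acknowledged"]  # step 1: receiver answers the sender's hello
    log.append("protocol agreed: " + negotiate(sender_protocols, receiver_protocols))
    received = []
    for seq, payload in enumerate(records):
        for attempt in range(1, max_tries + 1):
            damaged = seq in corrupt_first_try and attempt == 1
            result = check_frame(noisy_line(make_frame(seq, payload), damaged))
            if result is not None and result[0] == seq:
                received.append(result[1])
                log.append(f"frame {seq}: ACK (attempt {attempt})")
                break
            log.append(f"frame {seq}: NAK, retransmit")
        else:
            raise ConnectionError(f"frame {seq} failed {max_tries} times")
    return received, log

if __name__ == "__main__":
    records = [b"INV-1001,250.00", b"INV-1002,75.10"]  # constructed sample data
    for line in transfer(records, ["arq/2", "arq/1"], ["arq/1"], corrupt_first_try={1})[1]:
        print(line)
```

A CRC of this kind catches line noise, not deliberate alteration; anyone able to change the data in transit can recompute it, so integrity against an intruder needs a keyed check.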
To secure data during transmission, users should consider various encryption methods. One popular method is to manipulate the data message in an attempt to perplex intruders who may have intercepted an organization's data transmission. Such procedures break messages into fragments or, alternatively, relay more than one message at a time. Such encryption requires special hardware at both ends of the transmission line to encode the outbound data and then decode it once it has been delivered. Most companies, however, avoid this technique because they consider it too expensive and burdensome. Exhibit 2, at left, details the lack of reliance on encryption techniques.
HOW SENSITIVE ARE THE DATA?
Should an organization establish an internal audit control structure to oversee its communication network? Two factors influence the decision: the volume and the sensitivity of data transmitted. But even when an audit structure is established, it can only add to an organization's internal control structure; it can't substitute for the system control measures described in this article.
Since most of the control measures mentioned here are maintained by the computer system staff, it's critically important that CPAs work closely with these people to stay abreast of the technology being used.
* ACCOUNTANTS AND INTERNAL auditors should play a major role in safeguarding the accuracy of transmitted computer data. Currently, they are much more involved in auditing or supporting the data processing function than in overseeing transmissions.
* HERE ARE THE KEY steps they should take or recommend to safeguard transmitted data:
* Use network-monitoring software to detect weak points--hardware configurations or software arrangements that are likely to cause transmission errors.
* Upgrade to enhanced telecommunication lines to reduce transmission errors and increase security.
* Apply protocol controls to verify the accuracy of transmitted data.
* Enforce backup and recovery procedures.
* Use passwords to deter hackers and other intruders.
SID R. EWER, CPA, CMA, CIA, PhD, is an assistant professor of accounting at Southwest Missouri State University, Springfield. He is a member of the American Institute of CPAs. HAROLD E. WILLS, CPA, is a former managing partner of Baird, Kurtz and Dobson, CPAs, also in Springfield. He is a member of the American Institute of CPAs and served as chairman of the management consulting services committees of the Association for Regional Accounting Firms in Atlanta and the Kentucky Society of CPAs. RICHARD L. NICHOLS, PhD, is head of the accounting department and an associate professor at Southwest Missouri State University. He is a member of the Missouri Society of CPAs.
|Title Annotation:||protecting electronic information|
|Author:||Nichols, Richard L.|
|Publication:||Journal of Accountancy|
|Date:||Sep 1, 1993|