Valuables and Vulnerabilities
by Jeff Brandenburg

Customer information, financial records and other databases are among your company’s most valuable assets. When this information resides on servers that are accessible to employees, customers and the public, these assets can also be among your most vulnerable. Without adequate controls – both technical and procedural – sensitive information can be open to unauthorized access and tampering.

George Fallon, Partner in Clifton Gunderson’s Washington, DC, office, says that as databases continue to proliferate, safeguarding information from internal and external threats has become a top priority. Like all business processes and procedures, security measures should be periodically reviewed and tested to assure their continued effectiveness.

“The need for multiple levels of protection and internal controls governing IT operations has never been greater,” says Fallon. “The more access that is given to your company’s data, the greater your risk.”

Compliance, Accountability and Internal Control
Developments such as HIPAA, Sarbanes-Oxley and the USA PATRIOT Act have brought even greater attention to questions of individual privacy, control of personal information and access to sensitive company data.

At the same time, high-profile fraud and mismanagement have heightened the demand for accountability in corporate finances. In March 2006, the American Institute of Certified Public Accountants (AICPA) issued new Audit Risk Assessment Standards that, among other requirements, call upon financial statement auditors to perform a rigorous assessment of IT system risks and vulnerabilities. Beginning with audits of December 2007 financial statements, auditors must –

  • Determine the effect of IT on the audit
  • Identify and assess IT risks
  • Understand IT controls
  • Design and perform tests of IT controls or substantive procedures

Since so much financial information resides in electronic databases, a great deal of time will likely be spent on these assessments in 2007 and beyond.

Fallon suggests that, instead of reacting to problems after a violation has been detected or an audit finding has been reported, CFOs and Chief Information Officers (CIOs) should consider proactively consulting with IT professionals in order to identify and address vulnerabilities. Such an assessment will provide documentation and better prepare them for the review of general and application controls that will be part of financial statement audits under the new risk assessment standards.

An assessment of IT vulnerabilities may use various methodologies, software tools and procedures to examine computer systems and the policies and procedures that govern them. Most assessments include a description and examination of general controls and application controls.

General Controls
General controls are the structures, policies and procedures that create the environment in which applications and controls operate. If general controls are weak, they severely diminish the reliability of individual application controls, which in turn, may diminish the reliability of financial statements.

Access Controls
Are you prepared for a premeditated, brutal attack intended to steal sensitive data about employees, clients, customers or trade secrets? Instances of these types of attacks are occurring almost daily. And they’re not limited to large companies — a disgruntled employee or anonymous hacker is just as dangerous to small companies.
If access controls do not effectively limit or detect inappropriate access to property (data, equipment and facilities) and sensitive information, you may be at risk of illicit modification, loss and leaks. An IT assessment should scrutinize everything from gates and security guards to firewalls and passwords.

Software Development and Change Controls
Freeware and shareware sound like a fantastic deal. But the dark side of these products is what may be going on behind the scenes. The user could be unwittingly infecting entire networks with Trojan horses, viruses, spyware, worms and other malware that permits sensitive data to be transmitted, modified, exposed or destroyed. Software development and change controls help prevent the installation of unauthorized programs, and the modification of approved programs, that could later be exploited for personal gain or sabotage.

Segregation of Duties
How often have you wondered about the danger of giving your IT professionals or accounting staff more access privileges than are required for their job? Would you be able to sleep at night knowing that someone who inputs invoices has access to blank check stock and can also cut checks? And what are the risks of having a programmer write, test and approve program changes? An IT assessment should examine the policies, procedures and organizational structures in place to help ensure that one individual cannot independently control all key aspects of a process or computer-related operation.

System Software Controls
If system access can be exploited in order to gather and disclose sensitive company information, you’ll want to know it before the fact, not after. System software controls should limit and monitor access to the programs and files associated with a computer system’s operation, including operating systems, utilities, security software and database management systems. If controls are inadequate, the reliability of information produced by all of the applications supported by the computer system is diminished.

Service Continuity Controls
What are the risks of a natural disaster or accident resulting in the total annihilation of your main processing/manufacturing facility, headquarters or field office locations? Or more likely, what happens if a hard drive fails, resulting in a loss or corruption of data? Service continuity controls minimize the risks associated with unplanned interruptions and ensure that critical operations can continue when unexpected events occur.

Application Controls
If general controls are found to be effective, the audit team should then determine the effectiveness of a company’s application controls. These controls relate directly to computer programs that are used to perform certain types of work, and the policies and procedures associated with user activities.
Three types of application controls are generally subject to examination –

Authorization
Without adequate segregation of duties, supervisory review of critical processes and limits on system privileges, a situation could exist that opens your entire system to fraud and manipulation. Similar to general access controls, authorization controls for specific applications should establish accountability, prevent unauthorized transactions, limit individual processing privileges, and prevent and detect inappropriate or unauthorized activities.

Completeness
Inadequate controls could result in incomplete payroll data being transmitted for processing, missing time records, customer payments that do not get recorded and dozens of similar errors. Automated and manual controls can prevent these errors from occurring, or detect errors for timely correction. Common controls include the use of header and trailer records with record counts and control totals, sequence checking, matching of transaction data with data in a master or suspense file, and checking of reports for transaction data.

Accuracy
The phrase “garbage in, garbage out” applies here. If an application accepts erroneous data input, it will produce inaccurate financial statements and other reports. Ideally, inaccurate data is detected when it is entered. Accuracy controls include well-designed data entry procedures, data validation and editing to identify erroneous data, reporting, investigating and correcting erroneous data, and review and reconciliation of output.
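The completeness and accuracy controls listed above (header and trailer records with record counts and control totals, sequence checking, and validation of each field as it is read) are easiest to see in code. The following is an example added to this article, not code from the author or from Clifton Gunderson; the pipe-delimited HDR/DTL/TRL layout and the three sample batches are constructed for illustration only, and the function and field names are assumptions.

```python
"""Completeness and accuracy checks for a transmitted batch file.

Example code added to the article (not the author's).  The record layout is
an assumption made for illustration:
  HDR|<system>|<date>|<batch id>
  DTL|<sequence>|<employee id>|<amount>
  TRL|<batch id>|<record count>|<control total>
"""
from decimal import Decimal, InvalidOperation

# Constructed sample: four detail records whose count and total were placed
# in the trailer by the sending system.
SAMPLE_BATCH = (
    "HDR|PAYROLL|20070131|BATCH0042\n"
    "DTL|0001|E1001|1250.00\n"
    "DTL|0002|E1002|980.50\n"
    "DTL|0003|E1003|2100.00\n"
    "DTL|0004|E1004|775.25\n"
    "TRL|BATCH0042|4|5105.75\n"
)

# A record lost in transit: count, total and sequence checks should all fire.
SAMPLE_BATCH_DROPPED = SAMPLE_BATCH.replace("DTL|0003|E1003|2100.00\n", "")

# A record altered in transit: the count is intact, so only the control
# total detects the change.
SAMPLE_BATCH_ALTERED = SAMPLE_BATCH.replace("980.50", "9800.50")


def check_batch(text):
    """Return (ok, findings) for one batch.

    ok is True only when the header and trailer are present, every detail
    record parses, sequence numbers run 1..n without gaps or repeats, and the
    observed record count and amount total match the trailer.
    """
    findings = []
    lines = [ln for ln in text.splitlines() if ln.strip()]

    # Structural checks first; without a trailer nothing else is verifiable.
    if not lines or not lines[0].startswith("HDR|"):
        return False, ["missing header record"]
    if not lines[-1].startswith("TRL|"):
        return False, ["missing trailer record"]
    header = lines[0].split("|")
    trailer = lines[-1].split("|")
    if len(header) != 4 or len(trailer) != 4:
        return False, ["malformed header or trailer record"]
    if trailer[1] != header[3]:
        findings.append("trailer batch id does not match header")
    try:
        expected_count = int(trailer[2])
        expected_total = Decimal(trailer[3])
    except (ValueError, InvalidOperation):
        return False, findings + ["trailer count or total is not numeric"]

    count = 0
    total = Decimal("0")
    prev_seq = 0
    for ln in lines[1:-1]:
        fields = ln.split("|")
        # Accuracy control: reject records that do not match the layout
        # rather than letting a bad field flow into the ledger.
        if len(fields) != 4 or fields[0] != "DTL":
            findings.append(f"malformed detail record: {ln!r}")
            continue
        if not fields[1].isdigit():
            findings.append(f"non-numeric sequence number: {fields[1]!r}")
        else:
            seq = int(fields[1])
            # Completeness control: sequence checking catches gaps,
            # duplicates and reordering.
            if seq != prev_seq + 1:
                findings.append(
                    f"sequence break: expected {prev_seq + 1:04d}, got {fields[1]}"
                )
            prev_seq = seq
        try:
            amount = Decimal(fields[3])
        except InvalidOperation:
            findings.append(f"non-numeric amount: {fields[3]!r}")
            continue
        count += 1
        total += amount

    # Completeness controls: record count and control total against trailer.
    if count != expected_count:
        findings.append(
            f"record count {count} does not match trailer count {expected_count}"
        )
    if total != expected_total:
        findings.append(
            f"control total {total} does not match trailer total {expected_total}"
        )
    return not findings, findings


if __name__ == "__main__":
    for name, batch in [("intact", SAMPLE_BATCH),
                        ("dropped", SAMPLE_BATCH_DROPPED),
                        ("altered", SAMPLE_BATCH_ALTERED)]:
        ok, findings = check_batch(batch)
        print(name, "OK" if ok else "REJECT", findings)
```

The dropped-record batch trips all three completeness checks, while the altered batch passes the record count and sequence checks and is caught only by the control total; that is why the article lists both counts and totals rather than one or the other. A batch that fails should be held in a suspense file and reported for correction, not partially posted.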

In Summary
“Companies know they must guard against external risks, and that’s where most attention has been focused,” Fallon says. “But equally important is the need to protect against internal risks. Now financial auditors will be looking even closer at these risks and their potential impact on the integrity of financial statements. An IT assessment exposes strengths and weaknesses, so you can have confidence in the security and reliability of your electronic assets.”
