Everyone’s Been Hacked Now What?
OakRidge • What happened?
Other Hacks • What other hacks were mentioned? • We know about HB Gary
So..... • Kaminsky says, “No one knows how to make a secure network right now.
Do you know if you’ve been hacked? • According to Richard Bejtlich, chief security officer for computer security firm Mandiant, which has helped Google and many other companies conduct forensics and clean up their networks after an attack, the average cyberespionage attack goes on for 458 days, well over a year, before a company discovers it’s been hacked. • So if hackers are everywhere and everyone has been hacked, what’s a company to do?
New Realities • What data needs to be and what does NOT need to be on the network • How should data be transmitted?
Sarbanes Oxley Information Technology Weaknesses
Background Questions • What is SOX? • How/Why did it come about? • What are SOX requirements? • Which if any rely on or are related to IT controls?
The effect of IT controls on financial reportingGrant, Miller & Alali (2008)
What Standards does paper use for support? • How are these standards used? What do they say (not say) about IT controls? • SAS 94 • “The nature and character of an entity’s use of technology in its information system affects the entity’s overall internal control structure” • SOX • PCAOB AS #5
SOX 302 • What are the requirements? • The signing officers have reviewed the report • The report does not contain any material untrue statements or material omission or be considered misleading • The financial statements and related information fairly present the financial condition and the results in all material respects • The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings • A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities • Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
SOX 404 • 404 (a) • Management statement of responsibility over Internal Controls & • Assessment of Internal Controls • 404 (b) • Auditors must attest and report on managements assessment • Report Material Weaknesses in Internal Control and Remediation Plan • What are/define MW’s? • Most Companies use COSO as Internal Control Framework
Section 409 • Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.
Section 802 • all audit or review papers must be maintained for a period of 5 years • How are audit/review papers maintained in 2012?
What IT deficiencies did the paper look at? • IT deficiencies include controls related to • software programs • program implementations • segregation of duties associated with access to computer accounting or financial reporting records • problems with access to electronic data and programs • What other controls might be important for accounting/auditing? • Why weren’t they investigated?
COSO & IT • General IT Controls • Ensure proper operations • Application IT Controls • Ensure proper functioning of software • Processing of transactions • Storage of Data
Findings • IT Deficiency ranked 6th among all MWs (20% so 1 in 5) • IT Deficiency -> Internal Control deficiency • IT Deficiency -> accounting errors (Why?) • revenue recognition • receivables, investments, and cash issues • inventory, vendor, and cost of sales issues • financial statement, footnote, US GAAP, and segment disclosures issues • IT Deficiency -> Higher Audit Fees
SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information TechnologyKlamm and Watson (2009)
Overview • Examined IT and non-IT Controls Material Weaknesses with respect to COSO Components • Material Weaknesses were mapped to a specific COSO component • IT Vs. non-IT MWs • What is your assessment of the IT MW’s?
COSO Components • Control environment • Foundation • Sets tone of the firm • integrity, ethical values, competence, philosophy, and operating style of the firm’s managers and employees • Risk assessment • identification, analysis, and management of (operating, economic, industry, regulatory) risks that may prevent a firm from achieving its objectives • Management implements control activities • segregation of duties, approvals, reviews, reconciliations, and authorizations • Information & Communication • timely capture and dissemination of pertinent information on internal and external events • communication among and between management, employees, suppliers, and customers • Monitoring • continual evaluation of the other components’ effectiveness.
Findings • Weak Control Environment is related to other weaknesses in COSO components • Weak Monitoring is related to weak risk assessment and control activities • Financial Statement reliability is affected by the number of weak COSO components • IT related MW’s are associated with a greater amount of non-IT related MW’s • IT related MW’s are related with: • More misstatements • Greater overall number of MWs
Information Security and Sarbanes-Oxley Compliance: An Exploratory StudyWallace, Lin, and Cefaratti (2011)
Frameworks • COSO • Model for controlling and managing Internal Control • COBIT • IT Governance / NOT IT Security Specifically • What needs Controls • ISO • Specific IT Security Controls • How To
ISO • Security Policy • Organizational Security • Asset Classification and Control • Personnel Security • Physical and Environmental Security • Communications and Operations Management • Access Control • Systems Development and Maintenance • Business Continuity Management • Compliance • In all there are 124 recommended IT controls
Findings • What is the Extent that ISO controls are in place? • Most Common: • Controls such as deploying antivirus software and authenticating remote users accessing the network • Least Common • Protecting equipment from unauthorized access and tracking the location of removable computer media
“Not Sure” Responses • CPA’s selected “not sure” more frequently than non-CPA’s • CISA’s selected “not sure” less frequently than non-CISA’s • Certified Information Systems Auditor • What Is ISO Category 8? 9?
Training • Auditors with IT Training • 35 more controls were likely to be implemented • IT employees participate in SOX Compliance • 55 more controls were likely to be implemented • IT personnel received SOX compliance training • 65 more controls were likely to be implemented
IT internal control weaknesses and firm performance: An organizational liability lensStoel & Muhanna (2011)
Internal Control • SEC definition: • policies and procedures for the recording of transactions and maintenance of financial records • Since modern enterprises are heavily dependent on integrated computer- based systems • “internal control over financial reporting” process regulated by the SEC must include controls over the accounting and management process as well as over the organizational IT infrastructure and systems. • Statement of Auditing Standards No. 94 (SAS 94) affirmed that the nature and characteristics of a company's use of information technology affect the company's internal control over financial reporting and requiring auditors to consider information technology as an integral part of overall internal controls (AICPA 2001). • Therefore, SOX requires review of Accounting Internal Control as well as IT controls
IT Controls • Pertain specifically to IT systems, processes and infrastructure • used to capture, process and record raw transactional data corresponding to economic events • as well as support the preparation of financial reports • Encompass the management, operational, and technical safeguards or countermeasures prescribed for the firm's information systems to protect the • Confidentiality • Integrity • Availability • of those systems and their information • What framework does this definition come from? • When examining a companies IC – which framework do companies use? Which are prescribed? • What does PCAOB AS #2 say about IT controls?
Overview • What is the business value of IT Controls? • What is the relationship between IT Quality and ROA? • IT Control MW’s -> Lower ROA (Why?) • What were the ROA for the 3 segments examined in this study?
The consequences of Internal Control Weaknesses on Management Information Systems: The Case of SOX Internal Control Reports Li, Peters, Richardson, Watson, 2012
What do the researchers assert? • Quality of financial reporting system output. • In what form? • What can impact quality?
IT Controls • How are these determined? • How are they coded? • How did the authors categorize them? • Data Processing Integrity • Systems Access and Security • System Structure and Usage
Findings What did they find?
A content Analysis of auditors reports on IT internal control weaknesses... (Boritz, Hayes, and Lim, 2013)
What is this about? Why did they do it?
What did they find? • Are any of these categories correlated with each other? • If so what might be an explanation?
What didn’t they find? Or what keywords might you expect that didn’t turn up or turned up infrequently? What might this mean? Can it be fixed?