I am currently working in the accounting department and I was asked to describe the information security issues facing your industry and your organization; review legal/regulatory requirements/constraints; analyze available technological and procedural mitigants, identify best practices; and frame your plan to manage the risks.
UPDATE IN RESPONSE TO FEEDBACK:
The file is saved in Word 2007. I updated my Word free from the Internet on my old computer, but my new computer only has Word 2007. So, I will download the information at the end of this response instead.
Let's take a closer look at what the business literature has to say! I also attached a relevant article, from which some of this response is drawn.
1. I am currently working in the accounting department and I was asked to describe the information security issues facing your industry and your organization:
(a) Review legal/regulatory requirements/constraints;
In the U.S., generally accepted accounting principles, commonly abbreviated as US GAAP or simply GAAP, are the accounting rules used to prepare, present, and report financial statements for a wide variety of entities, including publicly-traded and privately-held companies, non-profit organizations, and governments. GAAP generally comprises the locally applicable accounting framework, related accounting law and rules, and accounting standards.
Similar to many other countries practicing under the common law system, the United States government does not directly set accounting standards, in the belief that the private sector has better knowledge and resources. US GAAP is not written in law, although the U.S. Securities and Exchange Commission (SEC) requires that it be followed in financial reporting by publicly-traded companies. Currently, the Financial Accounting Standards Board (FASB) is the highest authority in establishing generally accepted accounting principles for public and private companies, as well as non-profit entities. For local and state governments, GAAP is determined by the Governmental Accounting Standards Board (GASB), which operates under a set of assumptions, principles, and constraints, different from those of standard private-sector GAAP (see http://cpaclass.com/gaap/sfas/gaap-sfas-01.htm).
GAAP is the common set of accounting principles, standards and procedures that companies use to compile their financial statements. GAAP is a combination of authoritative standards (set by policy boards) and the commonly accepted ways of recording and reporting accounting information. GAAP is imposed on companies so that investors have a minimum level of consistency in the financial statements they use when analyzing companies for investment purposes. GAAP covers such things as revenue recognition, balance sheet item classification and outstanding share measurements. Companies are expected to follow GAAP rules when reporting their financial data via financial statements. If a financial statement is not prepared using GAAP principles, be very wary! That said, keep in mind that GAAP is only a set of standards. There is plenty of room within GAAP for unscrupulous accountants to distort figures. So, even when a company uses GAAP, you still need to scrutinize its financial statements (http://www.investopedia.com/terms/g/gaap.asp).
Financial reporting in federal government entities is regulated by the Federal Accounting Standards Advisory Board (FASAB). The US GAAP provisions differ somewhat from International Financial Reporting Standards, though efforts are underway to reconcile differences in principles so that financial statements created under international standards will be considered acceptable within the United States, and US GAAP financial statements will be acceptable internationally (http://en.wikipedia.org/wiki/US_generally_accepted_accounting_principles).
The Foreign Corrupt Practices Act of 1977 and the Sarbanes-Oxley Act of 2002 (SOX) assign important legal responsibilities to management. Management and other personnel are expected to provide reasonable assurance annually regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. Management is expected to establish, evaluate, monitor, and provide written assessments of internal controls, which include policies and procedures that
* pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and disposition of the assets of the registrant;
* provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorization of management and directors of the registrant; and
* provide reasonable assurance regarding the prevention or timely detection of any unauthorized acquisition, use, or disposition of the registrant's assets that could have a material effect on the financial statements (www.sec.gov).
Section 404 of SOX mandates a statement of management's responsibility for establishing and maintaining adequate internal controls over financial reporting and an assessment of the effectiveness of those internal controls: preventive controls, which include techniques designed to reduce the frequency of undesirable or devastating actions; detective controls, which include devices, techniques, and procedures designed to expose undesirable or devastating actions that elude preventive controls; and corrective controls, which involve actions to reverse the effects of undesirable or potentially devastating actions.
SOX does not mandate a single particular form of documentation of internal control compliance; the extent of documentation may vary, depending upon the size and complexity of the organization. Documentation might be paper or electronic, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is, however, considered a deficiency in the company's internal control system. COSO (www.coso.org), COBIT (www.isaca.org), ISO (www.iso.org), and SysTrust (www.systrustservices.com) have provided useful frameworks and principles for documenting controls.
Management must ask important questions and be able to rely on the answers with confidence:
* Did assets, liabilities, and other elements shown on financial statements actually exist?
* Did recorded transactions included in the financial statements actually occur?
* Did the financial statements include all transactions and accounts that should be presented?
* Were accounts included in the financial statements at appropriate values?
* Are the assets shown on the balance sheet rights of the company?
* Are the liabilities shown on the balance sheet obligations of the company?
* Are elements of financial statements appropriately classified and disclosed?
How much reliance can be placed on the answers if a significant information security threat exists and management has not taken appropriate measures to protect the organization from internal and external attacks? (excerpted from http://www.aicpa.org/download/news/2007/Information_Security_Management_02_07.pdf).
(b) Analyze available technological and procedural mitigants;
In the last two decades, society has become increasingly reliant on computers to perform daily operations (Ervin II, 2002, as cited in http://bama.ua.edu/~meggi001/Project/Accounting.html). Presently, there is little or no sympathy for corporations or organizations failing to adequately protect their clients' confidential information. With this in mind, it's easy to see why information security is such an important issue among accountants today. Audit committees are examining their information technology systems and acknowledging security risks for their companies (Cytron, 2001, as cited in http://bama.ua.edu/~meggi001/Project/Accounting.html).
The audit role should be emphasized in all businesses that use technology. In fact, auditing is a big part of providing assurance and consulting services to a company's executives and directors. This job often includes advising on system protection along with giving reasonable assurance to managers and directors that controls are satisfactory when it comes to protecting information. When auditors decode information security discussions into business terms, management can make informed decisions about how much risk is acceptable (Parker, 2002, as cited in http://bama.ua.edu/~meggi001/Project/Accounting.html).
Information technology is so integral to companies and individuals that no one can possibly afford to ignore it. Auditor control knowledge is frequently employed upfront in IT assignments to help consumers develop the tools they need to conduct business successfully. Today, auditors have the opportunity to consult clients, train coworkers, sit on specialized project teams, and essentially be involved in IT developments (Parker, 2002, as cited in http://bama.ua.edu/~meggi001/Project/Accounting.html).
Accountants must develop best practices to protect the security of information involving technology risk. Also see the attached article.
(c) Identify best practices.
The use of Internet technologies has substantially increased the vulnerability of information systems. One of the fastest growing threats on the Internet is the theft of sensitive financial data. Failure to include basic information security unwittingly creates significant business and professional risks. For example, without effective security, a hacker may be able to access user passwords, providing entree to an array of system capabilities and information. Such breaches can have serious legal consequences. Or, trade secrets may be uncovered and disseminated, diminishing competitive advantage and profits (http://findarticles.com/p/articles/mi_qa5346/is_200705/ai_n21288682/print?tag=artBody;col1).
Inadequate information security increases the opportunity for manipulation, falsification, or alteration of accounting records. Unauthorized or inappropriate access to the accounting information system, or the failure to establish and maintain separation of duties as part of a system of internal control, may make it difficult to ensure that valid and accurate transactions are recorded, processed, and reported. There are a number of threats to accounting information systems, especially for those systems used in conjunction with the Internet. These threats represent challenges to management, accountants, auditors, and academicians (http://findarticles.com/p/articles/mi_qa5346/is_200705/ai_n21288682/print?tag=artBody;col1).
Professional development in documenting internal control, compliance, and the impact of IT is available through a number of organizations. Information can be found from the SEC (www.sec.gov), AICPA (www.aicpa.org), IIA (www.theiia.org), IMA (www.imanet.org), COSO (www.coso.org), and ISACA (www.isaca.org).
You might consider the following findings. The 10 most important technology initiatives for 2007, along with their definitions, are as follows:
1. Information Security Management: A systematic approach encompassing people, processes and IT systems that safeguards critical systems and information, protecting them from internal and external threats. Incorporates the preservation of confidentiality (information is not available or disclosed to unauthorized individuals, entities, or processes), integrity (safeguarding the accuracy and completeness of key data) and availability (systems and data are accessible and usable upon demand by an authorized entity) of information. Other properties such as authenticity, accountability, non-repudiation and reliability may also be involved.
2. Identity and Access Management: Identity and access management consists of the hardware, software and processes used to authenticate a user's identity, i.e. ensure users are who they say they are, and then provide users with appropriate access to systems and data based on pre-established rights and privileges. Identity management may utilize one, two or three factor authentication and include passwords, tokens, digital certificates (for web sites and e-mail systems), Public Key Infrastructure (PKI), biometrics and other emerging
3. Conforming to Assurance and Compliance Standards: Creating formalized strategies and systems to address organizational goals and statutory requirements. These strategies and systems may include collaboration and compliance tools to monitor, document, assess, test and report on compliance with specified controls. It encompasses risk assessment standards, risk management and continuous auditing/continuous monitoring.
4. Privacy Management: The rights and obligations of individuals and organizations with respect to the ...
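To make the identity and access management initiative above concrete, here is an added Python example (written for this response; it is not code from the AICPA list or from any of the cited sources). It shows the two halves the initiative describes: authentication with two factors (a salted PBKDF2 password hash plus an HMAC-based one-time code per RFC 4226), followed by authorization against pre-established roles, with the separation-of-duties rule from the accounting discussion enforced so that whoever prepares a journal entry can never approve it. Every allow/deny decision is written to an audit log, which is the detective control an auditor would later review. The user names, passwords, one-time-password secrets, role names and journal entries are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed demo data: these secrets, users and roles exist only for this example.
DEMO_SECRETS = {
    "carol": b"constructed-otp-secret-carol",
    "dan": b"constructed-otp-secret-dan",
}
ROLE_PERMISSIONS = {
    "clerk": {"journal:create"},
    "controller": {"journal:create", "journal:approve"},
}


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash: a stolen user directory does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the 'something you have' factor."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Directory:
    """Authentication: proves who the user is and records which roles they hold."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, password, otp_secret, roles):
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "otp_secret": otp_secret,
            "counter": 0,  # next HOTP counter value the user must present
            "roles": set(roles),
        }

    def authenticate(self, name, password, otp_code) -> bool:
        user = self.users.get(name)
        if user is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown names
            return False
        pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
        otp_ok = hmac.compare_digest(hotp(user["otp_secret"], user["counter"]), otp_code)
        if pw_ok and otp_ok:
            user["counter"] += 1  # consume the code so a replayed code is rejected
            return True
        return False


class Ledger:
    """Authorization: role-based permissions plus a separation-of-duties rule."""

    def __init__(self, directory: Directory):
        self.directory = directory
        self.entries = {}
        self.audit_log = []  # detective control: every allow/deny decision is kept

    def _permitted(self, user: str, permission: str) -> bool:
        roles = self.directory.users.get(user, {}).get("roles", set())
        return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)

    def _decide(self, allowed: bool, user: str, action: str, entry_id: str, reason: str) -> bool:
        self.audit_log.append(("ALLOW" if allowed else "DENY", user, action, entry_id, reason))
        return allowed

    def create_entry(self, user: str, entry_id: str, amount: float) -> bool:
        if not self._permitted(user, "journal:create"):
            return self._decide(False, user, "create", entry_id, "no journal:create permission")
        self.entries[entry_id] = {"amount": amount, "prepared_by": user, "approved_by": None}
        return self._decide(True, user, "create", entry_id, "ok")

    def approve_entry(self, user: str, entry_id: str) -> bool:
        entry = self.entries.get(entry_id)
        if entry is None:
            return self._decide(False, user, "approve", entry_id, "no such entry")
        if not self._permitted(user, "journal:approve"):
            return self._decide(False, user, "approve", entry_id, "no journal:approve permission")
        if entry["prepared_by"] == user:
            # Separation of duties: the preparer may never approve their own entry,
            # whatever their role, so one person cannot both book and release it.
            return self._decide(False, user, "approve", entry_id, "separation of duties")
        entry["approved_by"] = user
        return self._decide(True, user, "approve", entry_id, "ok")


def build_demo():
    """Constructed directory: Carol is a clerk, Dan is a controller."""
    directory = Directory()
    directory.add_user("carol", "carol-demo-password", DEMO_SECRETS["carol"], ["clerk"])
    directory.add_user("dan", "dan-demo-password", DEMO_SECRETS["dan"], ["controller"])
    return directory, Ledger(directory)


if __name__ == "__main__":
    directory, ledger = build_demo()
    code = hotp(DEMO_SECRETS["carol"], 0)
    print("carol login:", directory.authenticate("carol", "carol-demo-password", code))
    print("carol replays code:", directory.authenticate("carol", "carol-demo-password", code))
    ledger.create_entry("carol", "JE-1001", 2500.00)
    print("carol approves own entry:", ledger.approve_entry("carol", "JE-1001"))
    print("dan approves carol's entry:", ledger.approve_entry("dan", "JE-1001"))
    ledger.create_entry("dan", "JE-1002", 900.00)
    print("dan approves own entry:", ledger.approve_entry("dan", "JE-1002"))
    for row in ledger.audit_log:
        print(row)
```

Two design points match the controls discussed in the answer: the one-time code is consumed on success, so the "something you have" factor cannot be replayed, and the separation-of-duties check is applied after the role check, so even a controller who holds the approve permission is refused on an entry they prepared. The audit log, rather than the return values, is what an auditor would sample when testing whether the control operated throughout the period.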
In describing the information security issues, this solution reviews legal/regulatory requirements/constraints, analyzes available technological and procedural mitigants, and identifies best practices and strategies recommended for managing risks. It is supplemented with one article on security issues.