Information Technology Security Engagements
An Evolving Specialty

By Bruce H. Nearon

In Brief

IT Security in the 21st Century

When large mainframe computer systems were in their prime, security was a major concern. Comments about computer security appeared in every management letter. With the movement to PCs and networks, where connectivity is the key to improved productivity, information technology (IT) security is again a high priority.

CPAs considering adding IT security to their service mix should know how to evaluate a possible engagement and follow it through. Technical training is important, but business know-how is essential to ensure the client's needs are met.

The key phrase in IT security engagements is risk-avoidance: identifying potential risks at every level, operational, financial, and perceptual; creating proactive control mechanisms to minimize the probability of a company's worst fears being realized; and knowing what to do when something goes wrong or security has been breached.

In 1968, the Harvard Business Review published Brandt Allen's "Danger Ahead: Safeguard Your Computer." Information technology (IT) security had not been a priority for business managers. They just wanted the computer system up and running, and as quickly as possible. Allen's article was a wake-up call for businesses to pay attention to IT security. They are now requesting IT security engagements from their CPAs.

The large mainframe computers of 30 years ago cost millions of dollars and were critical to corporate success and educational excellence, but only companies that could afford electronic data processing (EDP) audits demanded them. This hasn't changed. But now, businesses that own server "farms" (large numbers of network servers in one location) also need IT security engagements. Breaches of IT security range from publicly embarrassing defacement of the corporate home page by hackers to industrial espionage, theft of proprietary information, denial of service, and destruction of data.

Server farms and the rooms where network servers are maintained are the modern-day descendants of the data processing center, and their critical function in business drives the need for IT security engagements. As the PC-centric era ends and the network-centric era matures, the demand for reporting on IT security will only increase.

Types of IT Security Engagements

A client and practitioner have three types of IT security engagements to consider: the examination, the review, and consulting.

For CPAs, examinations and reviews fall under attestation standards and therefore are subject to more rigorous requirements than consulting engagements, which are governed by the AICPA's Statement on Standards for Consulting Services. When CPAs consider which service to offer, they must keep in mind that attestation engagements are riskier because of the potential of third-party liability.

Under current attestation standards, practitioners that perform an examination or review will issue a written conclusion on the reliability of a written assertion by management regarding the entity's IT operations. According to the attestation standards section AT 100:

The assertion must be capable of being evaluated against reasonable criteria that either have been established by a recognized body through due process or are stated in the assertion in a sufficiently clear and comprehensive manner for a knowledgeable reader to be able to understand them.

If the client is a government agency or financial institution, regulatory criteria may meet the requirements of AT 100. One viable alternative for criteria is the Control Objectives for Information Technology (COBIT), established by the Information Security Audit and Control Foundation.

If the engagement is a consulting service, such as an operational review and improvement study, then no criteria must be met in order to perform the engagement. In most cases, management will be satisfied with the consulting service if it identifies internal control weaknesses and offers recommendations to improve control.

Typically, only government agencies, financial institutions, and large corporations are in the market for attestation-level IT security engagements because they are required by law, regulations, or the need to provide assurance to third parties.

Consulting engagements typically arise because an incident or series of incidents has caused management to feel insecure about its IT systems. Management turns to a CPA for objective advice in the form of recommendations to improve security and reduce risk. Consulting services allow a practitioner to provide this service without increased liability or restrictive standards. Although many middle-market companies request "computer audits," they are usually satisfied to contract for consulting services.

Objectives of Operational Reviews

The most common IT security engagement is an operational review of IT controls. Specifically, the entity needs controls in place to protect information from unauthorized disclosure and to ensure its integrity and availability. At the end of this type of engagement, a practitioner delivers a written report detailing the control weaknesses and risks and recommendations to improve control.

Competencies

Most IT security engagements are performed by IT auditors, specialists in CPA firms, or internal audit departments. Specialists are not the only ones qualified: 60­80% of the skills required for IT security engagements are already used by CPAs in auditing financial statements. The remainder are chiefly definitional and can be acquired by studying hardware and software manuals, security websites, and IT security reference books and professional IT security training courses. In the field, IT security practitioners rely heavily on interviews and observation. The practitioner will not need to analyze computer reports unless the engagement agreement includes an attest-level engagement or testing. Even then, any practitioner smart enough to pass the CPA exam can understand the computer security reports once she knows the jargon.

Time Budgets and Fees

Like all professional services, the time budgeted for the engagement relates directly to the level of service. Each type of engagement involves the following steps and components:

* Initial meeting with management
* Planning
* Research
* Work program and questionnaire preparation
* Interviews and observation
* Document review
* Workpaper documentation
* Supervision
* Consultation
* Drafting and presentation of the final report.

Reviews and consulting services take less time than examinations because they usually do not include testing. Attest-level examinations and reviews may include assisting management in preparing their assertions and complying with additional professional standards.

Examination procedures include design of testing, sampling, and analyzing results. The time to perform these tasks varies, based upon each firm's standard engagement procedures and the size and extent of the client's IT operations. Some firms base their budgeted hours on the typical amount of time to perform financial audit procedures, plus 25%. Because clients expect IT security engagements to involve specialized skills, the practitioner can add a premium to standard hourly rates.

Engagement Letters

The ideal engagement letter clearly states the level of service to be provided and the specific IT systems to be studied. If the consulting service includes testing, the engagement letter will state that testing will be based on the practitioner's judgment and performed on a sample basis.

An attest engagement letter is similar to an audit engagement letter and should reflect the fact that the final report will conform to the reporting requirements of the attestation standards.

For consulting services, the engagement letter should state that the engagement is not an attest or audit and offers no assurance on the computer system, internal controls over the computer system, financial statements, or any other matter. The letter should also state that any matters communicated in the final report are those that existed during the fieldwork and as of the date of the report and cannot be projected to any future periods because controls may deteriorate or other conditions that affect the IT environment may change. The practitioner should also state in the letter that fraud within the IT environment might not be detected by the practitioner's procedures but that any fraud discovered will immediately be brought to the attention of management. Finally, the engagement letter should state that the deliverable is a written report of weaknesses, risks, and recommendations to improve control.

Work Program and Questionnaires

A practitioner should never attempt to perform an IT security engagement without a written work program. For sample work programs and questionnaires, see www.auditnet.org. By combining these tools with the Committee of Sponsoring Organizations (COSO) framework and COBIT, the practitioner can tailor a work program to the engagement at hand.

Procedures

Control environment. The control environment, according to COSO, "sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure."

Accordingly, the practitioner should evaluate the following factors:

* Integrity and ethics of senior and IT management
* Incentives and temptations
* Management's methods of communicating ethical guidance
* Management's philosophy, operating style, and commitment to competence
* Involvement of the board or IT steering committee
* Management's philosophy and operating style
* Assignment of authority and responsibility
* Human resource policies and practices.

The result of the evaluation of the control environment will be a factor in the subsequent procedures in the engagement.

Risk assessment. Management should make a risk assessment of its environment. Many organizations do not formalize and communicate information security objectives, which are a precondition to risk assessment. Consequently, senior management may not realize that its goals are different from the IT department's until information security problems threaten operations, profitability, or the corporate image.

COSO states that certain circumstances demand special attention when assessing risk. The following are relevant examples:

* A changing operating environment. The emergence of the Internet and the pressure to integrate e-business and e-
commerce are creating dramatic changes.

* New personnel. PC-generation managers are more willing to take risks and sacrifice control. Relevance takes precedence over security in the rush to be first to market.

* New and revamped information systems. Migration from controlled mainframe to less controllable LAN and WAN environments and rapid network growth are driving systems changes.

* Accelerated obsolescence. The useful life of legacy hardware and software systems used to be measured in decades, whereas Wintel platforms are obsolete in 18 months or less.

If management hasn't defined the company's IT security objectives or prepared a risk assessment, controlling exposure will be difficult.

Physical controls. The practitioner should consider the following aspects of control when designing the work program:

* Restricting access to the server rooms
* Using proper building materials
* Choosing a location
* Eliminating fire hazards
* Maintaining room temperature and air quality
* Protecting storage media and their external markings.

The risks and exposure for failure to have adequate physical controls include vandalism, natural disasters, fire, and damage to stored media or the inability to identify or locate them when needed.

Operational controls. Although invisible to users and non-IT management, operational controls ensure information protection, integrity, and availability. These procedures include

1) vendor hardware and software manuals,
2) IT procedure manuals,
3) job run schedules,
4) file and storage media retention schedules,
5) proper segregation of duties between IT and business functions, and
6) formal communication of assignment of responsibility.

A company with weak operational controls runs the risk of:

* ignorance of hardware and software security vulnerabilities
* failure to perform critical procedures
* out-of-sequence program runs
* increased exposure to employee fraud
* unmet IT operational and security objectives because no one is directly responsible.

Disaster Recovery

The objective of IT disaster recovery is to restore the availability of information in the event that all or part of the IT assets are destroyed or damaged. Risks to the data center include natural disasters, intentional and unintentional damage, theft, and hardware and software failure. Key controls include a written disaster recovery plan; periodic back-up of the operating system, programs, and data; file-retention schedules; and a complete, written, and up-to-date IT asset inventory maintained off-site.

Personnel Issues

ProtectING Against Cyber Attack By Bruce H. Near Personnel responsible for security and operations management must be trustworthy and adequately trained. The organization should require background checks for employees with broad access to hardware, software, and data. This measure is particularly important for IT security officers that control user authentication or maintain card key systems. Security officers, system administrators, and project development leaders should periodically require comprehensive formal security training. The organization should communicate its security policies to users upon hire and present periodic programs to reinforce security awareness.

The personnel risks and exposure that face the IT function include unscrupulous individuals in positions of trust, key managers unaware of security vulnerabilities, and users unaware of or complacent about IT security policies.

Dotting the i's and Crossing the t's

This discussion of risks and controls is intended to be illustrative rather than exhaustive. Other areas of control to consider include--

* the software development life cycle (SDLC),
* insurance of hardware and data,
* access to network and system utilities and compilers,
* security auditing,
* performance analysis and reporting,
* uninterruptible power supply (UPS),
* control of sensitive forms and reports,
* segregation of duties between systems operations, security administration, and security auditing, and
* vendor, consultant, and contractor procedures.

Demand for IT Security Services

Proper IT security is crucial to a company's survival. Although the demand for IT security engagements declined as PCs replaced mainframes, the emergence of the Internet and the growth of Internet-based business networks has reversed this trend.

Identifying weaknesses in IT security and making recommendations to improve control is an opportunity for CPAs to provide a valuable, specialized client service. In many cases, the practitioner's final report reveals weaknesses that are actually worse than the client expects. IT security engagements can lead to additional work for CPAs when clients look to secure and replace their IT systems. *


Bruce H. Nearon, CPA, is a member of the Cohn Consulting Group, a division of J.H. Cohn LLP, in Roseland, N.J., and a member of the NYSSCPA Emerging Technologies Committee.



Home | Contact | Subscribe | Advertise | Archives | NYSSCPA | About The CPA Journal


The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.


©2009 The New York State Society of CPAs. Legal Notices

Visit the new cpajournal.com.