[ISN] Work with auditor to protect confidential data

From: mea culpa <jericho_at_dimensional.com>
Date: Mon 23 Nov 1998 - 20:20:25 CST
http://www.savannahmorningnews.com/exchange/stories/112298/SOLgsu.html

Work with your auditor to protect your confidential data

By Leslie B. Fletcher, Abbie Gail Parham and A. Lee Gurley III For the
Savannah Morning News

Management has the responsibility for safeguarding assets. Now, assets
include more than cash, inventory and equipment. Systems must be designed
to safeguard proprietary company information (for example, new product
developments, market surveys, pricing strategies and financial
projections), confidential customer files, and personnel records and
compensation agreements. 

Management implements information security systems to protect company data
from unauthorized access, modification, theft or destruction. 

These information security systems include two major areas of risk: 
limiting access and adequate backup.  Security measures must prevent
internal and external unauthorized access. Some methods for accomplishing
this include the use of passwords, data encryption, disklocking and
callback. 

The security system must also ensure that data are backed up on a regular
basis. Backup media include floppy disk backup, dual internal drives
(one devoted to backup), external hard drives and magnetic tape backup
devices.

How confident can management be that the information it has secured will
actually remain secure once the independent auditors begin their work? 

Independent auditors make significant use of computers in audit
engagements and other client service activities.  Client data contained on
magnetic media are subject to unauthorized access. Rule 301 of the
American Institute of Certified Public Accountants (AICPA) Code of
Professional Conduct prohibits a member from disclosing any confidential
client information without the specific consent of the client. 

An auditor's failure to establish and maintain appropriate controls over
electronically processed or stored client data could result in
unauthorized disclosure, a violation of professional ethics and a possible
legal liability. 

Recommendations: 

Management should be concerned with the security of hardcopy as well as
electronic data. The challenge for electronic data is that it can be
accessed from outside the office and can be inadvertently passed to
others. A company can establish and enforce security procedures to protect
the data as long as the data remain under its control. What happens when
the data leave the control of the company? Managers may find that they
have to educate their independent auditors on data security. 

Companies contract with CPA firms to audit their financial statements. The
audit provides "reasonable assurance" that the statements contain
accurate and reliable financial data. However, the responsibility for the
statements still rests with management. Management must ensure the integrity
and security of its accounting records and other confidential data.

This concern for data security should also be extended to the engagement
of the accounting firm performing the external audit. During the
engagement phase of the audit, management should obtain a clear
understanding of the internal control procedures employed by the audit
firm to maintain information confidentiality. 

Before engaging an auditor, management should ask and receive satisfactory
answers to the following questions pertaining to the CPA firm's limiting
access to confidential data: 

* Which employees will have access to my files? 

* Are they adequately trained in maintaining data security? Are certain
files restricted to some employees? 

* How is access restricted -- passwords, read-only fields, data encryption
or hidden files? Are passwords required for system access, program access
and file access? Are passwords changed on a regular basis? 

When the audit firm uses some or all of the above methods to restrict
access to client data files, it significantly reduces the risk of
accidental and intentional unauthorized access to confidential client
data.

The second area that management should investigate is backup and storage
of files. Management needs to review the backup and storage procedures
used by the audit firm, so that confidential company data are not
compromised during the audit process. 

When choosing the auditor, management needs to make sure that the audit
firm not only has control and backup procedures but also implements them
effectively. Management needs to receive satisfactory responses to the
following questions pertaining to data backup and storage:

* Are backup diskettes/tapes stored in a secure place with restricted
access? 

* Are old disks reformatted before reuse? 

* Is there a stated policy against firm employees using old disks? 

* Are computer terminals locked/secured when not in use? 

* Is any of my company information stored on the hard drive? 

* Are hidden files or data encryption used to encode my customer/employee
information? 

Management may also consider the following additional actions once the
independent auditor is engaged. 

1. Obtain a written description of the auditing firm's client data
security procedures. 

2. Obtain assurance that the auditing firm will only retain data needed to
support its opinion on the financial documents or other agreed upon
service. 

3. Require the use of disks that clearly indicate the company name and the
engagement for which the disks are being used. This is the same
information used for identifying hardcopy workpapers. 

4. Provide disks to the auditing firm with the company name permanently
affixed and a notice that the disks are to be used only for company
business. 

5. Require that hard drives on auditing firm personal computers be
reformatted at the conclusion of the engagement. 

6. Destroy disks and other forms of storing electronic data along with
hardcopy workpapers in accordance with the auditing firm's record
destruction policy. 

Remember that data may be recovered even after reformatting a disk. An
alternative would be to have the auditing firm return the disks to the
company. 

When management works with the independent auditor, the confidentiality of
company data is likely to be maintained. 

Leslie B. Fletcher, CPA, Ph.D. and Abbie Gail Parham, CPA, MBA are in
Georgia Southern University's School of Accountancy. A. Lee Gurley, III,
CPA, Ph.D. is in the Department of Accounting at the University of
Wyoming. 


Web posted Sunday, November 22, 1998

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 09:01:03 1998