http://www.savannahmorningnews.com/exchange/stories/112298/SOLgsu.html

Work with your auditor to protect your confidential data

By Leslie B. Fletcher, Abbie Gail Parham and A. Lee Gurley III
For the Savannah Morning News

Management has the responsibility for safeguarding assets. Assets now include more than cash, inventory and equipment. Systems must be designed to safeguard proprietary company information (for example, new product developments, market surveys, pricing strategies and financial projections), confidential customer files, and personnel records and compensation agreements.

Management implements information security systems to protect company data from unauthorized access, modification, theft or destruction. These information security systems address two major areas of risk: limiting access and adequate backup.

Security measures must prevent unauthorized access from both inside and outside the company. Some methods for accomplishing this include the use of passwords, data encryption, disk locking and callback. The security system must also ensure that data are backed up on a regular basis. Backup media include floppy disks, dual internal drives (one devoted to backup), external hard drives and magnetic tape backup devices.

How confident can management be that the information it has secured will actually remain secure once the independent auditors begin their work? Independent auditors make significant use of computers in audit engagements and other client service activities, and client data held on magnetic media are subject to unauthorized access.

Rule 301 of the American Institute of Certified Public Accountants (AICPA) Code of Professional Conduct prohibits a member from disclosing any confidential client information without the specific consent of the client. An auditor's failure to establish and maintain appropriate controls over electronically processed or stored client data could result in unauthorized disclosure, a violation of professional ethics and possible legal liability.

Recommendations:

Management should be concerned with the security of hardcopy as well as electronic data. The challenge with electronic data is that it can be accessed from outside the office and can be inadvertently passed to others. A company can establish and enforce security procedures to protect the data as long as the data remain under its control. What happens when the data leave the control of the company? Managers may find that they have to educate their independent auditors on data security.

Companies contract with CPA firms to audit their financial statements. The audit provides "reasonable assurance" that the statements contain accurate and reliable financial data. However, the responsibility for the statements still rests with management. Management ensures the integrity and security of its accounting records and other confidential data, and this concern for data security should also extend to the engagement of the accounting firm performing the external audit.

During the engagement phase of the audit, management should obtain a clear understanding of the internal control procedures employed by the audit firm to maintain information confidentiality. Before engaging an auditor, management should ask and receive satisfactory answers to the following questions pertaining to how the CPA firm limits access to confidential data:

* Which employees will have access to my files?
* Are they adequately trained in maintaining data security? Are certain files restricted to some employees?
* How is access restricted -- passwords, read-only fields, data encryption or hidden files? Are passwords required for system access, program access and file access? Are passwords changed on a regular basis?

When the audit firm uses some or all of the above methods to restrict access to client data files, it adds significantly to the prevention of accidental and intentional unauthorized access to confidential client data.

The second area that management should investigate is backup and storage of files. Management needs to review the backup and storage procedures used by the audit firm, so that confidential company data are not compromised during the audit process. When choosing the auditor, management needs to make sure that the audit firm not only has control and backup procedures but that those procedures are effectively implemented. Management needs to receive satisfactory responses to the following questions pertaining to data backup and storage:

* Are backup diskettes/tapes stored in a secure place with restricted access?
* Are old disks reformatted before reuse?
* Is there a stated policy against firm employees using old disks?
* Are computer terminals locked/secured when not in use?
* Is any of my company information stored on the hard drive?
* Are hidden files or data encryption used to encode my customer/employee information?

Management may also consider the following additional actions once the independent auditor is engaged.

1. Obtain a written description of the auditing firm's client data security procedures.
2. Obtain assurance that the auditing firm will only retain data needed to support its opinion on the financial documents or other agreed-upon service.
3. Require the use of disks that clearly indicate the company name and the engagement for which the disks are being used. This is the same information used for identifying hardcopy workpapers.
4. Provide disks to the auditing firm with the company name permanently affixed and a notice that the disks are to be used only for company business.
5. Require that hard drives on auditing firm personal computers be reformatted at the conclusion of the engagement.
6. Destroy disks and other forms of electronic data storage along with hardcopy workpapers in accordance with the auditing firm's record destruction policy. Remember that data may be recovered even after reformatting a disk. An alternative would be to have the auditing firm return the disks to the company.

When management works with the independent auditor, the confidentiality of company data is likely to be maintained.

Leslie B. Fletcher, CPA, Ph.D. and Abbie Gail Parham, CPA, MBA are in Georgia Southern University's School of Accountancy. A. Lee Gurley, III, CPA, Ph.D. is in the Department of Accounting at the University of Wyoming.

Web posted Sunday, November 22, 1998