[ISN] Work with auditor to protect confidential data

From: mea culpa (jerichoat_private)
Date: Mon Nov 23 1998 - 18:20:25 PST

    http://www.savannahmorningnews.com/exchange/stories/112298/SOLgsu.html
    
    Work with your auditor to protect your confidential data
    
    By Leslie B. Fletcher, Abbie Gail Parham and A. Lee Gurley III For the
    Savannah Morning News
    
    Management has the responsibility for safeguarding assets. Now, assets
    include more than cash, inventory and equipment. Systems must be designed
    to safeguard proprietary company information (for example, new product
    developments, market surveys, pricing strategies and financial
    projections), confidential customer files, and personnel records and
    compensation agreements. 
    
    Management implements information security systems to protect company data
    from unauthorized access, modification, theft or destruction. 
    
    These information security systems address two major areas of risk:
    limiting access and ensuring adequate backup. Security measures must prevent
    both internal and external unauthorized access. Some methods for
    accomplishing this include the use of passwords, data encryption, disk
    locking and callback.
    
    The security system must also ensure that data are backed up on a regular
    basis. Backup media include floppy disk backup, dual internal drives (one
    devoted to backup), external hard drives and magnetic tape backup devices.
    
    How confident can management be that the information it has secured will
    actually remain secure once the independent auditors begin their work? 
    
    Independent auditors make significant use of computers in audit
    engagements and other client service activities.  Client data contained on
    magnetic media are subject to unauthorized access. Rule 301 of the
    American Institute of Certified Public Accountants (AICPA) Code of
    Professional Conduct prohibits a member from disclosing any confidential
    client information without the specific consent of the client. 
    
    An auditor's failure to establish and maintain appropriate controls over
    electronically processed or stored client data could result in
    unauthorized disclosure, a violation of professional ethics and a possible
    legal liability. 
    
    Recommendations: 
    
    Management should be concerned with the security of hardcopy as well as
    electronic data. The challenge for electronic data is that it can be
    accessed from outside the office and can be inadvertently passed to
    others. A company can establish and enforce security procedures to protect
    the data as long as the data remain under its control. What happens when
    the data leave the control of the company? Managers may find that they
    have to educate their independent auditors on data security. 
    
    Companies contract with CPA firms to audit their financial statements. The
    audit provides "reasonable assurance" that the statements contain accurate
    and reliable financial data. However, the responsibility for the statements
    still rests with management. Management ensures the integrity and security
    of its accounting records and other confidential data.
    
    This concern for data security should also be extended to the engagement
    of the accounting firm performing the external audit. During the
    engagement phase of the audit, management should obtain a clear
    understanding of the internal control procedures employed by the audit
    firm to maintain information confidentiality. 
    
    Before engaging an auditor, management should ask and receive satisfactory
    answers to the following questions pertaining to the CPA firm's limiting
    access to confidential data: 
    
    * Which employees will have access to my files? 
    
    * Are they adequately trained in maintaining data security? Are certain
    files restricted to some employees? 
    
    * How is access restricted -- passwords, read-only fields, data encryption
    or hidden files? Are passwords required for system access, program access
    and file access? Are passwords changed on a regular basis? 
    
    When the audit firm uses some or all of the above methods to restrict
    access to client data files, it adds significantly to the prevention of
    accidental and intentional unauthorized access to confidential client
    data.
    
    The second area that management should investigate is backup and storage
    of files. Management needs to review the backup and storage procedures
    used by the audit firm, so that confidential company data are not
    compromised during the audit process. 
    
    When choosing the auditor, management needs to make sure that the audit
    firm not only has control and backup procedures but that they are
    effectively implemented by the audit firm. Management needs to receive
    satisfactory responses to the following questions pertaining to data
    backup and storage: 
    
    * Are backup diskettes/tapes stored in a secure place with restricted
    access? 
    
    * Are old disks reformatted before reuse? 
    
    * Is there a stated policy against firm employees using old disks? 
    
    * Are computer terminals locked/secured when not in use? 
    
    * Is any of my company information stored on the hard drive? 
    
    * Are hidden files or data encryption used to encode my customer/employee
    information? 
    
    Management may also consider the following additional actions once the
    independent auditor is engaged. 
    
    1. Obtain a written description of the auditing firm's client data
    security procedures. 
    
    2. Obtain assurance that the auditing firm will only retain data needed to
    support its opinion on the financial documents or other agreed upon
    service. 
    
    3. Require the use of disks that clearly indicate the company name and the
    engagement for which the disks are being used. This is the same
    information used for identifying hardcopy workpapers. 
    
    4. Provide disks to the auditing firm with the company name permanently
    affixed and a notice that the disks are to be used only for company
    business. 
    
    5. Require that hard drives on auditing firm personal computers be
    reformatted at the conclusion of the engagement. 
    
    6. Destroy disks and other forms of storing electronic data along with
    hardcopy workpapers in accordance with the auditing firm's record
    destruction policy. 
    
    Remember that data may be recovered even after reformatting a disk. An
    alternative would be to have the auditing firm return the disks to the
    company. 
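    The reason a reformatted disk still gives up its contents is that a
    typical reformat rewrites only the file-system metadata (the directory or
    allocation table) and leaves the data blocks untouched; a recovery tool
    simply ignores the table and searches the raw bytes. The following added
    example, which is not part of the original article, models that on a tiny
    in-memory "disk" with a constructed one-block allocation table: a quick
    format empties the table but the confidential text is still carved out of
    the raw bytes, whereas overwriting every block removes it. The disk layout,
    file names and file contents are all constructed for illustration.

```python
import math

# Constructed toy disk geometry: block 0 holds the allocation table, data
# starts at block 1. Sizes are deliberately tiny for illustration.
BLOCK_SIZE = 64
BLOCK_COUNT = 32
TABLE_BLOCK = 0


def new_disk() -> bytearray:
    """A blank toy disk: every byte zero, empty allocation table."""
    return bytearray(BLOCK_SIZE * BLOCK_COUNT)


def _read_table(disk: bytearray) -> list:
    """Parse 'name:start_block:length_bytes;' entries from the table block."""
    raw = bytes(disk[:BLOCK_SIZE]).rstrip(b"\0").decode("ascii")
    entries = []
    for item in raw.split(";"):
        if item:
            name, start, length = item.split(":")
            entries.append((name, int(start), int(length)))
    return entries


def _write_table(disk: bytearray, entries: list) -> None:
    """Serialise the entries back into the table block."""
    raw = ";".join(f"{n}:{s}:{l}" for n, s, l in entries).encode("ascii")
    if len(raw) > BLOCK_SIZE:
        raise ValueError("allocation table full")
    disk[:BLOCK_SIZE] = raw.ljust(BLOCK_SIZE, b"\0")


def write_file(disk: bytearray, name: str, data: bytes) -> None:
    """Record the file in the table and copy its bytes into the next free blocks."""
    entries = _read_table(disk)
    next_free = max(
        (s + max(1, math.ceil(l / BLOCK_SIZE)) for _, s, l in entries), default=1
    )
    end = next_free * BLOCK_SIZE + len(data)
    if end > len(disk):
        raise ValueError("disk full")
    disk[next_free * BLOCK_SIZE:end] = data
    _write_table(disk, entries + [(name, next_free, len(data))])


def list_files(disk: bytearray) -> list:
    """What a normal directory listing shows: only what the table says exists."""
    return [name for name, _, _ in _read_table(disk)]


def read_file(disk: bytearray, name: str) -> bytes:
    for n, start, length in _read_table(disk):
        if n == name:
            off = start * BLOCK_SIZE
            return bytes(disk[off:off + length])
    raise FileNotFoundError(name)


def quick_format(disk: bytearray) -> None:
    """A 'reformat' in the usual sense: rewrite only the file-system metadata.
    Every data block is left exactly as it was."""
    disk[:BLOCK_SIZE] = bytes(BLOCK_SIZE)


def overwrite_wipe(disk: bytearray) -> None:
    """Overwrite every block, metadata and data alike. Zeros are used so the
    result is deterministic; wiping tools may use other patterns."""
    disk[:] = bytes(len(disk))


def carve(disk: bytearray, needle: bytes) -> list:
    """Ignore the table and search the raw bytes, as a recovery tool would.
    Returns every byte offset at which the needle occurs."""
    hits, pos = [], disk.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = disk.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    disk = new_disk()
    write_file(disk, "payroll.txt", b"SALARY: J. Doe 48000")          # constructed
    write_file(disk, "customers.txt", b"CUSTOMER: Acme Corp, terms net 30")
    print("before format:", list_files(disk))
    quick_format(disk)
    print("after quick format, listing:", list_files(disk))
    print("after quick format, carved at:", carve(disk, b"SALARY"))
    overwrite_wipe(disk)
    print("after full overwrite, carved at:", carve(disk, b"SALARY"))
```

    Run as a script it shows an empty listing after the quick format while the
    payroll text is still found at its old offset; only the full overwrite
    leaves nothing to carve. That is the behaviour behind the article's
    advice to have the disks returned rather than merely reformatted.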
    
    When management works with the independent auditor, the confidentiality of
    company data is likely to be maintained. 
    
    Leslie B. Fletcher, CPA, Ph.D. and Abbie Gail Parham, CPA, MBA are in
    Georgia Southern University's School of Accountancy. A. Lee Gurley, III,
    CPA, Ph.D. is in the Department of Accounting at the University of
    Wyoming. 
    
    
    Web posted Sunday, November 22, 1998
    