Everyone’s Been Hacked
Now What?
What happened?
Other Hacks
What other hacks were mentioned?
We know about HB Gary
Kaminsky says, “No one knows how to make a secure network right now.”
Do you know if you’ve been hacked?
According to Richard Bejtlich, chief security officer for computer security firm
Mandiant, which has helped Google and many other companies conduct
forensics and clean up their networks after an attack, the average
cyberespionage attack goes on for 458 days, well over a year, before a
company discovers it’s been hacked.
So if hackers are everywhere and everyone has been hacked, what’s a
company to do?
New Realities
What data needs to be, and what does NOT need to be, on the network?
How should data be transmitted?
The effect of IT controls on financial reporting
Grant, Miller & Alali (2008)
What Standards does paper use for
How are these standards used? What do they say (not say) about IT controls?
SAS 94
What IT deficiencies did the paper look at?
IT deficiencies include controls related to
software programs
program implementations
segregation of duties associated with access to computer accounting
or financial reporting records
problems with access to electronic data and programs
What other controls might be important for accounting/auditing?
Why weren’t they investigated?
SOX 404
404 (a)
Management statement of responsibility over Internal Controls & Assessment of Internal Controls
404 (b)
Auditors must attest and report on management’s assessment
Report Material Weaknesses in Internal Control and Remediation Plan
What are/define MW’s?
Most Companies use COSO as Internal Control Framework
General IT Controls
Ensure proper operations
Application IT Controls
Ensure proper functioning of software
Processing of transactions
Storage of Data
IT Deficiency ranked 6th among all MWs (20% so 1 in 5)
IT Deficiency -> Internal Control deficiency
IT Deficiency -> accounting errors (Why?)
revenue recognition
receivables, investments, and cash issues
inventory, vendor, and cost of sales issues
financial statement, footnote, US GAAP, and segment disclosure issues
IT Deficiency -> Higher Audit Fees
SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information Technology
Klamm and Watson (2009)
Examined IT and non-IT Controls Material Weaknesses with respect to
COSO Components
Material Weaknesses were mapped to a specific COSO component
IT Vs. non-IT MWs
What is your assessment of the IT MW’s?
COSO Components
Control environment
Sets tone of the firm
integrity, ethical values, competence, philosophy, and operating style of the firm’s managers and employees
Risk assessment
identification, analysis, and management of (operating, economic, industry, regulatory) risks that may prevent a firm from achieving its objectives
Management implements control activities
segregation of duties, approvals, reviews, reconciliations, and authorizations
Information & Communication
timely capture and dissemination of pertinent information on internal and external events
communication among and between management, employees, suppliers, and customers
continual evaluation of the other components’ effectiveness.
Weak Control Environment is related to other weaknesses in COSO
Weak Monitoring is related to weak risk assessment and control
Financial Statement reliability is affected by the number of weak COSO components
IT related MW’s are associated with
a greater amount of non-IT related
IT related MW’s are related with:
More misstatements
Greater overall number of MWs
Information Security and Sarbanes-Oxley Compliance: An Exploratory Study
Wallace, Lin, and Cefaratti (2011)
SOX 302
What are the requirements?
The signing officers have reviewed the report
The report does not contain any material untrue statements or material omissions, and is not considered misleading
The financial statements and related information fairly present the financial condition and the results in all material respects
The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
Any significant changes in internal controls or related factors that could have a negative impact on the internal
SOX 404
Assess Effectiveness of Internal Control
No Prescribed Framework
Section 409
Issuers are required to disclose to the public, on an urgent basis, information
on material changes in their financial condition or operations.
Section 802
all audit or review papers must be maintained for a period of 5 years
How are audit/review papers maintained in 2012?
Model for controlling and managing Internal Control
IT Governance / NOT IT Security Specifically
What needs Controls
Specific IT Security Controls
How To
1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Management
10. Compliance
In all there are 124 recommended IT controls
What is the Extent that ISO controls are in place?
Most Common:
Controls such as deploying antivirus software and authenticating remote users accessing the network
Least Common:
Protecting equipment from unauthorized access and tracking the location of removable computer media
“Not Sure” Responses
CPA’s selected “not sure” more frequently than non-CPA’s
CISA’s selected “not sure” less frequently than non-CISA’s
Certified Information Systems Auditor
What Is ISO Category 8? 9?
Auditors with IT Training
35 more controls were likely to be
IT employees participate in SOX
55 more controls were likely to be
IT personnel received SOX compliance training
65 more controls were likely to be
IT internal control weaknesses and firm performance: An organizational liability lens
Stoel & Muhanna (2011)
Internal Control
SEC definition:
policies and procedures for the recording of transactions and maintenance of financial records
Since modern enterprises are heavily dependent on integrated computer-based systems, the “internal control over financial reporting” process regulated by the SEC must include controls over the accounting and management process as well as over the organizational IT infrastructure and systems.
Statement of Auditing Standards No. 94 (SAS 94) affirmed that the nature and characteristics of a company's use of information technology affect the company's internal control over financial reporting, and required auditors to consider information technology as an integral part of overall internal controls (AICPA 2001).
Therefore, SOX requires review of Accounting Internal Control as well as IT controls
IT Controls
Pertain specifically to IT systems, processes and infrastructure used to capture, process and record raw transactional data corresponding to economic events, as well as support the preparation of financial reports
Encompass the management, operational, and technical safeguards or countermeasures prescribed for the firm's information
systems to protect the
of those systems and their information
What framework does this definition come from?
When examining a company’s IC – which framework do companies use? Which are prescribed?
What does PCAOB AS #2 say about IT controls?
What is the business value of IT Controls?
What is the relationship between IT Quality and ROA?
IT Control MW’s -> Lower ROA (Why?)
What were the ROA for the 3 segments examined in this study?