Everyone's Been Hacked

Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator
Auditor Responsibility?
Audit Committee Power
• "The things that senior leadership does respond to are GAO reports [and] IG reports, and in private industry the audit committee is the most powerful on any
• Cybersecurity is "now being brought into the audit committee because that's what leadership looks at – they look at the results of an audit,"
Sarbanes-Oxley
Information Technology Weaknesses
Background Questions
• What is SOX?
• How/why did it come about?
• What are the SOX requirements?
• Which, if any, rely on or are related to IT controls?
The effect of IT controls on financial reporting
Grant, Miller & Alali (2008)
What standards does the paper use for support?
• How are these standards used? What do they say (and not say) about IT controls?
• SAS 94
• “The nature and character of an entity’s use of technology in its information system affects the entity’s overall internal control structure”
SOX 302
What are the requirements?
The signing officers have reviewed the report
The report does not contain any material untrue statements or material omissions and is not considered misleading
The financial statements and related information fairly present the financial condition and the
results in all material respects
The signing officers are responsible for internal controls and have evaluated these internal
controls within the previous ninety days and have reported on their findings
A list of all deficiencies in the internal controls and information on any fraud that involves
employees who are involved with internal activities
Any significant changes in internal controls or related factors that could have a negative
impact on the internal controls
SOX 404
404 (a)
Management statement of responsibility over Internal Controls &
Assessment of Internal Controls
404 (b)
Auditors must attest and report on management's assessment
Report Material Weaknesses in Internal Control and Remediation Plan
What are MWs? How are they defined?
Most Companies use COSO as Internal Control Framework
Section 409
Issuers are required to disclose to the public, on an urgent
basis, information on material changes in their financial
condition or operations.
Section 802
All audit or review papers must be maintained for a period of 5 years
How are audit/review papers maintained in 2012?
What IT deficiencies did the paper look at?
• IT deficiencies include controls related to
  • software programs
  • program implementations
  • segregation of duties associated with access to computer accounting or financial reporting records
  • problems with access to electronic data and programs
• What other controls might be important for
• Why weren’t they investigated?
General IT Controls
Ensure proper operations
Application IT Controls
Ensure proper functioning of software
Processing of transactions
Storage of Data
IT Deficiency ranked 6th among all MWs (20%, i.e. 1 in 5)
IT Deficiency -> Internal Control deficiency
IT Deficiency -> accounting errors (Why?)
revenue recognition
receivables, investments, and cash issues
inventory, vendor, and cost of sales issues
financial statement, footnote, US GAAP, and segment disclosures issues
IT Deficiency -> Higher Audit Fees
SOX 404 Reported Internal Control Weaknesses: A Test of COSO
Framework Components and Information Technology
Klamm and Watson (2009)
Examined IT and non-IT Controls Material Weaknesses with
respect to COSO Components
Material Weaknesses were mapped to a specific COSO
IT vs. non-IT MWs
What is your assessment of the IT MWs?
COSO Components
Control environment
Sets tone of the firm
integrity, ethical values, competence, philosophy, and operating style of the firm’s managers and employees
Risk assessment
identification, analysis, and management of (operating, economic, industry, regulatory) risks that may prevent a firm from
achieving its objectives
Control activities
management implements segregation of duties, approvals, reviews, reconciliations, and authorizations
Information & Communication
timely capture and dissemination of pertinent information on internal and external events
communication among and between management, employees, suppliers, and customers
Monitoring
continual evaluation of the other components’ effectiveness
Weak Control Environment is related to other weaknesses in COSO components
Weak Monitoring is related to weak risk assessment and control
Financial Statement reliability is affected by the number of weak COSO components
IT-related MWs are associated with a greater amount of non-IT related
IT-related MWs are related with:
More misstatements
Greater overall number of
Information Security and Sarbanes-Oxley Compliance: An
Exploratory Study
Wallace, Lin, and Cefaratti (2011)
Model for controlling and managing Internal Control
IT Governance / NOT IT Security Specifically
What needs Controls
Specific IT Security Controls
How To
1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Management
10. Compliance
In all there are 124 recommended IT controls
What did the research find?
To what extent are the ISO controls in place?
Most Common:
Controls such as deploying antivirus software and authenticating remote users accessing the network
Least Common:
Protecting equipment from unauthorized access and tracking the location of removable computer media
“Not Sure” Responses
CPAs selected “not sure” more frequently than
CISAs selected “not sure” less frequently than
Certified Information Systems
What Is ISO
Category 8? 9?
Auditors with IT Training
35 more controls were likely to be
IT employees participate in SOX
55 more controls were likely to be
IT personnel received SOX compliance training
65 more controls were likely to be
IT internal control weaknesses and firm performance:
An organizational liability lens
Stoel & Muhanna (2011)
Internal Control
SEC definition: policies and procedures for the recording of transactions and maintenance of financial records
Since modern enterprises are heavily dependent on integrated computer-based “internal control over financial reporting” process regulated by the SEC must include controls over the accounting and management process as well as over the organizational IT infrastructure and systems.
Statement of Auditing Standards No. 94 (SAS 94) affirmed that the nature and characteristics of a company's use of information technology affect the company's internal control over financial reporting, and required auditors to consider information technology an integral part of overall internal controls (AICPA 2001).
Therefore, SOX requires review of accounting internal controls as well as IT controls
IT Controls
Pertain specifically to IT systems, processes and infrastructure used to capture, process and record raw transactional data corresponding to economic events, as well as support the preparation of financial reports
Encompass the management, operational, and technical safeguards or countermeasures prescribed for the firm's information systems to protect the
of those systems and their information
What framework does this definition come from?
When examining a company's IC, which framework do companies use? Which are prescribed?
What does PCAOB AS #2 say about IT controls?
What is the business value of IT Controls?
What is the relationship between IT Quality and ROA?
IT Control MWs -> Lower ROA (Why?)
What were the ROA for the 3 segments examined in this study?
The Consequences of Internal Control Weaknesses on Management Information Systems: The Case of SOX Internal Control Reports
Li, Peters, Richardson, and Watson (2012)
What do the researchers assert?
• Quality of financial reporting system output.
  • In what form?
  • What can impact quality?
IT Controls
• How are these determined?
• How are they coded?
• How did the authors categorize them?
1. Data Processing Integrity
2. Systems Access and Security
3. System Structure and Usage
• What did they find?
A Content Analysis of Auditors' Reports on IT Internal Control Weaknesses...
Boritz, Hayes, and Lim (2013)
What is this about?
• Why did they do it?
What did they find?
• Are any of these categories correlated with each
• If so, what might be an explanation?
What didn’t they find?
• Or what keywords might you expect that didn’t turn up, or turned up infrequently?
• What might this mean?
• Can it be fixed?