Florida Government Finance Officer’s Association (FGFOA) | July 25, 2013
IT Risks and New Technology
Phil Gesner, CPA, CITP, CISA
Audit Supervisor and
IT Auditor / Consultant
Disclaimer
The views expressed by the presenters do not necessarily
represent the views, positions, or opinions of the presenter’s
respective organizations or any associated organizations cited.
These materials, and the oral presentation accompanying them,
are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client or
attorney-client relationship.
WHY IT MATTERS
• Pervasiveness of IT throughout the organization,
particularly in accounting and financial reporting
• IT is often critical to manage (plan, organize, direct, and
control) the organization’s:
– Business model, plans, competitiveness, etc.
• Business risks
– Transaction flow and reporting
• Accounting and reporting related risks
Today’s business process environment
• 24/7 requirement becoming more common
• Focus on early error detection (Preventive rather than Detective)
• More highly automated - reducing reliance on manual controls
• Integrated with complex and highly efficient IT systems
• Electronic workflow with paperless trails
• Increased business partner involvement through direct access to process - the
network extends beyond the company
WHY IT MATTERS
• AICPA Auditing Standards Board Risk Based Auditing Standards Released in
2006
• COSO Updated Internal Control Integrated Framework Released in 2013
– COSO PowerPoint Presentation on Internal Control Integrated Framework (Free)
– COSO Guidance on Internal Control (For Purchase)
• Supersedes the Original Framework as of December 15, 2014
• Update considers use of, and reliance on, evolving technologies (explicitly)
– Control Environment – Suggests that Boards of Directors should have proper
understanding of relevant systems and technology (or appropriate skills and
expertise) to evaluate management’s approach to managing new technology
innovations, critical systems, and the opportunities and associated challenges
WHY IT MATTERS
• COSO Internal Control Integrated Framework Released in 2013
• Update considers use of, and reliance on, evolving technologies
(explicitly)
– Risk Assessment – Suggests that external risk factors, such as technological
developments that can impact the availability and use of data should be
considered.
– Control Activities – To be discussed in next two slides
– Information and Communication – Suggests that management must be
able to rely on relevant and quality information generated from both
internal and external sources to effectively support the functioning of the
other internal control components.
• Such information is very often obtained through information technology
Source: Parthun, Janis COSO Framework ED Places Emphasis on IT Controls. Information Technology Corner. AICPA IT Section. March 2012.
#1: Complexity of IT Used should be considered.
#2: IT may be involved in business processes and may be involved in the performance of control activities at the transaction level
• Application Controls
• IT-Dependent Manual Controls
#3: The effectiveness of Application and IT-Dependent Manual control depends upon the effectiveness of IT General Controls
#4: IT General Controls (ITGC) aka. General Computer Controls (GCC)
Why is IT such a challenge?
• Unlike the certification of financial statements there is no “universally accepted
principle or standard” for IT audit or risk assessment
• The concept of “compliance to best practice”
• Rapid change in IT is at times too rapid for best practices to fully develop or be
recognized as such
• Lack of education and awareness
• Limited resources force organizations to select the “pieces” of IT security that they
feel are absolutely necessary
• Things happen!
• Anti-virus is not updated in a timely manner – viruses strike
WHY IT MATTERS
IT Risk | Perception
IT Risk | Reality
Risk | Definition
• A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
– the adverse impacts that would arise if the circumstance or event occurs; and
• How significant is the impact?
– Material Misstatement
– Assets
– Reputation
– Business
– the likelihood of occurrence.
• What are the chances that a risk will materialize?
• The probability that a given threat is capable of exploiting a given vulnerability.
Threat and Impact | Definition
• Threat:
– Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational assets,
individuals, other organizations, or the Nation through an information system via
unauthorized access, destruction, disclosure, or modification of information, and/or
denial of service.
• Impact:
– The magnitude of harm that can be expected to result from the consequences of
unauthorized disclosure of information, unauthorized modification of information,
unauthorized destruction of information, or loss of information or information system
availability.
Threat | Sources
Threat | Catalogs
Impact | Considerations
• Level of classification of the impacted information asset
• Breaches of information security (e.g. loss of confidentiality,
integrity and availability)
• Impaired operations (internal or third parties)
• Loss of business and financial value
• Disruption of plans and deadlines
• Damage of reputation
• Breaches of legal, regulatory or contractual requirements
Source: AICPA Cyber Security Web Seminar Series | Security Framework and Risk Assessment | May 9, 2013
Risk | Likelihood Considerations
• Experience and statistics for threat likelihood
• Threat sources: motivation and capabilities
• Availability to possible attackers
• Possible attackers
• Accident sources: geographical /weather factors
• Human errors and equipment malfunction
• Vulnerabilities, individually and aggregation
• Effectiveness of existing controls
Vulnerability | Definition
• Weakness in an information system, system security
procedures, internal controls, or implementation that could be
exploited by a threat source.
Generic Risk Model (NIST 800-30)
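As a worked illustration of the definitions above (risk as a function of likelihood and impact, with likelihood covering both the chance that a threat source acts and the chance that it succeeds against the existing controls), the following Python script scores a small risk register. It is an added example and is not code from the presentation or from NIST; the five-level scales, the combination matrix, the "lower of the two likelihoods" rule and the sample scenarios are constructed assumptions for illustration, not the tables in NIST SP 800-30.

```python
"""Qualitative risk scoring in the shape of the NIST SP 800-30 generic risk
model: a threat source exploits a vulnerability with some likelihood and
causes some impact; risk combines the two.  Added illustration, not code
from the presentation; the scales, matrix and scenarios are constructed."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Constructed combination matrix, indexed [likelihood][impact].
RISK_MATRIX = [
    #  impact: Very Low,  Low,       Moderate,   High,       Very High    <- likelihood
    ["Very Low", "Very Low", "Low",      "Low",      "Low"],        # Very Low
    ["Very Low", "Low",      "Low",      "Moderate", "Moderate"],   # Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # Very High
]


@dataclass
class Scenario:
    name: str
    threat_source: str
    vulnerability: str
    likelihood_initiation: str  # how likely the threat event occurs at all
    likelihood_adverse: str     # how likely it causes harm once it occurs,
                                # crediting the effectiveness of existing controls
    impact: str


def overall_likelihood(initiation: str, adverse: str) -> str:
    """NIST 800-30 separates the likelihood that a threat event is initiated
    from the likelihood that it results in adverse impact.  Constructed rule
    for this example: the overall likelihood is the lower of the two."""
    return LEVELS[min(LEVELS.index(initiation), LEVELS.index(adverse))]


def combine(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair."""
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


def assess(s: Scenario) -> str:
    return combine(overall_likelihood(s.likelihood_initiation, s.likelihood_adverse), s.impact)


def prioritized_register(scenarios):
    """Return (name, risk level) pairs, highest risk first; ties keep input order."""
    rated = [(s.name, assess(s)) for s in scenarios]
    return sorted(rated, key=lambda r: LEVELS.index(r[1]), reverse=True)


# Constructed register drawn from the kinds of risk the presentation discusses.
SAMPLE_REGISTER = [
    Scenario("Lost unencrypted tablet holding customer data", "External individual",
             "No device encryption or remote wipe", "High", "High", "High"),
    Scenario("Developer changes billing rates in production unreviewed", "Insider",
             "Developers hold production access; no change review", "Moderate", "Very High", "Very High"),
    Scenario("Hypervisor compromise at the cloud service provider", "External attacker",
             "Unpatched hypervisor", "Very Low", "Moderate", "Very High"),
    Scenario("Workstation infected by commodity malware", "External attacker",
             "Anti-virus signatures not updated", "Very High", "Moderate", "Moderate"),
]

if __name__ == "__main__":
    for name, level in prioritized_register(SAMPLE_REGISTER):
        print(f"{level:9} {name}")
```

Running the script ranks the lost tablet and the unreviewed developer change as High, the malware infection as Moderate and the hypervisor scenario as Low: a Very High impact does not by itself make a scenario the top priority once the low likelihood is taken into account, which is the point of keeping likelihood and impact as separate inputs.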
Risk | IT Risk Factors
Risk | IT Complexity
• The nature and extent of IT risks are dependent on the level of
“complexity”.
– Generally, as complexity increases, the type and number of potential IT risks
increase.
– The manner in which IT is used in conducting business also has a direct
relationship with the potential IT risks.
– Significant changes made to existing systems, or implementation of new system
increase the potential IT risks.
– Shared data between systems increases the potential IT risks.
– Usage of emerging technologies (cloud computing, mobile - BYOD) increases the
potential IT risks.
– Availability of evidence only in electronic formats increases the potential IT risks.
• Including reports
Risk | Complexity of IT Security
[Figure: layered diagram – "Like Ogres and Onions, IT Security Has Layers"; the layers surround Data & Business Processes]
IT Security Protects the Data and Business Process
[Figure: Data & Business Processes at the centre of the security layers]
Controls should be in place to protect the data and business processes.
• Data is an organizational asset
• Value of Data
• May not be readily ascertainable
• Not recorded on Books
• Varies Depending on Perspective
• Your Organization
• Other Organizations
• Employees
• External Individuals
• Vendors
• Your garbage is another individual’s or organization’s treasure!!!!
Risk | IT Complexity

Factor               | Low            | Medium                      | High
---------------------|----------------|-----------------------------|--------------------------
Servers              | 1              | 2 – 3                       | > 3
Network O/S          | COTS           | Nonstandard or > 1          | Multiple / WAN
Workstations         | ~ 1 – 15       | ~ 15 – 30                   | > 30
Application          | COTS           | Some customization          | ERP and/or customization
Remote Locations     | None           | ~ 1 – 2                     | > 2
ICFR                 | In COTS or Few | Medium number and/or manual | Large number
Emerging/Advanced IT | None to few    | Few to moderate             | Moderate to many
Online Transaction   | None           | Few                         | Many

COTS = Commercial Off The Shelf (e.g. Intuit Quickbooks)
ERP = Enterprise Resource Planning (e.g. Oracle, PeopleSoft, SAP)
ICFR = Internal Control over Financial Reporting
Applications |Purchased Systems
• Commercial Off The Shelf (COTS) and/or configurable systems
• Advantages
• Generally cheaper for general business use applications
• On-going support and maintenance
• Disadvantages
• Some limitations related to customizations
• Vendor dependence
• Example: Quickbooks
Applications | Configurable Packages
• Configurable “mid-tier” system
• Not as expensive as an ERP System or Custom Developed Application
• Found in small, mid or large organizations
• Increased capabilities when compared to Commercial Off the Shelf –
Purchased Systems:
– Configuration changes
– Customizations
• Examples: Microsoft Dynamics (Great Plains/Solomon), MAS/90, Navision,
Munis, Eden, etc.
• Most Prevalent
Applications | Enterprise Resource Planning (ERP) System
• Integrates all facets of financial processing with operations,
marketing, HR
• Requires specialized knowledge to setup (usually with the vendor
and outside consultants)
• Generally, found in large organizations
• Very expensive to purchase & maintain
• Very complex security
• Examples: SAP, JD Edwards, PeopleSoft, Oracle Financials, Lawson,
etc.
Applications |Custom Developed
• Custom Developed Application – those applications that are designed
and developed in-house to meet a specific business need for internal
use (not resale)
• Advantages
• Customized to meet specific business need
• Independence from vendors
• Disadvantages
• No outside vendor support – all by on-staff personnel (higher costs)
• Often longer deployment times and less controls
• Less prevalent, and becoming more so each day
Risks |IT Risk Factors for Internal Control Include
• Reliance on systems or programs that are processing data
inaccurately, processing inaccurate data, or both
• Unauthorized access to data that may result in destruction of data
or improper changes to data, including the recording of
unauthorized or nonexistent transactions or inaccurate recording of
transactions
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data or inability to access data as required
Source: AICPA IT Audit Training School
Relationship of IT Risks to Financial Statements
Matrix of Financial Reporting Risk (Risk of Material Misstatement, RMM) against Information Technology relevance:
• RMM High, IT Relevant – FS Audit Procedure Necessary
• RMM High, IT NOT Relevant – FS Audit Procedure Necessary
• RMM Low, IT Relevant – FS Audit Procedure Unnecessary
• Risk High (Non-RMM), IT Relevant – FS Audit Procedure Unnecessary; Operational Audit Procedure Necessary
Risk of Material Misstatement (RMM)
Examples of Potential RMM
• Financial statement level
– Use of a highly customized / configurable application for financial
processing where the entity does not also have effective controls as
to how program changes or configuration changes are authorized,
tested, approved, and deployed
• Assertion level
– Use of customized / configurable application for valuation of
accounts receivable.
Examples of Potential Risk of Material Misstatement
Inherent Risks (IR)
Complexity of Calculations – The financial application has been programmed to perform complex calculations.
• Payroll
• Utility Billing
Control Risk (CR)
Risk or What Could Go Wrong?: Human error in coding or computer error in set up could result in amounts posted to wrong accounts or in wrong amounts.
Are Controls In Place?: General ledger postings are automatic through computer set up codes; however, accounting staff are not familiar with the system set up and rely totally on outside computer service.
How Does Use of IT Pose a RMM?
An Example - Billing
• Inherent Risk
– The entity utilizes a customized application for its billing process.
– The billing process requires complex calculations and/or rate
structures.
– The billing application automatically posts billings to the financial
application.
– The entity’s IT or financial personnel make frequent changes to the
billing application.
– The revenue stream processed by the billing application represents a
significant revenue source for the entity.
How Does Use of IT Pose a RMM?
An Example - Billing
• Control Risk
– The billing application may not calculate the customer’s bill correctly.
– The billing application may not utilize the correct rates.
– The billing application may post inaccurate or incomplete information
in to the financial application.
– Entity personnel may make inaccurate or unauthorized changes to
the billing application.
– Entity personnel may have excessive access to the rate master file.
IT Risks | Entity Level
• Inadequate Oversight
– IT Strategic Plan does not align with Organization Strategic Plan
– Organization Strategic Plan does not align with IT Strategic Plan
• Parts of the organization pulling in different directions
– Lack of Risk Assessment
– Lack of Risk Management
• If management doesn’t know what the risks are, how can they manage them?
– Vendor Oversight
• Is management monitoring outsourced services (IT or otherwise) to ensure
that the controls and processes are operating as the organization intended?
IT Risks | Logical Access / User Access
• User is not an employee or authorized user – Authentication Risk
• Unauthorized or Excessive User Access – Authorization Risk
– Data
– Functions
• Unauthorized/Authorized or Excessive Access – Segregation of Duties Risks
– Data
– Functions
– Personnel processing transactions should not have
• Direct access to administer user access (setup, change user accounts, groups, and functions)
– Access to administer user access (application security) should be handled by IT
• Direct access to the database
– Inquiry only to the database is fine; however, generally users should be accessing the data through the
application or a report writing application only.
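The segregation-of-duties rules on this slide can be checked mechanically against a user access extract from the application security module. The following Python script is an added example and is not part of the presentation; the extract, the permission names (AP_POST_INVOICE, BILL_RUN, USER_ADMIN, DB_WRITE, DB_READ) and the department names are constructed for illustration.

```python
"""Segregation-of-duties check over a user access extract.  Added example,
not code from the presentation; the extract and the permission and
department names are constructed."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed extract: one row per (user, permission), as an application
# security report might export it.  DB_READ is inquiry-only access, which
# the slide treats as acceptable.
ACCESS_EXTRACT = """\
user,department,permission
jdoe,Finance,AP_POST_INVOICE
jdoe,Finance,USER_ADMIN
asmith,Finance,AP_POST_INVOICE
asmith,Finance,DB_READ
bwong,IT,USER_ADMIN
bwong,IT,DB_WRITE
clee,Billing,BILL_RUN
clee,Billing,DB_WRITE
"""

# Permissions that mean the holder processes transactions (constructed names).
TRANSACTION_PERMISSIONS = {"AP_POST_INVOICE", "BILL_RUN"}
USER_ADMIN = "USER_ADMIN"  # can set up / change user accounts, groups and functions
DB_WRITE = "DB_WRITE"      # direct write access to the database


def load_access(text):
    """Aggregate the extract into {user: set(permissions)} and {user: department}."""
    perms, dept = defaultdict(set), {}
    for row in csv.DictReader(StringIO(text)):
        perms[row["user"]].add(row["permission"])
        dept[row["user"]] = row["department"]
    return perms, dept


def sod_findings(perms, dept):
    """Apply the three rules from the slide and return (user, finding) pairs."""
    findings = []
    for user in sorted(perms):
        p = perms[user]
        processes_transactions = bool(p & TRANSACTION_PERMISSIONS)
        # Rule 1: transaction processors must not administer user access.
        if processes_transactions and USER_ADMIN in p:
            findings.append((user, "processes transactions and administers user access"))
        # Rule 2: transaction processors must not have direct database write access.
        if processes_transactions and DB_WRITE in p:
            findings.append((user, "processes transactions and has direct database write access"))
        # Rule 3: administration of application security should be handled by IT.
        if USER_ADMIN in p and dept[user] != "IT":
            findings.append((user, "administers user access but is not in IT"))
    return findings


if __name__ == "__main__":
    for user, finding in sod_findings(*load_access(ACCESS_EXTRACT)):
        print(f"{user}: {finding}")
```

On the constructed extract the script flags clee (billing run plus direct database writes) and jdoe twice (processes invoices and administers user access, and does so from Finance rather than IT), while asmith's inquiry-only database access and the IT administrator's rights produce no findings. Note that the check is only as good as the extract: it sees nothing about access granted directly at the database or operating-system level unless those are exported too.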
IT Risks | Program Change / Change Management
• Configuration Changes
• Functional Changes – how the functionality of the application
changes
– Business Processes Embedded in the Application
• Security Setup Changes
– Changing from Group/Role-based access (Ideal) to User
Account-level-based access (Not Ideal)
• Interface Changes – how two applications transfer data between
each other
IT Risks | Program Change / Change Management
• Change is not Authorized – Authorization Risk
– A Business Unit has not Authorized the Change
• Risk that a change does not function the way the business intends
• Risk that a change is made to commit fraud or otherwise harm the business
– Access by Developers to the Live Production Environment – Segregation of Duties
Risk
– Allowing Developers Access to the Live Production Environment presents a risk
that they could implement unauthorized program changes at any time without
anyone’s knowledge
– Ideally, someone who is not tasked with Development would be the only individual
with access to implement changes in the Live Production Environment
– Realistically, peer reviews or periodic review of all changes made to the
production environment should be done, if the ideal situation
IT Risks | Program Change / Change Management
• Change is not Tested – Business Process Risk
– Risk that a change does not function the way the business intends
• Change is not approved for implementation – Implementation
Risk
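The four change-management risks on these slides (a change that is not authorized by the business, not tested, not approved for implementation, or deployed by a developer with production access) can be surfaced by reconciling the production deployment log against the change tickets. The following Python script is an added example and is not part of the presentation; the ticket register, the log entries, the account names and the column names are constructed for illustration.

```python
"""Reconcile a production deployment log against change tickets to surface
unauthorized, untested or unapproved changes and changes deployed by
developers.  Added example, not code from the presentation; the tickets,
log entries, account names and columns are constructed."""
import csv
from io import StringIO

# Constructed change register exported from a ticketing system.
CHANGE_TICKETS = """\
change_id,business_authorized,tested,approved_for_implementation
CHG-101,yes,yes,yes
CHG-102,yes,no,yes
CHG-103,no,yes,no
"""

# Constructed production deployment log; the last entry has no ticket at all.
DEPLOYMENT_LOG = """\
timestamp,change_id,deployed_by
2013-07-01T18:02,CHG-101,ops_admin
2013-07-03T09:15,CHG-102,ops_admin
2013-07-04T22:40,CHG-103,dev_jsmith
2013-07-05T23:59,,dev_jsmith
"""

DEVELOPERS = {"dev_jsmith"}  # accounts that write code and should not deploy


def reconcile(tickets_csv, log_csv, developers):
    """Return (deployment label, finding) pairs, one per control failure."""
    tickets = {row["change_id"]: row for row in csv.DictReader(StringIO(tickets_csv))}
    findings = []
    for entry in csv.DictReader(StringIO(log_csv)):
        label = f"{entry['timestamp']} {entry['change_id'] or '<no ticket>'}"
        # Segregation of duties: developers should not be the ones deploying.
        if entry["deployed_by"] in developers:
            findings.append((label, "segregation of duties: deployed to production by a developer"))
        ticket = tickets.get(entry["change_id"])
        # Authorization risk: a deployment with no ticket is unauthorized by definition.
        if ticket is None:
            findings.append((label, "authorization: no change ticket for this deployment"))
            continue
        if ticket["business_authorized"] != "yes":
            findings.append((label, "authorization: business unit did not authorize the change"))
        if ticket["tested"] != "yes":
            findings.append((label, "business process: change was not tested"))
        if ticket["approved_for_implementation"] != "yes":
            findings.append((label, "implementation: change not approved for implementation"))
    return findings


def findings_by_change(findings):
    """Group findings by deployment label for reporting."""
    grouped = {}
    for label, finding in findings:
        grouped.setdefault(label, []).append(finding)
    return grouped


if __name__ == "__main__":
    for label, items in findings_by_change(reconcile(CHANGE_TICKETS, DEPLOYMENT_LOG, DEVELOPERS)).items():
        print(label)
        for item in items:
            print("  -", item)
```

On the constructed data CHG-101 is clean, CHG-102 was deployed untested, CHG-103 was deployed by a developer without business authorization or implementation approval, and the final entry is a developer deployment with no ticket at all. The reconciliation depends on the deployment log being complete and tamper-resistant, which is why the slide's fallback of periodic review of all production changes matters: a developer who can deploy unnoticed can usually also avoid writing a log line.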
Operational Risk | The CIA Triad
• Confidentiality – Assets must be protected from unauthorized access, use or disclosure while in storage, use and transit.
• Integrity – Assets must be modified only by authorized users.
• Security – The system is protected against unauthorized access (both physical and logical).
• Processing Integrity – System processing is complete, accurate, timely, and authorized.
• Availability – Authorized users are granted timely and uninterrupted access to assets.
Operational Risks | Privacy
• Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
• Personal information is information that is about or can be related to
an identifiable individual.
• GAPP on Use and Retention:
– The entity limits the use of personal information to the purposes identified
in the notice and for which the individual has provided implicit or explicit
consent. The entity retains personal information for only as long as
Risk | Treatment
Risk | Mitigation
Internal Controls: a practice approved by management to produce a desired
outcome in a process
• Preventive - controls to stop the problem from occurring
• Detective - controls to find the problem
• Corrective - controls to repair the problem after detection
• Administrative - policies, standards, guidelines, and procedures
• Technical - controls using hardware or software for processing and analysis
• Physical - controls to implement barriers or deterrents
• Design > Document > Implement
• Test the controls prior to implementation to validate expectations
• Monitor results
• Re-test controls periodically.
IT Security, Control, and Risk Assessment Frameworks
• Security Program Development
– ISO 31000 / 27005
• International Standards Organization
• Security Controls Development
– COBIT (Control OBjectives for IT) 5
• Information Systems Audit and Control Association – ISACA
• IT Governance Institute – ITGI
– NIST 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
• National Institute of Standards and Technology
• Risk Assessment
– NIST 800-30 – Guide for Conducting Risk Assessments
• National Institute of Standards and Technology
– OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• by CERT (Computer Emergency Response Team)
• Corporate Governance
– COSO
– TOGAF (The Open Group Enterprise Architecture Framework)
• Process Management
– ITIL (Information Technology Infrastructure Library)
– Six Sigma
New Technologies | Mobile Computing
• Tablets
• Smartphones
• Laptops
• Readers
• Removable Devices
• Remote Connections
• Cloud Services
Risks | Mobile Computing
Mobile Device Platform
• Android, iOS, Windows Mobile, Blackberry, etc. all have unique bugs and
security vulnerabilities
• Malware, Trojan, virus, worms, spyware
• Authentication bypass
• Lost or stolen devices
• Substandard Cryptography
• Removable device storage
• Jail breaking
• Configuration errors and defaults
• Device service vulnerabilities
• Shared or common authentication (same passwords)
Risks | Mobile Computing
Mobile Applications
• Attack vectors for each device type
• Integrated malware, Trojan, virus, worms, spyware delivery and
execution
• Malicious application functionality
• Insecure application programming
• Data leakage and remote access compromises
• Launch pad for pivot attacks
• Mobile devices are subject to the same traditional application
based attacks
Risk | Mobile Computing
Mobile Networks
• Attacks against each mobile network type (WiFi, Bluetooth,
Carrier)
• Synchronization
• Each network type requires different security protections
• Services are enabled by default or left on
• Mobile devices are subject to the same traditional network
based attacks
Risks | Mobile Computing
Backend Applications and Storage
• Attacks against web, database, & storage servers
• Data leakage and compromise from backend services
• Vulnerabilities can be used to attack devices
• All data is potentially one click/touch away on cloud storage
Risks | Mobile Computing
Backend Applications and Storage
• Device and data compromise (unauthorized Bluetooth
connections)
– BluePrinting
– BlueJacking
– BlueSnarfing
• NFC
• Mobile forensics
• Removable media theft
• BYOD/BYOT
Risk | Mobile Computing
BYOD Risks
• Unknown third-party access via mobile apps
• Challenges in tracking data
• Data management, segregation difficult for compliance
• Stolen, lost mobile devices leak data
• Disgruntled employees a risk
Risk | Mobile Computing
Privacy Concerns
• Applications that monitor traffic and history
• Applications that have access to all your contacts, calendar, etc.
• Location services and geolocation
• Single sign-on security
• Malware that uses the camera and mic to spy (scary!)
• Voicemail access
• Call history, browser history
• Trusted connections
• Eavesdrop on phone conversations & SMS
Source: AICPA Cyber Security Web Seminar Series | Mobile Computing | May 14, 2013
Mobile Mitigation
• Device Authentication
– Require secure authentication
– Multi-factor authentication
• Device encryption
• Transport encryption
– SSL, VPN, TLS
• Wireless authentication and encryption
– WPA, WPA2, WPA Enterprise, RADIUS
• Don’t leave devices unattended
• Device timeouts
• Privacy screens
• Secure enclosures
Mobile Mitigation
• Download apps from trusted sources
• Secure application development methodology
• Mobile device management (iCloud, Find iPhone, MobileMe, Lookout Mobile Security)
• Control application permissions
• Device OS and firmware updates
• AV and Malware software
• Secure mobile browsing
• Disable service when not in use (Bluetooth, WiFi, gps, etc.)
• Device and media decommissioning
• Do not access corporate or sensitive websites over public wireless
• Use secure technology for remote access to backend systems (SSH, VPN, SSL, TLS)
Mobile Enterprise Mitigation
• Mobile device inventory management
• Mobile security and privacy governance
• Mobile computing policies and procedures
• Incorporate data classification standards
• Mobile device central management consoles
• Central policy based management (authentication, encryption,
remote wiping, etc.)
– Blackberry Enterprise Server
– Active Sync (Android, iOS)
• Mobile device synchronization standards
Source: AICPA Cyber Security Web Seminar Series | Mobile Computing | May 14, 2013
Mobile Enterprise Mitigation
• Mobile device application management
• Sandboxes or virtual phone technology
– Vmware
– Good Mobile Security
• Central endpoint protection
– (AV, malware, software installation, service and device control)
• Wireless authentication and encryption
– WPA, WPA2, RADIUS
• Don’t leave devices unattended
• Privacy screens
• Device and media decommissioning
• Mobile incident response
• Employee training and awareness
New Technologies | Cloud Computing
Cloud Computing Models
Risks | Cloud Computing
Cloud Technical Threats
• Vulnerable access management
• Data visible to other tenants
• Multi-tenancy visibility
• Hypervisor attacks
– Hypervisor: A computer tool allowing various software
applications running on different OSs to coexist on the
same server at the same time thereby enabling server
virtualization
• Application attacks
• Application compatibility
• Collateral damage
• SaaS access security
• Outdated Virtual Machine (VM) security
Risks | Cloud Computing
Cloud Security Concerns
• Hypervisor exploit to compromise VMs
• Data leakage / data storage
• Insecure Application Programming Interfaces (API’s)
• Improper access configuration
• Malicious Insiders / Subcontractors
• Storage and memory allocation / reallocation / clearing
• Maintenance of secure infrastructure:
– Hypervisor level
– Guest Machine / OS level
Risks | Cloud Computing
Cloud Governance Threats
• Regulatory Threats
– Asset ownership
– Asset disposal
– Asset location
• Information Security Governance Threats
– Physical security on all premises where data are stored
– Visibility of the security measures put in place by the CSP
– Media management
– Secure software SDLC
– Common security policy for community clouds
– Service termination issues
– Solid enterprise governance
– Support for audit and forensic investigations
Risk Mitigation | Cloud Computing
Cloud Security Essentials
• Contractual musts
– Definition of rights / ownership
– Right to audit / right to obtain assurance
• Cloud Service Provider (CSP) Security Program Management
– Information Security Policy
– Information Security Management System
– Personnel Management (vetting, training, monitoring)
– Perimeter/Internal defense and monitoring (DPI/ IDS/IPS, and DLP)
– Incident management
– Hardening and Change Control
– Redundancy
– DRP / BCP policies / procedures
Risk Mitigation | Cloud Computing
Cloud Security Frameworks
Risk Mitigation | Cloud Computing
Assess the Competency of Cloud Service Provider (CSP)
• CSP should be clear about their roles and responsibilities, the
risks they represent to the end user, and be able to provide
evidence of mitigating controls.
• Strong independent monitoring and auditing program and
effective assurance reporting.
Risk Mitigation | Cloud Computing
Understand Inherent Security Risks
• What exactly are the scope of services?
• What are the CSPs’ responsibilities?
• What are the end users’ responsibilities?
• What infrastructure components does the CSP have control
over?
– What components does the CSP have access to and does this enable
access to data and/or applications?
Risk Mitigation | Cloud Computing
Understand Inherent Security Risks
• What data and applications are involved?
– Confidential? Personal? Compliance?
– Impact of security breaches to compliance, operations, etc.?
– What are the CSP’s terms of agreement?
– What is the jurisdiction of data?
– Cross-border transfer of personal data?
Risk Mitigation | Cloud Computing
Specify security requirements during evaluation based on inherent risks
• Personnel requirements, including clearances, roles, and
responsibilities
• Identity & Access Management
• Monitoring & Incident Management
• Information handling and disclosure agreements and
procedures
• Network access control, connectivity, and filtering
• System configuration and patch management
Risk Mitigation | Cloud Computing
Specify security requirements during evaluation based on inherent risks
• Change Management
• Backup and recovery
• Data retention and sanitization
• Vulnerability scanning / penetration tests
• Risk assessment
• Independent auditing.
• Perimeter security
• Penetration Detection
• Data Loss Prevention
• Data erasure for PaaS / SaaS
• Physical Security
Risk Mitigation | Cloud Computing
Cloud Service Provider Agreement – Key Terms
• The process for assessing the cloud provider’s compliance with the service level
agreement, including independent audits and testing
• Compensating controls the end-user may carry out at their discretion.
• Procedures, protections, and restrictions for collocating or commingling
organizational data and for handling sensitive data
• The cloud provider’s obligations upon contract termination, such as the return
and expunging of data.
• Ownership rights over data
• Security and privacy performance visibility
• Data backup and recovery
• Incident response coordination and information sharing
• Disaster recovery.
Risk Mitigation | Cloud Computing
How can I be sure that the Cloud Service Provider’s controls are effective?
• CPA (Independent) Attestation Reporting:
– For Internal Control Over Financial (ICFR) Reporting Purposes:
• Statement on Standards for Attestation Engagement (SSAE) 16
• Service Organization Control (SOC) 1 Reports
• Formerly SAS 70 Reports
– For Operational / Compliance Risk Scenarios
• SOC 2 Reports
– Other Attestations
• AT 101 Examinations
• AT 201 Agreed Upon Procedures
• AT 601 Compliance
Risk Mitigation | Cloud Computing
How do I evaluate Cloud Service Provider Reporting?
• Confirm Scope / System Description aligns to agreements and
service level agreements (SLAs)
• Does the subject matter being reported on align to the user
entity control requirements and risk management needs?
• Do the controls defined by the CSP prevent or detect risks
represented by the CSP related to compliance with laws and
regulations, and the efficiency and effectiveness of operations?
Risk Mitigation | Cloud Computing
How do I evaluate Cloud Service Provider Reporting?
• Do the controls provide sufficient information for users to
understand how that control may affect their entity?
– Frequency
– Responsible party
– Nature of activity performed
– Subject matter to which the control is applied
• Are the timing, nature, and extent of testing adequate to meet risk management needs?
• Is the period of coverage of testing adequate?
• Do testing results indicate performance of controls is sufficient?
Source: AICPA Cyber Security Web Seminar Series | Cloud Security Considerations | June 6, 2013
SOC Reports from User’s Perspectives
SOC 2 Principle and Control Objectives
• Security – e.g., protection of the system from unauthorized access, both logical and physical
• Confidentiality - system’s ability to protect the information designated as confidential, as
committed or agreed
• Processing Integrity – e.g., completeness, accuracy, validity, timeliness, and authorization of
system processing
• Availability – accessibility to the system, products, or services as advertised or committed
by contract, service-level, or other agreements
• Privacy – personal information is collected, used, retained, disclosed, and destroyed in
conformity with the entity’s privacy notice and with criteria set forth in generally accepted
privacy principles
• Request Expansion of Principles and Control Objectives When in Doubt
– User entities can request that the Cloud Service Provider / Service Organization extend the above
criteria to address additional criteria related to regulatory requirements, service level
agreements, etc.
Additional Cloud Computing Information / References
• Cloud Security Alliance: Security Guidance for critical areas of
focus in cloud computing, 3.0
• NIST Special Publication 800-144, Guidelines on Security and
Privacy in Public Cloud Computing
• NIST 800-53: Information Security
• AICPA Service Organization Control:
– www.aicpa.org/soc
Why do we even use IT?
• Consistently apply predefined business rules and perform
complex calculations in processing large volumes of transactions
or data
• Enhance the timeliness, availability, and accuracy of information
• Facilitate the additional analysis of information
• Enhance the ability to monitor the performance of the entity’s
activities and its policies and procedures
• Reduce the risk that controls will be circumvented
• Enhance the ability to achieve effective segregation of duties by
implementing security controls in applications, databases, and
operating systems
AICPA Top Technology Initiatives for CPA’s Survey – 2013
1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risk and compliance
4. Ensuring privacy
5. Managing system implementations
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers
Source: Woodard, Jocelyn. 2013 TTI Survey Lists Top 10 Technology Initiatives in U.S. and Canada. AICPA Insights. May 1, 2013.
AICPA Top Technology Initiatives for CPA’s Survey – 2013
• Ranges of 22% to 57% of survey respondents indicated that they were
confident that their organizations were addressing these initiatives.
• Overall, this confidence was down from the 2012 survey.
• “The decline in confidence levels may mean professionals are making more
knowledgeable assessments of the ability of organizations to achieve
technology goals. This more realistic assessment indicates that the goals
may be more challenging than originally thought, and that organizations
must have the focus, commitment and drive to achieve them.”
– Donny Shimamoto, CPA, CITP, CGMA, Chair of the AICPA’s Information
Management and Technology Assurance (IMTA) Executive Committee
AICPA Top Technology Initiatives for CPA’s Survey – 2013
1. Managing and retaining data
– Key Risk Factors
• Data management is integral to an organization’s ability to mitigate risks.
• An organization whose data management policies and procedures are insufficient or
ineffective is exposed to the consequences of poor data management.
• Business decisions or client advice may be based on incomplete or inaccurate data.
• Data may be stored in outdated or incompatible formats for retrieval or improperly
backed up, resulting in irrevocable loss of data.
AICPA Top Technology Initiatives for CPA’s Survey – 2013
1. Managing and retaining data
– Key Risk Management Factors
• An organization needs to develop a strategic plan for managing data in order to
realize the most value from its investment in data acquisition and usage.
• An organization must develop policies and procedures to meet the internal, legal and
compliance-related requirements for data retention and usage.
• An organization must be able to back up data and restore data in the event of a data
loss (or a need to access historical data).