Monitoring vs. Auditing Internal Controls

Internal Controls

The auditing of internal controls, which provides assurance on the reliability of financial reporting, the efficiency and effectiveness of operations, and compliance with laws and regulations, should not be viewed as part of the internal controls infrastructure itself. That infrastructure comprises the control environment, risk assessment, information and communication, control activities, and monitoring (COSO, SOC, ISO 27001).

Process owners should guard against the temptation to wait for, and rely solely on, the results of external audits to trigger consideration of the design and operating effectiveness of the internal controls in their process.

External Audit of Internal Controls

External audits can be SOC 1 or SOC 2 engagements, or they can be projects performed by the company’s Internal Audit function. These engagements are typically retrospective in their assessment and sometimes cover periods of substantial duration, for example the past twelve months. Therefore, they may be late in bringing to light items of significant consequence to the organization (SOC for Service Organizations).

Process Owner Responsibility

Process owners should instead focus attention on the monitoring mechanisms in their process that are designed to assure that process objectives are met and that risks are addressed consistent with the organization’s risk appetite. That is, process owners should focus more on mechanisms that can detect and correct exposures instead of relying too heavily on external audits, whose purpose is to assess and opine, providing third parties with reasonable assurance on the design, description, and operating effectiveness of process controls.

Ironically, the good news for process owners is that external auditors can be a great resource to tap when considering internal controls design. For example, external auditors can provide valuable insight during an organization’s development and implementation of an ISO 27001 information security management system (ISO 27001).

External Auditors

Although external auditors perform engagements to assess internal controls and must not perform the management function of monitoring those controls, their accumulated knowledge of internal controls nevertheless makes them a valuable resource for recommendations on the design of internal control mechanisms.

Contact CompVisory with questions as we are always available to our current clients and to prospects considering engaging with us for our services.

SOC 1*, SOC 2~, or Both

How should a company decide whether to have a SOC 1 or a SOC 2, or when it is appropriate to have both? The company should consider its creditors, investors, regulators, and the other concerned parties that rely on the information produced by the SOC 1 or SOC 2 engagements. In addition, the company would be wise to consider its customers and their expectations on how the company will use their information, especially given the European Union’s General Data Protection Regulation (GDPR), effective May 25, 2018.

SOC 1

A SOC 1 engagement provides assurance on financial information and assesses internal controls over financial reporting. This engagement is appropriate if the company, as a service to other companies, provides transaction support that directly or indirectly impacts the completeness, accuracy, validity, and access controls associated with financial information (COSO, SOC, ISO 27001).

SOC 2

A SOC 2 engagement provides assurance on what the American Institute of Certified Public Accountants describes as the Trust Service Principles, namely security, availability, processing integrity, confidentiality, and privacy. There is some overlap between the controls assessed in SOC 1 and SOC 2 engagements; however, there are some very distinct differences that must not be ignored. The SOC 2 engagement is appropriate if the company handles any information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Both SOC 1 & SOC 2

SOC 1 and SOC 2 engagements are necessary together when a company provides transaction support that directly or indirectly impacts their clients’ financial information in addition to handling other information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Creditors, Investors, Regulators, & Customers

People want to know that you are treating them with dignity and respect when they engage with you in business. Transparency is critical in how you demonstrate your commitment to treating stakeholders with dignity and respect, so if your company provides transaction support for financial information and handles sensitive data, it is incumbent upon you to engage an independent third-party to provide the compelling evidence of that commitment and demonstrate that you are not just talk. Keep in mind that the EU through the GDPR is sending a clear message.

Important

Contact CompVisory and we will provide you with a readiness assessment, and then a SOC 1, a SOC 2, or both depending on the result of the assessment.

Contact us today.

*Service organization controls engagement covering internal controls over financial reporting relevant to user organizations.
~Service organization controls engagement covering security, availability, processing integrity, confidentiality, or privacy.

Protecting Your Information from Cyber Attacks

Cybersecurity

Cybersecurity is concerned with activities in cyberspace, while information security also addresses risks that arise from computer systems that are physically isolated from other electronic systems, and the protection of information stored in a format that is not accessible through electronic means, such as printed paper stored in filing cabinets (SOC for Cybersecurity). Unscrupulous actors can gain access to sensitive and private information by exploiting vulnerabilities, including our altruistic desire to help others. Now is a good time to ensure you have proper protocols in place to protect against the compromise of sensitive and private information. Having a cybersecurity plan is a step in the right direction. A good cybersecurity plan includes, at a minimum, the following five steps:

  1. Identification: Identifying who has access to, and control of, business information is the first step in a good cybersecurity plan. Individuals that have access to, and control of, business information should have been vetted during the hiring process; that is, they should have been subjected to a background check that involved, at a minimum, assessing their experience and competence as it relates to the handling of sensitive and private information. Management, however, is obligated to ensure that there are proper policies and procedures in place to guide the handling of sensitive and private information.
  2. Protection: The protection of sensitive and private information, albeit challenging, can be achieved through vigorous physical and logical access controls aimed at preventing compromise, or at detecting and correcting it in a timely manner. Limiting employees’ and vendors’ access to the information required for them to perform their duties can aid in preventing the compromise of sensitive and private information. An employee or vendor should not have access to information they do not need to perform their duties. In addition, Management is obligated to ensure that there are proper policies and procedures in place, including continuous awareness training, to minimize the risk that outsiders gain access to sensitive or private information through phishing and social engineering scams.
  3. Detection: Prevention is best; detection and correction are next best, but only if correction happens within the response time the gravity of the breach demands. There is really no excuse for not having, or having but not updating, anti-virus, anti-malware, and anti-spyware programs on your systems. Management is obligated to ensure that there is an assigned process owner for cyber-attack monitoring and response.
  4. Response: A risk assessment plan without a risk response plan is virtually useless. If sensitive or private information is compromised, it is important to have, at a minimum, a plan to prevent further breach. Management should ensure there are policies and procedures in place to ensure the proper response to incidents and breaches.
  5. Recovery: Backup and recovery should be performed as a normal business operation that occurs in real time, daily, or at an interval that the company, its regulators, and its clients find reasonable. If your business is small you could use external hard drives to make these backups, but for a more convenient solution, or for larger businesses, cloud services are a good option for backup. If you choose to use cloud services, ensure that such service providers have proper security protocols in place and can provide evidence of this, for example through a successful yearly SOC 1, SOC 2, and/or SOC for Cybersecurity examination (System & Organization Controls).

Protecting sensitive and private information is important. The numerous scams that unscrupulous actors and hackers have attempted and perpetrated during the recent storms are a stark reminder to stay vigilant in protecting your and your clients’ information. If you need guidance on best practices in protecting sensitive and private information, please contact the advisors at CompVisory today.

Segregation of Duties Best Practices

Segregation of Duties (SOD) is the separation of key processes so that critical functions are dispersed across more than one person or department.[1] In short, it is ensuring that the custody, authorization, and record-keeping functions of a process are performed by distinct and empowered departments or personnel. Segregation of duties is an important tool in preventing, detecting, and correcting errors or fraud. Small companies and small business units sometimes find it difficult to implement SOD because of personnel constraints, cost implications, and a lack of best-practices guidance.

The difficulty of implementing SOD, however, should not be used as an excuse to ignore or minimize the importance of having SOD in place, because the lack thereof can be very consequential to the survival of a business. Take, for example, the $34 million embezzlement that happened at Koss Corp. due to a lack of adequate segregation of duties.[2] Koss Corp.’s Vice President of Finance was able to have false journal entries entered, authorized, and posted to the official accounting records without any oversight.[3] The entries were made without any supporting documentation and went undetected because of the inadequacy of the company’s SOD.[4]

Segregation of Duties Considerations

Companies, irrespective of their size, should be proactive in their approach to SOD.  CompVisory recommends the following considerations:

Review of Current Structure 

The number of personnel and processes should be evaluated at the company-wide and business unit levels, where appropriate, so that SOD considerations can be evaluated sufficiently. This endeavor should have the support of senior leadership, have an appointed owner with sufficient competence and authority, and be monitored for its effectiveness. Companies should consider the following processes at a minimum:

  • System administration
  • Accounting system access control
  • Cash collection and disbursement

Review of Current SOD Landscape

Companies should begin with evaluating their processes and resources (personnel & systems) and then perform a risk analysis to evaluate the following implications to the company:

  1. The likelihood of a given occurrence;
  2. The impact they could have on the company;
  3. The velocity/speed of the implications to the company; and
  4. The mitigating factors that their existing controls provide.

High-risk items, for example fraudulent or erroneous activities that could decimate the company, should be given immediate attention. Oftentimes the actual cost to a company that is subjected to a breach is much more than just the loss from the breach itself; for example, in the Koss Corp. case where $34 million was embezzled, the company was still held liable for the additional costs associated with lawsuits and fines. Companies would do well to consider these additional costs as well as reputational costs (brand deterioration) when assessing their risks.

Determining the Appropriate SOD Posture

Risks should be ranked and prioritized based on their rating, and corrective action plans, where needed, should be developed, implemented, and monitored to ensure that the company stays ahead of the implications of its risk universe. The exercise should be documented, revisited, and updated as appropriate. High- and medium-risk items should be treated with corresponding priority.

SOD Low Hanging Fruits

Companies at a minimum should strive to ensure the following:

  1. No one in the organization is allowed access to unilaterally create and release a cash transaction;
  2. No one in the accounting department should have system administrator access; and
  3. No one should be able to unilaterally create and post journal entries.
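The three rules above can be checked mechanically against a system’s access list. The following is an added example (not CompVisory’s own tooling) that assumes a simple entitlement model, with hypothetical permission names such as `cash.create` and `je.post`, and flags any single user whose assignments break one of the rules; the sample users are constructed.

```python
"""Segregation-of-duties conflict check for the three "low hanging fruit" rules.

Assumed model (not from the original text): each user has a department and a
set of named permissions. A rule is either a toxic combination of permissions
held by one person, or a permission a given department must never hold.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    department: str
    permissions: set = field(default_factory=set)


# Rule 1: no one may both create and release a cash transaction.
# Rule 3: no one may both create and post journal entries.
TOXIC_COMBINATIONS = {
    "unilateral cash release": {"cash.create", "cash.release"},
    "unilateral journal posting": {"je.create", "je.post"},
}
# Rule 2: no one in the accounting department may hold system administrator access.
DEPARTMENT_RESTRICTIONS = {
    "accounting": {"sysadmin"},
}


def sod_conflicts(user):
    """Return the list of rule names this user violates (empty if clean)."""
    findings = []
    for rule, combo in TOXIC_COMBINATIONS.items():
        if combo <= user.permissions:          # user holds every permission in the combo
            findings.append(rule)
    for perm in DEPARTMENT_RESTRICTIONS.get(user.department.lower(), set()):
        if perm in user.permissions:
            findings.append(f"{user.department} holds {perm}")
    return findings


def review_access(users):
    """Map each conflicting user to its findings; clean users are omitted."""
    return {u.name: f for u in users if (f := sod_conflicts(u))}


# Constructed sample entitlements (hypothetical names and roles).
SAMPLE_USERS = [
    User("ap_clerk", "accounting", {"cash.create"}),
    User("treasurer", "finance", {"cash.release", "je.post"}),
    User("controller", "accounting", {"je.create", "je.post"}),
    User("it_admin", "it", {"sysadmin"}),
    User("vp_finance", "accounting", {"cash.create", "cash.release", "sysadmin"}),
]

if __name__ == "__main__":
    for name, findings in review_access(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(findings)}")
```

Running the review over an export of real role assignments turns the three rules into a repeatable monitoring control rather than a one-time audit finding.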

[1] Anthony Ghosn, Segregation of Duties, AICPA, https://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Auditing/InternalControl/Pages/value-strategy-through-segregation-of-duties.aspx

[2] United States Securities and Exchange Commission v. Koss Corp. and Michael J. Koss, Civ. No. 2:11-cv-00991 (Cir. Ct. E.D. Mo. 2011), available at https://www.sec.gov/litigation/complaints/2011/comp22138.pdf

[3] Id.  at ¶19

[4] Id. at ¶20

The Internet of Things

The Internet of Things (IOT) is a phenomenon that is changing the way businesses and consumers interact. IBM describes the IOT as a “force of animation.”[1] That is, the IOT is connecting seemingly inanimate objects to the internet to collect and communicate data with other devices. For example, a refrigerator, a seemingly inanimate object that stores and keeps food cold, would, when upgraded to include a few sensors and a computing device, become a smart refrigerator that can communicate data about your diet to your doctor, update your grocery list, and notify your warranty servicer of needed repairs. These consumer devices can connect and transmit data directly to businesses, which in theory would result in improved services and reduced costs to businesses and consumers alike.

There are over 25 billion connected devices in the market and the industry is expected to double in the next four years bringing that number to 50 billion connected devices.[2]  The potential advantages of the IOT phenomenon to businesses and consumers are readily evident; however, a closer look at the IOT will show that there are potential risks to businesses and their consumers if security implications are not assessed and managed appropriately.

Clearly there are advantages to the IOT phenomenon, but undoubtedly there are important risks that businesses must assess and manage sufficiently so as to mitigate the impacts on the businesses themselves and their customers.  Businesses should be proactive in their approach to addressing these risks and take the necessary steps to reasonably secure the data they are receiving, storing, and transmitting.  Below are some steps proactive businesses can take to secure their data reception, storage, and transmission processes.

  • Know and limit what data your business is receiving and storing. A recent survey by Veritas found that 52% of the data stored by businesses is dark data, or data with unknown value.[3] This is an unnecessary risk for businesses. If a business does not know what data it is storing, it might not know how to properly secure that data. Also, data thieves are more likely to attack a company with large amounts of data. Proactive businesses should find out what data they are collecting and then keep only what is necessary for business and regulatory purposes.
  • Restrict employees’ access to data. The old standard of a need-to-know basis is especially important here: employees should only be allowed access to data that is required for them to carry out their job duties. Proactive businesses should restrict access to any other data and use industry standards to encrypt data at rest in case inadvertent access is achieved by employees. This would not only help prevent data loss, but it would also assure that employees are not using data in ways that are against company policy or that consumers would find unreasonable.[4]
  • Systematically require employees to use unique and strong passwords that are properly secured. In addition to social engineering, hackers have been known to enter systems by using programs that repeat different combinations of characters until a combination finds a match, thereby giving them access to the system. By providing training and ongoing reminders to employees of the importance of system security, requiring employees to use complex passwords, configuring lockout and password change frequency policies in the system, and encrypting password files, companies can go a long way toward minimizing the likelihood that hackers gain access to their systems.
  • Secure data transmission. Most likely, IOT data will be transmitted from consumers’ devices to companies’ networks through online services. It is possible for data thieves to steal the data during transmission if the data is not encrypted and security measures are not properly configured. In a complaint brought by the FTC against Credit Karma and Fandango, the FTC charged that the companies failed to properly configure Secure Sockets Layer (SSL) certificate validation in their mobile apps.[5] This allowed hackers, posing as the Credit Karma or Fandango online service with a fake SSL certificate, to capture users’ personal information when they accessed the mobile apps to get their credit scores.[6] Users would unknowingly send their personal information to hackers posing as Credit Karma and Fandango. Proactive businesses should use industry standards to encrypt data during transmission and implement and monitor strict configuration standards.
  • Vet service providers/vendors to verify they have security measures in place to properly secure data. If your business uses a third-party service that will have access to your consumers’ personal data, insist, in writing, that the vendor take appropriate steps to protect the data, and then verify compliance.
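The Credit Karma and Fandango complaints cited above concerned client apps whose certificate validation had been switched off, so a forged certificate was accepted. The following added example (not CompVisory’s or the FTC’s code) shows, with Python’s standard `ssl` module, a client context that validates beside the weak setting that does not, and a small audit function a team can run over its own contexts before shipping; the function names are assumptions.

```python
"""Checking that a TLS client actually validates the server's certificate.

Assumed design (not from the original text): configuration review is done on
ssl.SSLContext objects, so the check runs offline without any network access.
"""
import ssl


def secure_client_context():
    """What a client should use: CA verification plus hostname matching."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets verify_mode=CERT_REQUIRED and
    # check_hostname=True; we additionally refuse anything older than TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """The weak setting: validation disabled, so any certificate is accepted,
    including one forged by someone sitting between the app and the service."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the context validates."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    print("secure  :", audit_client_context(secure_client_context()) or "ok")
    print("insecure:", audit_client_context(insecure_client_context()))
```

The same audit can be applied to any context an application builds, which is how a configuration standard like the one the bullet recommends becomes something that is monitored rather than merely documented.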

The IOT is poised to continue to grow. The advantages to businesses and consumers are readily evident, and the risks, if managed appropriately, can be mitigated such that the significant potential benefits of this phenomenon do not get derailed by security concerns.

[1] Behan, Anthony, No really, what is the Internet of Things?, Internet of Things Blog (Sept. 20, 2016), https://www.ibm.com/blogs/internet-of-things/what-is-the-internet-of-things/ (last visited Sept. 26, 2016).

[2] Federal Trade Commission, Internet of Things: Privacy & Security in a Connected World 1 (Jan. 2015) [hereinafter FTC Staff Report], https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[3] The Databerg Report: See What Others Don’t, Identify the Value, Risk, and Cost of Your Data 3 (Mar. 15, 2016), https://www.veritas.com/content/dam/Veritas/docs/reports/veritas-strike-global-report_a4-sdc2.pdf.

[4] FTC Staff Report at IV, https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[5] Fair, Leslie, Default lines: How the FTC says Credit Karma and Fandango SSLighted Security Systems, Business Blog (Mar. 28, 2014), https://www.ftc.gov/news-events/blogs/business-blog/2014/03/default-lines-how-ftc-says-credit-karma-fandango-sslighted (last visited Sept. 27, 2016).

[6] Id.

Drones and Privacy

The Federal Trade Commission (FTC) is set to meet October 13, 2016 to explore concerns about the potential impact on privacy that could result from the use of drones. The meeting will feature representatives from the Electronic Privacy Information Center, the University of Washington, Ohio State University, drone manufacturers, and many others. This is likely to be the first of many discussions, as the Federal Aviation Administration (FAA) expects to issue over 2 million commercial drone permits by the year 2020.[1] Companies would be wise to be proactive and get ahead of the concerns around privacy to stave off potential future problems.

The FAA has already issued commercial drone permits, so companies are now poised to take advantage of the technology but will also be exposed to the privacy concerns that come along with it. Insurance companies and industrial inspection companies will likely account for the majority of commercial drone permit requests because they stand to readily benefit from the advantages of the technology. For example, an insurance company could use drones to fly over and assess damage to an area struck by a hurricane or tornado, and industrial companies can use drones to survey mines or construction sites.

The expected increase in the use of drones raises concerns about data collection and privacy. Since a video recording device can easily be attached to these drones, the public is concerned with who is recording and what data is being collected as the drones fly over private property, including homes.[2]

Companies that wish to be proactive will want to stay ahead of the risk that they may compromise a person’s or an entity’s privacy and be subjected to legal repercussions. They should consider whom they are hiring to operate these drones; how the information is being recorded, transmitted, and stored; and whether the information can be compromised or hacked. For example, they would need to consider physical and logical access to the data, encryption methodologies, and the security practices in general of the individuals or entities entrusted with their drone initiative.

The FTC discussion is likely to be the beginning of many such discussions. The commercial use of drones can be very beneficial, but concerns over privacy are increasing due to the ease of attaching recording devices to drones. It is important for companies to be proactive in assessing and addressing the risks associated with collecting data via drones so that those risks are addressed before they become a problem.

[1] “The Future of Commercial Drone Use.” The Insurance Journal, March 29, 2016, available at: http://www.insurancejournal.com/news/national/2016/03/29/403149.htm (accessed September 21, 2016).

[2] EPIC v. FAA, No. 16-1297 (D.C. Cir. Aug. 22, 2016), available at https://epic.org/privacy/litigation/apa/faa/drones/EPIC-Petition-08222016.pdf, where EPIC is suing the FAA to require drone operators to provide information to individuals about who is recording and what is being recorded.

Rise Above Your Risks

Companies in the normal course of business must define their objectives; assess the risks to achieving those objectives; and design, implement, and monitor controls to address those risks. The professionals at CompVisory are uniquely qualified to help our clients do more than just address their risks. The CompVisory Team helps our clients rise above their risks by applying state of the art process improvement methodologies to our approach at providing audit, advisory, and consulting services.

The View From Above

Your business landscape is complex.  From the latest technological advances to the laws and regulations that impact your business, identifying, assessing, and managing risks can be complicated.  You need a view from above to stay ahead.  The professionals at CompVisory are thought leaders who have the experience and knowledge to help you understand the landscape and look to the horizon to customize a plan to suit your business needs.  Let the CompVisory team help you get your view from above.