Monitoring vs. Auditing Internal Controls

Internal Controls

Auditing internal controls (which provide assurance on the reliability of financial reporting, the efficiency and effectiveness of operations, and compliance with laws and regulations) should not be viewed as part of the internal control infrastructure itself, which consists of the control environment, risk assessment, information & communication, control activities, and monitoring (COSO, SOC, ISO 27001).

Process owners should guard against the temptation to wait for, and rely solely on, the results of external audits to trigger consideration of the design and operating effectiveness of the internal controls in their process.

External Audit of Internal Controls

External audits can be SOC 1 or SOC 2 engagements, or they can be projects performed by the company's Internal Audit function. These engagements are typically retrospective and sometimes cover periods of substantial duration, for example the past twelve months. They may therefore be late in bringing to light items of significant consequence to the organization (SOC for Service Organizations).

Process Owner Responsibility

Process owners should instead focus on the monitoring mechanisms in their process that are designed to assure that process objectives are met and that risks are addressed consistent with the organization's risk appetite. That is, process owners should focus on mechanisms that detect and correct exposures, instead of relying too heavily on external audits, which exist to assess and opine, providing reasonable assurance to third parties on the design, description, and operating effectiveness of process controls.

The good news for process owners, ironically, is that external auditors can be a great resource to tap when considering internal controls design. For example, external auditors can provide valuable insight during an organization's development and implementation of an ISO 27001 information security management system (ISO 27001).

External Auditors

Although external auditors perform engagements to assess internal controls and must not perform management's function of monitoring them, their accumulated knowledge of internal controls nevertheless makes them a valuable resource for recommendations on the design of internal control mechanisms.

Contact CompVisory with questions as we are always available to our current clients and to prospects considering engaging with us for our services.

Audit Risk

Audit Risk Description

Audit risk is defined by standard setters, including the American Institute of Certified Public Accountants (AICPA), the Public Company Accounting Oversight Board (PCAOB), and others, as the risk that an auditor will express an inappropriate opinion on a subject matter. 

As I understand it, historically, a certified public accountant (CPA) in the audit of financial statements should perform an audit risk assessment, but lately, given the changes in attestation standards from the AICPA, and changes in continuing professional education (CPE) requirements from states such as Florida, the audit risk assessment requirement has expanded to include other subject matters beyond financial statements.

Audit risk is the product of inherent risk, control risk, and detection risk (Audit Risk = Inherent Risk × Control Risk × Detection Risk). A CPA, following the protocol of the standards that govern the profession, performs an "acceptance and continuance" evaluation that allows the CPA to decide whether to accept a new client or continue a relationship with an existing client. An integral part of that evaluation is the audit risk assessment.

The audit risk assessment, which factors into the CPA's decision on accepting a new client or continuing to engage with an existing client, matters to clients and prospective clients of a CPA for a simple reason: most companies, when deciding whether to maintain a relationship with an existing partner (subservice organization) that performs functions essential to their operations, or to engage a new partner company to perform such functions, make those decisions on a premise made famous by the words of President Ronald Reagan: "Trust but verify."

If a company suspects that an existing subservice organization or a prospective subservice organization is not being transparent in its dealings, it may (and should, in my opinion) disengage from the existing relationship or decline to engage with the prospect.

Inherent Risk

In my opinion, based on my education and experience, the inherent risks associated with company operations, compliance efforts, and financial reporting are those risks that justify a higher level of scrutiny given their nature. For example, when workflow policies and procedures are too cumbersome, employees will tend to circumvent them in company operations. That is an inherent risk of overly complex operations.

When compliance is treated as “in addition to” and not as “a part of” operations, the likelihood of noncompliance is increased.  That is an inherent risk of the failure to incorporate compliance measures into operations. 

Certain items reported on the financial statements are inherent risks to financial reporting because of their nature; for example, items tied to management's bonuses, accruals, and cash balances that allow the company to obtain lucrative loans.

Companies would be wise to identify and control for the inherent risks in their environment. CPAs must consider inherent risk when determining whether to continue existing relationships and accept new clients.

Control Risk

To prevent, or detect and correct, the risks that threaten the achievement of an objective, controls should be put in place that ensure where possible, and otherwise reasonably assure, that the objective is achieved. Control risk is the risk that the measures put in place to prevent, or detect and correct, those risks are not effective. The CPA must consider control risk under the standards of the profession. Companies are responsible for designing, implementing, and performing the needed controls.

Detection Risk

The CPA, after considering several factors, must determine the nature, timing, and extent of the testing needed to support the opinion expressed on the subject matter. Detection risk is the risk that the testing performed by the CPA was not enough to provide a reasonable basis for the opinion expressed. The nature, timing, and extent of the testing needed to address detection risk is solely the responsibility of the CPA.

Conclusion

Organizations should not assume that audit risk has implications only for the CPA. The audit risk assessment, which factors into the CPA's decision on accepting a new client or continuing to engage with an existing client, is the same consideration companies apply when deciding whether to maintain a relationship with an existing partner that performs functions essential to their operations, or to engage a new partner company to perform such functions. Trust but verify.

Contact CompVisory at the website listed below and we will guide you seamlessly through SOC 1, SOC 2, ISO 27001, or other agreed-upon procedures engagements so you can demonstrate that your company's internal controls have been verified (COSO, SOC, ISO 27001).

Dean Brown, CEO

www.compvisory.com

SOC 1*, SOC 2~, or Both

How should a company decide whether to have a SOC 1 or a SOC 2, or when it is appropriate to have both? The company should consider its creditors, investors, regulators, and the other concerned parties that rely on the information provided by the results of the SOC 1 or SOC 2 engagements. In addition, the company would be wise to consider its customers and their expectations on how the company will use their information, especially given the European Union's new General Data Protection Regulation (GDPR), effective May 25, 2018.

SOC 1

A SOC 1 engagement provides assurance on financial information and assesses internal controls over financial reporting. This engagement is appropriate if the company, as a service to other companies, provides transaction support that directly or indirectly impacts the completeness, accuracy, validity, and access controls associated with financial information (COSO, SOC, ISO 27001).

SOC 2

A SOC 2 engagement provides assurance on what the American Institute of Certified Public Accountants describes as the Trust Service Principles, namely security, availability, processing integrity, confidentiality, and privacy. There is some overlap between the controls assessed in SOC 1 and SOC 2 engagements. However, there are some very distinct differences that must not be ignored. The SOC 2 engagement is appropriate if the company handles any information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Both SOC 1 & SOC 2

SOC 1 and SOC 2 engagements are necessary together when a company provides transaction support that directly or indirectly impacts their clients’ financial information in addition to handling other information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Creditors, Investors, Regulators, & Customers

People want to know that you are treating them with dignity and respect when they engage with you in business. Transparency is critical in how you demonstrate your commitment to treating stakeholders with dignity and respect, so if your company provides transaction support for financial information and handles sensitive data, it is incumbent upon you to engage an independent third-party to provide the compelling evidence of that commitment and demonstrate that you are not just talk. Keep in mind that the EU through the GDPR is sending a clear message.

Important

Contact CompVisory and we will provide you with a readiness assessment, and then a SOC 1, a SOC 2, or both depending on the result of the assessment.

Contact us today.

*A service organization controls engagement covering internal controls over financial reporting relevant to user organizations.
~A service organization controls engagement covering security, availability, processing integrity, confidentiality, or privacy.

Protecting Your Information from Cyber Attacks

Cybersecurity

Cybersecurity is concerned with activities in cyberspace, while information security also addresses risks that arise from computer systems that are physically isolated from other electronic systems, and the protection of information stored in a format that is not accessible through electronic means, such as printed paper stored in filing cabinets (SOC for Cybersecurity). Unscrupulous actors can gain access to sensitive and private information by exploiting vulnerabilities, including our altruistic desire to help others. Now is a good time to ensure you have proper protocols in place to protect against the compromise of sensitive and private information. Having a cybersecurity plan is a step in the right direction. A good cybersecurity plan includes, at a minimum, the following five steps:

  1. Identification: Identifying who has access to, and control of, business information is the first step in a good cybersecurity plan. Individuals who have access to, and control of, business information should have been vetted during the hiring process; that is, they should have been subjected to a background check that involved, at a minimum, assessing their experience and competence as it relates to the handling of sensitive and private information. Management, however, is obligated to ensure that there are proper policies and procedures in place to guide the handling of sensitive and private information.
  2. Protection: The protection of sensitive and private information, albeit challenging, can be achieved through vigorous physical and logical access controls aimed at preventing, or timely detecting and correcting, compromise. Limiting employees' and vendors' access to the information required for them to perform their duties can aid in preventing the compromise of sensitive and private information. An employee or vendor should not have access to information they do not need to perform their duties. In addition, management is obligated to ensure that there are proper policies and procedures in place, including continuous awareness training, to minimize the risk that outsiders gain access to sensitive or private information through phishing and social engineering scams.
  3. Detection: Prevention is best; detection and correction is next best, but only if correction is aligned to the response time the gravity of the breach demands. There is really no excuse for not having, or having but not updating, anti-virus, anti-malware, and anti-spyware programs on your systems. Management is obligated to ensure that there is an assigned process owner for cyber-attack monitoring and response.
  4. Response: A risk assessment plan without a risk response plan is virtually useless. If sensitive or private information is compromised, it is important to have, at a minimum, a plan to prevent further breach. Management should ensure there are policies and procedures in place to ensure the proper response to incidents and breaches.
  5. Recovery: Backup and recovery should be performed as a normal business operation that occurs in real time, daily, or at an interval that the company, its regulators, and its clients find reasonable. If your business is small you could use external hard drives to make these backups, but for a more convenient solution, or for larger businesses, cloud services are a good option for backup. If you choose to use cloud services, ensure that such service providers have proper security protocols in place and can provide evidence of them, for example a successful yearly SOC 1, SOC 2, and/or SOC for Cybersecurity examination (System & Organization Controls).

Protecting sensitive and private information is important. A stark reminder of the need to stay vigilant in protecting your and your clients' information is the numerous scams that unscrupulous actors and hackers have been attempting and perpetrating during the recent storms. If you need guidance on best practices in protecting sensitive and private information, please contact the advisors at CompVisory today.

Power Structure & Internal Controls

"You can delegate the activity but you cannot delegate the responsibility" is an old saying in the auditing field. The idea of internal controls after outsourcing may seem complex, but it is not as insurmountable as it seems. There are only a handful of key considerations you face if you are a company contemplating engaging another company, or a company that has already engaged another company to perform a service for you. One of the most important considerations is the topic of this piece.

The power structure of the organization that you plan to engage, or have already engaged, is the determining factor in its reliability. I believe that the structure of the arrangement of responsibility, authority, and accountability drives the behavior, and ultimately, the quality of the outputs from an organization.

None-without-the-other (NWTO) is what you need to look for in an organization that you plan to entrust with valuable/important processes. There should be no person in an organization that has authority and no accountability, and there should be no person in an organization that has responsibility and no authority, as it is the recipe for dysfunction.

Responsibility for a process must be given with consideration for the resources, commitment, and time needed for the quality envisioned for that process to be achieved. Basically, responsibility must be given to the right person, the right infrastructure, and the right applications to afford the task a chance at success. I believe that anything other than that show of consideration is a ploy to distract.

Authority for a process must be given with consideration for decision-making agility, allocation of resources, and quality controls. Namely, the ability to make prompt and appropriate decisions, the ability to influence decision makers, and the ability to sufficiently assess the quality of the outputs of a process must all be evident in the authority figure. When authority is appropriately dispensed, it presents itself as a team operating seamlessly.

Accountability must be rigidly transparent, unmoving, and consistently applied without hesitation. If that is baked into the culture of the organization, it is a great signal of its trustworthiness. The way an organization responds to a routine request for information is an indication of its level of trustworthiness.

In short, the arrangement of responsibility, authority, and accountability in an organization is a testament to its trustworthiness. Smart outsourcers look to see if an independent and objective practitioner has audited an organization before entrusting to its care valuable/important processes.

Contact CompVisory to learn more if you plan to outsource to a third party, if you have already outsourced to a third party, or if you are a third party that has been entrusted with the valuable/important processes of another entity. Keep in mind that NWTO should shape the culture of an organization; otherwise inefficiencies, or worse things, could rear their ugly heads.

Segregation of Duties Best Practices

Segregation of Duties (SOD) is the separation of key processes that disperses critical functions to more than one person or department.[1] In short, it is ensuring that the custody, authorization, and record-keeping functions of a process are performed by distinct and empowered departments or personnel. Segregation of duties is an important tool in preventing, detecting, and correcting errors or fraud. Small companies and small business units sometimes find it difficult to implement SOD because of personnel constraints, cost implications, and a lack of best-practice guidance.

The difficulty of implementing SOD, however, should not be used as an excuse to ignore or minimize its importance, because the lack of SOD can be very consequential to the survival of a business. Take for example the $34 million embezzlement that happened at Koss Corp. due to a lack of adequate segregation of duties.[2] Koss Corp.'s Vice President of Finance was able to have false journal entries entered, authorized, and posted to the official accounting records without any oversight.[3] The entries were made without any supporting documentation and went undetected because of the inadequacy of the company's SOD.[4]

Segregation of Duties Considerations

Companies, irrespective of their size, should be proactive in their approach to SOD.  CompVisory recommends the following considerations:

Review of Current Structure 

The number of personnel and processes should be evaluated at the company-wide and business unit levels, where appropriate, so that SOD can be evaluated sufficiently. This endeavor should have the support of senior leadership, be assigned an owner with sufficient competence and authority, and be monitored for its effectiveness. Companies should consider the following processes at a minimum:

  • System administration
  • Accounting system access control
  • Cash collection and disbursement

Review of Current SOD Landscape

Companies should begin with evaluating their processes and resources (personnel & systems) and then perform a risk analysis to evaluate the following implications to the company:

  1. The likelihood of a given occurrence;
  2. The impact they could have on the company;
  3. The velocity/speed of the implications to the company; and
  4. The mitigating factors that their existing controls provide.

High-risk items, for example fraudulent or erroneous activities that could decimate the company, should be given immediate attention. Oftentimes the actual cost to a company that is subjected to a breach is much more than just the loss from the breach; for example, in the Koss Corp. case where $34 million was embezzled, the company was still held liable for the additional costs associated with lawsuits and fines. Companies would do well to consider these additional costs, as well as reputational costs (brand deterioration), when assessing their risks.

Determining the Appropriate SOD Posture

Risks should be ranked and prioritized based on their rating, and corrective action plans, if needed, should be developed, implemented, and monitored to ensure that the company is staying ahead of the implications of its risk universe. The exercise should be documented, revisited, and updated as appropriate. High- and medium-risk items should be treated as such.

SOD Low-Hanging Fruit

Companies at a minimum should strive to ensure the following:

  1. No one in the organization is allowed access to unilaterally create and release a cash transaction;
  2. No one in the accounting department should have system administrator access; and
  3. No one should be able to unilaterally create and post journal entries.
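
As an added example (not CompVisory's own tooling), the three rules above expressed as toxic permission combinations and run over a constructed role assignment; the role and permission names and the sample users are assumed, and should be mapped to whatever your accounting system or identity provider actually exports.

```python
"""Segregation-of-duties (SOD) conflict check over role assignments.

Added example, not CompVisory's own tooling. Role and permission names
and the sample users are constructed for illustration."""
from dataclasses import dataclass

# Constructed role catalogue: role -> permissions it grants.
ROLES = {
    "ap_clerk":    {"cash.create"},
    "treasurer":   {"cash.release"},
    "je_preparer": {"je.create"},
    "je_approver": {"je.post"},
    "it_admin":    {"sys.admin"},
}

# Toxic combinations: permissions one person must never hold together
# (rules 1 and 3 above).
TOXIC_COMBINATIONS = {
    "unilateral cash transaction": {"cash.create", "cash.release"},
    "unilateral journal entry":    {"je.create", "je.post"},
}

# Permissions incompatible with membership in a department (rule 2 above).
DEPARTMENT_BANS = {
    "accounting": {"sys.admin"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    evidence: str


def effective_permissions(roles):
    """Union of permissions across a user's roles. Conflicts usually come
    from role stacking rather than from a single over-broad role."""
    perms = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def find_sod_conflicts(users):
    """users: {name: {"department": str, "roles": [str, ...]}}.
    Returns Findings sorted by user; an empty list means no conflicts."""
    findings = []
    for user, info in sorted(users.items()):
        perms = effective_permissions(info["roles"])
        for rule, toxic in TOXIC_COMBINATIONS.items():
            if toxic <= perms:
                findings.append(Finding(user, rule, ", ".join(sorted(toxic))))
        banned = DEPARTMENT_BANS.get(info["department"], set())
        for perm in sorted(banned & perms):
            findings.append(Finding(user, f"{perm} held in {info['department']}", perm))
    return findings


# Constructed sample. "vp_finance" can both prepare and post entries and
# both create and release cash, the pattern described in the Koss case.
SAMPLE_USERS = {
    "vp_finance": {"department": "accounting",
                   "roles": ["ap_clerk", "treasurer", "je_preparer", "je_approver"]},
    "staff_acct": {"department": "accounting", "roles": ["je_preparer", "it_admin"]},
    "sysadmin":   {"department": "it", "roles": ["it_admin"]},
    "cashier":    {"department": "treasury", "roles": ["ap_clerk"]},
}

if __name__ == "__main__":
    for f in find_sod_conflicts(SAMPLE_USERS):
        print(f"{f.user}: {f.rule} ({f.evidence})")
```

Running it on the sample flags the finance VP twice and the accounting staffer once; the IT administrator and the cashier are clean.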

[1] Anthony Ghosn, Segregation of Duties, AICPA, https://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Auditing/InternalControl/Pages/value-strategy-through-segregation-of-duties.aspx

[2] United States Securities and Exchange Commission v. Koss Corp. and Michael J. Koss, Civ. No. 2:11-cv-00991 (Cir. Ct. E.D. Mo. 2011), available at https://www.sec.gov/litigation/complaints/2011/comp22138.pdf

[3] Id. at ¶ 19.

[4] Id. at ¶ 20.

Largest litigated amount ever obtained by FTC in latest ruling by U.S. District Court of Nevada

A U.S. District Court Judge in Nevada ruled in favor of the FTC, imposing a record $1.3 billion judgment against AMG Services Inc. owned by Scott A. Tucker.  The court found AMG Services misled consumers about a one-time servicing fee and the actual cost of the loan.  Instead of charging a one-time servicing fee, AMG Services would make several withdrawals from consumer bank accounts and then charge a financing fee for every withdrawal.  AMG Services Inc., as well as any of Tucker’s businesses, are prohibited from providing any consumer lending services.

You can read more here:

https://www.ftc.gov/news-events/press-releases/2016/10/us-court-finds-ftcs-favor-imposes-record-13-billion-judgment?utm_source=govdelivery

The CFPB Released Their Updated Exam Procedures to Address the New Requirements of the Military Lending Act

The CFPB has released its updated exam procedures to align with the requirements of the amended Military Lending Act. The Military Lending Act was amended in July 2015 to provide further protections to service members and their families when they acquire certain types of credit. Most creditors are expected to comply with the new regulations by October 3, 2016, and most credit card companies are expected to comply by October 3, 2017. The CFPB will begin to evaluate financial institutions' implementation plans for the new requirements of the Military Lending Act as early as October.

You can read more about the Military Lending Act and the CFPB’s updated exam requirements here:

http://www.consumerfinance.gov/about-us/newsroom/cfpb-releases-updated-exam-procedures-military-lending-act/

The Internet of Things

The Internet of Things (IOT) is a phenomenon that is changing the way businesses and consumers interact. IBM describes the IOT as a "force of animation."[1] That is, the IOT connects seemingly inanimate objects to the internet to collect data and communicate it with other devices. For example, a refrigerator, a seemingly inanimate object that stores and keeps food cold, would, when upgraded to include a few sensors and a computing device, become a smart refrigerator that can communicate data about your diet to your doctor, update your grocery list, and notify your warranty servicer of needed repairs. These consumer devices can connect and transmit data directly to businesses, which in theory would result in improved services and reduced costs to businesses and consumers alike.

There are over 25 billion connected devices in the market and the industry is expected to double in the next four years bringing that number to 50 billion connected devices.[2]  The potential advantages of the IOT phenomenon to businesses and consumers are readily evident; however, a closer look at the IOT will show that there are potential risks to businesses and their consumers if security implications are not assessed and managed appropriately.

Clearly there are advantages to the IOT phenomenon, but undoubtedly there are important risks that businesses must assess and manage sufficiently so as to mitigate the impacts on the businesses themselves and their customers.  Businesses should be proactive in their approach to addressing these risks and take the necessary steps to reasonably secure the data they are receiving, storing, and transmitting.  Below are some steps proactive businesses can take to secure their data reception, storage, and transmission processes.

  • Know and limit what data your business is receiving and storing. A recent survey by Veritas found that 52% of the data stored by businesses is dark data, or data with unknown value.[3] This is an unnecessary risk for businesses. If a business does not know what data it is storing, it might not know how to secure it properly. Also, data thieves are more likely to attack a company holding large amounts of data. Proactive businesses should find out what data they are collecting and then keep only what is necessary for business and regulatory purposes.
  • Restrict employees' access to data. The old need-to-know standard is especially important here: employees should only be allowed access to data that is required for them to carry out their job duties. Proactive businesses should restrict access to any other data and use industry standards to encrypt data at rest in case employees gain inadvertent access. This would not only help prevent data loss, but it would also assure that employees are not using data in ways that are against company policy or that consumers would find unreasonable.[4]
  • Systematically require employees to use unique and strong passwords that are properly secured. In addition to social engineering, hackers have been known to enter systems by using programs that try different combinations of characters until one matches, thereby giving them access to the system. By providing training and ongoing reminders to employees of the importance of system security, requiring employees to use complex passwords, configuring lockout and password change frequency policies in the system, and encrypting password files, companies can go a long way in minimizing the likelihood that hackers gain access to their systems.
  • Secure data transmission. Most likely, IOT data will be transmitted from consumers' devices to companies' networks through online services. It is possible for data thieves to steal data during transmission if the data is not encrypted and security measures are not properly configured. In a complaint brought by the FTC against Credit Karma and Fandango, the FTC charged that the companies failed to properly configure Secure Sockets Layer (SSL) certificate validation in their mobile apps.[5] This allowed hackers to capture users' personal information when they accessed the mobile apps to get their credit scores, by posing as the Credit Karma or Fandango online service with a fake SSL certificate.[6] Users would unknowingly send their personal information to hackers posing as Credit Karma and Fandango. Proactive businesses should use industry standards to encrypt data during transmission and implement and monitor strict configuration standards.
  • Vet service providers/vendors to verify they have security measures in place to properly secure data. If your business uses a third-party service and they will have access to your consumers' personal data, insist in writing that the provider take appropriate steps to protect the data, and then verify compliance.
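
As an added example (not code from CompVisory or from the apps in the FTC case), the client-side TLS misconfiguration the Credit Karma and Fandango complaint describes, beside the corrected configuration, with an audit function that flags the settings that let a forged certificate through; it uses only Python's standard ssl module and makes no network connection.

```python
"""Client-side TLS configuration audit.

Added example, not code from CompVisory or from the apps in the FTC case.
It builds the two kinds of client context the case contrasts (validation
disabled vs. enforced) and audits each for the settings that would make an
attacker's forged certificate acceptable. No network connection is made."""
import ssl


def weak_client_context():
    """What 'disable certificate validation' looks like in code: any
    certificate, including a forged one, is accepted. Never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Library defaults (chain verified against the system trust store and
    hostname matched) plus an explicit floor on the protocol version."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return a list of findings. An empty list means the context would
    reject a forged certificate and a downgraded protocol version."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2 (minimum_version)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```

Run the audit against the context your own client code actually builds; a "no findings" result is the configuration the FTC said the two apps lacked.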

The IOT is poised to continue to grow. The advantages to businesses and consumers are readily evident, and the risks, if managed appropriately, can be mitigated so that the significant potential benefits of this phenomenon do not get derailed by security concerns.

[1] Behan, Anthony, No really, what is the Internet of Things?,  Internet of Things Blog (Sept. 20, 2016), https://www.ibm.com/blogs/internet-of-things/what-is-the-internet-of-things/  (last visited Sept. 26, 2016).

[2] Federal Trade Commission, Internet of Things: Privacy & Security in a Connected World 1 (Jan. 2015) [hereinafter FTC Staff Report], https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[3] The Databurg Report: See What Others Don’t, Identify the Value, Risk, and Cost of Your Data 3 (Mar. 15, 2016) https://www.veritas.com/content/dam/Veritas/docs/reports/veritas-strike-global-report_a4-sdc2.pdf.

[4] FTC Staff Report at IV https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[5] Fair, Leslie, Default lines: How the FTC says Credit Karma and Fandango SSLighted Security Systems, Business Blog (Mar. 28, 2014), https://www.ftc.gov/news-events/blogs/business-blog/2014/03/default-lines-how-ftc-says-credit-karma-fandango-sslighted (last visited Sept. 27, 2016).

[6] Id.

Drones and Privacy

The Federal Trade Commission (FTC) is set to meet October 13, 2016 in an effort to explore concerns about the potential impact to privacy that could result from the use of drones.  The meeting will feature representatives from the Electronic Privacy Information Center, the University of Washington, Ohio State University, Drone Manufacturers, and many others.  This is likely to be the first of many discussions as the Federal Aviation Administration (FAA) expects to issue over 2 million commercial drone permits by the year 2020.[1]   Companies would be wise to be proactive and get ahead of the concerns around privacy to stave off future potential problems.

The FAA has already issued commercial drone permits, so companies are now poised to take advantage of the technology but will also be exposed to the privacy concerns that come along with it. Insurance companies and industrial inspection companies will likely be responsible for the majority of commercial drone permit requests because they stand to readily benefit from the advantages of the technology. For example, an insurance company could use drones to fly over and assess damage to an area struck by a hurricane or tornado, and industrial companies can use drones to survey mines or construction sites.

The expected increase in the use of drones raises concerns about data collection and privacy. Since a video recording device can easily be attached to these drones, the public is concerned with who is recording and what data is being collected as the drones fly over private property, including homes.[2]

Companies that wish to be proactive will want to stay ahead of the risk that they may compromise a person's or an entity's privacy and be subjected to the legal repercussions. They should consider who they are hiring to operate these drones; how the information is being recorded, transmitted, and stored; and whether the information can be compromised or hacked. For example, they would need to consider physical and logical access to the data, encryption methodologies, and the security practices in general of the individuals or entities entrusted with their drone initiative.

The FTC discussion is likely to be the beginning of many such discussions.  The commercial use of drones can be very beneficial but concerns over privacy are increasing due to the ease of attaching recording devices to drones.  It is important for companies to be proactive in assessing and addressing the risks associated with collecting data via drones so they can be addressed before they become a problem.

[1] "The Future of Commercial Drone Use," The Insurance Journal, March 29, 2016, available at http://www.insurancejournal.com/news/national/2016/03/29/403149.htm (accessed September 21, 2016).

[2] EPIC v. FAA, No. 16-1297 (D.C. Cir. Aug. 22, 2016), available at https://epic.org/privacy/litigation/apa/faa/drones/EPIC-Petition-08222016.pdf, in which EPIC is suing the FAA to require drone operators to provide information to individuals about who is recording and what is being recorded.