INFORMATION TECHNOLOGY AND THE AUDIT COMMITTEE: Results of the AICPA’s 2010 Top Ten Technology Survey New York State Society of Certified Public Accountants 2010 Banking Conference November 4, 2010

Top IT Concerns of Audit Committees

DESCRIPTION

Presentation given at the 2010 Banking Conference of the New York State Society of Certified Public Accountants, based on the survey performed by the AICPA's Top Technology Task Force, on which I served as co-Chair.


JOEL LANZ CPA.CITP, CFF, CFE, CISSP, CISA, CISM

• Joel served as Co-Chair for the American Institute of Certified Public Accountants 2010 Top Technology Survey.

• He currently is an Adjunct Professor at State University of New York - College at Old Westbury, teaching graduate Accounting Information Systems, Advanced Auditing & Assurance Services, Auditing for Public Accounting and Forensic Accounting.

• Joel’s articles have been published in many peer-reviewed accounting and financial industry publications. He serves on the Editorial Board of The CPA Journal and Bank Accounting and Finance.

• Joel currently serves on the American Institute of Certified Public Accountants CITP credential committee, and serves as that committee’s liaison to the IT Executive Committee, a committee on which he recently completed a three-year term. He also serves on various Institute Task Forces.

• Joel previously served as Chairman of the New York State Society of Certified Public Accountants Information Technology Committee and the society’s Technology Assurance committee. He serves on the Institute of Internal Auditors – LI Chapter Board of Governors.

• Joel’s practice focuses on technology risk management, IT audit and information security. Prior to starting his practice in 2001, Joel was a Technology Risk Consulting Partner at Arthur Andersen and was a Manager at Price Waterhouse. His industry experience includes Vice President and Audit Manager at The Chase Manhattan Bank and senior IT auditor positions at two insurance companies.


2010 Top Technology Initiatives

• 2010 represents the 21st continuous year of publication for the AICPA Top Technologies Initiative (TTI) List.

• The list(s) have evolved in various ways over the 21 years to reflect changing business landscapes and heightened expectations of CPAs.

• The last five years saw an increasing trend relating to the CPA’s unique perspective to comment on the use and importance of technology.

• TTI continues to recognize the enablement of paradigm shifts in the delivery of CPA services – whether in public practice or in industry.


Why Add the Audit Committee and Executive Mgmt?

• This list represents questions currently being asked by audit committees, CEOs, CFOs, etc. to AICPA members responding to the TTI survey.

• They reflect expectations by this constituency as to the ability of CPAs to consult and advise on critical areas of IT Governance and Risk Management.

• CPAs, whether as part of their audit involvement or participating in various management advisory or employment roles, should be sufficiently prepared to discuss these matters with the above stakeholders.

• The ability to appropriately discuss these questions can create competitive situations with other CPAs in the market.


2010 Top Technology Initiatives – 2 Lists

How Do You Use Technology in Your Everyday Work To Deliver on Client or Employer Commitments?

• This list provides technologies ranked 1 – 10 that surveyed members of the AICPA believe will grow in importance over the next 12 – 18 months. The objectives of this list are very similar to those published over the past 21 years through the AICPA’s Top Technology Initiatives.

What are Audit Committees and Executive Management asking of CPAs as it relates to Information Technology?

• As new technologies mature, businesses show interest in adopting IT to achieve competitive advantage. Increasingly, CPAs are asked to guide and assist in the selection, implementation and assessment of technology investments and effectiveness. Many clients expect their CPAs to deliver trusted advisor guidance relating to IT’s impact on the business.


What Audit Committees and Executive Managers are Asking of Their CPAs


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 1

• Are we ensuring that our data and technology resources are protected against hacking, viruses, or other compromises?

• Ongoing Security Training
• Management support and policies
• Frequent Risk and Countermeasure Assessment
• Properly configured firewalls and antivirus
• System Patches Current
• Review Access Controls
• Segregation of Duties


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 2

• Are we considering/implementing organizational security precautions even though we haven’t had a data breach or loss?

• Maintain Confidentiality, Integrity, and Availability (CIA) preventative controls
• Defense in depth
• Offsite backup and testing of systems and data
• Disaster recovery and business continuity planning
• “War Games” simulations
• Incident response plans


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 3

• Are our current internal controls and IT governance policies and procedures effective?

• Well constructed and maintained security policy
• Penetration testing
• Thorough and frequent vulnerability assessments
• Assess legal and regulatory requirements for compliance environment
• See US Government NIST governance 800 Series http://csrc.nist.gov/publications/PubsSPs.html


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 4

• Are we receiving the most relevant and current information from our reporting functions (business intelligence, dashboards, etc.) or are there areas for improvement?

• Business Intelligence involves creating value from “siloed” data
• Release locked up data
• Key finance benefit – not just an IT benefit
• Validate and standardize data – not just a grouping of spreadsheets or dashboards


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 5

• Have we implemented sound/appropriate privacy policies and procedures within the organization and for our customers?

• Review all privacy rules applicable to specific environment (medical, financial, etc.)
• Require written privacy policy for organization
• Determine FTC “Red Flag Rules” applicability and required actions
• Do employees acknowledge no right to privacy on company systems (i.e. e-mail)?


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 6

• Are we appropriately considering the IT risks associated with the organization in initial planning of any audit or attest engagement?

• Attest engagement covers all major functions of the IT function in the organization
• Use standardized and validated metrics to evaluate IT risk factors across business units
• Written guidelines established by audit committee covering risk assessment models, tools, etc.


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 7

• Are we capturing the appropriate control objectives during the initial planning of any audit or attest engagement to address the IT risks associated with the organization?

• Are assurance efforts focused on areas of higher risks vs. easy to audit controls?
• What risks are/aren’t addressed by general controls reviews or SAS 70s?
• What type of recognized standards or guidance is leveraged to help ensure that appropriate concerns are addressed?


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 8

• Should we refresh our core and financial accounting software to leverage technology efficiencies every few years?

• Large, complex organizations should generally schedule major technology changes to achieve specific objectives.
• Systems as pervasive and complex as financial accounting software require significant time and expense to refresh.
• Significant technology changes should not be made lightly or on a predetermined schedule.


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 9

• Can our data remain safe if we utilize cloud computing / Software as a Service (SaaS) services?

• Security is a concern when using cloud computing / SaaS.
• Consider obtaining a valid SAS 70 (or new SSAE 16 when available) attestation Type II report.
• Understand the limitations inherent in a SAS 70 / SSAE 16 report – It is no guarantee of absolute security in the cloud.
• Consider the need for onsite due diligence and ongoing monitoring.


2010 Top Technology Initiatives

Strategic Priorities, List 1 – Item Number 10

• Can we deliver on our service and product promises to our customers if we utilize cloud computing / Software as a Service (SaaS) services?

• Many believe that cloud computing / SaaS will experience explosive growth over the next few years.
• Carefully selected cloud computing / SaaS infrastructures can be reliable and relatively inexpensive platforms for customer service.
• A significant amount of due diligence is required to determine the best Cloud / SaaS providers.


Key Takeaways

• The demand for CPA services has expanded to include guidance with information technology issues.

• Client executives will very likely ask questions on IT issues, and the 2010 TTI provides a defined resource in preparing for the CPA’s expanded role in IT.

• Information security, in various forms, is a key concern for most businesses. This subject takes the top concern on both of the 2010 TTI lists, and information security has been the top concern on the single TTI list for eight consecutive years.


Key Takeaways

• Virtualization, cloud computing, and SaaS will probably take on larger roles as active IT projects in the near future. Prepare to advise on these technologies.

• Some businesses are more evolved than others on the technology curve, and there are still opportunities to assist with mature technologies.

• Fundamental IT issues are often overlooked in the rush of day-to-day operation. Backup execution, disaster recovery, and business continuity are key concerns for TTI and should be considered as part of any IT review.


Key Takeaways

• IT governance, including compliance with privacy laws, and IT audit planning are key concerns for many executives. Familiarity with compliance issues and SAS 70 (soon to be SSAE 16) will probably increase in importance.


FOR FURTHER INFORMATION

• Contact Joel directly at:

Joel Lanz

Joel Lanz, CPA, P.C.

471 N. Broadway-pmb 395

Jericho, NY 11753

(516) 933-3662

[email protected]

www.joellanzcpa.com

• Visit www.joellanzcpa.com for related articles and other related presentations