Everyone’s Been Hacked Now What?. OakRidge What happened?

Slides:



Advertisements
Similar presentations
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Advertisements

Control and Accounting Information Systems
Control and Accounting Information Systems
Internal Control.
The Islamic University of Gaza
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
Security Controls – What Works
Audit Planning and Analytical Procedures Chapter 8.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
CHAPTER 10 UNDERSTANDING INTERNAL CONTROLS Fall 2007
Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.
CHAPTER 9 UNDERSTANDING INTERNAL CONTROLS Winter 2004
Internal Control Pertemuan 05 s.d 06 Matakuliah: F0712 / Lab Sistem Informasi Akuntansi Tahun: 2007.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Section 404 Audits of Internal Control and Control Risk
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.
Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.
Information Systems Controls for System Reliability -Information Security-
INTERNAL CONTROL OVER FINANCIAL REPORTING
Statement on Auditing Standards (SAS) 112 Communicating Internal Control Related Matters Identified in an Audit.
Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator Auditor Responsibility?
Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.
Auditing Internal Control over Financial Reporting
Chapter 8 Introduction to Internal Control Systems
Chapter 9: Introduction to Internal Control Systems
An Accountant’s Look at the Changing Horizons within SOX 404 Presented to Colorado Bar Association’s Securities Law Group Presented by Bill Evert Hein.
Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator Auditor Responsibility?
Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator Auditor Responsibility?
Planning an Audit The Audit Process consists of the following phases:
Auditing Internal Control over Financial Reporting
Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
Introduction to Internal Control Systems
INTERNAL CONTROL OVER FINANCIAL REPORTING
Implementation Issues of Sarbanes-Oxley CASE Presentation September 23, 2004 By Denise Farnan.
Chapter Three IT Risks and Controls.
Chapter 5 Internal Control over Financial Reporting
Page 1 Internal Audit Outsourcing The Moss Adams Approach to Internal Audit Outsourcing Proposed SOX 404 Changes.
Considering Internal Control
Internal Control in a Financial Statement Audit
Everyone’s Been Hacked Now What?. OakRidge What happened?
Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.
NO FRAUD LEFT BEHIND The Effect of New Risk Assessment Auditing Standards on Schools Runyon Kersteen Ouellette.
Internal Control in a Financial Statement Audit
1 Chapter Three IT Risks and Controls. 2 The Risk Management Process Identify IT Risks Assess IT Risks Identify IT Controls Document IT Controls Monitor.
Learning Objectives LO5 Illustrate how business risk analysis is used to assess the risk of material misstatement at the financial statement level and.
1. IT AUDITS  IT audits: provide audit services where processes or data, or both, are embedded in technologies.  Subject to ethics, guidelines, and.
Roadmap to Maturity FISMA and ISO 2700x. Technical Controls Data IntegritySDLC & Change Management Operations Management Authentication, Authorization.
5-1 McGraw-Hill/Irwin ©2007 by the McGraw-Hill Companies, Inc. All rights reserved. Chapter 5 Internal Control Evaluation: Assessing Control Risk.
Richard F. Chambers, CIA, CGAP Vice President, IIA Learning Center The Institute of Internal Auditors.
[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.1 Internal.
CHAPTER 5 INTERNAL CONTROL OVER FINANCIAL REPORTING.
McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.
Chapter 9: Introduction to Internal Control Systems
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 7-1 Chapter Seven Auditing Internal Control over Financial Reporting.
Everyone’s Been Hacked  Now What?. OakRidge What happened?
McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Auditing Internal Control over Financial Reporting Chapter Seven.
Internal Control Chapter 7. McGraw-Hill/Irwin © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. 7-2 Summary of Internal Control Definition.
Control and Security Frameworks Chapter Three Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
Chapter 5 Evaluating the Integrity and Effectiveness of the Client’s Control Systems.
Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.
©©2012 Pearson Education, Auditing 14/e, Arens/Elder/Beasley Considering Internal Control Chapter 10.
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall. Chapter
Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.
Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
SUNY Maritime Internal Control Program. New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls.
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Presentation transcript:

Everyone’s Been Hacked Now What?

OakRidge What happened?

Other Hacks What other hacks were mentioned? We know about HB Gary

So..... Kaminsky says, “No one knows how to make a secure network right now.

Do you know if you’ve been hacked? According to Richard Bejtlich, chief security officer for computer security firm Mandiant, which has helped Google and many other companies conduct forensics and clean up their networks after an attack, the average cyberespionage attack goes on for 458 days, well over a year, before a company discovers it’s been hacked. So if hackers are everywhere and everyone has been hacked, what’s a company to do?

New Realities What data needs to be and what does NOT need to be on the network How should data be transmitted?

Information Security and Sarbanes-Oxley Compliance: An Exploratory Study Wallace, Lin, and Cefaratti (2011)

SOX 302 What are the requirements? The signing officers have reviewed the report The report does not contain any material untrue statements or material omission or be considered misleading The financial statements and related information fairly present the financial condition and the results in all material respects The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities Any significant changes in internal controls or related factors that could have a negative impact on the internal controls

SOX 404 Assess Effectiveness of Internal Control No Prescribed Framework

Section 409 Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.

Section 802 all audit or review papers must be maintained for a period of 5 years How are audit/review papers maintained in 2012?

Frameworks COSO Model for controlling and managing Internal Control COBIT IT Governance / NOT IT Security Specifically What needs Controls ISO Specific IT Security Controls How To

ISO 1. Security Policy 2. Organizational Security 3. Asset Classification and Control 4. Personnel Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Systems Development and Maintenance 9. Business Continuity Management 10. Compliance In all there are 124 recommended IT controls

Findings What is the Extent that ISO controls are in place? Most Common: Controls such as deploying antivirus software and authenticating remote users accessing the network Least Common Protecting equipment from unauthorized access and tracking the location of removable computer media

“Not Sure” Responses CPA’s selected “not sure” more frequently than non- CPA’s CISA’s selected “not sure” less frequently than non-CISA’s Certified Information Systems Auditor

Training Auditors with IT Training 35 more controls were likely to be implemented IT employees participate in SOX Compliance 55 more controls were likely to be implemented IT personnel received SOX compliance training 65 more controls were likely to be implemented

SOX 404 Reported Internal Control Weaknesses: A Test of COSO Framework Components and Information Technology Klamm and Watson (2009)

Overview Examined IT and non-IT Controls Material Weaknesses with respect to COSO Components Material Weaknesses were mapped to specific a specific COSO component IT Vs. non-IT MWs

COSO Components Control environment Foundation Sets tone of the firm integrity, ethical values, competence, philosophy, and operating style of the firm’s managers and employees Risk assessment identification, analysis, and management of (operating, economic, industry, regulatory) risks that may prevent a firm from achieving its objectives Management implements control activities segregation of duties, approvals, reviews, reconciliations, and authorizations Information & Communication timely capture and dissemination of pertinent information on internal and external events communication among and between management, employees, suppliers, and customers Monitoring continual evaluation of the other components’ effectiveness.

Findings Weak Control Environment is related to other weaknesses in COSO components Weak Monitoring is related to weak risk assessment and control activities Financial Statement reliability is affected by the number of weak COSO components IT related MW’s are associated with a greater amount of non-IT related MW’s IT related MW’s are related with: More misstatements Greater overall number of MWs

The effect of IT controls on financial reporting Grant, Miller & Alali (2008)

SOX (a) Management statement of responsibility over Internal Controls & Assessment of Internal Controls 404 (b) Auditors must attest and report on managements assessment Report Material Weaknesses in Internal Control and Remediation Plan Most Companies use COSO as Internal Control Framework

COSO & IT General IT Controls Ensure proper operations Application IT Controls Ensure proper functioning of software Processing of transactions Storage of Data

Findings IT Deficiency ranked 6th among all MWs IT Deficiency -> Internal Control deficiency IT Deficiency -> accounting errors revenue recognition receivables, investments, and cash issues inventory, vendor, and cost of sales issues financial statement, footnote, US GAAP, and segment disclosures issues IT Deficiency -> Higher Audit Fees

IT internal control weaknesses and firm performance: An organizational liability lens Stoel & Muhanna (2011)

Internal Control SEC definition: policies and procedures for the recording of transactions and maintenance of financial records Since modern enterprises are heavily dependent on integrated computer- based systems “internal control over financial reporting” process regulated by the SEC must include controls over the accounting and management process as well as over the organizational IT infrastructure and systems. Statement of Auditing Standards No. 94 (SAS 94) affirmed that the nature and characteristics of a company's use of information technology affect the company's internal control over financial reporting and requiring auditors to consider information technology as an integral part of overall internal controls (AICPA 2001). Therefore, SOX requires review of Accounting Internal Control as well as IT controls

IT Controls Pertain specifically to IT systems, processes and infrastructure used to capture, process and record raw transactional data corresponding to economic events as well as support the preparation of financial reports Encompass the management, operational, and technical safeguards or countermeasures prescribed for the firm's information systems to protect the Confidentiality Integrity Availability of those systems and their information

Overview What is the business value of IT Controls? What is the relationship between IT Quality and ROA? IT Control MW’s -> Lower ROA