The Threat Within
Can you really trust anyone?
Not if you're a CPA charged with protecting your company's greatest asset.
By Sheryl Nance-Nash
Illinois CPA Society INSIGHT Magazine
With the increasing number of data breaches, and the increasingly complex reporting requirements and hefty fines that accompany them, organizations far and wide are taking data security with ever-greater seriousness. CPAs play an important role in that process.
"Business intelligence is a company asset, no different than cash or a fixed asset," says Jonathan Bobb, CPA and partner with forensic accountants McGovern & Greene. "The role of the CPA in protecting business intelligence has dramatically changed in recent times," he stresses.
What types of data are likely to be on the target list? "Trade secrets rank highest," says Kelly Richmond Pope, associate professor of accounting at DePaul University, Chicago, and an expert in forensic accounting. Proprietary financial information, such as earnings projections and sales forecasts, is also high on the list, as well as product launch information, vendor information, employee records, customer data, company contracts and patent information, to name a few. The list is, in fact, intimidatingly long.
The finance department is the information center of any business. As more companies centralize operations, combining the functions of financial, sales and production analysis under one business intelligence umbrella, the CPA's role will continue to evolve into that of a strategic advisor who analyzes broad-range business trends system-wide.
Although hackers, cybercriminals and script kiddies are admittedly on a mission to gain unauthorized access to your company data, threats aren't limited to external attackers. Occupational fraud is high on the list of organizational concerns nationwide.
"Companies need to ensure that agreements are in place with all independent contractors and employees that clearly state that they have been paid for their work and that the company retains full and legal title/rights of those efforts and that contractors/employees commit to not disclosing any trade secrets or to utilize any items for their own gain/use," Bobb warns.
It's not necessarily that your employees are planning to defraud you. Rather, says Donny Shimamoto, founder of CPA consultancy IntrapriseTechKnowledgies and chair of the American Institute of Certified Public Accountants' Information Technology Executive Committee, it's their lack of awareness of the risks that tops the list of threats. "Employees must have an awareness of what data is subject to privacy, confidentiality. They need to be trained on what activities are allowed and which aren't, to know what to do if they think something has been compromised. It must be easy to report and no retribution," he says.
Email and social media continue to be big issues. "The amount of information that's exchanged via social media can be a major threat to an organization. The increased use of cloud computing also increases the risk of business intelligence breaches. How to secure information that remains in a cloud seems to be an area we are still learning about," says Richmond Pope.
In this era of BYOD--bring-your-own-device--CPAs also need an in-depth understanding of how employees use their smartphones and tablets for work purposes; in other words, what devices are supported by the company and how do they access company data? "A CPA can assist in reviewing the internal controls regarding the proper authorization and access of company information," Bobb stresses.
"At a minimum, CPAs should see to it that all server and computer equipment is protected, that proprietary software data and information is encrypted and that firewalls, digital certificates and other control measures are in place," says Jim Taylor, principal of consulting firm Greater Yield. "Access to sensitive and proprietary data should be restricted, and all personnel should be identified through unique passwords to track the activity of anyone logging into the business information system. There should be a daily security review of business intelligence access reports and monitoring of cash-flow data. Data should be classified."
Industrial espionage has been around for eons, and will be ever-present in the future.
"Technology has just made it easier for thieves to steal company secrets," Bobb explains. "What used to require an individual to gain access to a company's files by physical means, like breaking into a company's offices and accessing locked file cabinets, can now be done behind a computer from almost anywhere in the world with an internet connection."
Developing accounting professionals trained in both accounting and information technology is a major issue, says Richmond Pope. "We are developing professionals that can handle the demands of the changing times," she stresses.
"Accountants, MIS and IT professionals must work together," Taylor adds soberly. "Each discipline needs the knowledge, skills and abilities to recognize and thwart the ongoing threats being levied at today's business intelligence networks. Any decentralized approach to accounting makes compatibility errors more common and increases the chances of securities risks due to varying data-handling policies and procedures." It's no coincidence that finance and IT are increasingly falling under the CFO's purview.
"A good working relationship between IT and accounting is essential," Shimamoto confirms.