JIS Senior Editors' Blog

Journal of Information Systems

    Aggravated Cybersecurity Risks: Implications for Accounting and Auditing Research and Practice
    blog entry posted April 22, 2014 by Roger S Debreceny, last edited September 9, 2014, tagged research, teaching

    There have been a number of important cybersecurity breaches in recent months. This blog posting reviews some of these breaches and points to some of the guidance and standards that assist organizations in building reliable and repeatable security infrastructure. The blog analyzes recent guidance on cybersecurity risks from the Center for Audit Quality, which I see as taking an overly conservative view of the implications of the risk environment for internal control over financial reporting. Finally, I canvass the implications for the academic research community.

    Aggravated Cybersecurity Risks
    Implications for Accounting and Auditing Research and Practice

    A Heightened Threat Environment

    Over the last several months we have seen some important cybersecurity challenges faced by several organizations. Probably the most important of these was the breach of credit card and customer data at Target Corporation. The attacks on Target Corporation, Neiman Marcus and many other organizations are all indicative of a heightened threat environment. In this blog posting, I review some of these cybersecurity breaches and point to some of the guidance and standards that assist organizations in building reliable and repeatable security infrastructure. In my view, the heightened cybersecurity risks have clear implications for the conduct of IT audit, which is a core concern for the accounting information systems community served by the Journal of Information Systems. I analyze recent guidance on cybersecurity risks from the Center for Audit Quality, which I see as taking an overly conservative view of the implications of the risk environment for internal control over financial reporting. Finally, I canvass the implications for the academic research community.

    Target and Neiman Marcus breaches

    In December 2013, Target Corporation confirmed that information on more than 40m credit and debit cards had been exfiltrated from its networks. In January, Target disclosed that, in addition to the loss of card information, information on “guests” was stolen, including “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals” (goo.gl/Gz1Hev). In a world where loss of personal data seems a daily occurrence, these are truly startling numbers. There are clearly severe implications of the breach for Target in direct costs, an array of class action suits, suits against Target from attorneys-general in states and territories, and enforcement actions by regulators, notably the Federal Trade Commission. Target is also likely to face action from credit card issuers through the Payment Card Industry Security Standards Council (PCI). Indeed, as recently as September 2013 Target had been certified as compliant with PCI-DSS.

    Congress has not been silent in the matter, with hearings from the Commerce and Judiciary committees. While working on my teaching, I watched the Commerce Committee hearing with Target, Neiman Marcus, the University of Maryland and representatives of the FTC and VISA (the hearings are archived at goo.gl/TSrcrN). The hearings were enlightening, and are highly recommended if you have a spare four hours available. Appearing in front of the Committee, amongst others, were John J. Mulligan, CFO of Target Corporation, and Dr. Wallace Loh, President of the University of Maryland. The university suffered a breach of identifying information of more than 300,000 students and alumni.

    Concomitantly with the hearings, the Commerce Committee published an analysis of the Target breach in a delightfully titled majority staff report, “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach” (goo.gl/zRnKBe). The report provides an excellent overview of the timelines in the breach, the technologies involved and the various breakdowns in Target’s monitoring and controls. The Executive Summary of the report notes that:

    Key points at which Target apparently failed to detect and stop the attack include, but are not limited to, the following:

    • Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.
    • Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.
    • Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.
    • Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network. (p. i)


    Using publicly available information on the breach, the Commerce Committee report shows how the bad actors were able to leverage compromised e-business partner credentials to gain access to Target’s networks. Unsurprisingly, the credentials from the e-business partner were obtained following spear phishing attacks. The report shows how multiple urgent alerts from behavioral network monitoring software were ignored by Target’s security personnel. Figure 5 of the report shows the points in the kill chain where Target missed opportunities to prevent the exfiltration of information. Unfortunately, the report does not provide details on how the bad actors were able to gain access to the “guest” data, which is of significantly greater value to those actors than credit or debit cards.
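The third point in the staff report, that a vendor foothold could be turned into access to the systems holding consumer data, is a segmentation question that can be checked mechanically. The following Python script is an added example written for this post; it is not from the Senate report, from Target, or from the Journal. The zone names, the two flow policies and the isolation rules are constructed for illustration, not a description of any real network. It computes what a given zone can reach transitively through the allowed flows and reports each isolation rule that a policy violates, together with the chain of zones that makes the violation possible.

```python
"""Zone-based segmentation check (constructed example, not Target's network).

A policy is a list of allowed flows (source zone -> destination zone). An
isolation rule states that one zone must never be able to reach another,
directly or through intermediate zones. The check walks the zone graph and
names the path behind every violated rule, which is the finding a reviewer
would hand back to the network team."""

from collections import deque

# Constructed "weak" policy: the vendor portal may talk to the corporate LAN,
# and the corporate LAN may talk to the POS/cardholder segment. Neither hop
# looks alarming on its own; together they link the vendor to card data.
WEAK_POLICY = [
    ("vendor_portal", "corporate_lan"),
    ("corporate_lan", "pos_segment"),
    ("corporate_lan", "internet"),
    ("pos_segment", "payment_processor"),
]

# Constructed "hardened" policy: the vendor portal reaches only the
# building-management zone it actually needs, and nothing bridges the
# corporate LAN to the POS segment.
HARDENED_POLICY = [
    ("vendor_portal", "building_mgmt"),
    ("corporate_lan", "internet"),
    ("pos_segment", "payment_processor"),
]

# Isolation rules to assert: (source zone, zone it must NOT be able to reach).
ISOLATION_RULES = [
    ("vendor_portal", "pos_segment"),
    ("pos_segment", "internet"),
]


def _adjacency(policy):
    """Build a zone -> set(of directly reachable zones) map from the flow list."""
    adjacency = {}
    for src, dst in policy:
        adjacency.setdefault(src, set()).add(dst)
    return adjacency


def reachable_zones(policy, start):
    """Return every zone reachable from `start` by following allowed flows
    transitively (breadth-first search; `start` itself is not included)."""
    adjacency = _adjacency(policy)
    seen = set()
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_path(policy, start, goal):
    """Return one list of zones leading from `start` to `goal` along allowed
    flows, or None if `goal` is unreachable."""
    adjacency = _adjacency(policy)
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in adjacency.get(zone, ()):
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None


def check_isolation(policy, rules=ISOLATION_RULES):
    """Evaluate each isolation rule against `policy`. Returns a list of
    (source, forbidden_destination, path) tuples; an empty list means every
    rule holds."""
    violations = []
    for src, forbidden in rules:
        path = find_path(policy, src, forbidden)
        if path is not None:
            violations.append((src, forbidden, path))
    return violations


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        reach = sorted(reachable_zones(policy, "vendor_portal"))
        print(f"{name} policy: vendor_portal can reach {reach}")
        for src, dst, path in check_isolation(policy):
            print(f"  VIOLATION: {src} reaches {dst} via {' -> '.join(path)}")
```

Run against the weak policy the script reports that the vendor portal reaches the POS segment through the corporate LAN; against the hardened policy it reports nothing. The same transitive check applies to any flow inventory (firewall rule exports, cloud security-group graphs) once it is reduced to zone-to-zone edges.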

    Figure 6 of the report gives a timeline of the breach, showing the length and complexity of the kill chain.

    The Commerce Committee has been active in promotion of national legislation but without much success thus far. There is draft legislation (“The Data Security and Breach Notification Act”) before the Commerce Committee but other similar bills from the House and Senate have withered away and this bill will probably suffer the same fate.

    Recent developments in guidance

    Over the years, the security standards landscape has become heavily populated. ISO/IEC 17799, now renumbered as ISO/IEC 27002, provides a useful framework for security management. The COBIT IT governance framework has always had security as a core component. COBIT 5 for Information Security presents an IT security centric view of COBIT. The NIST 800 series from the National Institute of Standards and Technology (NIST) provides guidance for federally regulated organizations such as financial institutions. At the national level, in February NIST published its “Framework for Improving Critical Infrastructure Cybersecurity” (goo.gl/a41MrX). This framework was a response to an executive order from President Obama in 2013. To readers of the other guidance listed above, the framework will be familiar. The framework describes four tiers that “describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.” The tiers are closely aligned to the levels of process maturity in CMM and CMMI. Importantly, the framework does not see the world ab initio. Rather, it is tightly coupled with COBIT 5, ISO and NIST 800. What is important about the Framework is that it represents a national and integrated perspective on hardening information security defenses for a wide range of organizations.

    Reaction by regulators in the securities and audit domain

    The issue of information security has also been of heightened interest to the Securities and Exchange Commission (SEC). The Commission held an all-day Cybersecurity Forum in March, archived at goo.gl/JAOoj8. There were four panels on the “cybersecurity landscape,” “public company disclosure,” “market systems,” and “broker-dealers, investment advisers, and transfer agents.” Panelists included Mary E. Galligan, Director, Cyber Risk Services, Deloitte & Touche, and Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology. The quality of the archived webcast reminds me of video on the Internet in the last millennium, but it is well worth listening to.

    The response to the increased threat environment by other regulators and professional organizations closer to the accounting and AIS community has been mixed. A search for “cybersecurity” on the PCAOB website turned up only the following November 2013 statement from PCAOB Board Member Harris in the context of the Board’s strategic direction (see goo.gl/f2v3DX):

    The Board will also continue to monitor current events and emerging trends that may lead to increased audit risk. For example, cybersecurity risk recently has become a topic of concern for the Securities and Exchange Commission and other financial regulators. Such risks pose significant issues for companies such as: increased security costs; loss of material intellectual property; claims by customers; and litigation. Therefore, I believe that auditors must examine the internal controls companies have in place to address such risks. I think it important that the Board will consider forming an internal task force and preparing a practice alert related to cybersecurity and its impact on audits. I support the formation of such a task force and the issuance of an audit alert, if the Board deems such an alert appropriate.

    There was also a comment by one of the participants in the most recent meeting of the Board’s Standing Advisory Group (SAG) pointing to the significantly elevated importance of cybersecurity in the mindshare of corporate board and audit committee members. There seems, however, to be no concrete action by the PCAOB on security at any point in its history. Similarly, a search of the Auditing Standards Board did not reveal any targeted (so to speak) action on security.

    Prior to the aforementioned SEC roundtable, the Center for Audit Quality (CAQ) issued a practice alert on “Cybersecurity and the External Audit” (available at http://goo.gl/oG1bJ0). In the absence of detailed guidance from the PCAOB or ASB, the practice alert presents the best guide to thinking in the auditing community on the implications of cybersecurity for the external audit. I encourage all in the AIS community to read the practice alert. I am, however, concerned that the practice alert downplays the risks to internal control, and ultimately to the integrity of financial reporting, that come from information security threats. The alert states:

    The responsibility of the independent auditor relates to the audit of the  financial statements and, when applicable, the audit of internal control over financial reporting (ICFR). The financial reporting-related information technology (IT) systems and data that may be in scope for the external audit usually are a subset of the aggregate systems and data used by companies to support their overall business operations and may be separately managed or controlled. Accordingly, the financial statement and ICFR audit responsibilities do not encompass an evaluation of cybersecurity risks across a company’s entire IT platform.

    It is difficult to quibble with this statement. Many corporations will have production systems running on different local area networks quite distinct from those systems such as sales systems that feed the core accounting applications or the core accounting applications themselves. The “entire IT platform” is not in scope. The alert goes on to state, however, that:

    Systems and data in scope for most audits usually are a subset of the totality of systems and data used by companies to support their overall business operations, and the audit’s focus is on access and changes to systems and data that could impact the financial statements and the effectiveness of ICFR. In contrast, a company’s overall IT platform includes systems (and related data) that address the operational, compliance and financial reporting needs of the entire organization.

    From an operational risk or privacy perspective, companies implement processes and controls to restrict access to their systems, applications and data, including third party records and other sensitive information. Accordingly, given the focus on a narrower slice of a company’s overall IT platform, the execution of an audit of the financial statements and ICFR in accordance with professional standards likely would not include areas that would address such a cybersecurity breach. However, if information about a material breach is identified, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on ICFR. (Emphasis added).

    This seems almost dangerously naïve. The practice alert argues, essentially, that application systems within the scope of ICFR are typically corralled from other operational systems, and that therefore the external auditor need not concern herself with broader questions of information security and cybersecurity risks and controls. If recent events such as the Target Corporation and Neiman Marcus breaches teach us anything, they teach us that cybercriminals are capable of burrowing deep within corporate networks and attacking a wide variety of application systems. As the Commerce Committee staff report on Target notes, “it appears that the attackers succeeded in moving through various key Target systems.” Just because an ERP or General Ledger system is on a different local area network than production management or logistics systems does not, in my view, reduce the risk of external attack. Given the centrality of accounting information systems to the functioning of corporations, and the wealth of data residing on those systems that is likely to be of great interest to cybercriminals, surely the external auditor should consider the potential risks that come from cybersecurity threats. Perhaps the CAQ had a typographical mishap and the word “not,” highlighted above, was not meant to be in the alert?

    Information Security and the Accounting Information Systems Research Community

    And now we turn to the role played by our accounting, auditing and AIS research community in general and the Journal of Information Systems in particular. How well has the accounting and auditing research community met the challenge faced by enterprises, governments and not-for-profits? Not well. As a quick metric, I searched the last five years of abstracts of papers published in all AAA journals, using the keywords “security,” “cybersecurity challenges,” and “information security.” The search revealed only six references, interestingly all published in the Journal of Information Systems. This compares with 64 papers on “earnings management” and 72 papers on “audit fees” and “audit pricing.”

    In the broader academic community, there are a limited number of initiatives from the AIS community that involve information security. For many years, Efrim Boritz at the University of Waterloo has organized a biennial symposium on information assurance, which touches lightly on information security. Accounting at the Robert H Smith School of Business at the University of Maryland is organized into the Accounting and Information Assurance (AIA) Department, with Larry Gordon and Marty Loeb conducting vital research on information security. At the University of Akron, Akhilesh Chandra and Thomas Calderon, along with other colleagues, organize an annual symposium on information security, hosted by the Center for Research and Training in Information Security and Assurance (CReTISA). While individually important, these initiatives are hardly indicative of a robust teaching and research attack on information security in our community.

    As senior editors of the Journal of Information Systems, Mary Curtis and I are very much interested in publishing leading edge research in information security. As might be imagined, we are particularly interested in papers that have a strong connection with our accounting and auditing community. The first theme issue we initiated was on Information Security. The theme issue is edited by Dr Akhilesh Chandra, Professor of Accounting and Director of the Institute for Global Business, The University of Akron and Carlin Dowling, Associate Professor at The University of Melbourne. Papers close on October 15 and the call for papers is at aaahq.org/InfoSys/JIS/calls/InfoSecurity2014_Oct.pdf. 

    Roger Debreceny
    Senior Editor
    Journal of Information Systems

    April 2014

    Comment

    • John Alan

      Thanks for sharing a valuable post regarding cyber security risks and threats for accounting and auditing. This will provide reliable information to all professional accountants to have a safe and secured online accounting procedure.