From the June/July 2006 Issue
When automated accounting and banking programs were first introduced, there
was a common and misplaced expectation that technology would somehow automatically
prevent such problems as embezzlement and identity theft. As we move further
into the computer age, though, it’s becoming obvious that the human factors
involved in working with automated systems are essential to minimizing thefts
and managing risks.
The most common embezzlement scenario in the small business world involves
a business owner who is so busy running the operation that the control of financial
matters is entrusted to an employee with an accounting software program. The
program enables one person to perform all of the cash-related functions of the
business, thereby bypassing basic internal controls such as the separation of
the duties of receiving and disbursing funds, writing and signing checks, and
reconciling bank accounts. In such a scenario, technology actually facilitates
the perpetration of fraud.
At the same time, accountants are expected by clients, the general public and
(all too often) jurors, to always detect fraud and advise and warn clients about
their exposures to fraud. The expectation to always detect fraud can be extremely
difficult to meet, but the expectation to advise and warn is much less difficult.
And by advising and warning clients of their exposures, accountants can reduce
liability stemming from the expectation to detect fraud.
Advice from accountants to clients regarding their business fraud exposures
typically includes having the clients do the following:
- Separate cash-related duties;
- Take an active role in activities such as opening and reviewing bank statements;
- Conduct background checks on employees who handle finances; and
- Consider an independent inspection by an anti-fraud specialist.
Advice to business owners regarding their fraud exposures from the use of
technology typically includes a checklist such as the following:
Essentially, anyone with enough knowledge about computer programs and bookkeeping
can conceal just about anything unless a business has controls in place to prevent
Electronic Information Security
As more people are victimized by identity theft, accountants need to pay more
attention to the secure transmission and storage of documents containing social
security numbers, bank and credit card account numbers, driver’s license
numbers, birth dates, and medical information. Personal identity information
should be protected at all times in computer programs and in transmissions via
the Internet. Tax and accounting firms should try to obtain computer software
that provides adequate security features. This can be a challenge in light of
the fact that some popular programs provide little in the way of security features.
Operating systems and software programs should provide “restricted user”
or “restrictions to user” modes to offer basic protection of information.
Such modes keep users from having any more rights or access to a system or program
than they need, also known as the “least privilege” concept. “Local
administrator” modes offer little protection from users damaging the system
or breaching security.
Accountants should never e-mail tax returns or other personal information
documents without client consent. Nor should they do so without a layer of encryption,
a digital certificate, password protection or other means of protecting sensitive
information (e.g., Adobe Acrobat can provide password protection for its *.PDF
files). When client personal identity information is transmitted via the Internet,
accountants should require sufficient security measures of third-party providers,
such as the following:
- Encryption techniques;
- The use of private leased lines or virtual private networking (VPN) connections
with authorized users;
- The processing integrity and availability of the information;
- Whether the third-party provider has had an engagement performed (internal
or external) on the security of their systems; and
- Whether the third-party provider has obtained an independent security attestation
regarding their systems.
Third-party providers can use various measures and computer protections that
prevent downloading, printing, scanning or copying client information. Some
use nondisclosure agreements with employees and incorporate firewall security
measures to help prevent outsiders from hacking into the system.
More information on firm privacy issues can be found at www.aicpa.org/privacy.
Electronic Media & Record Retention
The use of technology by accounting firms to render client services has resulted
in more than 90 percent of all business documents being created electronically.
And only 30 percent of those documents are ever committed to paper, according
to Kroll Ontrack, Inc. (www.krollontrack.com),
a company specializing in computer forensics and the collection and
production of electronic and paper evidence.
All data and information that exist on a firm’s backup storage systems
and computers (which may also include personal and laptop computers from home)
are subject to discovery in a lawsuit, resulting in large increases in the volume
of litigation documents. With discovery typically representing 50 percent of
litigation costs in an average case, firms have cause for concern.
A firm will want to address the use of electronic documents and establish
guidelines for document management, which includes document storage and disposal,
file organization, naming conventions, archiving and control of software application
versions (version control). All software applications should enable users to
record when and by whom documents are created, changed or imaged. Applications
should also include security features that authenticate the date and time a
document is created, changed or imaged, and by whom.
Software applications are almost always superseded, requiring the accounting
firm to save the application in a secure environment along with the firm’s
records. This will ensure that the records can be retrieved regardless of whether
the software is still supported or even if the provider is still in business.
There are also issues in maintaining records in two environments: The client
may be running one version at the client site while another version is at the
accountant’s office with the client records. The two versions and environments
may then become out of sync with each other.
Changes to the software or data bring up the issue of version control (i.e.,
matching the updated version in one environment to the outdated version in another
environment). Another issue is data validation, or ensuring that both environments
produce the same records and numbers. The Sarbanes-Oxley Act and subsequent
SEC rules have provided guidance in the realm of publicly held company audits
(“Ten Tips for Effective Electronic Data Management”), but other areas
of law and accounting are still evolving.
For example, in September 2005 the U.S. Judicial Conference approved amendments
to the Federal Rules of Civil Procedures (the “playbook” for civil
litigation in the U.S. federal court system). The amendments are designed to
address the impact of electronically stored information on civil litigation,
but the Rules are projected to take effect on Dec. 1, 2006, after the U.S. Supreme
Court promulgates them and Congress approves them, according to Kroll Ontrack, Inc.
Certain states have also implemented statutes and rules relating directly
to the discovery of electronic documents. Accounting firms will want to stay
current on the rules in the states where they do business, either through legal
counsel or other resources such as those listed
E-mail messages are subject to discovery and therefore should be addressed
by an e-mail usage policy that defines the circumstances under which e-mail
use is authorized and not authorized. Guidelines should also be established
for deleting or retaining e-mail messages, according to the nature of the e-mail
and the firm’s general record retention policy. Since e-mail continues
to exist on both the sender’s and recipient’s hard drive or server
because of backup systems, an IT specialist may need to be consulted regarding
the use of e-mail “overwriting” software that will permanently remove
it. In addition to establishing guidelines, the policies should also be consistently
followed. Issues may arise if firm personnel are not consistently following
their own policies on the retention and purging of information.
Voicemail is also widely used during client engagements but is not considered
as secure as e-mail. Nor is it recommended as a form of documentation for storage
and retrieval. All significant communications should be put in writing to facilitate
clear communication with clients and to preserve a clear record of advice provided
and decisions made. Recorded telephone conversations tend to fall in the same
category as voicemail, but state laws vary so widely on the subject that an
attorney should be consulted before recording any telephone conversation.
Instant Messaging (IM) is also subject to discovery in a lawsuit but is another
method of communication that is not considered secure or recommended for retaining
and storing information pertaining to firm clients. Most documents that are
created electronically are accepted by courts into evidence records as long
as the document can be authenticated as an unaltered original, does not amount
to hearsay, and comes with evidence establishing its contents, who created it,
and how it was created. Some software providers have had legal analyses prepared
on the admissibility into evidence of documents that have been duplicated or
stored by their systems. Accounting firms should obtain a copy of such analyses
and have an attorney with expertise on rules of evidence review them in light
of legal considerations.
Hard Drive & Server Cleansing
Accounting firms are also responsible for securing adequate disk cleansing processes
before recycling or selling computers and servers. The Gramm-Leach-Bliley Act,
the Health Insurance Portability and Accountability Act (HIPAA), and other regulations
require enterprises to employ secure data sanitization procedures in order to
minimize the risk of stolen personal identity information.
Some approaches to protecting personal identity information on a drive before
it is released are considered inadequate. For example, deleting or clearing
a file does not always remove it from the hard drive. The file just disappears
from a directory or list of files, but it can be retrieved by someone who knows
how. This applies to e-mail as well. Formatting or reformatting a hard drive
is a popular way to remove data from it, although formatting is not 100 percent
effective in removing all data.
Many organizations outsource data sanitization and drive disposal to an external
service provider. The advantages to this option are that some providers will
offer the following:
- On-site destruction of hard drives;
- A certificate of data destruction, which should verify adherence to EPA
- An audit or paper trail of the serial-numbered inventory and a description
of the equipment, method of disposal, and date of disposal, in the event the
accounting firm faces an audit, litigation, investigation or other inquiry;
- Indemnification for improper data disclosures.
Firms choosing to outsource data sanitization and drive disposal should perform
appropriate and thorough due diligence before contracting with a provider, as
firms should with any third-party provider that will be handling confidential
client data. Contractual agreements with third-party service providers should
contain language indicating that the third-party provider will treat any client
data it receives as confidential and will not allow any unauthorized disclosures
or use of the information; and the provider will be financially responsible
for any unauthorized disclosures or use that it commits.
The use of technology has brought with it new liability exposures as well
as the need for accounting firms to establish risk management processes to address
those exposures. Firms that commit the time to succeed in managing the risks
will find themselves much more insurable than they would otherwise be and will
more fully reap the significant benefits technology has to offer.
Ric Rosario, CPA, CFE, is vice president of risk management services with
CAMICO Mutual Insurance Company.
A Certified Fraud Examiner with experience in public accounting and private
industry, he advises CAMICO’s member-owners and other CPAs on loss prevention
principles and techniques. Several of his articles have appeared in national
publications, and he co-authored the CCH-published books, “CPA’s
Guide to Loss Prevention Practices” and “CPA’s Guide to Effective
Engagement Letters.” Rosario is also active with many state society and