Ethics and Decision Making

April 17th, 2012 by

“It is our choices that show what we are, far more than our abilities.” – Harry Potter and the Chamber of Secrets by J.K. Rowling.

‘Ethics’ is derived from the Greek “ethos,” meaning character. Ethics is the study of how we make decisions. Ethics really looks at the relationships between people and the environment around them.

Understanding ethics is about understanding people’s decision-making process. People are forced to make decisions because they face trade-offs. For example, what can you be doing with your time now instead of reading this blog? This concept is also known as opportunity costs. If you spend your resources on one project, what other project could benefit from those resources?

The major trade-off ethically is the promotion of self-interest versus other people’s rights. Have you ever asked someone in a movie theater to turn off a smart phone? No matter how nicely you pose the question, inevitably, the person sees it as an encroachment on his/her personal rights. To him/her, the self-interest is using the phone for texting, playing games, etc., but you have paid to see the movie, and you have the right to see it without distractions. If you could agree with the other person that no smart phones should be used in the theater, then we would have no need for laws (Coase’s Theorem).

CPAs are faced with trade-offs when working with client financials. Clients prefer to have higher income when presenting financials to investors and banks, but then also want to show lower income when reporting to the IRS. What is the best way to represent financials?

The best way to represent financials is in the most ethical way possible using the appropriate accounting guidance. If a client asks you to inflate or deflate numbers, you should think about the reasons why and remember that your ultimate responsibility is to the readers of the financials and not to your client. This concept may be difficult to grasp, as it is your clients that maintain the working relationship with you and pay you. It is imperative that you remain independent and objective, as the reputation of the CPA profession falls squarely upon all of our shoulders. When the public doubts the assurance from CPAs, the government steps in and establishes more legislation to police our profession.

In addition to representing financials in the most ethical way possible, it is important for CPAs to stay educated on the ethical rules of our profession. Reading ethical blogs like this one, taking ethics CPE training courses, and discussing ethical dilemmas with fellow CPAs will strengthen our collective ethical behaviors.

About the Authors:

George is an instructor for the AuditSense team, specializing in providing ethics and core-level staff training. Since 1976, George has worked in many areas of accounting, focusing on Auditing and Accounting Education. In 1976, he participated in the Internal Auditor Intern Program at the Clark Equipment Company. While working for the public accounting firm of Deloitte, Haskins, and Sells, George served as a Senior Assistant Auditor and a Comprehensive Business Services Consultant.

Elizabeth Pittelkow is an Accounting Manager at ArrowStream, and she works in the areas of accounting, taxes, and financial reporting. Elizabeth previously worked in Finance at Motorola and in Assurance at PricewaterhouseCoopers. While at PricewaterhouseCoopers, she audited large public-accelerated GAAP filers, IFRS filers, private equity-owned companies, and non-profit businesses.

So Why Is It So Important for My Audit Client to Have User Security Groups?

June 3rd, 2011 by

As auditors, it is sometimes hard to see exactly how technology could impact our audit. All of this talk of user groups is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” I mentioned in my earlier post that I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. More specifically, each case involved users who had conflicting duties granted through their user security rights. This month we’ll cover the second of four topics:

  1. Password security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

User Security Groups

With password parameters in place, we can now focus on whether or not a client is limiting what access a user has within the system.

  • Does the client set up security access based on the user’s job responsibilities? This is a critical area for the IT general controls. A common problem for clients is having users with security rights that create a segregation of duties conflict (e.g., CFOs who can enter journal entries, an Accounts Payable user who can both create vendors and pay invoices). We expect to see these conflicts in smaller organizations and have to look to other controls to mitigate them. Those compensating controls are typically some type of manual review, which gives us less assurance. Whenever possible, look for the segregation to be enforced through the system security rights: it is much easier to audit and provides more assurance.
  • Has the client set up their users in groups? What do I mean by groups? When a user group is used, the group’s security rights can be adjusted once and every member of that group inherits the change. This provides a much more efficient way of managing user rights, and if it is easier to maintain, it is more likely to be right. Many times a client’s initial response is yes when asked if they use user groups. Upon further investigation, though, it often becomes apparent that this is not the case. Many clients will set up a user by granting detailed, specific system access directly to that user, also known as “cherry picking.” The problem with this approach is that any change in access must be made user by user. Look for user groups. They are easier to audit, easier for the client to maintain, and make the client’s periodic user access reviews much easier.
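
The two checks above (job-based rights with no segregation-of-duties conflicts, and rights granted through groups rather than cherry-picked per user) can be scripted once the client exports group definitions and user memberships. The example below is added here and is not code from the original post; the group, user and permission names are constructed for illustration, and the conflict rules are the two examples the post gives.

```python
# Added example (not from the original post): an auditor-style segregation-of-duties
# check over group-based user rights. All names below are constructed sample data.

# Conflicting permission pairs, taken from the post's own examples
SOD_RULES = {
    ("create_vendor", "pay_invoice"): "AP user can create vendors and pay invoices",
    ("enter_journal_entry", "approve_journal_entry"): "same user enters and approves JEs",
}

# Constructed group definitions: group -> set of system rights
GROUPS = {
    "AP_CLERK": {"enter_invoice", "pay_invoice"},
    "VENDOR_MAINT": {"create_vendor", "edit_vendor"},
    "GL_ACCOUNTANT": {"enter_journal_entry"},
    "CONTROLLER": {"approve_journal_entry", "run_reports"},
}

# Constructed users: group memberships plus any rights granted directly to the
# user outside of a group ("cherry picking"), which the post says to look for
USERS = {
    "alice": {"groups": {"AP_CLERK"}, "direct": set()},
    "bob": {"groups": {"AP_CLERK", "VENDOR_MAINT"}, "direct": set()},
    "carol": {"groups": {"GL_ACCOUNTANT"}, "direct": {"approve_journal_entry"}},
    "dave": {"groups": {"CONTROLLER"}, "direct": set()},
}


def effective_rights(user):
    """Union of the user's group rights and any directly granted rights."""
    rights = set(user["direct"])
    for group in user["groups"]:
        rights |= GROUPS[group]
    return rights


def sod_findings(users=USERS):
    """Return (user, finding_type, description) tuples: one per SoD conflict and
    one per right granted outside a group."""
    findings = []
    for name, user in sorted(users.items()):
        rights = effective_rights(user)
        for (a, b), description in SOD_RULES.items():
            if a in rights and b in rights:
                findings.append((name, "SOD", description))
        for right in sorted(user["direct"]):
            findings.append((name, "DIRECT_RIGHT", f"{right} granted outside a group"))
    return findings


if __name__ == "__main__":
    for finding in sod_findings():
        print(*finding, sep=" | ")
```

Bob's conflict comes purely from two group memberships, while Carol's comes from a cherry-picked right layered on top of a group, which is exactly the case a group-only review would miss.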

Passwords provide assurance that the right people are logging into the systems; security groups provide assurance that those people can only perform the system functions we would expect. Both areas are critical to securing the information in an organization’s financial systems.

Next time we’ll talk about periodic user reviews….

About the Author:

Tony F. Scott, CISA, is Founder & CEO of Technical Financial Solutions, LLC (www.TFSUS.com). TFS is a Georgia-based IT compliance audit firm with a national reach, serving clients across the United States. TFS specializes in IT general controls testing for Financial Statement audits as well as SAS70/SOCIII engagements. TFS also specializes in HIPAA security and HITECH Act security assessments, serving over 65 hospitals in the Southeast.

“Whatever you do, do it heartily, as to the Lord and not to men.” Colossians 3:23

What Does a Password Have to Do with My Audit?

April 13th, 2011 by

As auditors, it is often difficult to see exactly how technology could impact our audit. All this talk of passwords, user setup and system security is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” We’d like to think that everyone is always honest, but there are more financial pressures than ever in today’s economy, and we are all human. When security is not correct, it creates open doors to fraud. I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. Technically, greed was the root cause, but you know what I mean!  So what can we do, and how do we communicate the need to close these “open doors” to the client?  Here we cover the first of four topics:

  1. Password Security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

Password Security

We need to cover the basic general IT controls during our audit. Let’s talk about one key area: password controls.

First, we need to test controls around user passwords and see that their password parameters are in line with common standards:

  • 6-8 character password – take a look at these statistics on how long it takes to hack a password of a given length. The chart below shows the amount of time needed for an attacker to compromise a password with the stated length and character set. I think the chart says it all!

Password Length   All Characters    Only Lowercase
3 characters      0.86 seconds      0.02 seconds
4 characters      1.36 minutes      0.046 seconds
5 characters      2.15 hours        11.9 seconds
6 characters      8.51 days         5.15 minutes
7 characters      2.21 years        2.23 hours
8 characters      2.10 centuries    2.42 days

  • Complexity enabled – requiring upper- and lower-case letters, numerals and symbols significantly increases password strength. Additionally, using password logic such as the first letters of a phrase, with symbols substituted for certain letters, makes a password very strong.
  • Password expiration every 60-90 days – password expiration is a passionately debated setting. Some will tell you they would rather have a strong password that never expires, and some would say they want to change it every 30 days; somewhere in between is the more accepted answer. “Never expiring” settings increase the likelihood that others will obtain the password, whereas having the password expire too frequently only increases the likelihood that it will be found on a sticky note under the keyboard! An expiration of 60-90 days serves as a solid password life.
  • 3-5 passwords remembered – the password history matters because, when you are required to change your password, it prevents you from reusing the same one over and over.
  • 3-5 days minimum password age – a minimum-age setting prevents a user from changing the password 3-5 times in a row (cycling through the history from the previous bullet) just to get back to the original password.
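
The parameters above can be tested mechanically against an export of the client's password settings. The example below is added here and is not code from the original post; the setting names (min_length, max_age_days and so on) and the two sample configurations are assumptions constructed for illustration, not any product's export format, and it treats 8 characters as the floor on the strength of the chart above.

```python
# Added example (not from the original post): compare exported password-policy
# settings with the parameters listed in the post. Key names are assumed.

# Expected ranges from the post: (low, high); high=None means no upper bound.
POLICY = {
    "min_length":    (8, None),  # post allows 6-8; 8 used as the floor here (assumption)
    "max_age_days":  (60, 90),   # expiration every 60-90 days
    "history_count": (3, 5),     # 3-5 passwords remembered
    "min_age_days":  (3, 5),     # 3-5 days minimum password age
}


def check_password_policy(settings):
    """Return a list of exceptions; an empty list means the parameters are in line."""
    exceptions = []
    for key, (low, high) in POLICY.items():
        value = settings.get(key)
        if value is None:
            exceptions.append(f"{key}: not set")
        elif key == "max_age_days" and value == 0:
            # Many systems encode "never expires" as 0, so call it out explicitly
            exceptions.append("max_age_days: 0 (passwords never expire)")
        elif value < low or (high is not None and value > high):
            expected = f"{low}-{high}" if high is not None else f"at least {low}"
            exceptions.append(f"{key}: {value}, expected {expected}")
    if not settings.get("complexity_enabled", False):
        exceptions.append("complexity_enabled: off (upper/lower, numeric and symbols not required)")
    return exceptions


# Constructed sample configurations
WEAK_SETTINGS = {
    "min_length": 6, "complexity_enabled": False,
    "max_age_days": 0, "history_count": 1, "min_age_days": 0,
}
COMPLIANT_SETTINGS = {
    "min_length": 8, "complexity_enabled": True,
    "max_age_days": 90, "history_count": 5, "min_age_days": 3,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("compliant", COMPLIANT_SETTINGS)):
        print(label, check_password_policy(cfg) or ["no exceptions"])
```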

The true point of a password is to ensure that the user logging in really is that user. If passwords are weak, it opens the door to co-workers processing transactions as other users, as well as to unauthorized users gaining access to the financial data we rely on for our audit.

Next month we’ll talk about user security groups….

About the Author:

Tony F. Scott, CISA, is Founder & CEO of Technical Financial Solutions, LLC (www.TFSUS.com). TFS is a Georgia-based IT compliance audit firm with a national reach, serving clients across the United States. TFS specializes in IT general controls testing for Financial Statement audits as well as SAS70/SOCIII engagements. TFS also specializes in HIPAA security and HITECH Act security assessments, serving over 65 hospitals in the Southeast.

“Whatever you do, do it heartily, as to the Lord and not to men.” Colossians 3:23

Making Assumptions

March 7th, 2011 by

One of the things that can kill the effectiveness and efficiency of an audit engagement is making assumptions.  While they seem to save time at first, assumptions — if they turn out to be incorrect — can be quite harmful to an engagement.  Oftentimes, assumptions are made concerning the client, your staff, and how the audit will progress.  Some of the more common assumptions are as follows:

  1. The client will actually be ready on time.
  2. The staff professionals will be able to perform at a level that you will need them to perform, and detailed instructions will not be needed because the staff has been part of the firm for a year — despite the fact that this is a new industry for them.
  3. The client actually got the email that you sent and is vigorously working on putting together the requested schedules.
  4. The review will happen in the field as planned.
  5. There have been no changes in the general operations of the client.
  6. It is impossible to obtain data in an electronic form.
  7. The client personnel you will be working with will be knowledgeable, competent and available to you.
  8. The world of your client revolves around you for as many days as you are on-site during fieldwork.
  9. The time budgeted to perform the audit is sufficient, because there will be no major issues or roadblocks, and the budget was prepared properly.
  10. The files (whether electronic or hard copy) that you will need to complete the audit will look the same as in prior years, be stored in the same place and work the same way.

Yet another key to performing an audit in an effective and efficient manner is simply to take some time at the beginning of the engagement or, better yet, at the end of the prior year engagement and identify — perhaps with the client — ways in which the process could go smoother in the following year.

Are Evolving Modes of Communication Helping or Hurting Us?

November 17th, 2010 by

Whatever you want to call those handheld devices that once upon a time were referred to exclusively as telephones, there is no doubt that they are changing the way we communicate.  When we go to buy one now, we not only want to know about receptivity, but we also want to know all the specs concerning memory, resolution, megapixels, and what generation of mobile technology it is using.  It is not just the camera, calendars, games, web access and apps that are diminishing our vocal use of the phone; it is written electronic communications as well.

Perhaps it is not surprising that a survey taken by Nielsen found that people in their 50s and early 60s tend to talk on the phone as much as they ever did.  On the other hand, young adults, specifically 18 to 34 year olds, are talking on the phone substantially less, a fall from an average of 1200 to 900 minutes per month over the past two years.  During that same time period, there was an increase in the average number of text messages from 600 to more than 1400 per month in that same age group.  The reason given for this is that they feel the more personal nature of a phone call gives them less control over the communication than the more impersonal text message or email.  They also feel that phone calls are more interruptive to the other party than an incoming text message.

While the progress we have made technologically is fantastic, it appears that live, person-to-person voice communication is on a steep downslope.  The question is: does this help us or hurt us in our profession?

As with every debate, there are clearly two sides to the issue.  On the one hand, text messaging and emails do have their place.  First, they provide a record of the communication that can be invaluable.  For example, if you have given instructions to your team by email, you have that documentation to refer back to if a conflict arises.  Furthermore, emails can save a lot of time when you need to get clarification on an issue from a client that is not too complicated and has a short answer.

Where emails are not appropriate is when they are used as a substitute for calling in order to avoid speaking directly with a client.  That would not be the best approach for someone wanting to maintain or even improve client relations.  There may be times that it is unpleasant to call clients, especially if you are bringing them some bad news.  However, by not talking directly with them, you may miss certain opportunities with your clients such as:

  • solving problems that arise in the fastest and most efficient way possible — one phone call may save you a lot of time spent receiving and answering multiple emails,
  • learning more about your client’s business, thereby gaining more rapport with your client — the client may say things in person that he/she would not necessarily elaborate on in an email, and
  • adding timely value through your conversation and leaving the door open for additional work from your client.

I hear many times that newer staff are just too quick in sending email requests for information from clients as opposed to picking up the phone and having a real-time conversation with them.  Frankly, I think that we are all guilty of taking the easy, least-effective way sometimes when it comes to communications with other people.

I would be interested in what you think of this subject.  How would you handle it if it was to go the other way in that a client preferred emailing you, and he/she never returned your telephone calls?
