Ethics and Decision Making, Part 3

June 14th, 2012 by

“Merger possible. Jail certain.” John G. Johnson telegraphed this famous reply to his robber-baron clients when they asked for a merger that would have violated the Sherman Anti-Trust Act.

As CPAs, we need to possess integrity, and we also need to consider the integrity of our clients in both the client acceptance and client retention processes. Integrity means intending to do the right thing in all situations.

“I am looking for a new accountant because my accountant will not take a deduction for something I want to deduct. My sister’s hairdresser’s brother said that I should get this tax break.” As silly as that reasoning sounds, prospective clients bring up these types of issues all of the time. Ethically, what is appropriate for one client may not be the right advice for another client. One question that CPAs should always consider is why a prospective client is looking for a new accountant. A prospective client may not have a strong relationship with its current accountant or may be looking for an accountant to take an aggressive and possibly incorrect financial statement or tax position. Warning signs include when a prospective client:

  • wants to defer income to a future period for a more favorable future year
  • listens to his/her friends regarding tax treatment of transactions
  • retires and still wants to deduct “business expenses” (e.g. personal car)

Taking on these types of clients is not worth it if your personal ethics are challenged. Client acceptance and retention should always be a priority in our work as ethical CPAs.

About the Authors:

George is an instructor for the AuditSense team, specializing in providing ethics and core-level staff training. Since 1976, George has worked in many areas of accounting, focusing on Auditing and Accounting Education. In 1976, he participated in the Internal Auditor Intern Program at the Clark Equipment Company. While working for the public accounting firm of Deloitte, Haskins, and Sells, George served as a Senior Assistant Auditor and a Comprehensive Business Services Consultant.

Elizabeth Pittelkow is an Accounting Manager at ArrowStream, and she works in the areas of accounting, taxes, and financial reporting. Elizabeth previously worked in Finance at Motorola and in Assurance at PricewaterhouseCoopers. While at PricewaterhouseCoopers, she audited large public-accelerated GAAP filers, IFRS filers, private equity-owned companies, and non-profit businesses.

Ethics and Decision Making, Part 2

April 30th, 2012 by

A key to understanding how people make decisions is knowing that people are motivated by incentives. For example, Lawrence Kohlberg presents three levels of incentives:

  1. Preconventional – “There is no morality.” People make decisions based on fear of punishment. People do not steal inventory for fear of getting arrested or fired.
  2. Conventional – “I did nothing wrong!” “Everyone else does it!” People act to conform their behavior to the expectations of the groups to which they belong. It is against the law to speed on the way to work, but everyone else does it.
  3. Postconventional – “I did the right thing” regardless of what people think or say. People understand the reasoning behind a moral principle. A CPA should turn down a lucrative client because he/she knows that the client may ask the CPA to do things that do not follow the CPA’s ethical code.

Employees work at their jobs because their employers pay them. This example is a positive incentive. A CFO of a public company may not inflate financials for fear of being jailed. This example is a negative incentive.

As CPAs, we must balance the incentive of maintaining the public trust against maintaining our clients’ interests, which may not be the same. A client may want to report investments at historical cost if the values have declined, but the public would like to know the fair value of what those investments are worth today. It is important for CPAs to act with a postconventional framework and do the right thing for the public, even if the client does not agree. For example, if a client asks the CPA to change the method of accounting, the CPA needs to examine the reasons behind the change. Although the change may be permitted under accounting guidance, it may purposely inflate or deflate a number that the client is trying to manage. In other words, a change may be 100% legal but only 10% ethical when the different stakeholders are considered.

It is impossible for all CPAs to act with a postconventional framework. Therefore, the government has imposed rules upon our independence and objectivity, and the AICPA and state CPA societies have developed ethical committees to investigate unethical behavior by CPAs. These rules and watchdog activities will help curtail the behavior of those CPAs acting at the preconventional and conventional levels, but we challenge you to consider your own professional and personal situations with a postconventional view.

Ethics and Decision Making

April 17th, 2012 by

“It is our choices that show what we are, far more than our abilities.” – Harry Potter and the Chamber of Secrets by J.K. Rowling.

‘Ethics’ is derived from the Greek “ethos,” meaning character. Ethics is the study of how we make decisions. Ethics really looks at the relationships between people and the environment around them.

Understanding ethics is about understanding people’s decision-making process. People are forced to make decisions because they face trade-offs. For example, what can you be doing with your time now instead of reading this blog? This concept is also known as opportunity costs. If you spend your resources on one project, what other project could benefit from those resources?

The major trade-off ethically is the promotion of self-interest versus other people’s rights. Have you ever asked someone in a movie theater to turn off a smart phone? No matter how nicely you pose the question, inevitably, the person sees it as an encroachment on his/her personal rights. To him/her, the self-interest is using the phone for texting, playing games, etc., but you have paid to see the movie, and you have the right to see it without distractions. If you could agree with the other person that no smart phones should be used in the theater, then we would have no need for laws (Coase’s Theorem).

CPAs are faced with trade-offs when working with client financials. Clients prefer to have higher income when presenting financials to investors and banks, but then also want to show lower income when reporting to the IRS. What is the best way to represent financials?

The best way to represent financials is in the most ethical way possible using the appropriate accounting guidance. If a client asks you to inflate or deflate numbers, you should think about the reasons why and remember that your ultimate responsibility is to the readers of the financials and not to your client. This concept may be difficult to grasp, as it is your clients that maintain the working relationship with you and pay you. It is imperative that you remain independent and objective, as the reputation of the CPA profession falls squarely upon all of our shoulders. When the public doubts the assurance from CPAs, the government steps in and establishes more legislation to police our profession.

In addition to representing financials in the most ethical way possible, it is important for CPAs to stay educated on the ethical rules of our profession. Reading ethical blogs like this one, taking ethics CPE training courses, and discussing ethical dilemmas with fellow CPAs will strengthen our collective ethical behaviors.

So Why Is It So Important for My Audit Client to Have User Security Groups?

June 3rd, 2011 by

As auditors, it is sometimes hard to see exactly how technology could impact our audit. All of this talk of user groups is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” I mentioned in my earlier post that I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. More specifically, each case related to users that had conflicting duties granted by their user security. This month we’ll cover the second of four topics:

  1. Password security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

User Security Groups

With password parameters in place, we can now focus on whether or not a client is limiting what access a user has within the system.

  • Does the client set up security access based on the user’s job responsibilities? This is a critical area for the IT general controls. A common problem for clients is having users with security rights that create a segregation of duties conflict (e.g., CFOs who can enter journal entries, an Accounts Payable user who can both create vendors and pay invoices). We expect to see these conflicts in smaller organizations, and we have to look to other controls to mitigate the risk. These other controls are typically some type of manual review, which does not give us as much assurance. Whenever possible, look for the segregation to be enforced through the system security rights. It is much easier to audit and provides more assurance.
  • Has the client set up their users in groups? What do I mean by groups? When a user group is used, the group’s security rights can be adjusted once, and the change applies to every member of that group. This provides a much more efficient way of managing user rights. If it is easier to maintain, it is more likely to be right. Many times a client’s initial response is yes when asked if they use user groups. Upon further investigation, though, it often becomes apparent that this is not the case. Many clients will set up a user by giving them detailed, specific system access, also known as “cherry picking.” The problem with this approach is that a change in access for a user must be made at the individual user level. Look for user groups. They are easier to audit, easier for the client to maintain, and they make the client’s periodic user access reviews much easier.

Passwords provide assurance that the right people are logging into the systems. Security groups help provide assurance that those people are only able to perform the system functions we’d expect. These two areas are critical to securing the information in an organization’s financial systems.
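As an added example (not code from the original post), a small Python script that scans a user-access extract for the two conditions described above: segregation-of-duties conflicts, and rights granted directly to a user instead of through a group. The user names, right names, group names and conflict pairs are constructed sample data, not any client’s real configuration.

```python
# Added example, not from the original post: flag segregation-of-duties
# conflicts and "cherry-picked" (user-level) rights in an access extract.
from itertools import combinations

# Constructed sample extract: (user, right, how the right was granted).
SAMPLE_ACCESS = [
    ("jdoe",   "create_vendor",   "group:AP_Clerks"),
    ("jdoe",   "pay_invoice",     "user"),            # direct grant on top of group
    ("asmith", "post_journal",    "group:GL_Accountants"),
    ("cfo1",   "approve_journal", "group:Executives"),
    ("cfo1",   "post_journal",    "user"),            # CFO can also enter entries
    ("mlee",   "create_vendor",   "group:Vendor_Master"),
]

# Conflicting pairs taken from the post's examples (hypothetical right names).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "pay_invoice"}),
    frozenset({"post_journal", "approve_journal"}),
}

def rights_by_user(access):
    """Map each user to {right: granted_via}."""
    users = {}
    for user, right, via in access:
        users.setdefault(user, {})[right] = via
    return users

def find_sod_conflicts(access):
    """Return (user, right_a, right_b) for every conflicting pair a user holds."""
    found = []
    for user, rights in rights_by_user(access).items():
        for a, b in combinations(sorted(rights), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                found.append((user, a, b))
    return found

def find_direct_grants(access):
    """Return (user, right) for rights assigned at the user level, not via a group."""
    return [(u, r) for u, r, via in access if via == "user"]

if __name__ == "__main__":
    for u, a, b in find_sod_conflicts(SAMPLE_ACCESS):
        print(f"SoD conflict: {u} holds both {a} and {b}")
    for u, r in find_direct_grants(SAMPLE_ACCESS):
        print(f"Direct grant (move into a group and review): {u} -> {r}")
```

Both lists are what an auditor would want on the workpaper: the first drives the mitigating-control discussion, the second shows whether groups are actually in use.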

Next time we’ll talk about periodic user reviews….

About the Author:

Tony F. Scott, CISA, is Founder & CEO of Technical Financial Solutions, LLC (www.TFSUS.com). TFS is a Georgia-based IT compliance audit firm with a national reach, serving clients across the United States. TFS specializes in IT general controls testing for Financial Statement audits as well as SAS70/SOCIII engagements. TFS also specializes in HIPAA security and HITECH Act security assessments, serving over 65 hospitals in the Southeast.

“Whatever you do, do it heartily, as to the Lord and not to men.” Colossians 3:23

What Does a Password Have to Do with My Audit?

April 13th, 2011 by

As auditors, it is often difficult to see exactly how technology could impact our audit. All this talk of passwords, user setup and system security is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” We’d like to think that everyone is always honest, but there are more financial pressures than ever in today’s economy, and we are all human. When security is not correct, it creates open doors to fraud. I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. Technically, greed was the root cause, but you know what I mean! So what can we do, and how do we communicate the need to close these “open doors” to the client? Here we cover the first of four topics:

  1. Password Security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

Password Security

We need to cover the basic general IT controls during our audit. Let’s talk about one key area: password controls.

First, we need to test controls around user passwords and see that their password parameters are in line with common standards:

  • 6-8 character password – take a look at these statistics on how long it takes to crack a password of a given length and character set. The chart below shows the amount of time needed for an attacker to compromise a password with the stated attributes. I think the chart says it all!

Password Length   All Characters   Only Lowercase
3 characters      0.86 seconds     0.02 seconds
4 characters      1.36 minutes     0.046 seconds
5 characters      2.15 hours       11.9 seconds
6 characters      8.51 days        5.15 minutes
7 characters      2.21 years       2.23 hours
8 characters      2.10 centuries   2.42 days

  • Complexity enabled – requiring a mix of upper- and lower-case letters, numerals and symbols significantly increases password strength. Additionally, password logic such as using the first letter of each word in a phrase, with symbols substituted for certain letters, makes a password very strong.
  • Password expiration every 60-90 days – password expiration is a passionately debated setting. Some will tell you that they would rather have a strong password that never expires, and some would say that they want to change it every 30 days. Somewhere in between is the more accepted answer. “Never expiring” settings increase the likelihood that others will obtain the password, whereas having the password expire too frequently only increases the likelihood that the password will be found on a sticky note under the keyboard! An expiration of 60-90 days serves as a solid password life.
  • 3-5 passwords remembered – password history is important so that when you have to change your password, you are prevented from reusing the same one over and over.
  • 3-5 days minimum password age – a minimum-age setting prevents a user from changing the password 3-5 times in a row (the number remembered in the previous bullet) just to get back to the original password.

The true point of a password is to ensure that the user logging in is really that user. If passwords are weak, it opens the doors to co-workers being able to process transactions as other users as well as allowing unauthorized users to gain access to the financial data we are relying on for our audit.
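As an added example (not code from the original post), a small Python check that compares a system’s password settings against the five parameters listed above and returns one finding per setting outside the recommended range. The policy dictionaries and their key names are constructed sample data; real applications expose these settings under their own names.

```python
# Added example, not from the original post: test a password-parameter extract
# against the ranges the post recommends. Key names are hypothetical.

# Constructed sample extracts, as might be read off a security settings screen.
WEAK_POLICY = {"min_length": 4, "complexity": False, "max_age_days": 0,
               "history": 0, "min_age_days": 0}
GOOD_POLICY = {"min_length": 8, "complexity": True, "max_age_days": 90,
               "history": 5, "min_age_days": 3}

def check_password_policy(policy):
    """Return a list of (setting, finding) pairs; an empty list means all pass."""
    findings = []
    if policy["min_length"] < 6:
        findings.append(("min_length",
                         f"{policy['min_length']} chars; expect 6-8 or more"))
    if not policy["complexity"]:
        findings.append(("complexity",
                         "disabled; require upper, lower, numeric and symbol"))
    age = policy["max_age_days"]
    if age == 0:                      # 0 is commonly how "never expires" is stored
        findings.append(("max_age_days", "never expires; set 60-90 days"))
    elif age < 60 or age > 90:        # too frequent invites sticky notes; too long invites sharing
        findings.append(("max_age_days", f"{age} days; set 60-90 days"))
    if policy["history"] < 3:
        findings.append(("history",
                         f"{policy['history']} remembered; expect 3-5"))
    if policy["min_age_days"] < 3:    # without this, history can be cycled in minutes
        findings.append(("min_age_days",
                         f"{policy['min_age_days']} days; expect 3-5"))
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("good", GOOD_POLICY)):
        result = check_password_policy(policy)
        print(f"{name}: {'pass' if not result else ''}")
        for setting, finding in result:
            print(f"  {setting}: {finding}")
```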

Next month we’ll talk about user security groups….
