Whether you are a member of the Board of Directors, an Officer of the company, senior or middle management, you have probably dealt with IT security issues in the past few months. A recent survey by the AICPA and Chartered Professional Accountants of Canada showed that four of the top six technology initiatives in North America are related to security. From privacy to secure access to preventing fraud, dealing with the risks of IT seems to be overtaking the excitement of the potential productivity enhancements from the use of IT.
And the increasing prevalence of outsourcing IT and using the cloud is not solving these problems as many might have thought. Certainly there are benefits to outsourcing, including being able to rely on the “experts” instead of fighting to keep the right talent in-house. The problem is that, as COSO pointed out in its revised framework, you can outsource activity but you can’t outsource responsibility. In order to handle that responsibility, many companies include security terms in their contracts outlining what the outsourcer must do so that the company’s IT infrastructure is secure. Those terms may be the latest and greatest when the contract is signed, but what happens when the contract is three years old?
In the IT security world time works like dog years. It may be three years on the calendar, but it’s more like twenty-one years in terms of virtual age. Three years ago no one had even heard of denial of service attacks, day zero viruses or spear phishing, just to name a few of the latest IT security concerns. As an outsource provider, you certainly don’t want to be contractually on the hook for unknown future security requirements that can change at the whim of new customer management, but as a customer, you can be left feeling very vulnerable if your security protections are old and outdated.
I don’t know what the solutions to these problems are, but I do know that until we come up with a few, IT security issues will continue to take up more and more critical time from everyone in business.
It hit me as I was preparing for this Board meeting that this was my next to last meeting in New York with the Board. My three-year term is nearly up. It has been a great three years, and I am looking forward to the last meeting in August and my final act of making the audit committee presentation at the October AICPA Council meeting. Of course this just marks the end of one stage of my involvement with the profession. I will continue to serve on the AICPA council for two more years as I was nominated to complete the remaining two years of an unexpired term as a member at large. I will also continue to serve through the end of 2014 as the AICPA representative on the IFAC Professional Accountants in Business committee as well as the TSCPA Business and Industry Issues committee. Even though my term on the Board is nearing an end, there are plenty of issues that the Board will have to deal with this year and beyond. Some of them are highlighted in the remainder of this blog.
Mandatory Auditor Rotation – a big topic of discussion was the PCAOB and EU proposals around mandatory auditor rotation for public companies. We had a specific agenda item covering the results of the recent PCAOB roundtables on the subject, but it was also discussed within several other agenda items including the report from the CEO, the report from the Center for Audit Quality (CAQ), and the report on what is happening in Washington. The PCAOB proposals were seriously questioned by members of Congress (both Democrats and Republicans) at recent congressional hearings. The focus of the questions was on what issue is mandatory rotation trying to solve and are there better, less invasive ways to solve those issues. The PCAOB has made it clear they will be discussing this for a while before they even consider proposing any actual rule changes, so we all need to keep up with this issue as it continues to develop.
Cyber Security – If you weren’t aware, the AICPA was the subject of a spoofing attack recently. Over 90 million emails were sent out under a spoofed AICPA address stating that the AICPA was canceling your license. Putting aside the fact that the AICPA has no authority to cancel your CPA license, the incident had many impacts. Clicking on the link in the email resulted in an attempt to install malware on your computer that would potentially send key financial information to the people who launched the spoof. In addition, millions of the emails had bad addresses, so the AICPA email system was temporarily brought down by getting hit with millions of non-delivery email responses in less than 15 minutes. Keep in mind, this email didn’t come from AICPA systems – the people behind the spoof simply sent out emails from other systems that made it look like they came from the AICPA. The costs of dealing with this attack were significant, but not nearly as much as they would have been had the AICPA systems actually been breached. And this goes beyond just the immediate costs, as shown by these statistics.
- 25% of businesses have had a merger, acquisition or new product roll-out stopped or delayed by a cyber breach, per a McAfee/SIAC study.
- 20% of victims who have had data compromised cut ties with the institutions that compromised their privacy.
Like all businesses, the AICPA takes security and privacy very seriously and we have extensive controls and procedures to protect your personal information, but as always the controls start with you. If you get an email that looks or sounds strange, don’t be afraid to question it. Did it really come from the purported sender? Is this legitimate? Always ask those questions, no matter who the email is from, and don’t be afraid to call the sender to make sure it is real.
Total Tax Insights – the last thing I want to do is mention a tool that will soon be introduced by the AICPA in conjunction with its 125th anniversary in May. This tool will enable people to determine their total tax burden from all taxes (income, property, sales, gasoline, telephone, electricity, alcohol, cigarette, etc.) they pay down to the county level – all 3,035 of them. It will be a great way for people to understand the full tax burden incurred by different people at different income and wealth levels across the country. Be on the lookout for the launch of this fantastic tool.
The AICPA Spring Council meeting and 125th anniversary will take place in mid-May and I will update you on what happened at that meeting and other items impacting our great profession in the coming weeks.