Get the fox out of the hen house: CPAs have the right skills to perform IT risk assessments for clients.

Author: Russell, Larry
Position: 2003 Technology & Business Resource Guide: Risk Assessment

It's hard to go through a day without hearing about the increasing number of security risks that threaten our information systems--and the biggest risk to a company's information is its employees.

The Association of Certified Fraud Examiners estimates that more than 75 percent of crimes against a business originate from inside the company. The fastest-growing fraud activity is theft or damage of electronically stored data.

So what's at risk? Virtually all accounting records, customer data, credit card information, trade secrets and any other information stored on a computer. Firewalls, virus protection or even locks don't protect against internal risks because company employees--armed with knowledge of and access to the company's information system--are already past the main gate. The fox is in the hen house.

Before computers, information risk was easier to evaluate. Internal controls focused on the segregation of duties and procedures that applied checks and balances to the management of a company's assets. But the enormous volume of digitally stored data adds a new dimension to the information risk equation.

If appropriate safeguards are not in place, employees can copy, modify or destroy data without detection. The Internet adds yet another risk: unauthorized access to data from virtually anywhere. The books are no longer locked in the corporate tower.

A CLOSE LOOK

An information technology risk assessment identifies critical data, the access paths to that data, and the employees who have, or could obtain, access to it. It also examines a system's integrity, reliability, ownership and system documentation. It reviews the company's disaster recovery and business continuity plans; evaluates employee policies and procedures; and tests the internal control structure.
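As an added example (not part of the original article), the following Python script shows the kind of access-path analysis such an assessment rests on: it resolves nested directory groups down to the employees who can actually reach critical data, records the chain of groups that grants each one access, and flags users who hold both halves of a segregation-of-duties rule of the sort described above. Every group, share, user and rule in it is constructed sample data.

```python
"""Effective-access and segregation-of-duties check for an IT risk assessment.

Added example: resolves who can actually reach critical data through nested
directory groups, records the access path, and flags users who hold both
halves of a segregation-of-duties rule.  All groups, shares and names below
are constructed sample data, not real client data.
"""
from collections import deque

# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    "Finance": {"alice", "bob", "AP-Clerks"},
    "AP-Clerks": {"carol", "dave"},
    "IT-Admins": {"erin", "Helpdesk"},
    "Helpdesk": {"frank"},
    "Domain Users": {"alice", "bob", "carol", "dave", "erin", "frank", "grace"},
}

# Constructed ACLs on critical data: share -> {principal: rights}.
# "full" stands for full control and implies every other right.
ACLS = {
    "fs01/GL": {"Finance": {"read", "write"}, "IT-Admins": {"full"}},
    "fs01/Vendors": {"AP-Clerks": {"read", "write"}, "Domain Users": {"read"}},
    "fs01/Payments": {"Finance": {"write"}, "IT-Admins": {"full"}, "grace": {"read"}},
}

# Segregation-of-duties rules (constructed): nobody should be able to both
# modify the vendor master and release payments.
SOD_RULES = [("fs01/Vendors", "write", "fs01/Payments", "write")]


def has_right(rights, wanted):
    """True if `rights` grants `wanted` directly or via full control."""
    return wanted in rights or "full" in rights


def expand_principal(principal, groups):
    """Map every user reachable from `principal` to the group chain that grants it.

    Returns {user: [outer_group, ..., inner_group]}; a principal that is not a
    group is treated as a user with an empty chain.  Breadth-first traversal
    keeps the shortest chain, and the `seen` set makes group cycles harmless.
    """
    if principal not in groups:
        return {principal: []}
    users, seen = {}, {principal}
    queue = deque([(principal, [principal])])
    while queue:
        name, chain = queue.popleft()
        for member in groups[name]:
            if member in groups:
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:
                users.setdefault(member, chain)
    return users


def effective_access(acls, groups):
    """Resolve each ACL to named users: {share: {user: {"rights", "via"}}}."""
    result = {}
    for share, entries in acls.items():
        per_user = {}
        for principal, rights in entries.items():
            for user, chain in expand_principal(principal, groups).items():
                entry = per_user.setdefault(user, {"rights": set(), "via": []})
                entry["rights"] |= rights
                path = " <- ".join([user] + chain[::-1]) if chain else f"{user} (direct)"
                entry["via"].append(path)
        result[share] = per_user
    return result


def who_can(access, share, right):
    """Sorted list of users holding `right` on `share`."""
    return sorted(u for u, e in access[share].items() if has_right(e["rights"], right))


def sod_conflicts(access, rules):
    """Users who hold both halves of any segregation-of-duties rule."""
    found = []
    for share_a, right_a, share_b, right_b in rules:
        holders_b = set(who_can(access, share_b, right_b))
        for user in who_can(access, share_a, right_a):
            if user in holders_b:
                found.append((user, share_a, right_a, share_b, right_b))
    return sorted(found)


if __name__ == "__main__":
    access = effective_access(ACLS, GROUPS)
    for share, users in access.items():
        print(share)
        for user in sorted(users):
            print(f"  {user:6} {sorted(users[user]['rights'])}  via {users[user]['via']}")
    for user, share_a, right_a, share_b, right_b in sod_conflicts(access, SOD_RULES):
        print(f"SoD conflict: {user} can {right_a} {share_a} and {right_b} {share_b}")
```

Run it as a script to print the resolved access and any conflicts. In a real engagement the GROUPS and ACLS dictionaries would be populated from exported group membership and share permissions; the nested-group case in the sample (carol and dave gain payment rights only because AP-Clerks is itself a member of Finance) is exactly what a review of top-level group names alone misses.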

Now, a tech person can attach a laptop to a client's domain and extract passwords, log files, security rights and other data, but may not be qualified to perform an internal control risk evaluation. This is where a CPA's training in evaluating internal control comes into play. It takes a CPA's understanding of the client's business environment, materiality and strategic thinking to evaluate the control risks.

Adding information risk assessments to the CPA's bag of tricks is not that difficult. There is a group of specialists--certified information technology professionals--who are designated by the AICPA and trained to provide this service. Many professional staff members have the tech...
