For David Cieslak and the Information Technology Group, deciding to provide security services to clients, including CPA firms, seemed unavoidable in California in the post-Enron era.
Like what you see? Click here to sign up for Accounting Today's daily newsletter to get the latest news and behind the scenes commentary you won't find anywhere else.
“We can hear the sound of the distant train coming,” says Cieslak, a principal of ITG, the technology affiliate of CPA firm Hamilton, Boynton & Speakman, based in Encino, Calif. The train in California includes a recent law affecting CPAs and their security systems.
“You have to report you’ve been hacked. You’ve got to send announcements to all of these people that ‘I may have exposed all of your confidential information,’” says Cieslak, who is familiar with the state regulatory stance, having served as president of the California Education Foundation board and who is a current member of the board of the California Society of CPAs.
“All of these things have one thing in common, using the Internet. We either know it and we know the upsides and downsides, and how to mitigate risk or that we are aligned with providers that can help cover the exposure,” says Cieslak. For California CPAs, “unless you are taking minimal steps to protect yourself, you are out of your mind,” he continues.
There are certainly many big firms that have been providing security services for longer. But Cieslak and ITG saw the requirement as an opportunity to develop a new revenue stream. Cieslak began by getting his GSEC certification (See sidebar, page 16), after attending a six-day boot camp, and taking two exams. There are a confusing number of security standards, many more complex, but this one, “says you are checked out in the fundamentals of information security,” says Cieslak.
ITG has developed three levels of security assessment. A LeveI I assessment is “something that can be commoditized. We come in and evaluate your security readiness as it comes to the SANS and FBI Top 20 risk. We’ll give you a report on how you are presently positioned,” he says. Level II offers penetration testing and helping clients develop a written security policy, while Level III is still being developed by the ITG systems engineering group. The company offers different levels of testing, depending on whether clients security assessment have full-time IT staffers.
Level I is being priced at a $995 fixed fee, and provides the client with a schematic and a security report, including the expected costs of getting an organization in compliance.
ITG is rolling out the service to its installed base before soliciting new business, and is also marketing it to the Hamilton, Boynton, & Speakman client base. The firm is now appearing at Chambers of Commerce to talk about the issues. Cieslak sees lots of potential because security issues affect all businesses with computers. “This is a service for home-based businesses on up to the small and medium-sized businesses,” he notes. The company will also provide Level II assessments for enterprise-size clients.
Standards? Pick One
The security business provides a confusing set of standards coming from both the accounting and technology sides, and experienced professionals like Bruce Nearon often blend different standards together.
“There are several different ways to go about it,” says Nearon, director of IT security audit for the Roseland, N.J.-based sister firms, Cohn Consulting and J.H. Cohn. “There is the old tried-and-true way of evaluating policies and procedures-just run what’s referred to as a vulnerability assessment by using scanning software. Such a procedure involves plugging in the computer, selecting a menu item, and running a report.”
Beyond that, there are standards such as CoBit- “really rigorous. It’s only a guide. Nobody is required to follow it, but they cover everything end-to-end” - ISO 17999, an international standard that’s even more rigorous; those from the National Institute of Standards and Technology-”very specific about what you have to do”-and SysTrust, the standards developed for the American Institute of CPAs.
Nearon believes the new Trust Services standards, a blend of SysTrust and WebTrust, are not as rigorous as the previous SysTrust standards, but may be easier to sell because “they are more palatable to the auditor and the client. The client gets a letter saying ‘everything is okay’ and the auditor has significant leeway in exactly what they are going to do and what they are going to allow.”
Despite the number of standards available, Cohn has created its own, based on the report of COSO, the Committee of Sponsoring Organizations of the Treadway Commission on Fraudulent Financial Reporting. The AICPA adopted COSO for SAS 78, the auditor’s consideration on internal controls, and the SEC recommended it be adopted for internal control consideration under Sarbanes-Oxley.
The Cohn standards mix starts with COSO, then moves to SAS 94 “which is essentially COSO. Then we work CoBit into it,” notes Nearon. “The only other things we use are documents provided by Practical IT Auditing, the successor to the Handbook of IT Auditing.” The firm also uses information from the SANS (SysAdmin, Audit, Network, Security) Institute.
“If that doesn’t give us everything we need, we go to the vendors,” says Nearon. In fact, vendors are the word of last resort on security, particularly with Big Blue. “With the IBM systems, there are no ifs, ands or buts,” says Nearon. “We use IBM’s recommendations.”
For Cohn, security is an ongoing business, both for the firm’s clients and for clients of other CPA firms. It has performed about 150 such engagements over four months. Cohn provides the service under the other firms’ names. “They are taking responsibility for the audit,” says Nearon. “We are just specialists.”
In fact, Nearon says the only way to sell such services is as part of the audit.
“I wouldn’t try to sell this work outside of the audit,” he says. He views treating security as an IT issue a mistake many businesses make.
“The problems we come across aren’t new. They are from the inside, not the outside,” says Nearon. The problems are more often managerial than technical, “It’s a lack of monitoring. Senior management doesn’t really have any IT objectives and they leave it to the IT department,” he says. The results can be expensive. In the case of one Cohn client, “if they had spent $100,000 on improving controls, they could have avoided seven figures in potential legal liability.”
The IT View
Despite the audit issues, the Peoria, Ill., based-firm of Clifton Gunderson has been steadfast in running its four-year-old security practice through its IT arm.
Clifton Gunderson started its security business as a niche practice from its Washington, D.C. office, which runs the business as a national niche practice. The practice now has a dozen full-time consultants and roughly another dozen “where security is a main part of their job,” says Matthew Camden, the firm’s chief technology officer.
All consultants have the Certified Information Systems Auditor (CISA) credential from the Information Systems Audit and Control Association.
“We are positioning security as a consulting service,” says Camden. “There is a push on to sell it as an audit service because it has a higher perceived value and it’s an annuity. But because security has grown up on the technology consulting side, and not the audit side, we’re not ready to do the security audit.”
Camden’s organization offers traditional security reviews based on SAS 70 and CoBit. Intrusion detection and penetration testing was added about three years ago, used especially for government and not-for-profit clients, while the third arm utilizes the AICPA’s SysTrust standards.
Camden says the firm has received most of its SysTrust engagements through referrals because of its activities with the AICPA’s SysTrust committee. “We gained the work that the Big Four didn’t want,” he says. He has some concerns whether the perceived value of SysTrust will survive the current marriage between that program and the AICPA’s WebTrust standards.
But security reviews are going back to their roots, embracing not just hardware and software, but the people part of the equations “where it’s really important to know what you are doing in intrusion detection and penetration,” he says.
A security assessment is crucial because “clients often don’t know what they need,” says Camden. “Intrusion detection may only be the beginning.” Many businesses don’t realize that the easiest way for an intruder to access a firm’s technology may simply be to walk into an office and find an open terminal.
Security is a profitable business, with typical CG engagements ranging from $15,000 to $50,000 with client size “all over the board,” says Camden. It is also a recurring business.
“You have to recheck this every year,” says Camden. “There is no guarantee that three months from now we will have the same security issues.”
Get Expert Help
Because of the changing nature of security, few organizations have the expertise to handle all of the possible problems. One of the major pieces of advice for computer users of all kinds is to get expert help.