By Carly Lombardo
Like what you see? Click here to sign up for Accounting Today's daily newsletter to get the latest news and behind the scenes commentary you won't find anywhere else.
Entrepreneurship is a Porter Keadle Moore core value, and that’s well demonstrated by the cutting-edge activities of its Information Technology Assurance Services Group.
“If CPAs don’t become involved in technology, they’re not going to have a full understanding of their clients’ businesses,” says Terry Ammons, CPA partner-in charge of the Atlanta-based ITAS. “Our job is to get companies to understand technology and IT controls.”
That duty has assumed increased urgency in recent months, since Section 404 of the Sarbanes-Oxley Act of 2002 now requires that management of a public company file, in tandem with its year-end financial statement, an assessment of internal controls as they relate to the company’s financial reports. “Since our practice is focused on small registrants of the Securities and Exchange Commission, the importance of controls in general and IT controls in particular are more than a vogue,” states Ammons, who is a Certified Information Systems Auditor.
ITAS targets small and medium-sized financial institutions, related service companies, and bank service corporations throughout the U.S. The group specializes in IT control and Management Information Systems reviews, Statement on Auditing Standards 70 (Processing of Transactions by Service Organizations) reports, e-commerce and Internet banking reviews, and assessments of trust services. ITAS has revenues of $700,000, and two full technical IT auditors, one administrative support person, and several senior and staff auditors who assist in various audit projects.
ITAS is part of PKM, a firm that provides accounting, auditing, tax, and information technology assurance and consulting services throughout the Southeast. PKM ranks among the top 25 CPA firms in the nation servicing public companies, according to the Public Accounting Report.
Among the specific services that PKM and its ITAS group offer to publicly held clients are outsourced internal audits, which help clients maintain, validate, and improve internal controls. In addition, the internal audit process helps identify opportunities to reduce costs, improve processes, and enhance corporate governance. Ammons provides this example: over the course of three years, a large bank outgrew its internal audit expertise. The bank hired ITAS to serve as its outsourced internal auditor based on a limited scope that was prepared by the internal auditor and risk manager. ITAS uses Lotus Notes and its collaborative capabilities for all projects. This engagement will provide approximately $35,000 in fees annually.
Ammons, who has been with the firm since 1989, has been in charge of ITAS since 1997. Specific services that ITAS supplies include information systems auditing, network vulnerability assessment, and SAS 70 reports.
These latter reports are designed to review the processing of transactions by service organizations, such as banking and insurance data processing centers, third-party administrators, Web-hosting companies, bank service corporations, account aggregation service providers, and item processing centers.
“A bank uses a data processing service, but they have no control over the processor,” Ammons explains. “ITAS goes into the data processing center and looks at all the information and makes sure it’s in the right place. We report to the client if the data processing service is doing a good job or not, and we go to the bank and give them our report, which in turn they give to their auditors.”
Meanwhile, network vulnerability assessments examine potential internal and external threats to an organization’s networking and core processing systems. “A critical element in this approach is a risk-based assessment of the IT function,” says Ammons.
ITAS uses commercially available scanners, firewall tools, and manual procedures to perform the assessments. “There are a large number of freeware tools that are available for download on the Internet and most hacking courses will hand out CDs full of them. We test all of the tools and determine which ones are most valuable and we stay on top of the latest manual procedures. We don’t reveal the exact tools we use, since it would affect the assessments,” says Ammons.
Carly Lombardo is Associate Editor of Accounting Technology and can be reached at firstname.lastname@example.org.