CA NeWs Beta*: Standards for cyber security audit


Monday, September 19, 2011

Standards for cyber security audit

K. P. SHASHIDHARAN
Digital crimes are difficult to solve because they are committed with
lightning speed and precision.
AICPA recently introduced a Statement on Standards for Attestation
Engagements (SSAE 16) for evaluating controls over services performed
by a service organisation.

Cyber attacks have increased at an alarming rate in the
Internet-powered e-business environment. Websites of government
agencies, corporates and individuals are systematically attacked,
increasingly with well-engineered automated tooling for phishing and
for harvesting critical information assets. Unlike physical crimes
such as automobile theft or house burglary, crimes in the digital
terrain are committed with lightning speed and precision.

Corporates are increasingly moving to cloud computing and outsourcing
many functions to service organizations. These companies demand
assurance from their outsourced service providers that risks have been
identified and mitigated. Approximately 42 per cent of cloud service
providers are reported to follow the PCI DSS (Payment Card Industry
Data Security Standard). This global security standard applies to
every organization that stores, processes or transmits cardholder
data, and is intended to give the card industry adequate controls for
the integrity, authenticity, confidentiality and availability of that
data, so as to prevent financial fraud and identity theft arising from
card use.

AUDITING STANDARDS

The American Institute of Certified Public Accountants (AICPA) issued
SAS 70 (Statement on Auditing Standards No. 70) in 1992, defining what
a service auditor should do to assess the internal controls of a
service organization. Under this standard the auditor issues either a
Type I or a Type II report, depending on what the service organization
or its user organizations require.

In a Type I report, the auditor reports on management's description of
the service organization's controls and on whether those controls are
suitably designed to meet the stated control objectives, as at a
single point in time. A Type II report covers the same ground and, in
addition, tests whether the controls operated effectively over a
review period (typically six months or more). Independent audit
assessment builds credentials and customer trust and confidence, and
a Type II report, because it tests operation rather than design
alone, pinpoints operational deficiencies that need rectification.


ATTESTATION ENGAGEMENTS
Considering recent technological change, AICPA replaced SAS 70 with
the Statement on Standards for Attestation Engagements No. 16 (SSAE
16), effective for reporting periods ending on or after June 15, 2011,
and aligned it with the international assurance standard ISAE 3402.
SSAE 16 is applied to evaluate controls at a service organization that
are relevant to its customers' internal control over financial
reporting. A service organization undertaking an SSAE 16 engagement
receives a SOC 1 Report (Service Organization Control Report), which
brings control deficiencies to the attention of the management of the
service organization, the financial auditors of its customers, and
the customers themselves.

Keeping in view emerging marketplace requirements, AICPA has also
issued guidance for examining controls relevant to the security,
availability, processing integrity, confidentiality or privacy of the
information a system processes for customers (the Trust Services
Principles). Reports on these controls take the form of a SOC 2
Report (a detailed, restricted-use report) or, where a general-use
summary is wanted, a SOC 3 Report. These reports are issued under the
attestation standard AT Section 101 rather than under SSAE 16, and
they, not a SOC 1 Report, are the ones that analyse and resolve key
questions about security and privacy controls.

When a company outsources a function to a service organization, it is
important to obtain an appropriate SOC report from that organization,
because the service organization may come to hold mission-critical
information assets, such as patient information processed for the
medical claims of a health insurer. In such circumstances the health
insurer should insist on assurance from the service organization
(for instance a cloud service provider) regarding the privacy and
security of that data. A SOC 1 Report under SSAE 16 addresses controls
relevant to financial reporting; assurance over privacy and security
requires a SOC 2 Report. The information system auditor should apply
the comprehensive checks the relevant standard requires, and prepare
a report that gives the user organization a reliable view of the
security of the information system.

(The author is a Director-General, CAG Office.)
